Effectively managing your own passwords under any circumstances is hard work, but managing your users’ passwords on a WordPress installation can become the job from hell. Say you’re the admin of a WordPress site and you have a variety of users with accounts on your system. You immediately have a problem because WordPress is insanely popular (it’s used on almost one quarter of all websites) and has roughly three times more bugs identified than the next largest content management system. Not surprisingly, WordPress is the most attacked CMS. So, unless you like having your WordPress installation hacked, you’d better get serious about security.
While you can enforce compliance with password standards through plugins such as No Weak Passwords or Force Strong Passwords, users can still choose passwords that are weaker than you’d like. So, how do you check whether their passwords are “good”? You use the Wordfence plugin published by Feedjit Inc.
Wordfence not only provides malware and firewall facilities for WordPress installations, it also includes a password auditing subsystem. Before I explain how Wordfence works, let me explain how hackers get hold of passwords.
Everybody knows the concept of trying different passwords to break into systems, but the reality of any credential checking interface is that it’s implicitly or explicitly rate limited. Implicit rate limiting (the number of login attempts with passwords that can be tried against a known account name) is constrained by the target site’s bandwidth and computing power, while explicit rate limiting relies on tests such as the maximum number of attempts in a period or account lockout after so many failures.
Hardcore account cracking begins when a hacker gets hold of a server’s password file that contains user login names and hashed passwords. Hashing is a one-way transformation of a string that creates a unique hash value for each unique input string. The “one-way” part means that given the hashed value, it’s not possible to deduce the original input string. So when a user tries to log in, the server takes the user name and computes the hash value from the entered password. The server then looks up the user name in the password file and finds the stored hash value. If the calculated hash value matches the stored hash value, the user is authenticated.
Now if a hacker gets the password file and knows the hashing function (that’s the algorithm used to calculate the hash value, and there are only a few to choose from), then they can test millions or billions of passwords to see whether they can generate the hash value associated with a user name in the password file. Because they don’t have to use the server to do this testing, there isn’t any kind of rate limiting, and they can apply as much computing power to the task as they can muster.
But that’s just the beginning of the methods used to crack passwords, because out there on the ‘Net there are lists of tens of millions of passwords and their associated hash values. Obviously, searching a password file for a known hash value is a smart place for a hacker to start, but almost as useful is taking the commonly used passwords and hashing them to see if you get a match.
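To make the last three paragraphs concrete, here is an added example (my own code, not Wordfence’s or WordPress’s) of the two sides of the story: a server storing and verifying hashed passwords, and an administrator auditing the password file against a list of leaked passwords. It also goes one step beyond the text by contrasting an unsalted fast hash, where one precomputed table of hashed passwords checks every user at once, with a salted slow hash, where each candidate has to be re-hashed per user. The user names, passwords, “leaked password” list and file layout are all constructed for the example.

```python
"""Added example: password storage, verification and auditing (not Wordfence code).

The password file layout, user names, passwords and the leaked-password list
below are constructed for this illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a public breach dump of commonly used passwords.
LEAKED_PASSWORDS: List[str] = ["123456", "password", "qwerty", "letmein", "wordpress"]

# Work factor for the slow hash; a real deployment would tune this much higher.
DEFAULT_ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted, fast hash: the storage scheme that precomputed hash lists defeat."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> Tuple[str, str]:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256).
    Returns (salt_hex, hash_hex) as the server would store them."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_password(salt_hex: str, stored_hash_hex: str, candidate: str,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Server-side login check described in the article: recompute the hash of the
    entered password under the stored salt and compare it with the stored hash.
    compare_digest avoids leaking where the two strings first differ."""
    _, computed = hash_password(candidate, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(computed, stored_hash_hex)


def audit_unsalted(password_file: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Audit an unsalted MD5 password file (user -> md5 hex).
    One table of hash -> password covers every user, so each user costs a single
    dictionary lookup: this is why leaked lists of pre-hashed passwords are so
    effective against unsalted stores. Returns user -> matched weak password."""
    table = {md5_hex(p): p for p in wordlist}
    return {user: table[h] for user, h in password_file.items() if h in table}


def audit_salted(password_file: Dict[str, Tuple[str, str]], wordlist: List[str],
                 iterations: int = DEFAULT_ITERATIONS) -> Dict[str, str]:
    """Audit a salted PBKDF2 password file (user -> (salt_hex, hash_hex)).
    The per-user salt forces every candidate to be re-hashed for every user, so
    the cost is len(users) * len(wordlist) slow hashes and no shared table helps.
    Returns user -> matched weak password, i.e. the accounts to notify."""
    weak: Dict[str, str] = {}
    for user, (salt_hex, stored) in password_file.items():
        for candidate in wordlist:
            if verify_password(salt_hex, stored, candidate, iterations):
                weak[user] = candidate
                break
    return weak


def build_sample_files(iterations: int = DEFAULT_ITERATIONS):
    """Constructed password files for three users: one strong passphrase, two weak."""
    users = {
        "alice": "correct horse battery staple",
        "bob": "password",
        "carol": "wordpress",
    }
    unsalted = {u: md5_hex(p) for u, p in users.items()}
    salted = {u: hash_password(p, iterations=iterations) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted_file, salted_file = build_sample_files()
    print("weak accounts (unsalted md5):", audit_unsalted(unsalted_file, LEAKED_PASSWORDS))
    print("weak accounts (salted pbkdf2):", audit_salted(salted_file, LEAKED_PASSWORDS))
    salt, stored = salted_file["alice"]
    print("alice logs in with correct passphrase:",
          verify_password(salt, stored, "correct horse battery staple"))
```

Both audits flag the same two accounts, which is the point of an audit like Wordfence’s: the administrator learns which users chose passwords that appear in public leaks before an attacker does. What differs is cost. The unsalted audit hashes the wordlist once for all users, whereas the salted one has to run the slow hash once per user per candidate, which is the same work an attacker faces after stealing the file.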
Servers can also use a number of techniques to make this kind of attack much harder but, as always, there are counter-techniques that ensure that perfect security is impossible.
In short, once a hacker gets access to a server’s password file, it’s likely that user accounts will be compromised. And when hackers get that access, if it isn’t through a software vulnerability, it’s usually through a single compromised account.
Wordfence audits your WordPress passwords by accessing your WordPress password file, encrypting it with some serious, heavyweight encryption methods, then sending it to Feedjit’s data center, where it remains encrypted until testing begins. The testing process starts with decrypting the password file and then using the same techniques the bad guys use … except the Wordfence system uses a 40+ Teraflop cluster of industrial strength GPUs to simulate a cracking attack on site passwords, using both a list of 310 million passwords from public disclosures of hacked accounts and brute-force guessing.
When a new password is created or a site administrator schedules an audit, Wordfence conducts the tests and notifies the admin of weak passwords and, optionally, emails the user, asking them to set a new (and better) password.
The free version of Wordfence is amazing! It scans the WordPress core, theme and plugin files for attacks, repairs compromised files, scans content for bad URLs, provides a real-time traffic view of hackers and crawlers, scans for known malware and backdoors, provides firewalling, rate limits rogue crawlers, intelligently blocks IP addresses and IP blocks, blocks fake Googlebots and brute-force attacks, monitors content leeches, monitors disk space, enforces strong passwords, audits existing passwords, scans for DNS changes, and tracks IP addresses to their source and acquires detailed IP information. Oh, and Wordfence includes a WordPress caching engine that, it is claimed, can increase site performance by up to 50 times!
The premium service, which starts at $39 per year for a single site and drops to as little as $3 per year for multiple sites, adds two-factor authentication (cellphone sign-in), an advanced comment spam filter, checks on whether the site is spamvertised or the site’s IP address is generating spam, remote scans, country blocking, frequent scans, scheduled scans, and premium support.
The password auditing combined with all of Wordfence’s other security features is a really powerful combination and, as a consequence, the plugin has been downloaded over 5,500,000 times and currently has over 700,000 active installs. Wordfence is currently rated 4.9 out of 5 stars on the WordPress site.
On the Wordfence site there’s a world map showing events occurring on sites using the Wordfence plugin and, at the time of writing, it shows 39,590 attacks per minute.