Brute Force Attack
Alert ID: brute_force
MITRE ATT&CK: T1110 – Brute Force
Severity / Criticality
| Level | Condition |
|---|---|
| Low | 3–5 attempts → Initial suspicious activity |
| Medium | 6–20 attempts → Moderate active attack |
| High | 21–40 attempts → Significant persistent attack |
| Critical | 41+ attempts or successful login after brute force → Potential compromise |
Why is it considered malicious?
- Unauthorized access attempts against administrative accounts.
- Risk of full WordPress site compromise.
- Possible credential or sensitive-data theft.
- Use of the site as a starting point for further attacks.
!!! danger "Critical"
    A successful login after multiple failed attempts indicates a potential breach.
When does the alert trigger?
- Initial threshold: 3 failed attempts from the same IP.
- Aggregation window: 60 seconds.
- Cooldown: 5 minutes after each alert.
- Immediate critical trigger if there is a successful login after consecutive failures.
- Pattern analysis: `targeted_single_user`, `targeted_multiple_users`, `dictionary_attack`.
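As an added illustration of the trigger conditions and severity table above (example code, not the rule's own implementation), the following Python applies the 3-failure threshold, 60-second window, 5-minute cooldown and the immediate critical on success-after-failures to constructed login events. The pattern heuristic (one target, up to five, more than five distinct usernames) is an assumption of this example, not something the rule defines.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)    # aggregation window from the rule
COOLDOWN = timedelta(minutes=5)   # suppression after each alert
THRESHOLD = 3                     # failures that first trigger an alert

def severity(failures, success_after_failures=False):
    """Map the attempt count to the rule's four severity levels."""
    if success_after_failures or failures >= 41:
        return "critical"
    return "high" if failures >= 21 else "medium" if failures >= 6 else "low"

def pattern(usernames):
    """Assumed heuristic (thresholds are NOT from the rule): one target,
    a handful of targets, or a long username list."""
    n = len(set(usernames))
    return ("targeted_single_user" if n == 1 else
            "targeted_multiple_users" if n <= 5 else "dictionary_attack")

def detect(events):
    """events: (iso_timestamp, ip, username, outcome) with outcome FAIL or OK.
    Returns alerts as (timestamp, ip, severity, pattern, failures_in_window)."""
    recent = defaultdict(deque)   # ip -> (time, user) failures inside WINDOW
    last_alert, alerts = {}, []
    for ts, ip, user, outcome in sorted(events):
        t, q = datetime.fromisoformat(ts), recent[ip]
        while q and t - q[0][0] > WINDOW:   # slide the 60-second window
            q.popleft()
        if outcome == "FAIL":
            q.append((t, user))
            if len(q) < THRESHOLD or (ip in last_alert and t - last_alert[ip] < COOLDOWN):
                continue                    # below threshold or inside cooldown
            sev = severity(len(q))
        elif q:                             # success right after failures: immediate critical
            sev = severity(len(q), True)
        else:
            continue                        # success with no recent failures is benign
        alerts.append((ts, ip, sev, pattern([u for _, u in q]), len(q)))
        last_alert[ip] = t
        if outcome == "OK":
            q.clear()                       # the run of failures has been resolved
    return alerts

# Constructed sample events (not real traffic); documentation address ranges only.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "203.0.113.7", "admin", "FAIL"),
    ("2024-05-01T10:00:05", "203.0.113.7", "admin", "FAIL"),
    ("2024-05-01T10:00:09", "203.0.113.7", "admin", "FAIL"),   # third failure: low alert
    ("2024-05-01T10:00:12", "203.0.113.7", "admin", "FAIL"),   # inside cooldown: suppressed
    ("2024-05-01T10:00:20", "203.0.113.7", "admin", "OK"),     # success after failures: critical
    ("2024-05-01T10:03:00", "198.51.100.2", "editor", "FAIL"),
    ("2024-05-01T10:05:00", "198.51.100.2", "editor", "FAIL"), # outside the window: no alert
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts for 203.0.113.7 (low at the third failure, critical on the later success) and none for 198.51.100.2, whose two failures fall outside one window.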
Technical Indicators (IOCs)
| Type | Pattern | Description |
|---|---|---|
| log_pattern | POST /wp-login.php | High-volume login requests |
| log_pattern | POST /xmlrpc.php (system.multicall) | XML-RPC attacks |
| behavior | 401/403 responses | Access-denied responses |
| behavior | >2 requests/sec | Automated activity |
| file_pattern | wp_options -> failed_login_attempts | Failed-attempt record |
Common false positives
- Users who forgot their password, usually fewer than 3 attempts.
- Misconfigured password managers.
- Authentication plugins that retry automatically.
- Monitoring tools or uptime checkers with incorrect settings.
Investigation steps
- Verify IP origin: `whois [IP]` and `geoiplookup [IP]`.
- Analyze timing patterns to determine whether activity is human or automated.
- Review targeted users and check whether administrative accounts are being targeted.
- If login succeeded, analyze subsequent activity such as user, permission, plugin, or file changes.
Recommended mitigations
=== "Immediate"

    !!! danger ""
        - Block the attacking IP in the firewall or WAF.
        - Force a password change if login succeeded.
        - Revoke active sessions for the compromised user.
        - Enable two-factor authentication (2FA).

=== "Preventive"

    !!! tip ""
        - Implement login-attempt limits, for example Wordfence or Limit Login Attempts.
        - Change the `wp-admin` access URL, for example with WPS Hide Login.
        - Add CAPTCHA to the login form.
        - Disable XML-RPC if it is not used.
        - Configure fail2ban with a WordPress-specific rule.

References
- MITRE ATT&CK T1110 – Brute Force
- OWASP Blocking Brute Force Attacks
- WordPress Security Guide