WordPress Sites Under Brute Force Attack

WordPress is one of the most widely used blogging platforms, and right now it is under a brute force attack from a large botnet. In a recent post, Matt Mullenweg wrote about this attack on WordPress sites. It is a botnet-driven brute force attack that targets the default WordPress username (admin). Let me first explain what a botnet is and how it works.

What is Botnet attack:

Here are a few terms you should know:

  • Bot master: The attacker who controls all of the infected computers.
  • Zombie computer/Bot: A system that has been compromised by the bot master and is then used for spamming and other attacks. The owner is usually unaware that the machine has been compromised. It could be anyone's computer, including yours.

Usually the attacker first compromises a large number of systems spread across different geographical locations, and then uses those compromised systems to run attacks such as denial of service, brute force login attempts and email spam. The botnet diagram in this post shows how the model works. If you wish to learn more about other hacking methods, check out how hackers hack passwords.

The major problem with a botnet attack is that it is hard to stop with I.P. blocking: the attacker has access to a huge range of I.P. addresses, and every blocked address is simply replaced by another bot, so blocking them one by one is practically impossible.

Preventing WordPress brute force attack:

According to Matt, this botnet has access to 90,000+ I.P. addresses, and those systems are being used to run the brute force attack. A brute force attack is a method of systematically trying candidate passwords, dictionary words as well as generated character combinations, until one of them logs in. I have already written about the Limit Login Attempts plugin, but it locks out an individual I.P. after a few failed attempts. In this attack the attempts are spread over 90,000+ I.P.s, so each address can stay below the per-I.P. limit while the site as a whole receives thousands of guesses, and per-I.P. lockout plugins like Limit Login Attempts are not an effective defence on their own.
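To make the point about per-I.P. lockouts concrete, here is an added example (not code from the original post or from any plugin) that runs over a constructed web-server access log. It assumes the combined log format and the fact that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful login redirects with 302; the thresholds (5 failures per I.P., 10 failures from 5 distinct I.P.s per minute) are illustrative choices, not values from the post.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache/nginx "combined" access log. A failed POST to wp-login.php re-renders the
# login form with HTTP 200; a successful login answers 302 to wp-admin. That
# difference lets an ordinary web log stand in for a login-failure log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample (not a real capture): ten bot IPs from the 203.0.113.0/24
# documentation range make 14 failed logins inside 25 seconds, at most two per
# IP, plus one legitimate user (198.51.100.7) who logs in successfully.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Apr/2013:09:59:40 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 8120
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.11 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.12 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.10 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.13 - - [12/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.14 - - [12/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.11 - - [12/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.15 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.16 - - [12/Apr/2013:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.12 - - [12/Apr/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.17 - - [12/Apr/2013:10:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.18 - - [12/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.19 - - [12/Apr/2013:10:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.13 - - [12/Apr/2013:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.7 - - [12/Apr/2013:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [12/Apr/2013:10:00:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 41200
"""


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(log_text):
    """(ip, timestamp) for every wp-login.php POST that did not end in a redirect."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php")
                and rec["status"] == 200):
            failures.append((rec["ip"], rec["ts"]))
    return failures


def per_ip_lockouts(failures, threshold=5):
    """IPs that a per-IP limiter (Limit Login Attempts style) would lock out."""
    counts = Counter(ip for ip, _ in failures)
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_attack(failures, window=timedelta(seconds=60), min_attempts=10, min_ips=5):
    """Slide a time window over all failures regardless of source IP.
    Returns (attempts, distinct_ips) for the busiest window that clears both
    floors, or None when nothing looks like a coordinated attack."""
    failures = sorted(failures, key=lambda f: f[1])
    best, start = None, 0
    for end in range(len(failures)):
        while failures[end][1] - failures[start][1] > window:
            start += 1
        chunk = failures[start:end + 1]
        ips = {ip for ip, _ in chunk}
        if len(chunk) >= min_attempts and len(ips) >= min_ips:
            if best is None or len(chunk) > best[0]:
                best = (len(chunk), len(ips))
    return best


if __name__ == "__main__":
    fails = failed_logins(SAMPLE_LOG)
    print("failed logins:", len(fails))
    print("per-IP lockouts (threshold 5):", per_ip_lockouts(fails) or "none")
    print("distributed attack (attempts, distinct IPs):", distributed_attack(fails))
```

On the sample, the per-I.P. limiter locks out nobody (no address exceeds two failures), while the site-wide view sees 14 failures from 10 addresses in under a minute. The useful signal during a botnet campaign is the aggregate failure rate and the number of distinct sources, not any one I.P.'s count.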

Here are a few things every WordPress user should do immediately to secure their blog against this brute force attack:

Change WordPress default username:

When you install WordPress, you have the option to choose your username. By default WordPress suggests "admin", and I have already explained why you should not use the default username. If you are still using "admin" as your WordPress username, change it to a custom username immediately. Here you can find ways to change your WordPress default username (note: the WP-Optimize plugin method doesn't work anymore).

Do remember, the point is that there should be no user called "admin" on your blog at all. Don't just create a new user with administrator privileges and leave the "admin" account in place; delete the user named "admin" (WordPress will ask you to attribute its posts to another user when you do).

Use a Complex password:

This rule applies to every web property you own. Use a long password that mixes letters, numbers and special characters (#&%^@), and don't reuse it anywhere else. The larger the space of possible passwords, the longer a brute force attack needs to reach yours. Here are a few guides to help you create a strong password for your WordPress blog:

Enable two-step authentication:

If you are a WordPress.com blogger, you can use this guide to enable two-step authentication. Self-hosted WordPress bloggers can use this guide to enable two-step authentication on their blog. With a second factor in place, a guessed password on its own is no longer enough to log in.

Integrate Cloudflare:

Cloudflare, a free CDN service, has added a rule that detects the traffic pattern of this attack and blocks it before it reaches your site. You can read about it here; the feature is also available on the free Cloudflare plan.

HostGator users can use this guide to safeguard their WordPress blog from brute force attacks. There are many WordPress security plugins out there, but for now I would recommend the Better WP Security plugin.

Nonetheless, make sure you are taking regular backups of your WordPress blog, meaning a complete backup of your database and your wp-content folder, so that you can recover quickly if your blog is compromised. I hope you take the suggested measures to keep your WordPress blog safe. If you find this article useful, do consider sharing it on Facebook and Google Plus.


Article By
Harsh Agrawal is a blog scientist and a passionate blogger. He has been blogging since 2008 and writes about blogging, SEO, making money online and tech. His blog, ShoutMeLoud, receives 1 million pageviews/month and has over 700K subscribers.


Comments (10)

  1. Aditya Nath Jha says

    Thanks Harsh, it's really a pain. Even the WordPress backend has slowed down so much due to this attack. I don't use Cloudflare. But I use the Google PageSpeed service; is it ok, does it have any additional security like Cloudflare?

    • says

      If you don't have the "admin" username, you need not worry. Google PageSpeed and Cloudflare are entirely different. Cloudflare helps to stop spam bots along with its free CDN feature, whereas the Google PageSpeed module is just for speeding up your website.

  2. Sreejesh says

    Yesterday the attack was going on and I was alerted by a plugin. Today right now two more of my blogs are being attacked.

  3. Abhinav Jain says

    I make it a point to change my login username from (admin) to my own specific login username. Also I use special symbols ($&)*^%) in my password. Also I am using this WordPress plugin (BackUpWordPress), so in case a hacker is still able to crack in, using this plugin I am able to save my data. This way I will not run the chance of losing my hard work.

  4. says

    Very important article Harsh. A dangerous atmosphere is prevailing with all these blogs getting hacked.

    And these tips can be of great help! Thanks for sharing this article. I will be sharing it with my friends. I hope these attacks stop soon.