Protect your WordPress from Mass Brute Force Attacks

Last week a botnet that launches brute force attacks against WordPress blogs and websites was detected. Some WordPress hosting providers suffered downtime, security vendors are using the opportunity to sell their WordPress security services, and thousands of WordPress sites have been compromised.

The botnet is running a mass brute force attack against WordPress installations, trying to guess the administrator credentials, and the attack is being launched from over 90,000 IP addresses. Blocking the botnet's source addresses or throttling logins per IP will not, on its own, keep your site safe: with that many addresses the botnet can send every request from a different IP, one per second, for more than 24 hours without reusing a single one.

From the attack logs we have seen, the botnet tries generic usernames, starting with admin, the account created by a default WordPress installation. Other usernames used by the botnet are administrator, test and root. For passwords it tries the most commonly used choices, such as admin, qwerty, password and 123456.

Since last week I have seen many WordPress security companies trying to sell their services or WordPress security software to desperate WordPress site owners. The reality is that you do not need to spend a penny to protect your WordPress from such mass brute force attacks; the fixes are available for free. If you are subscribed to WebsiteDefender and apply the suggested security changes, your WordPress is safe from this mass brute force attack.

If your administrator account uses a non-default username and a strong password, none of the botnet's guesses will succeed against it. You can add a further layer by requiring HTTP authentication in front of the WordPress administration screens (wp-login.php and the wp-admin directory), so that a guessed password never even reaches WordPress's own login code.
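As an added example (not code from the post, from WebsiteDefender or from WordPress), the following Python checks a proposed username and password against the exact lists the botnet is trying, applies a minimum-strength rule of this example's own choosing, and generates the two pieces of the HTTP authentication layer: an .htpasswd line in Apache's {SHA} format (the same output as `htpasswd -s`) and an .htaccess fragment that guards wp-login.php. The length and character-class thresholds and the file paths are assumptions, not WordPress rules.

```python
"""Added example: reject the credentials this botnet is guessing and
generate an HTTP Basic Auth layer for wp-login.php.  Standard library only."""
import base64
import hashlib
import re

# Usernames and passwords the post reports the botnet trying.
BOTNET_USERNAMES = {"admin", "administrator", "test", "root"}
BOTNET_PASSWORDS = {"admin", "qwerty", "password", "123456"}


def credential_problems(username: str, password: str, min_length: int = 14) -> list[str]:
    """Return a list of problems with the pair; an empty list means it is acceptable.
    min_length and the three-character-class rule are this example's assumptions."""
    problems = []
    if username.lower() in BOTNET_USERNAMES:
        problems.append(f"username '{username}' is on the botnet's list")
    if password.lower() in BOTNET_PASSWORDS:
        problems.append("password is on the botnet's list")
    if len(password) < min_length:
        problems.append(f"password shorter than {min_length} characters")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("password uses fewer than three character classes")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("password contains the username")
    return problems


def htpasswd_sha_entry(user: str, password: str) -> str:
    """One line for .htpasswd in Apache's {SHA} format: base64 of the raw SHA-1
    digest of the password, which is what `htpasswd -s` writes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    encoded = base64.b64encode(digest).decode("ascii")
    return f"{user}:{{SHA}}{encoded}"


def htaccess_login_guard(htpasswd_path: str) -> str:
    """Apache .htaccess fragment putting HTTP Basic Auth in front of wp-login.php.
    Goes in the WordPress root; htpasswd_path is an absolute path that should
    sit outside the document root (assumed location, not from the post)."""
    return "\n".join([
        '<Files "wp-login.php">',
        "    AuthType Basic",
        '    AuthName "WordPress login"',
        f"    AuthUserFile {htpasswd_path}",
        "    Require valid-user",
        "</Files>",
    ])


if __name__ == "__main__":
    print(credential_problems("admin", "123456"))
    print(htpasswd_sha_entry("editor", "correct horse battery staple"))
    print(htaccess_login_guard("/etc/apache2/wp.htpasswd"))
```

Keep the .htpasswd file outside the document root and do not reuse the WordPress password for it; the point of the layer is that it is a second, independent secret. Extending the same rule to the whole wp-admin directory also covers the dashboard, but wp-admin/admin-ajax.php is requested by some themes and plugins on behalf of anonymous visitors, so guard that directory only if you exempt admin-ajax.php or have confirmed nothing on the front end needs it.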

If you are still using the default WordPress admin account, change the username as soon as possible. Acunetix has published an easy-to-follow tutorial on renaming the default WordPress admin account.

  • We have been seeing these attacks on our server. While your plugin does provide some protection, there are other things to take into account, such as where the error or page that they are served comes from. If it is from the WordPress site, then it will add to the load on the server.
    People really need to have secure passwords and a firewall with ModSecurity so that the attacks are mitigated and attackers are blocked.
    To protect against these attacks, we used custom code to block anyone who visits more than 3 wp-login.php pages in a row with a 200 response code, which would indicate 2 failed login attempts. This helps to reduce the server load and keep our sites loading at lightning speed.

    If anything, this attack will teach people not to have easy passwords for their WordPress sites.
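The rule the comment above describes, as an added example that is neither the commenter's custom code nor anything from the post: a failed wp-login.php POST is answered by WordPress with HTTP 200 (the login form is re-rendered with an error), while a successful login redirects with 302, so a run of consecutive 200 responses to wp-login.php from one client is the signal. The script parses Apache combined-format access log lines, tracks that run per IP, and flags any client whose run exceeds the threshold. The log lines are constructed for the example (documentation IP ranges, not real traffic), and the threshold of 3 is the commenter's figure.

```python
"""Added example: flag clients that keep getting HTTP 200 from wp-login.php,
i.e. keep failing to log in, over Apache combined-format access log lines."""
import re
from collections import defaultdict

# Apache "combined" log format; only client IP, request line and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic): one client fails three POSTs in a
# row, one logs in successfully (302), one never touches the login page.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:01:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:02:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:03:01 +0000] "GET /?p=12 HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
"""


def find_bruteforcers(log_text: str, max_run: int = 3) -> dict[str, int]:
    """Return {ip: run_length} for every client whose run of consecutive
    wp-login.php responses with status 200 exceeded max_run.

    Any other status on wp-login.php (302 after a successful login) resets the
    client's run; requests to other paths are ignored, as in the comment's rule.
    """
    runs: dict[str, int] = defaultdict(int)
    flagged: dict[str, int] = {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip it rather than abort the scan
        if not match.group("path").startswith("/wp-login.php"):
            continue
        ip = match.group("ip")
        if match.group("status") == "200":
            runs[ip] += 1
            if runs[ip] > max_run:
                flagged[ip] = runs[ip]
        else:
            runs[ip] = 0
    return flagged


if __name__ == "__main__":
    for ip, run in find_bruteforcers(SAMPLE_LOG).items():
        print(f"block {ip}: {run} consecutive wp-login.php 200 responses")
```

What to do with a flagged address (a firewall rule, a ModSecurity action, a temporary deny list) is up to the deployment; the script only produces the list. The post's own caveat still applies: with 90,000 source addresses a per-IP block mainly cuts server load rather than stopping the guessing, so it complements a non-default username and a strong password, it does not replace them.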
