Last week a sophisticated botnet that targets and launches brute force attacks against WordPress blogs and websites was detected. Some WordPress hosting providers suffered downtime, security experts are exploiting this opportunity to sell their WordPress security services, and thousands of WordPress sites have been hacked.

The botnet is launching a mass brute force attack against WordPress installations by trying to guess the administrator credentials. The attack is being launched from over 90,000 IP addresses. Blocking the botnet's requests or throttling WordPress logins by source IP will not keep your WordPress site safe, since the botnet has enough IP addresses to send every request from a different IP address, once a second, for over 24 hours.

From the attack logs we’ve seen, the botnet is trying to use generic usernames in the attacks, such as the default WordPress installation account, admin. Other usernames used by the botnet are administrator, test and root. As for passwords, it is also using the most commonly used passwords, such as admin, qwerty, password and 123456.
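A defender-side check for the login pattern described above, added here as an example and not Acunetix code: it parses Apache combined-format access log lines (a constructed sample is embedded), counts POSTs to wp-login.php per one-minute window, and flags windows where most attempts come from different source IPs, which is exactly the distributed case where per-IP blocking or throttling does not help. The thresholds (20 attempts, half of them from distinct IPs) are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real traffic): 40 login POSTs from 40
# different addresses inside one minute, plus ordinary traffic. WordPress
# answers a failed login with 200 (form re-rendered) and a success with 302.
BRUTE_LINES = [
    '192.0.2.%d - - [15/Apr/2013:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3652 "-" "Mozilla/5.0"'
    % (i, i) for i in range(1, 41)
]
OTHER_LINES = [
    '198.51.100.7 - - [15/Apr/2013:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 12034 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Apr/2013:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_LOG = "\n".join(BRUTE_LINES + OTHER_LINES)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_login_posts(log_text):
    """Yield (timestamp, ip, status) for every POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST" or not m.group("path").startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m.group("ip"), int(m.group("status"))


def login_windows(log_text, window_seconds=60):
    """Bucket login POSTs into fixed windows: {window_start: (attempts, distinct_ips)}."""
    ips, counts = defaultdict(set), defaultdict(int)
    for ts, ip, _status in parse_login_posts(log_text):
        start = ts - timedelta(seconds=ts.timestamp() % window_seconds)
        ips[start].add(ip)
        counts[start] += 1
    return {w: (counts[w], len(ips[w])) for w in counts}


def flag_distributed_bruteforce(log_text, window_seconds=60, min_attempts=20, min_ip_ratio=0.5):
    """Return window starts with many login POSTs spread over many source IPs.
    A high distinct-IP ratio means per-IP blocking or throttling will not stop it."""
    flagged = []
    for window, (attempts, distinct) in login_windows(log_text, window_seconds).items():
        if attempts >= min_attempts and distinct / attempts >= min_ip_ratio:
            flagged.append(window)
    return sorted(flagged)


if __name__ == "__main__":
    for w in flag_distributed_bruteforce(SAMPLE_LOG):
        print("distributed login brute force starting", w, login_windows(SAMPLE_LOG)[w])
```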

If your WordPress site uses a username other than these generic ones and a strong password, it won’t fall victim to this botnet. You can also add an additional layer of security by requiring HTTP authentication before the WordPress administration screens can be accessed.

If you are still using the default WordPress admin account, change the username as soon as possible. Acunetix has published an easy-to-follow tutorial that shows you how to rename the default WordPress admin account.
Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.