Stop Global Brute Force Attack on Your WordPress Blogs

WordPress blogs across the world are being attacked by brute force using a huge botnet. Several web hosting services have warned webmasters that they should secure their WordPress blogs. Hostgator claims it affect all web hosts and the brute force attack is very well organized and very distributed and over 90,000 IP addresses seem to be involved in this attack.

It is typically targeting WordPress blogs using the ‘Admin’ user and using a brute force dictionary attack to try thousands of passwords and find passwords to hack the blogs. They say blogs will have slow WordPress backend, and maybe inability to login; and will mostly attack VPS and Dedicated servers. Cloudflare claims to have pushed updates to all free and paying customers to block the signatures causing the attack.

Brute Force Attack on WordPress Blogs

botnet attack

The  most recommended tips to avoid this attack on your site are

  1. Change admin user – New WordPress installations by default create ‘Admin’ as the main user. Since this attack is targeting Admin users and using brute force to detect their passwords, its a good idea to change the admin user.
  2. Strong passwords – its a good idea to make long passwords more than 8 characters, with small and capital letters, symbols, numbers etc. Here are some best practices to make a strong password.
  3. Two-factor authentication – users can turn on two-factor authentication, to further protect their blog. Though it may seem a little more time consuming, it is worth it.
  4. Security WordPress plugins –  some of the commonly referred plugins to protect your site are WordFence (includes firewall, virus scanning), and Limit Login Attempts (Limits rate of login attempts)
  5. Upgrade WordPress –  Ensure you have upgraded to the latest version of WordPress. Its just a click away now with super quick upgrades.

Have you secured your WordPress blog. It could be your blog next.


  1. Rohan Mod says:

    they are targeting the blogs whose username starts with ADMIN so the best thing will be change your username from admin to something else.

  2. Peter Stolmar says:

    Unfortunately Wordfence is likely to crash the server or cause other major problems if you use it to try to block a large scale attack like this.

    No plugin is likely to have any effect, they are using one IP per login attempt, so anything IP based will not work. Most hosts have mitigated with some success, although the attackers quickly change tactics every time a new security measure is put in place, so it is a constant battle to keep the attack “muffled”.

    The main issue now is there are infected sites infecting computers all over the place, and the malware dropped on computers infects other sites (without necessarily using the login brute-force).

    Affected users should follow this guide to properly respond to the attacks – the main point is to change the admin username to something difficult to guess:

    The guide also explains how to “reset” a hacked WordPress site and links to several useful resources for site owners about WordPress security.

  3. Peter Stolmar says:

    I would NOT recommend any plugins to try to block an attack of this scale. Wordfence and similar plugins that execute another PHP process or worse, also write to the database for each IP and login, will very likely crash your server or at least slow your site to a crawl.

    Follow this guide if your site was attacked (wp-login.php several times in your access logs):

  4. rakesh says:

    Thanks God, we have done this before. looking to install some security plugin. Thanks for an alert.

  5. Ron says:

    I got mail from my host , it says the purpose of the attack isn’t entirely clear, but as security researcher reports, currently most of the attacks seem to be sourced from PCs, not servers. The attack seems to install a “backdoor [that] lets the attackers control the site remotely.” Those backdoors will presumably be used to some followup attack at a later date, and in theory could cause more damage than a PC-based botnet attack.

  6. PrIyAnGsHu says:

    Thanks for the update. Fortunately, I’m not a victim of this attack yet now :).

    • P. Chandra says:

      I wanted to change my admin user for a long time. This was a good motivating event to do that.

      • PrIyAnGsHu @ System Mechanic 11 Review says:

        Yes, I heard that the WordPress sites that were having the default username i.e. “Admin” became the victims of this attack. It was good that I was not having that on any of my sites :).


  7. nazneen says:

    Thanks For Update. Mostly user don’t change their username and they faces this type of problem.

  8. Madhav Tripathi says:

    I also changed my username (admin) in Phpmyadmin. because of this DDoS attack my blog had down times.

  9. Richard Bloomfield says:

    As it’s a nightmare to remember difficult passwords with numbers, why not stick to a password where you can easily and naturally use numbers and letters eg “Division” becomes d1v1s10n

    • P. Chandra says:

      It is a great idea. But now I think a lot of people are aware of that trick, and can try it out to guess passwords.

  10. S.Pradeep Kumar says:

    Nothing will beat a strong password I say, it is one of the most essential security tips. Also eliminating ‘admin’ role is recommended.

    • Pavan Somu says:

      Not all the times Pradeep. I used unbreakable password but still my blog got affected. I’m HostGator user.

  11. Gaurav Chawla says:

    I have a doubt about the last precaution. Because updating the WP version causes compatibility issues. Nevertheless, great information.

Leave a Reply

Your email address will not be published. Required fields are marked *