Stop Global Brute Force Attack on Your WordPress Blogs

WordPress blogs across the world are being attacked by brute force using a huge botnet. Several web hosting services have warned webmasters to secure their WordPress blogs. HostGator says the attack affects all web hosts, that it is very well organized and highly distributed, and that over 90,000 IP addresses seem to be involved.

It typically targets WordPress blogs through the ‘admin’ user, using a brute force dictionary attack that tries thousands of passwords until it finds the one that unlocks the blog. Hosts say affected blogs will have a slow WordPress backend and possibly an inability to log in, and that the attack mostly hits VPS and dedicated servers. Cloudflare claims to have pushed updates to all free and paying customers to block the signatures of the attack.

Brute Force Attack on WordPress Blogs


The most recommended tips to avoid this attack on your site are:

  1. Change the admin user – New WordPress installations by default create ‘admin’ as the main user. Since this attack targets the admin user and brute-forces its password, it is a good idea to rename that user.
  2. Strong passwords – Use long passwords of more than 8 characters, mixing lower-case and capital letters, symbols, numbers, etc. Here are some best practices to make a strong password.
  3. Two-factor authentication – WordPress.com users can turn on two-factor authentication to further protect their blog. Though it may seem a little more time consuming, it is worth it.
  4. WordPress security plugins – Some of the commonly recommended plugins to protect your site are WordFence (includes a firewall and virus scanning) and Limit Login Attempts (limits the rate of login attempts per IP).
  5. Upgrade WordPress – Ensure you have upgraded to the latest version of WordPress. It is just a click away now with super quick upgrades.
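The per-IP limiter in tip 4 only helps when one address keeps hammering the login page; a botnet of 90,000 addresses can spread its dictionary so thinly that each IP stays under any per-IP limit. The following Python script is an added example (not code from the article or from any of the plugins it names) that reads web server access logs in the common "combined" format, buckets every POST to wp-login.php into one-minute windows, and flags windows where the aggregate number of login attempts is high even though no single IP sent more than a few. The log lines it analyses are constructed for the example; the thresholds `min_attempts` and `max_per_ip` are assumptions to tune for your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Regex for the Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Drop any query string so "/wp-login.php?redirect_to=..." is counted as a login POST too.
    path = m.group("path").split("?")[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def login_attempts_per_minute(lines):
    """Group POSTs to wp-login.php into one-minute buckets, keeping the source IP of each
    attempt. Ordinary page views and static files are ignored."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path.endswith("/wp-login.php"):
            buckets[ts.replace(second=0, microsecond=0)].append(ip)
    return buckets


def flag_distributed_bruteforce(lines, min_attempts=20, max_per_ip=3):
    """Flag each minute whose total login POSTs reach min_attempts while no single IP
    exceeds max_per_ip: the distributed pattern a per-IP limiter never triggers on.
    Returns {minute_label: {"attempts": n, "distinct_ips": k, "max_per_ip": m}}."""
    flagged = {}
    for minute, ips in sorted(login_attempts_per_minute(lines).items()):
        per_ip = Counter(ips)
        busiest = max(per_ip.values())
        if len(ips) >= min_attempts and busiest <= max_per_ip:
            flagged[minute.strftime("%Y-%m-%d %H:%M")] = {
                "attempts": len(ips),
                "distinct_ips": len(per_ip),
                "max_per_ip": busiest,
            }
    return flagged


def build_sample_log():
    """Constructed sample log (not a real capture): 25 different TEST-NET addresses each
    POST to wp-login.php once inside the same minute, mixed with ordinary traffic and one
    legitimate user who mistypes a password a few minutes later."""
    lines = []
    for i in range(25):
        lines.append(
            f'203.0.113.{i + 1} - - [12/Apr/2013:10:00:{i:02d} +0000] '
            '"POST /wp-login.php HTTP/1.1" 200 3954 "-" "Mozilla/5.0"'
        )
    lines.append('198.51.100.7 - - [12/Apr/2013:10:00:30 +0000] '
                 '"GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"')
    lines.append('198.51.100.7 - - [12/Apr/2013:10:00:31 +0000] '
                 '"GET /wp-content/themes/x/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append('198.51.100.9 - - [12/Apr/2013:10:05:10 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 200 3954 "-" "Mozilla/5.0"')
    lines.append('198.51.100.9 - - [12/Apr/2013:10:05:25 +0000] '
                 '"POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for minute, stats in flag_distributed_bruteforce(build_sample_log()).items():
        print(f"{minute}: {stats['attempts']} login POSTs from {stats['distinct_ips']} IPs "
              f"(busiest IP sent {stats['max_per_ip']})")
```

Run against a real log with `flag_distributed_bruteforce(open("access.log").readlines())`. In the constructed sample the 10:00 window is flagged with 25 attempts from 25 distinct IPs, one per address, which is exactly the shape a per-IP plugin sees as 25 harmless first attempts; the single user retrying at 10:05 is not flagged. A spike like this is the signal to act at the web server or host level (blocking wp-login.php except for known addresses, or an HTTP-auth challenge in front of it) rather than relying on a plugin that keys on the source IP.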

Have you secured your WordPress blog? It could be your blog next.

Rohan Mod

They are targeting the blogs whose username starts with ADMIN, so the best thing will be to change your username from admin to something else.

QuickOnlineTips

That’s right. They are targeting the default Admin username.

Peter Stolmar

Unfortunately Wordfence is likely to crash the server or cause other major problems if you use it to try to block a large scale attack like this. No plugin is likely to have any effect; they are using one IP per login attempt, so anything IP based will not work. Most hosts have mitigated with some success, although the attackers quickly change tactics every time a new security measure is put in place, so it is a constant battle to keep the attack “muffled”. The main issue now is there are infected sites infecting computers all over the place, and…

Peter Stolmar

I would NOT recommend any plugins to try to block an attack of this scale. Wordfence and similar plugins that execute another PHP process or, worse, also write to the database for each IP and login will very likely crash your server or at least slow your site to a crawl.

Follow this guide if your site was attacked (wp-login.php several times in your access logs):

http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html

rakesh

Thank God, we have done this before. Looking to install some security plugin. Thanks for the alert.

PrIyAnGsHu

Thanks for the update. Fortunately, I’m not a victim of this attack yet :).

nazneen

Thanks for the update. Most users don’t change their username, and they face this type of problem.

Madhav Tripathi

I also changed my username (admin) in phpMyAdmin. Because of this DDoS attack my blog had downtime.

Richard Bloomfield

As it’s a nightmare to remember difficult passwords with numbers, why not stick to a password where you can easily and naturally use numbers and letters, e.g. “Division” becomes d1v1s10n.

S.Pradeep Kumar

Nothing will beat a strong password, I say; it is one of the most essential security tips. Also, eliminating the ‘admin’ user is recommended.

Pavan Somu

Not all the time, Pradeep. I used an unbreakable password but still my blog got affected. I’m a HostGator user.

Gaurav Chawla

I have a doubt about the last precaution, because updating the WP version causes compatibility issues. Nevertheless, great information.