A WordPress brute force attack has been making the news for the last couple of weeks. The botnet launching these attacks goes around WordPress blogs and websites trying to log in with the “admin” username and a number of common and predictable passwords.

The WordPress Bruteforce Botnet

This WordPress botnet has over 90,000 IP addresses, so limiting the number of logins or using login throttling plugins is not the best solution. Once a botnet IP address is blocked, it will automatically try from another IP. Such a botnet is capable of launching a login attempt from a different IP every second for over 24 hours.
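To show why per-IP login throttling misses a botnet that spreads its attempts over many addresses, here is an added example (not from the original post) that compares the two views over a constructed login log: the per-IP failure count a throttling plugin keeps, and a per-username count of distinct source addresses inside a short time window. The log format, the IP addresses and the function names are assumptions made for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of login attempts (hypothetical format: ISO timestamp,
# source IP, attempted username, result). The default web-server access log
# does not record the POSTed username, so such records come from a login log.
SAMPLE_LOG = """\
2013-04-15T10:00:01Z 198.51.100.7 admin FAIL
2013-04-15T10:00:02Z 198.51.100.8 admin FAIL
2013-04-15T10:00:03Z 198.51.100.9 admin FAIL
2013-04-15T10:00:04Z 203.0.113.21 admin FAIL
2013-04-15T10:00:05Z 203.0.113.22 admin FAIL
2013-04-15T10:00:09Z 192.0.2.10 jane FAIL
2013-04-15T10:00:20Z 192.0.2.10 jane FAIL
2013-04-15T10:00:31Z 192.0.2.10 jane OK
"""

def parse(text):
    """Parse the constructed log into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def per_ip_offenders(events, threshold=5):
    """What a per-IP throttling plugin sees: IPs with at least `threshold` failures."""
    counts = Counter(ip for _, ip, _, result in events if result == "FAIL")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def distributed_campaigns(events, window=timedelta(minutes=1), min_ips=3):
    """Group failures by target username and report names hit from at least
    `min_ips` distinct IPs inside any span of length `window` (the botnet pattern)."""
    by_user = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start, most_ips = 0, 0
        for end in range(len(hits)):           # sliding window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            most_ips = max(most_ips, len({ip for _, ip in hits[start:end + 1]}))
        if most_ips >= min_ips:
            flagged[user] = most_ips
    return flagged
```

On the sample, `per_ip_offenders` flags nothing (no single IP reaches the threshold) while `distributed_campaigns` reports “admin” hit from five addresses within one minute, which is the signal a per-IP plugin cannot see.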

Protect your WordPress from Brute Force Attacks

Many WordPress security companies embraced this opportunity to recommend a myriad of services to help you protect your WordPress from brute force attacks. We have two very simple and free solutions for you to protect your WordPress from such brute force attacks.

Change Default Admin WordPress User

Since WordPress version 3.0 it has been possible to change the default “admin” username during the installation. Unfortunately many people are still using the default “admin” username in WordPress, and this makes many WordPress installations a victim of these WordPress brute force attacks.

If you are using the default “admin” username in WordPress it is recommended to change the username. Follow this WordPress tutorial to change your WordPress admin user. A strong username should consist of both letters and numbers and should be a non-predictable word, such as “25RV4LP6”.

Use a Strong Password

We can never stress enough how important it is to use a strong password. Here are some guidelines you can use to generate a strong new password for your WordPress admin account. A password should:

  • Consist of at least 8 characters
  • Not be a predictable or dictionary word
  • Not be the name of someone or something, such as your girlfriend, your pet or the town where you live
  • Include both upper and lower case letters, numbers and special characters such as !, $, ?, ( etc.
  • If possible, be changed once every month or two

Storing your WordPress Password Securely

If you have problems remembering long and difficult passwords, use a password manager. Even if you have multiple passwords, you only need to remember one password to open the password manager. Do not store your WordPress password on a piece of paper and keep it in your wallet or attached to the monitor (yes, we’ve seen this!!!).

Add an Extra Layer of Protection to WordPress Administration Screens (wp-admin)

To further protect your WordPress from brute force attacks (and also from zero day exploits) you can also:

WordPress Brute Force Attack Protection

As we have seen, by using a strong username and a strong password you are already protecting your WordPress from the brute force attacks that are circulating. There is no need to invest a lot of money to have a secure WordPress installation.

WordPress Hosting and Backup

WP White Security is hosted on Digital Ocean and backed up with BlogVault online WordPress backup service.
