A WordPress brute force attack has been going on, and making the news, for the last couple of weeks. The botnet launching these brute force attacks is going around all of the WordPress blogs and websites it can find and trying to log in with the “admin” username and a number of common and predictable passwords.
The WordPress Bruteforce Botnet
This WordPress botnet has over 90,000 IP addresses, so limiting the number of logins or using login throttling plugins is not the best solution. Once a botnet IP address is blocked, it will automatically try from another IP. Such a botnet has the capability of launching a login attempt from a different IP every second for over 24 hours.
Protect your WordPress from Brute Force Attacks
Many WordPress security companies have embraced this opportunity to recommend a myriad of services to help you protect your WordPress from brute force attacks. We have two very simple and free solutions for you to protect your WordPress from such brute force attacks.
Change the Default WordPress Admin User
Since WordPress version 3.0 it has been possible to change the default “admin” username during the installation. Unfortunately many people are still using the default “admin” username in WordPress, and this makes many WordPress installations a victim of these WordPress brute force attacks.
If you are using the default “admin” username in WordPress it is recommended to change the username. Follow this WordPress tutorial to change your WordPress admin user. A strong username should consist of both letters and numbers and should be an unpredictable word, such as “25RV4LP6”.
Use a Strong Password
We can never stress enough how important it is to use a strong password. Here are some guidelines you can use to generate a strong new password for your WordPress admin account. A password should:
- Consist of at least 8 characters
- Not be a predictable word or a dictionary word
- Not be the name of someone or something, such as your girlfriend, your pet or the town where you live
- Include both upper and lower case letters, numbers and special characters such as !, $, ?, ( etc.
- Be changed once every month or two, if possible
You can also use a plugin to enforce strong password policies on your WordPress sites.
Storing your WordPress Password Securely
If you have problems remembering long and difficult passwords use a password manager. If you have multiple passwords, you only need to remember one password to open the password manager. Do not store your WordPress password on a piece of paper and keep it in your wallet or attached to the monitor (yes we’ve seen this!!!).
Add an Extra Layer of Protection to WordPress Administration Screens (wp-admin)
To further protect your WordPress from brute force attacks (and also from zero day exploits) you can also:
- Password-protect the wp-admin directory with .htaccess
- Restrict access to the WordPress wp-admin directory by IP address
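As an added example (not configuration from the original post), here is how both of those restrictions look in Apache 2.4 .htaccess syntax, with the two combined so that your own address gets in without a prompt and everyone else must authenticate. The password file path, the username and the address 203.0.113.10 are placeholders to replace with your own values.

```apache
# Assumes Apache 2.4 with mod_authn_file, mod_authz_core and mod_authz_host
# enabled, AllowOverride permitting these directives, and a password file
# created with:  htpasswd -c /etc/apache2/wp-admin.htpasswd <your-username>
# 203.0.113.10 is a documentation address; use your own admin IP or CIDR range.

# --- /.htaccess (site root) ---
# wp-login.php lives in the site root, not inside wp-admin, so protecting
# only the wp-admin directory would leave the login form itself untouched.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/wp-admin.htpasswd
    <RequireAny>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAny>
</Files>

# --- /wp-admin/.htaccess ---
AuthType Basic
AuthName "Restricted"
AuthUserFile /etc/apache2/wp-admin.htpasswd
<RequireAny>
    Require ip 203.0.113.10
    Require valid-user
</RequireAny>

# Many themes and plugins call admin-ajax.php from the public site, so it
# has to stay reachable without credentials or the front end breaks.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Verify the change from a second browser session (or a connection outside the allowed range) before closing your current admin session, so a typo in the path or address does not lock you out of your own site.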
WordPress Brute Force Attack Protection
As we have seen, by using a strong username and a strong password you are already protecting your WordPress from the brute force attacks that are currently circulating. There is no need to invest a lot of money to have a secure WordPress installation.