How to protect your site from mass WordPress brute force attacks

Last updated on June 26th, 2020 by Robert Abela. Filed under WordPress Security Tutorials & Tips

A WordPress brute force attack has been making the news for the last couple of weeks. The botnet launching these attacks is going around WordPress blogs and websites and trying to log in with the “admin” username and a number of common and predictable passwords.

The WordPress Bruteforce Botnet

This WordPress botnet has over 90,000 IP addresses, so limiting the number of logins or using login throttling plugins is not the best solution. Once a botnet IP address is blocked, it will automatically try from another IP. Such a botnet is capable of launching a login attempt from a different IP every second for over 24 hours.
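To illustrate why per-IP throttling never trips against such a botnet, here is an added example (not code from the article) that reads constructed Apache access-log lines and counts distinct source IPs posting to wp-login.php per minute. It assumes the common heuristic that a failed WordPress login returns 200 (the form is re-rendered) while a successful one redirects with 302.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines (not from the article): six different IPs
# each fail once within one minute, one GET of the form, one successful login.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2020:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Jan/2020:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Jan/2020:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2020:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Jan/2020:10:00:44 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.15 - - [01/Jan/2020:10:00:58 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [timestamp] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_failed_logins(text):
    """Yield (timestamp, ip) for each POST to wp-login.php answered with 200 (assumed failed)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not m["path"].startswith("/wp-login.php"):
            continue
        yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]


def max_attempts_per_ip(text):
    """Highest failed-login count from any single IP; a per-IP throttle keys on this."""
    return max(Counter(ip for _, ip in parse_failed_logins(text)).values(), default=0)


def distributed_bruteforce_windows(text, window_seconds=60, min_distinct_ips=5):
    """Map window start (epoch seconds) to distinct failing IPs, for windows over the threshold.

    Keying on distinct sources per window, rather than attempts per source, is what
    exposes a botnet that rotates IPs so that no single address ever exceeds a limit."""
    buckets = defaultdict(set)
    for ts, ip in parse_failed_logins(text):
        buckets[int(ts.timestamp()) // window_seconds * window_seconds].add(ip)
    return {start: len(ips) for start, ips in buckets.items() if len(ips) >= min_distinct_ips}
```

On the sample, no IP fails more than once, so a throttle set at 3 attempts per IP would stay silent, while the per-minute distinct-IP count of 6 is flagged.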

Protect your WordPress from Brute Force Attacks

Many WordPress security companies embraced this opportunity to recommend a myriad of services to help you protect your WordPress site from brute force attacks. We have two very simple and free solutions for you to protect your WordPress site from such brute force attacks.

Change the Default WordPress Admin User

Never use a default username such as admin for your WordPress administrator account. Use a username that is neither easy to guess nor predictable, for example 25RV4LP6.

Use a Strong Password

We can never stress enough how important it is to use a strong password. Here are some guidelines you can use to generate a strong new password for your WordPress admin account. A password should:

  • Consist of at least 8 characters
  • Not be a predictable or dictionary word
  • Not be the name of someone or something, such as your girlfriend, your pet or the town where you live
  • Include upper and lower case letters, numbers and special characters such as !, $, ?, ( etc.
  • If possible, be changed once every month or two

You can also use a plugin to enforce strong password policies on your WordPress sites.

Storing your WordPress Password Securely

If you have problems remembering long and difficult passwords use a password manager. If you have multiple passwords, you only need to remember one password to open the password manager. Do not store your WordPress password on a piece of paper and keep it in your wallet or attached to the monitor (yes we’ve seen this!!!).

Add an Extra Layer of Protection to WordPress Administration Screens (wp-admin)

To further protect your WordPress from brute force attacks (and also from zero day exploits) you can also:

WordPress Brute Force Attack Protection

As we have seen, by using a strong username and a strong password you are already protecting your WordPress site from the brute force attacks that are circling around. There is no need to invest a lot of money to have a secure WordPress installation.

Suzie 20/09/2019

Thanks for your useful content. You’ve mentioned that there are over 90,000 IP addresses in the WordPress botnet. Can you provide a reliable resource for this number?

Robert Abela 21/09/2019

Sure Suzie. It was mentioned on the US-Cert website, TechCrunch and many other websites.

However, that is just a small detail and specific to that brute force attack, which happened quite a few years ago. Since then there have been a few others that were much bigger. With all the tools available, nowadays it is not that difficult to set up a large scale botnet attack.
