During the last few days there has been a global brute force attack on WordPress sites.

Brute force attacks are nothing new and won’t going away anytime soon. This recent outburst is just an increase in an already increasing frequency.

How do I protect my WordPress site?

Accounts with the username ‘admin’ are bad.  Really bad.

To protect your WordPress site there are a few, simple, things you can do that will greatly increase your site’s security. Make sure all default accounts like “admin” have been deleted or renamed and that your passwords are very difficult to guess. A brute-force attack is a relatively unsophisticated attack where one or more remote machines try to guess your password.

The more successful attacks are attacks where a back-door known only to a hacker (a zero day vulnerability) is exploited to gain access to your system without logging in. The Timthumb vulnerability is an example of this. I haven’t seen any reports of a new “zero day” vulnerability being exploited in this attack.

Strong Passwords Are Your Friend. Use them.

If you have passwords that look like ‘12345’, or even worse, ‘admin’ or ‘password’ now is a good time to change those passwords!  I use the password generator that comes with 1Password. Not only does it generate a good password but it also stores it in my computer’s database.

Here is what one of my typical passwords looks like.


Do you think that is long enough?  ;)

Disabled and Delete all Unused Themes and Plugins

Despite what you may have heard WordPress is actually a very secure platform; granted you are using a good hosting company.  However, using poorly coded, or outdated plugins or themes make it easier for attackers to get in.  If you are not actively using a plugin, or theme do yourself a favor and delete it. Less is more in this case.

Install a Security Plugin

There are a whole slew of WordPress security plugins that do a great job at protecting your site.  Some better than others.

Right now I’m using and older plugin called Login Lockdown.  It does one thing and it does it very well; blocking repeated attempts at logging in to your site.  Note: Yes, the plugin has not been updated in a few years but I have been assured that the code is still up to par.

More Details About The Attack

The nature of the attack does suggest that a large part of the brute force attacks currently underway may be originating from an person or a single group.

If successful this will result in a single individual or group having access to a large distributed network of compromised WordPress servers on relatively high bandwidth links. They can then launch further attacks from this platform.

However, whether the attacks are being orchestrated by one person or one group should not affect how you protect yourself.

Plan of action for you or your Webmaster

  1. Make sure your “admin” account has been renamed.
  2. Make sure all your passwords are difficult to guess.
  3. Make sure you’ve disabled and deleted all unused themes and plugins.
  4. Install a security plugin that stops repeated login attempts.