Over the past 24 hours it has come to our attention that a large network of over 90,000 IP addresses has ramped up its use of a brute force attack to target WordPress blog installations. According to several published reports, the botnet is attempting to gain access to WordPress installations by using the default Admin user name and trying multiple passwords. By default, WordPress allows unlimited login attempts, either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Popular hosting providers CloudFlare and HostGator are reporting that the scale of the current attack is much larger than what they typically experience, with some reports claiming that they are blocking 60 million requests per hour during peak times. After reviewing our logs we’ve already noticed several failed login attempts using the username Admin.

What can I do to protect my WordPress installation(s)?

  1. If your username is currently set as Admin, change it to something custom. The easiest way is probably by using something like the Better WP Security WordPress plugin.
  2. Change/strengthen your password. Your password should include capital letters and symbols (%+!#).
  3. Install a plugin to limit login requests. We use the appropriately titled Limit Login Attempts WordPress plugin, but there are several other plugins with similar functionality.
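The attack described above is distributed: each of the 90,000 IPs needs only a handful of attempts, so a per-IP lockout alone can miss it. As an added example (not code from this post or from any of the plugins mentioned), the Python snippet below scans constructed access-log lines for failed wp-login.php POSTs and flags both a single abusive IP and an aggregate spike spread across many IPs. It assumes the default WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302; the thresholds are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in combined log format; not real traffic from the post.
# Twelve different IPs each fail once within the same minute, then one real user
# logs in successfully (302) and another merely loads the form (GET).
SAMPLE_LOG = "\n".join(
    f'203.0.113.{n} - - [12/Apr/2013:10:00:{n:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "bot"'
    for n in range(1, 13)
) + "\n" + (
    '198.51.100.7 - - [12/Apr/2013:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    '198.51.100.8 - - [12/Apr/2013:10:00:31 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"\n'
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(log_text):
    """Yield (ip, timestamp) for each request that looks like a failed wp-login.php POST."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Assumption: failed login = POST to wp-login.php answered with 200 (form shown again).
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def analyze(log_text, window_seconds=60, per_ip_limit=5, global_limit=10):
    """Report per-IP abuse and, separately, a distributed burst that stays under the per-IP limit."""
    events = sorted(failed_logins(log_text), key=lambda e: e[1])
    per_ip = Counter(ip for ip, _ in events)
    # Sliding window: the largest number of failures from any source within window_seconds.
    peak, start = 0, 0
    for end in range(len(events)):
        while (events[end][1] - events[start][1]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    flagged_ips = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    return {
        "failed_total": len(events),
        "distinct_ips": len(per_ip),
        "peak_in_window": peak,
        "flagged_ips": flagged_ips,
        # Distributed: the site as a whole is under attack although no single IP trips the limit.
        "distributed": peak > global_limit and not flagged_ips,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, no IP exceeds the per-IP limit, yet the aggregate burst is flagged; a site-wide rate check (or the low-threshold, long-timeout settings suggested by commenters) is what catches this case.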

Once that is done, sit back and hope for the best!

Update: HostGator has provided additional tips.

Kyle Eslick is a WordPress enthusiast who took his passion for WordPress to the next level in 2007 by launching WPHacks.com as a place to share hacks, tutorials, etc. Follow Kyle on Twitter @KyleEslick!

  1. Eric says:

    Thanks for the info here. I’ve been hearing about this today all over the web and I’m going to get some security setup on my blog including changing the password to something harder to hack into.

    Hopefully things get back to normal here soon.

  2. Already done! I am using a custom username, a difficult password and the Google Authenticator plugin. 😉

  3. Randy says:

    I also use Limit Login Attempts, however, they are saying it won’t make a difference with this type of attack because they are using multiple IPs in a short time. You can read the top notice in the WP forums to verify this.

  4. The security and Limit Login Attempts WP plugins are good steps, but if reports are to be believed, the botnet has multiple IPs to utilise so blocking IP access may not work, but setting Limit Login Attempts to a low number and upping the timeout. Also the admin username being changed is a great step as it targets this. Nice post, great tips.

  5. Sam Woods says:

    Unfortunately you won't be able to plug all WP holes for security, but all you can do is try.

    I completely agree that you need a security plugin to help combat ‘brute force’ attacks. On a good note, there are a few really good free ones!


  6. Salvatore Capolupo says:

    Very serious problem in my opinion… but changing the admin username and using a password that is not easy could be a good start.

  7. Isolation Transformer Manufact says:

    Popular web host suppliers CloudFlare and HostGator are confirming that the range of the current strike is much bigger than what they generally experience, with some reviews declaring that they are preventing 60 thousand demands hourly during optimum times. After examining our records we’ve already observed several unsuccessful sign in efforts using the login name Administration.

  8. Sure would be nice if this post had a date on it. I thought it happened again.