WordPress Brute Force Attacks, and What You Need to Do About it

Last updated Jul 10, 2019

Several major sources have confirmed that there are mass brute force attacks being targeted towards WordPress and Joomla sites as we are speaking right now. HostGator, InMotion Hosting, LiquidWeb, and many others have informed their customers regarding this issue. The hackers botnet contains over 90,000 different IPs, and they are preying on WordPress beginners who are making some very common mistakes. Yes, this all sounds scary, so here is what you need to do to decrease your chances of being hacked.

1. Stop using the admin username

Often beginners use very common usernames such as admin, administrator, test, root etc. Our friends over at Sucuri reported those usernames are being heavily targeted right now. If you have a generic WordPress username such as admin, then you should change it right now.

We have an easy to follow tutorial that will show you how to change your username in WordPress.

2. Use a strong password

Please, please, please use a very strong password. These brute force attack tries to target all the most common passwords that people use. A strong password contains uppercase and lowercase letters, numbers, and symbols. Do not use the same password at more than one location. It is never too late to start using a password management solution like 1Password or LastPass.

3. Keep Good Backups

The best security you can have for your website is a great backup solution. We are using VaultPress which is a monthly service. However, if you don’t like to pay monthly, then we highly recommend that you get BackupBuddy.

Please keep good backups of your site because most hosting companies do not.

4. Use Two Factor Authentication

Start using two-factor authentication. This way even if someone guesses your password, they can’t access your site because they don’t have the security code. We highly recommend that you do this right now.

5. Password Protect WP-Admin and Limit Login Attempts

We always recommend our users to limit login attempts. However, this alone cannot protect all the attacks because this botnet contains 90,000 IPs. Another thing you can do is password protect your WP-admin directory. You can also limit your wp-login.php file to a specific IP.

6. Start using Sucuri

If you are not using Sucuri, then we highly recommend that you start using Sucuri. They are always on top of things, and there is no one else we would trust more when it comes to our WordPress security. See 5 reasons why we use Sucuri.

We are not sure what is the end goal for these attacks, but whatever it is we would hate to see our users fall prey to this. Please keep your sites up to date, and follow all the tips above.