PCI Compliant Web Hosting and Managed Service Provider
Hosting Solutions since 1995

WordPress Brute Force Attacks

Author: ; Published: Oct 15, 2012; Category: Managed Hosting, Security, WordPress; Tags: , , ; 7 Comments

Weak PasswordsIt is common for me to submit several hundred abuse reports as part of our security monitoring service every day.  If I was asked for an off the cuff ball park of the main attack types from January 2012 to August 2012, I would probably answer with 40% remote file inclusion attacks, 40% local file inclusion attacks, 15% directory transferal attacks, 4% other (including brute force attacks), and 1% SQL injection attacks.

If you asked me from September 2012 forward, the answer would change dramatically with WordPress Brute Force Attacks now exceeding 50% of all attacks being reported.

If you review your or your hosting provider reviews your web site’s access logs on a regular basis, you can tell if there are Brute Force attacks being attempted on your WordPress site by seeing multiple requests to access the file wp-login.php from the same IP address over and over again.  Sometimes it might be a single request every x period of time; other times it might be scores of requests from the same IP address.  By the way, are you or your provider regularly checking your web site access logs for abuse?

How can you protect yourself against WordPress Brute Force attacks?

  1. Use strong passwords that are at least 12 wide which are unique to the user id and the application / device (you never re-use the same password for anything).
  2. Change your password every 90 days; and never re-use the same password from the past.  Alternate the width of the password each time, never going less than 12 wide.
  3. Make sure your WordPress was installed in a secure manner.  If your WordPress was installed by a hosting automation system rather than manually, the installation is insecure.  Use the WordPress Hardening Codex to go through and harden your WordPress installation or ask your designer or hosting provider to do it for you.
  4. Go through the excellent check lists and articles at the WordPress Security Checklist site.
  5. If you can take advantage of limiting access to wp-config.php by IP address, then do so.
  6. Consider using plugins like More Security Login, Login Security Solution, and Limit Login Attempts.
  7. Consider using a hosting provider like our company that does review the logs for you, has intrusion systems in place to catch and stop most break in attempts, who does free daily backups and free restores who will work with you to keep your site secure.

Since nothing is hacker proof, should you find your WordPress site hacked, see our Site Security page for what we recommend for you to do (if you host with us, we do the clean up 100% in-house).

Do you have your own suggestions for how to protect against WordPress Brute Force Attacks?  Let us know in the comment area below.


Peter Abraham
Former CEO of Dynamic Net, Inc. Will be transitioning to a new career in the near future.
Peter Abraham


Peter Abraham

7 Responses to “WordPress Brute Force Attacks”

  1. […] original article/video can be found at WordPress Brute Force Attacks – How you can protect yourself against WordPress Brute Force att… This entry was posted in Team Cymru and tagged archives, december-2011, february-2012, hosting, […]

  2. Over 15,000 WordPress Sites Compromised to Host “Make Easy Money” Ads | IT-Networks says:

    […] also offers some valuable advice on how WordPress blogs can be protected against such attacks. Share […]

  3. Anders says:

    Hi Peter,

    Great article – thanks for providing the statistics!

    And thanks for the mention – much appreciated :-)

    I hope it’s ok if I link back to this article from a couple of new articles we’ll be posting soon. We’re due to update The WordPress Security Checklist soon.

    A user recently asked a great question in relation to this topic on our forum. He did not understand how the bots doing the brute force attacks could find his admin user name… the link to the question and answer is here: http://www.wpsecuritychecklist.com/forums/topic/hacking-attempts-hide-username/

    I think this might be of interest to your readers too.

  4. Good day, Anders:

    Thank you for your kind words. Yes, you can link back to the article.

    BTW, I have been sharing your site as I’m able. Mark Vang @chmod777Mark shared he appreciated your articles for making WordPress more secure.

    Thank you.

  5. […] articles:Protect Against Brute-force/Proxy Login AttacksAre Small Sites Targeted For Hacking?WordPress Brute Force Attacks (by Peter Abraham of Dynamic Net)Follow The White RabbitClick HereAre you reading this article as a […]

  6. Sherry says:

    Great article. The Christmas rush of brute force password cracking attempts appears to be slowing down once again as the kids return to school. I can count on these attacks to occur whenever there are school holidays. Not that they do not occur at other times, but the volume is significantly increased.

    I use a plugin to detect failed logins over a specific period of time and lockout those IP addresses. This does not generally stop the attacks, but it does give me notice and allows me to ban the IP address at a higher level. This is a lot of extra work, but I find it effective. After a period of time, the IPs are then removed, as generally the computers involved will have changed IP addresses. Depending on the purpose of the website, banning IP ranges may also be an option. Domain tools will tell you where the IP ranges are assigned.

    When it comes to brute force password attacks on my WP sites, more than 90% are aimed at the admin login. I replace the admin login so that it isn’t there to be hacked. I also ensure that at the admin level at least, nicknames are used that differ from login names, which I assume makes it harder for the casual hacker to come up with a valid login name to work with.

    The hosting company I currently use has the cPanel interface and also has Simple Scripts as a WP site builder option. What I like about Simple Scripts is the ability to use non-default table prefixes easily.

    I am impressed that as a hosting provider you do monitor logs and offer inhouse clean up. I do know that this is not done by my current provider. When I asked what options were available in protecting against these types of attacks, I was told I was on my own.

    What I find to be frustrating is that there appears to be no recourse for site owners and most, like myself, have probably giving up on sending in abuse reports as there is no response from the recipient. It is a lot of work to scan logs and pick out the related information just to send it off and never hear anything back. And while I realize that often the systems being used for these attacks have been compromised, and there are privacy issues involved, some response would be appreciated to make the effort worthwhile.

    Many years ago, most ISPs would not take responsibility for virus activity on their networks. Since then, many have incorporated free virus protection software into their offerings. Of course we all know this is not free, but it is more convenient for customers and it does show the willingness of the ISPs to take partial ownership of the problem. We need something simular to happen in regards to online hackers. At the moment, most site owners are on their own and it doesn’t appear that anyone is listening.

    Just my two cents.

Leave a Comment