Preventing Aggressive WordPress Brute Force Attacks


According to Forbes, WordPress is the most popular CMS in the world and is used by nearly 75 million websites. According to WordPress, more than 409 million people view more than 23.6 billion pages each month and users produce 69.5 million new posts and 46.8 million new comments every month. It also powers more than 25% of the world’s websites.

Being that WordPress is one if not the most popular content management systems in the world, hackers prefer to focus on vulnerabilities with the CMS. For that reason, it is no surprise that WordPress attacks are rising ever year.

Today, December 18th, 2017 at 10pm EST a large number of brute force attacks were implemented in order to gain access to as many sites as possible. Here is a quick overview of what happened.

  • A large number of attacking IP addresses (10,000) were used in the attack
  • Each IP is generating an enormous number of attacks
  • It was the most aggressive campaign seen to date by hourly attack volume (over 14 million attacks per hour)
  • 190,000 WordPress sites were targeted per hour

On December 5th, a massive database of hacked credentials emerged on the internet containing over 1.4 billion usernames and their passwords. This information very well could have been used in the brute force attacks.

How to Protect Your WordPress Site from Brute Force Attacks

If you have not done so, install a firewall like Wordfence Security immediately on your WordPress website

Even the free version provides excellent brute force protection by limiting login attempts and hiding usernames while employing other mechanisms to ward off attackers.

If you want a real-time blacklist implemented you can use the premium version of Wordfence to completely block attackers.

Some WordPress Security Tips That Anyone Can Apply (without plugins)

  • Install a firewall that intelligently blocks brute force attacks.
  • Ensure that you have strong passwords on all user accounts, especially admin.
  • Change your admin username from the default ‘admin’ to something harder to guess.
  • Change ‘/wp-admin/’ login page to something less generic.
  • Delete any unused accounts, especially admin accounts that you don’t use. This reduces your attack surface.
  • Enable two-factor authentication on all admin accounts.
  • Enable an IP blacklist to block IPs that are engaged in this attack.
  • Monitor login attempts by configuring alerts when an admin signs into your website.
  • Do not reuse a password on multiple services. That way if you have a password from a data breach in this new database, it won’t be the same as your WordPress admin password.

As you know, you can never be safe from your website being attacked but you should do everything you can to prevent it. Give us a call or send us a message if you have any questions about website security practices and technology. We can schedule an audit as well as a plan to make sure that you and your clients are as safe as possible on and off the internet.

Brave River is a one-stop-shop for everything web design and internet marketing. Contact us today if you’re interested in speaking to one of our experienced WordPress website designers.

Recent Posts

Browse by Category

Want to keep up with latest? Subscribe today!