Preventing Aggressive WordPress Brute Force Attacks
December 18, 2017
Forbes, WordPress is the most popular CMS in the world and is used by nearly 75
websites. According to WordPress, more than 409 million people view more
23.6 billion pages each month and users produce 69.5 million new posts
million new comments every month. It also powers more than 25% of the
Since WordPress is one of, if not the most popular, content management systems in the world, attackers prefer to focus on vulnerabilities in the CMS. For that reason, it is no surprise that WordPress attacks are rising
Today, December 18th, 2017, at 10pm EST, a large number of brute force attacks were launched in an attempt to gain access to as many sites as possible. Here is a quick overview of what happened.
- A large number of attacking IP addresses (10,000) were used in
- Each IP is generating an enormous number of attacks
- It was the most aggressive campaign seen to date by hourly attack volume (over 14 million attacks per hour)
- 190,000 WordPress sites were targeted per hour
On December 5th, a massive database of hacked credentials containing over 1.4 billion usernames and their passwords emerged on the internet. This information may very well have been used in the brute
How to Protect Your WordPress Site from Brute Force Attacks
If you have not already done so, install a firewall plugin such as Wordfence Security on your WordPress website immediately. Even the free version provides excellent brute force protection by limiting login attempts, hiding usernames and employing other mechanisms to ward off attackers. If you want a real-time blacklist, the premium version of Wordfence can block known attackers outright.
Some WordPress Security Tips That Anyone Can Apply (without
- Install a firewall that intelligently blocks brute force
- Ensure that you have strong passwords on all user accounts,
- Change your admin username from the default ‘admin’ to something harder to guess.
- Change the ‘/wp-admin/’ login page URL to something less generic.
- Delete any unused accounts, especially admin accounts that you don’t use. This reduces your attack surface.
- Enable two-factor authentication on all admin accounts.
- Enable an IP blacklist to block IPs that are engaged in this
- Monitor login attempts by configuring alerts for when an admin signs into your website.
- Do not reuse a password across multiple services. That way, if one of your passwords from an earlier data breach is in this new database, it will not be the same as your WordPress admin password.
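The "monitor login attempts" and "IP blacklist" advice above can also be applied at the web-server level, independently of any plugin. The following script is an added example, not code from the original post or from Wordfence: it parses access log lines in the common combined format, counts failed POSTs to wp-login.php per source IP inside a sliding time window, and reports IPs whose peak count exceeds a threshold. The log lines, IP addresses (RFC 5737 documentation ranges) and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access log format, e.g.
#   203.0.113.7 - - [18/Dec/2017:22:00:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is not a request record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def find_brute_forcers(lines, max_failures=5, window_seconds=60):
    """Map each IP with more than max_failures failed logins inside a sliding window to its peak count.
    WordPress answers a failed POST to wp-login.php by re-rendering the form (HTTP 200), while a
    successful login answers with a 302 redirect, so only 200 responses count. Lines must be in time order."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop attempts that aged out of the window
            q.popleft()
        if len(q) > max_failures:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def _log(ip, second, status, method="POST"):
    """Build one constructed log line (RFC 5737 documentation addresses, not real attackers)."""
    return (f'{ip} - - [18/Dec/2017:22:00:{second:02d} -0500] "{method} /wp-login.php HTTP/1.1" '
            f'{status} 3521 "-" "Mozilla/5.0"')

# Constructed sample: one IP hammering the form, one legitimate user, one plain page fetch.
SAMPLE_LOG = sorted(
    [_log("203.0.113.7", s, 200) for s in range(0, 16, 2)]          # 8 failures in 14 seconds
    + [_log("198.51.100.4", 3, 200), _log("198.51.100.4", 9, 302)]  # one mistyped password, then success
    + [_log("192.0.2.9", 30, 200, "GET")],                          # only loads the login form
    key=lambda line: parse_line(line)[1],
)
FLAGGED = find_brute_forcers(SAMPLE_LOG)  # {'203.0.113.7': 8}
```

Feeding the flagged IPs into a firewall deny list, or raising an alert when an admin login succeeds from an IP that was recently flagged, turns this into the monitoring and blacklisting described above.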
As you know, you can never be completely safe from attacks on your website, but you should do everything you can to prevent them. Give us a call or send us a message if you have any questions about website security practices and technology. We can schedule an audit as well as a plan to make sure that you and your clients are as safe as possible on and off the internet.
Brave River is a one-stop-shop for everything web design and internet marketing. Contact us today if you're interested in speaking to one of our experienced WordPress website designers.