WordPress Brute Force Attack 2013



If you have a WordPress site you may have noticed performance issues over the last week or so, or you may have been unable to log in at all.

If you haven’t heard, there’s been a massive brute force attack on WordPress going on for the past few days now (it’s April 16th today).

A brute force attack is where an automated attacker hits your login screen with thousands of different username/password combinations trying to gain access. This particular attack is on a massive scale (see how massive here).

What To Do About It

1) If you are unable to log in at all to your WP dashboard, contact your hosting provider and let them know what’s going on.

2) Change your passwords. A strong password is your first and best line of defense against brute force attacks. Your password should be so long and complex that you could not possibly ever remember it yourself…basically, if you’re still writing your passwords down it’s time to move out of the dark ages 🙂

Please get a password manager service like Roboform or LastPass (I use Roboform). A password manager creates strong passwords for you, then saves them so you only have to click 1 button to log into any account you’ve ever created from the beginning of time.

If you spend any amount of time creating accounts online (if you run your own website, this is definitely you) a password manager will be your best friend. Roboform saves me hours upon hours of time and frustration…I honestly don’t know how I could do business efficiently without it.

3) Delete the “admin” user. Most brute force attacks target the admin username because they know thousands of WordPress users never change the default settings. It is extremely easy for a hacker to obtain all your usernames anyway…but the fact is probably 99% of these attacks are automated attacks targeting the admin username.

Here is a tutorial I found for how to delete your admin account. Please follow the directions carefully so you won’t delete any of your posts.

4) Install a login security plugin. By default WordPress allows unlimited failed login attempts. This means a hacker can sit there and attack your site all day long trying hundreds of thousands of password combinations, tying up your website resources, until they finally crack your login.

A login security plugin will automatically lock out an attacker after a specified number of failed login attempts.

Try one of these login security plugins:

Limit Login Attempts

Login Security Solution

If you’d like to try a more robust security plugin that includes login security as part of their tool suite, check out these plugins:

Better WP Security


5) You can also set up some kind of 2 step authentication for your login screen. You can ask your hosting provider to do this for you on their end, or try Google Authenticator.

6) Always make regular backups. If you have a website, please back it up. You can never be 100% safe from disaster and having a good backup strategy is like having homeowner’s insurance…if the worst should happen, you’re still covered. One of the most popular backup solutions is Backup Buddy, but there are many others.
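
To make point 4 concrete, here is an added Python example (not part of the original post and not code from any of the plugins named above) that replays web server access log lines and reports which IP addresses a lockout rule would have blocked. It assumes Combined Log Format, that a failed WordPress login answers the POST to /wp-login.php with status 200 and a successful one with 302, and made-up thresholds (5 failures in 5 minutes, 20 minute lockout); the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format; only the fields used below are captured.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_lockouts(lines, max_failures=5, window=timedelta(minutes=5),
                  lockout=timedelta(minutes=20)):
    """Return {ip: [times a lockout would have started]}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}             # ip -> end of the current lockout
    lockouts = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue              # page views of the form are not attempts
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and ts < locked_until[ip]:
            continue              # a lockout plugin would reject these
        # Assumption: 200 = form shown again (failure), 302 = success.
        if m["status"] != "200":
            recent[ip].clear()    # a good login resets the counter
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked_until[ip] = ts + lockout
            lockouts[ip].append(ts)
            q.clear()
    return dict(lockouts)

def _line(ip, hms, status, method="POST"):
    return (f'{ip} - - [16/Apr/2013:{hms} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3120 "-" "-"')

# Constructed sample log lines, not real traffic.
SAMPLE = [_line("203.0.113.7", f"10:00:{s:02d}", 200) for s in range(0, 40, 4)]
SAMPLE += [_line("198.51.100.20", "10:01:00", 200),  # owner mistypes once
           _line("198.51.100.20", "10:01:30", 302),  # then logs in
           _line("198.51.100.20", "10:02:00", 200, "GET")]  # page view only

if __name__ == "__main__":
    print(find_lockouts(SAMPLE))
```

On the sample, the address that sends ten failures in under a minute is locked out at its fifth attempt, while the owner who mistypes once and then logs in is never flagged.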

Be Security Minded

Website security is everyone’s responsibility, and the best strategy you can have is to stay informed and adhere to best practices.

1) Learn how WordPress recommends protecting your site.

How to Harden WordPress

2) Stay up to date with the latest security vulnerabilities and exploits.

Sucuri Blog

3) Watch this webinar from the folks at Sucuri that goes into the most common WordPress vulnerabilities and how to fight back.

Here’s another really helpful and informative webinar from the creator of the BulletProof Security plugin: Watch It Here

A Few Words In Closing

I find it extremely unfortunate, annoying, and disappointing that we have to worry about cyber terrorists destroying our hard work and derailing our lives…but that’s the world we live in.

If you have a website that’s important to you, you need to take steps to protect it.

Website security is a big and complicated topic and for most of us with small websites, it’s simply too much to take on alone. Thankfully, there are many experts out there that offer their security services to small business owners like ourselves at a reasonable price or even free in the case of many plugins.

If you have a WordPress blog and have not done anything to secure against the ongoing brute force attack happening right now, I urge you to do so immediately.

If you’re anything like me, you’ve probably put more hours into your website than you can count and it represents a significant investment and asset to your business.

Hopefully you’ve received value from this post. If you have anything to add, feel free to leave a comment (and we always appreciate a share) 🙂

Thanks for reading and happy blogging.

Shawn Smith