10 Things You Should Know About The WordPress Brute Force Attacks


Unless you have been living at the bottom of a well, you are probably well aware by now of the brute force login attacks hammering WordPress sites worldwide. Today, we are enumerating 10 things you should know about this situation and how to harden your WordPress installs — and what to do if you are a victim of these attacks.

Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in…. They are, in short, an attack on the weakest link in any website’s security: You. ~~ WordPress Codex

  1. Some web hosts have been disabling access to the wp-login.php file across all WordPress installs. If that’s the case, you won’t be able to access your WordPress backend; you’ll just have to wait it out. (Or change web hosts because this is really NOT how you cope with this situation.)
  2. Follow the advice given on WordPress’s own Codex on Brute Force Attacks article.
  3. Use a plugin that limits unsuccessful login attempts; two to consider are Login Lockdown and Limit Login Attempts
  4. If your web host is not one who has disabled the wp-login.php file, you can protect it yourself by creating an authenticated user and password and modifying your .htaccess file.
  5. Read this article and consider how to strengthen your passwords so that they are virtually hack-proof.
  6. Still not convinced about your login credentials? Then read what WordPress’s creator, Matt Mullenweg, has to say about this recent hack attempt.
  7. If you are not using a self-hosted WordPress install but are instead blogging at WordPress.com, then enable Two-Step Authentication.
  8. Did I forget to mention? Update WordPress, update all your plugins; delete the ones you are not using (don’t just disable them; delete them completely from your server); and update your theme if it needs updating.
  9. DIYers, learn how to rebuild your MySQL database after a hack.
  10. If the worst happens, you can hire a web developer with experience in threat management to help get your hacked site back on its feet, safe and sound.
Joni Mueller has been designing web sites for hire since 2003, when she first blew up her web host's server by insisting on running Greymatter. Since then, Joni has designed for Blogger and Movable Type, TextPattern, WordPress and CMS Made Simple. She lives with her cat and shoe collection in a bucolic old section of Houston called Idylwood. For some strange reason, Joni likes to refer to herself in the third person. When she's not working on web design, she's ordering lawyers around. And blogging about it. Or both.

2 thoughts on “10 Things You Should Know About The WordPress Brute Force Attacks

Leave a Reply

Your email address will not be published. Required fields are marked *