How To STOP WordPress wp-login.php Brute Force Attack

Since April 2013 there have been several large-scale brute force attacks against WordPress wp-login.php, coming from a large number of compromised IP addresses spread across the world.

A large botnet of around 90,000 compromised servers has been attempting to break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin dashboard.

Global WordPress brute force attack

General WordPress brute force protection

We HIGHLY recommend implementing as many security measures for WordPress as you reasonably can. The following steps are a good first line of defence for you and your WordPress site against these and further attacks.

10 recommended steps to lock down and secure WordPress

1. Use a strong password

Minimum password recommendations:

  • At least 8 characters total (longer is better)
  • A mixture of upper and lower-case letters
  • Numbers, punctuation or other non-alphanumeric characters

Example weak password: secret1

Improved strong password: aHX#qw#13.hups

2. Change default WordPress admin username

By default, the WordPress installer creates the administrator account with the username admin.

The botnet attack is currently only targeting this default username, so even renaming the administrator account to something as unimaginative as admin123 significantly reduces the likelihood of this botnet logging into your site. Keep in mind that usernames are not secret: author archive URLs (for example ?author=1) and the REST API reveal them, so a changed username reduces exposure to untargeted attacks but is no substitute for a strong password.

3. Lockdown WordPress admin access with .htaccess

Relying on a WordPress brute force plugin against this type of attack is not very efficient: every malicious login attempt still has to load PHP and WordPress before the plugin can challenge it, and at the request rates a botnet generates that processing cost can make your site unavailable. Rules in .htaccess are evaluated by the web server before PHP runs, so a request blocked there costs almost nothing.

4. Temporarily disable CPU intensive login limit plugins

Blocking this attack with .htaccess rules is the preferred method. Login limiting plugins can trigger our own internal security rules, and they are in any case not effective against an attack of this scale, because each attacker IP only needs to make a handful of attempts before the next one takes over.
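As an added example (not code from the original post), the script below does the two things a site owner needs here: it counts POST requests to wp-login.php per client IP from Apache "combined" format access log lines, so you can see whether you are being hit and from where, and it writes an .htaccess fragment that allows wp-login.php only from a list of admin IPs. The log lines are constructed sample data using documentation address ranges, and the script assumes Apache with AllowOverride enabled for .htaccess; the threshold of 3 and the file location are arbitrary choices for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Apache access logs in
# the "combined" format and an .htaccess that Apache is allowed to honour.

# Constructed sample log lines (documentation IP ranges). A failed login
# re-renders the form with HTTP 200; a successful one redirects (302).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:02:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
)

# Count POST requests to wp-login.php (with or without a query string) per
# client IP. Reads log lines on stdin, prints "<count> <ip>", highest first.
# Combined format fields: $1 client IP, $6 quoted method, $7 request path.
login_post_counts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the IPs whose POST count reaches the threshold (default 20).
# Useful for feeding a firewall deny list or confirming you are a target.
offending_ips() {
    threshold="${1:-20}"
    login_post_counts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Write an .htaccess fragment that lets only the listed admin IPs (or CIDR
# ranges) reach wp-login.php. Apache answers 403 to everyone else before PHP
# and WordPress are loaded. Emits Apache 2.4 (Require) and 2.2 (Order/Allow)
# syntax so the same file works on either version.
write_wp_login_htaccess() {
    out="$1"; shift
    if [ "$#" -eq 0 ]; then
        echo "write_wp_login_htaccess: at least one admin IP required" >&2
        return 1
    fi
    allow="$*"
    {
        printf '# Restrict wp-login.php to known admin IPs; all others get 403\n'
        printf '<Files "wp-login.php">\n'
        printf '    <IfModule mod_authz_core.c>\n'
        printf '        Require ip %s\n' "$allow"
        printf '    </IfModule>\n'
        printf '    <IfModule !mod_authz_core.c>\n'
        printf '        Order Deny,Allow\n'
        printf '        Deny from all\n'
        printf '        Allow from %s\n' "$allow"
        printf '    </IfModule>\n'
        printf '</Files>\n'
    } > "$out"
}

# Stand-alone demonstration on the constructed log.
echo "POST attempts to wp-login.php per IP:"
printf '%s\n' "$SAMPLE_LOG" | login_post_counts
echo "IPs at or above the threshold of 3:"
printf '%s\n' "$SAMPLE_LOG" | offending_ips 3
write_wp_login_htaccess "${TMPDIR:-/tmp}/wp-login.htaccess" 198.51.100.23
cat "${TMPDIR:-/tmp}/wp-login.htaccess"
```

Run it against your real log with `offending_ips 20 < /var/log/apache2/access.log` and copy the generated fragment into the .htaccess in your WordPress root. Two caveats: the allow-list only works if you administer the site from fixed addresses (if your IP changes, protect wp-login.php with HTTP Basic Auth instead, which also runs before PHP), and if traffic reaches the server through Cloudflare, Apache sees Cloudflare's addresses as the client unless mod_remoteip restores the real one, so the IP rules would then block you too.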

5. Scan website for hacks, check Google Safe Browsing

If your WordPress site has been successfully compromised, a surface security scan of the website will usually show a clear indication, or the domain will end up flagged in Google's Safe Browsing.

Check Google’s safe browsing for your domain, at google.com/safebrowsing/diagnostic?site=example.com

6. Setup Cloudflare DNS level protection

Due to the large scale of this botnet attack, Cloudflare has offered DNS level filtering for this attack on all of its free accounts.

This is probably not ideal if you run many WordPress sites, since the name servers for each domain have to be changed and DNS propagation typically takes 24-36 hours. Single site owners, however, might benefit greatly from this type of protection, which should stop the botnet requests from reaching the server in the first place. Note that it only does so if the origin server's IP address is not otherwise exposed and the server accepts web traffic only from Cloudflare's address ranges.

7. Backup WordPress

At this point it is a good idea to back up WordPress, files and database both, just in case. That way, as the attacks continue, you always have a known-good point to restore to if something goes wrong.

8. Update everything WordPress

To protect yourself from any known exploits to WordPress you should update everything related to WordPress:

Necessary updates to make:

  • Update WordPress core from the admin dashboard
  • Update all WordPress themes, and remove unused ones (an inactive theme is still exploitable code on the server)
  • Update all WordPress plugins, and remove unused ones for the same reason

9. Other general WordPress recommendations

  • Optimizing WordPress with W3 Total Cache plugin
  • Log out of WordPress admin dashboard when not in use
  • Limit or disable WordPress revisions
  • Disable WordPress autosave
  • Install and use the Better Delete Revision WordPress plugin
  • WordPress Hosting

Hopefully, your WordPress website should be locked down and secure now, which should help prevent our own internal security rules from blocking your access to your WordPress admin.

Adnan Sattar

A self-driven productive Software Engineer who thrives in highly pressurized and challenging working environments by constantly improving skills. Eager to grasp new ideas and concepts from the environment.
