WordPress Brute Force Attacks, and What You Need to Do About it

Last updated on April 12th, 2013 by Editorial Staff

Several major sources have confirmed that mass brute force attacks are being targeted at WordPress and Joomla sites as we speak. HostGator, InMotion Hosting, LiquidWeb, and many others have informed their customers about this issue. The hackers' botnet contains over 90,000 different IPs, and they are preying on WordPress beginners who are making some very common mistakes. Yes, this all sounds scary, so here is what you need to do to decrease your chances of being hacked.

1. Stop using the admin username

Beginners often use very common usernames such as admin, administrator, test, root, etc. Our friends over at Sucuri reported that those usernames are being heavily targeted right now. If you have a generic WordPress username such as admin, then you should change it right now.

We have an easy to follow tutorial that will show you how to change your username in WordPress.

2. Use a strong password

Please, please, please use a very strong password. These brute force attacks try all the most common passwords that people use. A strong password contains uppercase and lowercase letters, numbers, and symbols. Do not use the same password at more than one location. It is never too late to start using a password management solution like 1Password or LastPass.

3. Keep Good Backups

The best security you can have for your website is a great backup solution. We use VaultPress, which is a monthly service. However, if you don't like to pay monthly, then we highly recommend that you get BackupBuddy.

Please keep good backups of your site because most hosting companies do not.

4. Use Two Factor Authentication

Start using two-factor authentication. This way even if someone guesses your password, they can’t access your site because they don’t have the security code. We highly recommend that you do this right now.

5. Password Protect WP-Admin and Limit Login Attempts

We always recommend that our users limit login attempts. However, this alone cannot protect against all of the attacks, because this botnet contains 90,000 IPs and each one only needs a few tries. Another thing you can do is password protect your wp-admin directory. You can also restrict access to your wp-login.php file to a specific IP.
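As an added example (not code from WPBeginner or from any plugin mentioned here), the script below counts failed POSTs to wp-login.php per source IP in Apache access-log lines, which is also a quick way to see from your logs whether you are being hit. It runs on constructed sample lines and assumes WordPress answers a failed login with HTTP 200 (it re-renders the form) and a successful one with a 302 redirect; the numbers it returns show why a per-IP limit stops one noisy source but lets a spread-out botnet through.

```python
import re
from collections import Counter

# Apache combined log format; we only need source IP, method, path and status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return the fields we care about, or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}


def failed_logins(lines):
    """Count failed login POSTs per source IP.
    Assumption: a failed login to wp-login.php comes back as 200, a success as 302."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php") and rec["status"] == 200):
            counts[rec["ip"]] += 1
    return counts


def summarize(lines, threshold=3):
    """Apply a per-IP limit and report how many failed attempts it would not stop."""
    counts = failed_logins(lines)
    flagged = {ip for ip, n in counts.items() if n >= threshold}
    total = sum(counts.values())
    blocked = sum(counts[ip] for ip in flagged)
    return {"failed": total, "ips": len(counts),
            "flagged": sorted(flagged), "unblocked": total - blocked}


def _line(ip, method, status, sec):
    # Constructed sample log line (documentation address ranges, not real traffic).
    return (f'{ip} - - [12/Apr/2013:10:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3421 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("203.0.113.5", "POST", 200, s) for s in range(5)]                 # one loud IP
    + [_line(f"198.51.100.{n}", "POST", 200, 10 + n) for n in range(1, 7)]   # six quiet IPs
    + [_line("192.0.2.9", "GET", 200, 30), _line("192.0.2.9", "POST", 302, 31)]  # real admin
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))  # 11 failed from 7 IPs; only the loud one is flagged
```

On the sample, the per-IP limit flags the single source that tried five times, while the six distributed attempts (one per IP) pass untouched, which is exactly the gap the botnet exploits.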

6. Start using Sucuri

If you are not using Sucuri, then we highly recommend that you start using Sucuri. They are always on top of things, and there is no one else we would trust more when it comes to our WordPress security. See 5 reasons why we use Sucuri.

We are not sure what the end goal of these attacks is, but whatever it is, we would hate to see our users fall prey to it. Please keep your sites up to date, and follow all the tips above.

About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.

13 Comments

  1. Janet says:
    Apr 17, 2013 at 12:18 am

    I am working at securing sites for my clients, and need to password-protect their wp-admin folder. I am having a problem and hope someone can help. When I go to cPanel to pw-protect that folder, I get an error about FrontPage Extensions being installed, which prevents pw-protecting. When I go to uninstall the extensions, I get this message:

    Warning: Installing or uninstalling FrontPage extensions will result in the loss of all “.htaccess” files. Any changes you have made to your “.htaccess” files will be lost.

    If I made a .htaccess backup as instructed on this page https://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/ , would that be enough?

    Thanks for your help and all your VERY helpful information!

    Reply
    • Editorial Staff says:
      Apr 18, 2013 at 8:28 am

      As long as you have backups, then you should be good to go.

      Reply
      • Janet says:
        Apr 24, 2013 at 9:12 pm

        Thank you! I ended up having some problems with the .htaccess, but our web host fixed everything for us. Thanks so much for the help!

        Reply
  2. Sarah B R says:
    Apr 16, 2013 at 9:13 pm

    Hello,
    I followed your guidelines for two-step authentication and it worked fine the first time a few days ago.
    I wanted to log in today and went to the app on my phone, and the WordPress account I had added is nowhere to be found. So now I can't log in.
    Thanks for the help.

    Reply
    • Editorial Staff says:
      Apr 18, 2013 at 8:29 am

      That’s weird. Well the easiest thing would be to delete that plugin via FTP and login again. Set it up again once you are logged in :)

      Reply
  3. Edwin Lynch says:
    Apr 14, 2013 at 8:18 pm

    I use WP Better Security. It’s free, does nearly everything Sucuri does except promote affiliate marketing spam :)

    Reply
  4. Ratnesh says:
    Apr 14, 2013 at 2:40 am

    Login Lockdown is the best plugin to secure a WordPress blog against brute force attacks.

    Reply
  5. Robert Connor says:
    Apr 14, 2013 at 1:21 am

    Some good advice! My site admin panel is getting bombarded daily with login attempts!

    Reply
  6. Jane says:
    Apr 13, 2013 at 10:41 pm

    How do you know when you’ve been Brute-Force attacked? My client has been having issues with his WP site recently, so I’m wondering if this has to do with it.

    Reply
  7. Jennifer says:
    Apr 13, 2013 at 11:03 am

    I have a site that is currently getting hit with a brute force attack. It is RELENTLESS. The site uses SUCURI (thank goodness!) and they have already done one clean-up for us.

    Thank you, Syed & team, for all of the great information. I just added the two factor authentication and will put the rest of your suggestions in place ASAP.

    Reply
  8. Esther says:
    Apr 13, 2013 at 9:13 am

    Thank you for the link to the free video, I just started my WP site yesterday, after running a Blogger site, and it is, kicking, my, butt! I am fairly tech savvy, so I have no idea what my problem is, only that I have one! lol

    Reply
  9. Keith Davis says:
    Apr 13, 2013 at 7:13 am

    Hi guys
    Read the article over on the Sucuri website – I’m with those guys and I use a few other security measures.

    Just given you a callout on #WordPress

    Reply
  10. Scott Hack says:
    Apr 12, 2013 at 9:05 pm

    Would love to see a limit to logins added to core for 3.6

    Reply
