Large Scale Botnet Brute Force Attack Targets WordPress Sites, Over 90K Servers Affected

Own a website that runs on WordPress? You'll want to pay attention to this story. Since last week there has been an ongoing brute-force attack targeting stand-alone (self-hosted) WordPress installations. Many login systems, and most WordPress security plugins, will lock an address out for a while after it enters a wrong password a certain number of times, but there's an easy way around that for anyone willing to put in the effort: spread the guesses across many IP addresses, so that no single address ever trips the limit.

A handful of IPs wouldn't be too worrisome, but this particular attack has been observed using up to 90,000 of them. There is no practical way for a site owner to block that many addresses, and even if there were, chasing a list that grows with every newly compromised server is hardly an ideal defence anyway.

The attack has been seen trying up to 1,000 different passwords against the default WordPress administrator username, "admin". If your password is genuinely strong, you likely have nothing to worry about; if you've been lazy with your admin password, change it to something strong now. Because the bots guess only the username "admin", a site whose administrator account has a different name isn't even being tried against the right account, though that is no substitute for a strong password. Once a site is compromised, a backdoor is installed that adds your server to the growing botnet, which then goes looking for other sites to brute-force.
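The practical consequence of the 90,000-address pool is that the usual "block an IP after five bad logins" rule never fires, because each address only needs to make a guess or two. What does stand out in a web server's access log is the number of different addresses failing a login against one site in a short window. The following is an added example (not code from the article, from Krebs on Security, or from WordPress) that parses combined-format access log lines and applies both rules. The log lines are constructed for the example, using RFC 5737 documentation addresses; the thresholds are illustrative assumptions, and the example assumes that stock WordPress re-renders the login form with HTTP 200 on a failed login and answers a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as written by Apache/nginx; we only need the leading fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not a real capture): 200 login POSTs inside one minute,
# each from a different RFC 5737 documentation address, plus one real user at
# 192.0.2.10 who mistypes once and then logs in (302) and reaches wp-admin.
SAMPLE_LOG = [
    f'198.51.100.{i + 1} - - [12/Apr/2013:10:15:{i % 60:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3521'
    for i in range(200)
] + [
    '192.0.2.10 - - [12/Apr/2013:10:15:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3521',
    '192.0.2.10 - - [12/Apr/2013:10:15:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [12/Apr/2013:10:15:42 +0000] "GET /wp-admin/ HTTP/1.1" 200 41020',
]


def parse_line(line):
    """Return the fields we care about, or None for lines that don't match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "minute": ts.strftime("%Y-%m-%dT%H:%M"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def failed_login_posts(lines):
    """Yield (ip, minute) for each POST to wp-login.php that did not redirect.

    Assumption of this example: a 200 on a login POST is a failed login (the form
    was re-rendered), a 302 is a success. Adjust if your site behaves differently.
    """
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"].endswith("/wp-login.php")
                and rec["status"] == 200):
            yield rec["ip"], rec["minute"]


def per_ip_offenders(lines, max_failures_per_minute=5):
    """Classic per-address rule: which IPs failed more than N logins in one minute?"""
    counts = defaultdict(int)
    for ip, minute in failed_login_posts(lines):
        counts[(ip, minute)] += 1
    return {ip for (ip, minute), n in counts.items() if n > max_failures_per_minute}


def distributed_attack_minutes(lines, min_distinct_ips=20):
    """Site-wide rule: minutes in which too many *different* addresses failed a login.

    Returns {minute: number_of_distinct_failing_ips} for every minute over threshold.
    """
    ips_by_minute = defaultdict(set)
    for ip, minute in failed_login_posts(lines):
        ips_by_minute[minute].add(ip)
    return {m: len(ips) for m, ips in ips_by_minute.items() if len(ips) >= min_distinct_ips}


if __name__ == "__main__":
    print("per-IP offenders:", per_ip_offenders(SAMPLE_LOG) or "none (the attack slips through)")
    print("minutes with a distributed attack:", distributed_attack_minutes(SAMPLE_LOG))
```

Run against the sample, the per-IP rule reports nothing, since no address fails more than once, while the distinct-address rule flags the minute with 201 failing sources (200 bots plus the one legitimate typo). The second number is the one worth alerting on; the legitimate user's single failure is noise that the threshold absorbs.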

As an article at Krebs on Security suggests, there are a couple of very easy steps you can take to raise the level of security on your WordPress site. In addition to a strong password, you can install Duo Security's plugin, which adds two-factor authentication, so that a correctly guessed password alone is not enough to log in. Going the hardcore route, you can restrict access to the WordPress admin (wp-login.php and the wp-admin directory) to specific IP addresses, though that isn't practical if your own connection has a dynamic IP.

Though WordPress is the target of this attack, there's really no exploit to speak of: the bots simply guess passwords through the normal login form. The one thing WordPress itself could change is to cap the total number of failed login attempts against an account regardless of which IP address they come from. But again, that's a bit on the hardcore side, because an account lockout also lets anyone lock the real administrator out just by deliberately failing logins. A strong password protects against this sort of attack extremely well on its own.
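To make the trade-off concrete, the following is an added example (not WordPress code, and not code from the article) that replays a 1,000-entry wordlist against the "admin" account while rotating through 200 attacker addresses, once under a per-IP lockout and once under a per-account lockout. The lockout thresholds, the IP pool, the wordlist and both passwords are constructed for the example; the class and function names are the example's own.

```python
import itertools
from collections import defaultdict


class PerIpLockout:
    """Refuse further attempts from an address after max_failures (the usual plugin rule)."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def allowed(self, ip, username):
        return self.failures[ip] < self.max_failures

    def record_failure(self, ip, username):
        self.failures[ip] += 1


class PerAccountLockout:
    """Refuse further attempts against an account after max_failures, whatever the source."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def allowed(self, ip, username):
        return self.failures[username] < self.max_failures

    def record_failure(self, ip, username):
        self.failures[username] += 1


def run_attack(policy, ip_pool, password_list, username, real_password):
    """Replay a wordlist against one account, rotating through ip_pool.

    Returns (cracked, attempts_served, attempts_refused).
    """
    ips = itertools.cycle(ip_pool)
    served = refused = 0
    for guess in password_list:
        ip = next(ips)
        if not policy.allowed(ip, username):
            refused += 1
            continue  # a real bot would just move on to the next address or site
        served += 1
        if guess == real_password:
            return True, served, refused
        policy.record_failure(ip, username)
    return False, served, refused


# Constructed inputs (assumptions of this example, not figures from the article):
# 200 attacker addresses from an RFC 5737 range and a 1,000-entry wordlist.
IP_POOL = [f"198.51.100.{i}" for i in range(1, 201)]
COMMON = ["password", "123456", "admin", "letmein", "qwerty", "welcome", "wordpress", "admin123"]
PASSWORD_LIST = COMMON + [f"guess{i}" for i in range(1000 - len(COMMON))]
WEAK = "admin123"                 # sits at position 8 of the wordlist
STRONG = "vT9#kq2!Lm8@zR4w"       # hypothetical strong password, not in the wordlist


def compare_policies(real_password):
    """Run the same distributed attack under both policies; returns {policy_name: result}."""
    return {
        "per_ip": run_attack(PerIpLockout(), IP_POOL, PASSWORD_LIST, "admin", real_password),
        "per_account": run_attack(PerAccountLockout(), IP_POOL, PASSWORD_LIST, "admin", real_password),
    }


if __name__ == "__main__":
    for label, pw in (("weak", WEAK), ("strong", STRONG)):
        for policy, (cracked, served, refused) in compare_policies(pw).items():
            print(f"{label:6} {policy:12} cracked={cracked!s:5} served={served:4} refused={refused}")
```

With 200 addresses and a five-failure limit, the per-IP policy serves every one of the 1,000 guesses (each address is used exactly five times and never trips the limit), so the weak password falls on the eighth attempt and only the strong one survives. The per-account policy refuses everything after the fifth failure from any source, which stops the run in this window, but the same five deliberate failures would also lock out the legitimate administrator, which is the cost the article alludes to.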

thunderdan602 one year ago

What a shame. I'm all for strong passwords, but this is ridiculous.

Clixxer one year ago

I don't think having up to 5 or so chances to log in for an admin account would be that hardcore. I thought that was starting to be a standard, so brute force is pretty much made useless for certain periods of time. Then again, I would hope people that are admins would understand that leaving your password as something easy would be the first thing not to do, but I'm sure people do it.

It's kinda funny though: this comes up, and while I don't have any admin access to a WordPress site, I went and tested the passwords I usually use. I was shocked that my "hard" password, which I think is simple to remember, beat out my buddy's military password that seems very difficult to type in and remember. Either way, people should be educated enough that, regardless of the service they use, they have a good medium, but hopefully strong, password.

JeffYablon one year ago

Coincidentally, we made this point in one of our Daily Influency Videos, just this week:

It's a real problem, and the fact that so many WordPress sites are being hammered hard enough to get seriously slow needs to just work its way out, but the security part is actually pretty simple, eh?

OSunday one year ago

And here I was considering different venues to start a little website for myself, with WordPress among them.

Clixxer one year ago

OSunday, I wouldn't let this get you down on WordPress. It's actually pretty good, and just some conscious effort on your part to either make a strong password or change it every so often thwarts this easily, along with the plug-ins.
