
Caution: Brute Force Attacks Against WordPress Sites

By Nile Flores 134 Comments


Over the past few days, WordPress sites around the world have seen slower load times or even downtime. Some may have even been hacked or spammed.

This is because there has been a global attack on sites using WordPress, specifically trying to find your password. This is not an attack on just one web host, but on several.

So, what is a brute force attack? According to Wikipedia, a brute force attack is:

In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data[1] (except for data encrypted in an information-theoretically secure manner).

No worries, here are a few things you can do:

1. Change your password to something more complex. Use both uppercase and lowercase characters, as well as numbers and symbols. The longer the password, the better, but it should be no less than 10 characters. Some places recommend 8, but I like to recommend just a little more.

2. Install Better WordPress Security or BulletProof Security; some people also recommend Limit Login Attempts. You may want to install one of the first two plugins instead of the last, since Limit Login Attempts only does what its title says it does.

3. If you are a dedicated server client with your web host, ask the host to install a more robust firewall plugin. They may charge, but it will work better than the default firewall program they usually install.

According to HostGator’s blog post on Global WordPress Brute Force Flood, you can ask your web host to password protect the .htaccess files and all WordPress login files. This offer is for their VPS and dedicated server clients. HostGator also provides a way that you can set this yourself with their WordPress Login- Brute Force tutorial in their Support Portal.

If you are having issues with downtime or load time, submit a support ticket even though your host is aware of this happening, so they can track the issue.
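To check whether your own site is seeing this login flood, and to have evidence for the support ticket, you can count failed login POSTs per IP address in the web server's access log. The script below is an added example, not part of the original post or of HostGator's tutorial; it assumes a combined-format access log in time order, stock WordPress behaviour (a failed login answers 200, a successful one redirects with 302), thresholds chosen for illustration, and constructed sample lines using documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/wp-login.php"  # the WordPress login file


def parse_line(line):
    """Return (ip, time, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    path = m["path"].split("?", 1)[0]  # ignore any query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def find_bruteforce(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Flag IPs with more than max_attempts failed login POSTs inside the window.

    Assumption (stock WordPress): a failed login re-renders the form with
    status 200, a successful login redirects with status 302.
    Returns {ip: {"peak_in_window", "failed_total", "login_after_flood"}}.
    """
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    failed_total = defaultdict(int)  # ip -> all failures seen
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        if status == 302:
            # A successful login from an already-flagged IP may mean the
            # password was guessed: treat it as the top priority.
            if ip in report:
                report[ip]["login_after_flood"] = True
            continue
        if status != 200:
            continue
        failed_total[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_attempts:
            entry = report.setdefault(
                ip, {"peak_in_window": 0, "login_after_flood": False}
            )
            entry["peak_in_window"] = max(entry["peak_in_window"], len(q))
    for ip, entry in report.items():
        entry["failed_total"] = failed_total[ip]
    return report


def sample_line(ip, hhmmss, method, path, status):
    """Build one constructed combined-format log line for the demo."""
    return (f'{ip} - - [12/Apr/2013:{hhmmss} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 2048 "-" "constructed-sample"')


# Constructed sample data (not real traffic).
SAMPLE_LOG = (
    # 20 failed logins in 40 seconds from one address ...
    [sample_line("203.0.113.7", f"10:00:{s:02d}", "POST", LOGIN_PATH, 200)
     for s in range(0, 40, 2)]
    # ... followed by a successful login from the same address
    + [sample_line("203.0.113.7", "10:00:41", "POST", LOGIN_PATH, 302)]
    # a real user who mistypes once, then logs in
    + [sample_line("198.51.100.23", "10:01:00", "POST", LOGIN_PATH, 200),
       sample_line("198.51.100.23", "10:01:20", "POST", LOGIN_PATH, 302),
       # someone merely loading the login page
       sample_line("192.0.2.50", "10:02:00", "GET", LOGIN_PATH, 200),
       "a damaged line that does not parse"]
)

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

To run it on a real site, pass the open access log file instead of `SAMPLE_LOG`. Any address reported with `login_after_flood` set calls for an immediate password change and a review of recent admin activity.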

Have you had this issue? What have you done to combat this brute force attack?


Filed Under: News Tagged With: wordpress brute force attacks

About Nile Flores

Nile is a 43-year old female from the greater St. Louis (Southern Illinois side) area. Nile is a mother of 1 son. She is also a web designer and developer, a graphic designer, and a public speaker, who exclusively designs and develops using WordPress. She also blogs at GoDaddy's Blog, Verpex Hosting's blog and her very personal sites, Pixelled and Nail Polish Happy.





Comments

  1. Jennifer says

    April 12, 2013 at 10:27 am

    What a royal pain when it comes to hackers. I’ve just started updating my security during the last few months. Obviously it’s becoming more important every single day that goes by.

    Reply
  2. Warda says

    April 12, 2013 at 11:39 am

    Security plugins will work for hack attacks as well?

    Reply
  3. George T Joshua says

    April 12, 2013 at 12:24 pm

    Great suggestion to limit login attempts. What makes WordPress different from other password protected systems is the way the login form is designed. Contrary to the best practice, when you enter a username and incorrect password instead of telling you that either your username or password is incorrect WP will say if you got the name correct or not. This makes the amount of combinations needed to break into wordpress much lower. And many users choose to have “admin” as a login name which also makes it a whole lot easier to guess. So enabling login limiter solves that particular problem.

    Reply
  4. Ashish Gill says

    April 12, 2013 at 12:41 pm

    Really appreciable post. All the points if done immediately then your site can be safe as a house or bank.
    p.s- nowadays even a house or bank is not safe.

    Reply
  5. Robert Koening says

    April 12, 2013 at 1:09 pm

    Thank you for the priceless information on these attacks. I want to safeguard my sites and blogs for sure.

    Reply
    • Archana Chouhan says

      February 24, 2014 at 12:08 am

      Hello Nile!!

      First of all, thanks for this awesome post. You have made all blog owners aware of such dangerous stuff. Hope all have taken useful steps after reading this post.

      Thanks again!!

      Reply
  6. Gautam says

    April 12, 2013 at 1:45 pm

    I also read it on Hostgator and many other sites, and many of my friends got into this too. Don’t know who is behind this, but it will cause only loss to bloggers and webmasters.

    Reply
    • Krishna Parmar says

      April 29, 2013 at 2:03 am

      Yes, this can really create a huge problem, mainly for those who don’t have a very strong password and admin username.

      Reply
  7. Steve Borgman says

    April 12, 2013 at 9:58 pm

    Niles, thank you for the Brute warning! I also got the same reminder from Kimberly Castleberry, and am so happy to be on your ‘team.’ Thank you for keeping us up to date on these sort of things. I’m going to take your advice and install one of those plugins.

    Reply
  8. Rasman says

    April 12, 2013 at 11:16 pm

    I had no clue about brute force. Thanks for this post. I am all over it. I use bullet proof but I had no clue that host gator can lock out the htaccess file.

    Reply
  9. vishvast says

    April 13, 2013 at 12:42 am

    Hello Nile,
    thanks for this nice info, really enjoyed the read. Thank you for the priceless information on these attacks. I want to safeguard my sites and blogs for sure. Will share it with my other friends too.

    Reply
  10. Ummi says

    April 13, 2013 at 3:28 am

    Hi,

    Thanks for sharing it.

    Reply
  11. Debashisa Jena says

    April 13, 2013 at 3:37 am

    CloudFlare can also protect against brute force attacks!!

    Reply
    • Nile says

      April 13, 2013 at 10:19 am

      Not all the time… CloudFlare is not your host and is not protecting your login.

      Reply
  12. prabhat says

    April 13, 2013 at 4:45 am

    This is seriously not good. What the hell is going on in this world? Btw, just changed the password.

    Reply
  13. Tafoor Tariq says

    April 13, 2013 at 5:12 am

    Thanks for sharing this wonderful post with us. You are damn right: if we follow all the points, then your site can be safe from all scammers.

    Reply
  14. Dave says

    April 13, 2013 at 6:15 am

    Awesome share. I have been a victim myself of these attacks. My advice is change your password weekly. I like the part where you talk about mixing it up with characters and capitals. This works beautifully. Thanks for the share.

    Reply
  15. Sadie-Michalea Harris says

    April 13, 2013 at 6:37 am

    Blimey O’Riley Nile thanks for this! I have missed the news of this entirely we have been out on the boat for 5 weeks not due to entirely due to design more due to mechanical failure! Back land side for a few days and frantically trying to catch up on all that I have missed! Thanks again I appreciate you heap! 🙂

    Reply
  16. Dawn Marrs says

    April 13, 2013 at 1:38 pm

    Awesome article! I had something like this happen a couple of years ago… ended up getting almost 20 sites marked as spam by Google before I even knew what was happening…

    Now I use a password generator to make crazy passwords for all of my sites and change them regularly.

    Great article and good reminder to protect your sites!

    Reply
  17. Vipin Pandey says

    April 13, 2013 at 8:53 pm

    Thanks for sharing this security information. This is time to update all plugins and keep eye on security plugins statics. BulletProof Security is a better option to save our blogs getting hacked.

    Reply
    • Archana says

      January 31, 2014 at 2:15 am

      Hi Vipin,

      Can you please mention what is Bullet Proof security?

      Reply
  18. Micky says

    April 14, 2013 at 12:15 am

    Thanks Nile. Thanks for this post 🙂 I am also going to change my password, because my password is still a little bit short 🙂 and thanks for sharing plugins also; they will help us to make our site more secure 🙂

    Reply
  19. Rusty says

    April 14, 2013 at 12:44 am

    Hi Nile! Thanks for the info you shared with us, though hacking is not ordinary news to every one of us. We as site owners must know the different safety tools that must be added to our site. Adding a couple of bucks for our own site’s safety is more important than losing our investment and/or our future. Thanks for bringing this up!

    Reply
  20. Alex says

    April 14, 2013 at 10:17 am

    Thanks for sharing this post and letting me know. One of my blogs was recently hacked; I don’t know if this was the reason. I will apply your tips. I hope it will never happen to me again.

    Reply
  21. Ansh says

    April 14, 2013 at 11:01 am

    I have installed security plugins to fight this. Thanks for your advice.

    Reply
  22. Atif Imran says

    April 14, 2013 at 4:45 pm

    Hi Nile Flores
    Though my blogging platform is not WordPress, it is a very serious matter. As per my friend, don’t use any free security plugin.

    Reply
  23. Jupiter Jim says

    April 14, 2013 at 5:34 pm

    Nile,

    Thanks for this informative and timely post. Everyone should pay careful attention to steps one and 2 at the very least. I, myself, use Wordfence plugin to limit login attempts.

    And, for heaven’s sake, do NOT use “admin” as the login password. I have also heard that moving the “admin” folder so that it’s not easily found by hackers is another great strategy.

    I limit login attempts to 2. After that, whoever attempted to login will be blocked for a certain time. And there is a workaround in case I accidentally type in the wrong password myself!

    Gotta Share!

    ~ Jupiter Jim

    Reply
  24. Chery Schmidt says

    April 14, 2013 at 9:36 pm

    Thanks Niles, I did read Kim’s post about this a few days ago and did add the Limit Login Attempts. I am going to add one of these security plugins as soon as I am done here. Why do people feel the need to do these kinds of things? As you know, I have enough challenges trying to get rid of those pesky text ads. Thanks for sharing.. Chery 🙂

    Reply
  25. Suresh Khanal says

    April 14, 2013 at 10:28 pm

    This is really a hard time these days. There were several outages last week and now these brute-force attacks. Time to tighten all the latches and blogs.

    I believe the combination of Login Limit and BulletProof Security helps to make it virtually impossible.

    Thanks for the news and tips.

    Reply
  26. Farrell Conejos says

    April 15, 2013 at 2:07 am

    Hey Nile,

    Thanks for this informative post. Everyone should be informed about these attacks to secure everyone’s sites most especially those who are WordPress powered sites. I just encountered one site where it was reported as an “attack page”. The site was automatically blocked and I was not able to access the site. I guess the site was a victim of this Brute Force Attack.

    Reply
  27. Gautham says

    April 15, 2013 at 6:10 am

    Thanks for sharing the information. I have changed my password and installed some great security plugins to prevent attack.

    Reply
  28. Abhishek says

    April 15, 2013 at 8:12 am

    Bulletproof security is good, but it sometimes creates lot of problem when you update to new wordpress version. Just tried limit login attempt and it works great . Thanks for this post

    Reply
  29. rakesh says

    April 15, 2013 at 10:49 am

    I have checked my site load time and it’s up to 80% increase. Thanks for an alert.

    Reply
  30. Yorinda says

    April 15, 2013 at 4:11 pm

    Hi Nile,
    thank you so much for this helpful post and the links.

    It is so good to have people in the online community who have their finger on the pulse of what is happening.

    I am so glad that my host has been onto this straight away and to also have Kimberly’s suggestions.

    Much appreciated!
    Cheers,
    Yorinda

    Reply
  31. Matt says

    April 16, 2013 at 12:02 am

    Thanks Nile, for letting us know about it.

    Reply
  32. Hot Gan says

    April 16, 2013 at 4:41 am

    Your blog is so awesome, I have much to learn from your blog.

    Reply
  33. mavnish hudson says

    April 16, 2013 at 8:09 am

    I just became alert to your blog through Google, and found that it’s truly informative. I’m waiting for more details.. I will be grateful if you continue this in future. Lots of people will be benefited from your writing. Cheers!

    Reply
  34. Kumar Suhas says

    April 16, 2013 at 12:31 pm

    Great to find this post; there has been an increase in the brute force attack attempts on WordPress blogs. I have also recently posted about it.

    Reply
    • Archana says

      January 31, 2014 at 2:14 am

      Awesome post Nile!!

      Recently my domain has been attacked and hacked by someone. If I had come across this blog earlier, I might have protected my site against brute force. Well, keep it up; unknowingly you have helped many of us by posting this article.

      Reply
  35. Michael Shook says

    April 16, 2013 at 12:39 pm

    I don’t understand the mentality of people who do these things. Never have and frankly, I don’t want to.

    I really appreciate the plugin suggestions in addition to the limit logins. I would like to have security that runs in the background and only needs some occasional monitoring. I know it’s important, I just don’t want to spend all my online time defending instead of creating.

    Reply
  36. Kaushal Shah says

    April 16, 2013 at 1:57 pm

    As soon as I read about this on TechCrunch, I changed all my WordPress blog usernames and passwords. By default the username was “admin” earlier.

    Reply
  37. Ty Rustafer says

    April 16, 2013 at 10:35 pm

    This is always a royal pain. Why do people have so much free time that they do these kinds of things? I mean honestly, there is no financial gain so why do it? The sad part is that these kinds of people are normally pretty intelligent and if they just applied themselves to something else, like say a career, they could probably be very successful.

    Reply
  38. Saanvi says

    April 17, 2013 at 4:34 am

    It is disturbing news. I would really like people to use strong passwords and a number of user ids, random ones, out of which only the most inconspicuous is the admin account. The rest of them should have no privileges whatever. It takes long to crack long strong passwords.

    Reply
  39. vaibhav says

    April 17, 2013 at 5:25 am

    This is the first time I have visited your blog, and I must say, you rock!
    Amazing way of presentation, typically impressed..:) and great post admin.!

    Reply
  40. adi kurniawan says

    April 17, 2013 at 8:22 am

    yeah they do massive attack on wordpress site
    that was still hot in forum

    luckily my password is hard to hack

    i think if people failed login in wordpress 3 times
    it should be wait 15 minutes or something
    to make it more secure

    Reply
  41. Hamza Sheikh says

    April 17, 2013 at 5:51 pm

    Whenever it comes to hacking – it really becomes a big pain!

    I heard about this brute forcing attack on WordPress blogs. Even I have taken several actions to secure my blogs from these kinds of attacks, trying to secure more & more.

    Reply
  42. David Merrill 101 says

    April 17, 2013 at 9:48 pm

    This is great advice to counter brute force attacks, Nile.

    Some sort of security plugin is definitely needed, and I might even add a backup plugin to automatically backup your blog at regular intervals.

    I use WP Backup, for instance. The backups come right to my email every week and I don’t have to think about it.

    Just a little extra insurance.

    Reply
  43. Jacobus says

    April 18, 2013 at 4:12 am

    Hi Nile, thanks for the explanation and I didn’t know the option from Hostgator yet! Since I use them as a host you just gave me an extra option to prevent this attack on my sites. Thanks.

    Reply
  44. alice says

    April 18, 2013 at 5:28 am

    I am a web developer and this information that you provided regarding WordPress sites is very useful. Thank you

    Reply
  45. Dan says

    April 18, 2013 at 8:40 am

    I was not aware of what the term brute force attack means but now things are a lot clearer. Having an efficient firewall and other types of security plug-ins and programs definitely helps. Furthermore, I have always believed the password should be a little bit more complicated so it would be harder to crack. That is common sense. You should not use a simple password. Never. Cheers and thanks for sharing this with us.

    Reply
  46. Donny says

    April 18, 2013 at 10:16 am

    This happened to me once, but I believe it was because I wasn’t updating my WordPress install as often as I should have been. I’ve also since added a plugin called OSE Firewall, which blocks a lot of standard attacks. No problems since then.

    Reply
  47. Sarah says

    April 18, 2013 at 8:55 pm

    Very well written article. I agree on what you wrote especially about writing on a particular niche and not just writing about anything. Find your niche and stick to it.

    Reply
  48. Linda says

    April 19, 2013 at 5:23 am

    Thanks for this info, I wasn’t aware of it, although this week I have had some load problems, especially when trying to access the admin area.

    Reply
  49. Saanvi says

    April 19, 2013 at 7:22 am

    WordPress.com does not believe that allowing “admin” as a password is a security matter, and do not accept this as a bug report. There’s an obscure plugin you are supposed to track down which stops it. Also, admin:admin has been used against both wordpress and joomla for almost a year now.

    Reply
  50. Olga says

    April 19, 2013 at 10:08 am

    Such troubles always happened, but they just are paying more attention to this now! Unfortunately the bad guys exist.

    Reply
  51. Suzanne says

    April 19, 2013 at 12:55 pm

    Over this past weekend, I couldn’t bring up my website, which is hosted by GoDaddy. When I went to their Facebook page it said they were experiencing a brute force attack. I admittedly have been lazy with my password. Thanks to your post I just changed it to a complicated password that I can easily remember.

    Reply
  52. Alan Jenkin says

    April 19, 2013 at 1:45 pm

    I’ve noticed slow response on my sites from time to time recently – thanks for explaining about the attacks, Nile.

    I use BulletProof Security and a very strong (generated) password on all my sites. Another tip is never to use “admin” as your username. For anyone who is doing this, you need to add a new user, make it an administrator, and then delete admin as a user.

    There are several other tricks you can use: I posted some of them a while back.

    Stay safe!

    Alan

    Reply
  53. Rachel Lavern says

    April 19, 2013 at 3:38 pm

    Thanks to reading Kim C’s email early, I was able to install the plugins that she recommended. I may look into the plugins that you mentioned in #2. Thank you.

    Reply
  54. Cherrie Bautista says

    April 19, 2013 at 5:20 pm

    I actually have an issue with my .htaccess file. My WP dashboard is displaying that it’s in some folder and needs to be moved. I have verified and even had the Hostgator peeps look, and they too have verified that it’s not in that subfolder. I was told to just ignore the message, but lately, I noticed that the message has gone from black to red. There’s a number of .htaccess files I’ve seen when I did a search but not in the folder that it was flagging it to be. I wonder if the BulletProof Security plugin would fix it?

    Reply
  55. Lynn Jones says

    April 19, 2013 at 6:15 pm

    Many thanks Nile for the valuable information about brute force attacks. What I can’t figure out is what is the reasoning behind it all for someone to want to even do something like this. And do they target certain types of blogs or just any one? What are they gaining by doing something so malicious? Just wondering…..
    Lynn

    Reply
  56. Clint Butler says

    April 19, 2013 at 9:21 pm

    I actually ran into this issue on another site today. Someone is displaying some type of pop-up on a site not their own. I guess it’s really the day of the techno criminal and we have to prepare for it. Thanks for the suggestion on the security plugin. I was looking for a good one that is easy to use. The last one I was using had a lot of options. And you know me, the more options the more things I can break!! lol

    Reply
  57. Maddy says

    April 19, 2013 at 9:24 pm

    I am using wordfence security plugin for WordPress and that plugin notifying me via email about massive brute force attempts on my WordPress panel. But now I have moved my admin panel to a hidden location and my WP admin is now brute force protected with the help of a WP better security plugin.

    Reply
  58. Julieanne van Zyl says

    April 19, 2013 at 9:48 pm

    You would think people could find better things to do than write hacking programs and viruses. I’ve never been able to understand what they get out of it.

    They don’t even see what happens as a result of their behaviour.

    Thanks for your report Nile

    Reply
  59. nick catricala says

    April 19, 2013 at 9:49 pm

    Wow Nile,
    “brute force attack” that is scary.

    Thanks for your heads up… and thanks for the tips… very helpful.

    All the best.
    nickc

    Reply
  60. James says

    April 20, 2013 at 2:47 am

    So this is the reason why I suddenly can’t login to my wordpress site for over an hour and when I was editing, it seems to be going too slow. Love your post! I’m gonna follow these steps and take extra precautions in protecting my account.

    Reply
  61. Gregory Bowen says

    April 20, 2013 at 1:42 pm

    Thanks Nile for the advice ………Thanks for looking out for us all……I haven’t had any problems yet,,,,,,,,don’t want to start!….I shall go check my plugins now …….and install more security……thanks for the links too Nile!….Smokey

    Reply
  62. Fairooz TechnoTweaks says

    April 20, 2013 at 2:18 pm

    Thanks for the post Nile.. I have read on some other news website about the WordPress sites being hacked… It’s really a threat for bloggers like us..

    Reply
  63. Steve says

    April 20, 2013 at 4:18 pm

    What I have noticed on my WordPress blog is that I’m constantly getting spammed, yet I have some of the installed WP plugins activated. I guess I’ll give BulletProof Security a go and see if that helps. I appreciate the post as it will hopefully help me out a lot.

    Regards
    Steve

    Reply
  64. Dr. Erica Goodstone says

    April 20, 2013 at 8:45 pm

    Nile,
    I had been warned about the security breach last week and got busy and did nothing about it. My question for you is: I have Kaspersky, a very high level malware and virus protection system, on my computer. Does that preclude the need for the wordpress plugin or do I also need to install the plugin?

    Warmly,
    Dr. Erica

    Reply
    • Sarah Arrow says

      April 28, 2013 at 3:12 am

      Hi Dr Erica, you need the plugin as well. Kaspersky protects your computer. Your site is being hosted in the cloud or off site (somewhere not on your PC) and therefore not covered by your computer’s protection system. Go and install the plugin quick.

      Reply
  65. ABdul Ghaffar says

    April 20, 2013 at 10:27 pm

    Brute-force attacks really affect many websites and blogs. I also faced it. It was almost 4-5 months ago. I just reached this blog post and I want to share my views about this.

    My own web blog faced this problem; I lost all data and I need to redevelop the website.

    Reply
  66. Carl says

    April 21, 2013 at 12:43 am

    Luckily, I was not affected. Actually I decided to run a poll and contact all members of my social network. It seems that none of them was affected by this attack against WordPress.

    Reply
  67. Shelley Alexander says

    April 21, 2013 at 1:35 am

    Hi Niles, I just received info about this from my site developer. I have taken measures to protect my site but you never know if this is enough to stop hackers from being able to do something. Thanks for the links, I will check them out.

    Reply
  68. Willena Flewelling says

    April 21, 2013 at 3:22 am

    Thankfully I have not been affected by this problem, though I have seen an increase in the number of spam comments in my moderation queue. Thanks for the good info, Nile! You and Kim Castleberry are a wonderful pair of friends to have when it comes to blogging info. 🙂

    Willena

    Reply
  69. Lesly Federici says

    April 21, 2013 at 8:35 am

    Yep. Got the plugin. Thoughtless of me not to protect my sites more.. thinking … nah.. but oh yeah! What a wake-up call!!
    Thanks for the resources, much appreciated and love your blog!

    Reply
  70. Sarupa Shah says

    April 21, 2013 at 9:36 am

    Great post… it just amazes me that people (groups) will do this en masse… but I guess these are the times we live in: lock your doors and windows and change your password regularly!

    Reply
  71. Sarah Arrow says

    April 21, 2013 at 12:30 pm

    Thanks for the alternatives to Login Lockdown. Passwords must be changed and changed for a stronger, more robust password asap.

    Reply
  72. Steven Hughes says

    April 21, 2013 at 2:54 pm

    Good advice Nile…Will definitely give 1 of the 2 plugins a go.

    Reply
  73. Raena Lynn says

    April 21, 2013 at 4:27 pm

    Hi Nile,

    Thanks for the information about the brute force attack. I heard about it when it happened and downloaded a login limit plugin. I’m going to check into the other two you recommended.

    I remember a couple of years ago there was a security problem with WordPress, so I changed my passwords. Beginners usually keep the admin login, which I believe, is vulnerable, and I was glad I got the heads up. Backing up is also very important. Thanks Nile!

    Raena Lynn

    Reply
  74. Fadam says

    April 21, 2013 at 4:46 pm

    Great suggestion to limit login attempts. Why WordPress completely different from other password protected systems could be the way the login form was made. About the best practice, if you enter a username and incorrect password as an alternative to hinting that either your username or password is incorrect WP will say in case you got the name correct you aren’t. This may cause the volume of combinations had to plunge into wordpress dramatically reduced. And a lot of users opt to have “admin” as being a login name which helps it be a tremendous amount better to guess. So enabling login limiter solves that exact problem

    Reply
  75. Keral Patel says

    April 21, 2013 at 11:12 pm

    I guess that proves why I got a sudden spike in traffic on my blogs. On and around 10th to 12th of this month I got a sudden spike in traffic and server was melting due to it.

    Thanks for the tips. I will go and change the passwords right now and also install some better security measures.

    Reply
  76. santosh says

    April 23, 2013 at 3:14 am

    Good article, Nile, about the brute force attack.
    Thanks!!

    Reply
  77. Mahendra says

    April 23, 2013 at 7:12 am

    Hello Nile..
    Cyber attacks are the thing which is more dangerous for a blogger, even greater than getting 0 traffic. LOL. Thanks for the tips for staying away from these.

    Reply
  78. Saurabh Saha says

    April 23, 2013 at 9:26 am

    Thanks for these helpful tips & advice. I am gonna implement these all on my site. These days, brute force attacks are very common. As I can see, there are 1000+ brute force attack logging entries for my site.

    Reply
  79. Moin Ramiz says

    April 23, 2013 at 12:13 pm

    Recently a lot of sites have also faced AdSense click bombing attacks 🙁 What is going on?

    Reply
  80. Barun Pandey says

    April 24, 2013 at 4:27 am

    Security is such a needful thing. If there’s no security, it can ruin our lives in just seconds. Thanks for this wonderful post.

    Reply
  81. mike says

    April 24, 2013 at 6:45 am

    Good article and a lot of information available. I enjoyed reading about this entry and all the information was very helpful to me.

    Reply
  82. Rasel Rony says

    April 24, 2013 at 9:54 am

    I’m using BulletProof Security plugin but confused if it really works.

    Reply
  83. Lalita Bisht says

    April 24, 2013 at 1:41 pm

    These types of attacks are always an unwanted problem for webmasters. Thanks Nile, you have shared some great tips here. Will definitely be implementing these ideas on my site.

    Reply
  84. Shakil says

    April 24, 2013 at 2:12 pm

    Thanks for sharing your nice post. Now I want to know how to use security plugins. Actually I’m a new blogger. Please kindly help me, anybody.

    Reply
  85. Christine says

    April 24, 2013 at 11:44 pm

    Just thought to mention that there is now a Google Authenticator Plugin for WordPress. You can enable (or disable) it per user (admin, editor, etc). This, together with strong password and a strong user name will go a long way to securing the back end.

    Also make sure that Wordfence (or equivalent) is set up to lock out unauthorized logins.

    Thanks for all your good work. I enjoyed your post….

    Reply
  86. robert says

    April 25, 2013 at 9:30 am

    The past few days, WordPress sites around the world have either witnessed slower load or even downtime. Some may have even been hacked or spammed.This is because there has been a global attack on sites using WordPress, specifically trying to find your password. This is not an attack on just one web host, but several. This is great information.It is so good article.Thank you for sharing it!! It is amazing.

    Reply
  87. Barun Pandey says

    April 25, 2013 at 11:02 am

    Thanks Nile!
    I thought this happened only to me! Great sum up!

    Reply
  88. Stephen Malan says

    April 25, 2013 at 4:19 pm

    Thanks for the post. Saw a similar post elsewhere on the WP brute force attacks and they recommended Limit Login Attempts, which we did install. But in reading this post we may give the other two a look-see and install one of them.

    Thank you for posting this.

    Reply
  89. anastris says

    April 25, 2013 at 11:54 pm

    Hi, thanks a lot for your information and tips. I am already implementing your tips and hopefully will not be attacked by hackers. Thanks a lot..

    Reply
  90. Jessie B says

    April 26, 2013 at 5:04 am

    The popularity of WordPress sites can be one of the reasons for these brute force attacks. I am taking your advice and am going to change my passwords on a regular basis for my blog’s security.

    thanks.

    🙂

    Reply
  91. siddharth says

    April 27, 2013 at 7:03 am

    Niles, thank you for the Brute warning! I also read it on Hostgator and many other sites, and many of my friends got into this too.

    Reply
  92. fashstylo says

    April 28, 2013 at 9:09 am

    This is really amazing post for me. Thanks for sharing this security information. This is time to update all plugins and keep eye on security plugins statics.

    Reply
  93. Barun Pandey says

    April 28, 2013 at 1:29 pm

    Thanks for sharing these security measures. I’ve experienced this problem too in these recent days!

    Reply
  94. Sofiya says

    April 28, 2013 at 11:48 pm

    WordPress.com does not believe that allowing “admin” as a password is a security matter, and does not accept this as a bug report. There’s an obscure plugin you are supposed to track down which stops it. Also, admin:admin has been used against both WordPress and Joomla for almost a year now.

    Reply
  95. Hadley says

    April 29, 2013 at 7:39 am

    Thanks for the tips. I wasn’t aware of this attack so will make sure I take steps to safeguard my client’s WordPress sites.

    Reply
  96. Gaurav Arora says

    April 29, 2013 at 1:49 pm

    Being a beginner in the field, I was really not aware of the security issues in this area. Your blog gave me a kickstart.

    Thanks a lot for the info!!

    Reply
  97. Rahul says

    April 29, 2013 at 2:06 pm

    Thanks for the tips.

    Reply
  98. Sofiya says

    April 30, 2013 at 5:10 am

    It makes perfect sense, in the respect that a good password should be easy to remember. Every website ever will conveniently remind you of your password, if “WRONG_PASSWORD” is your password. Of course, that makes it easier to guess than “Correct Horse Battery Staple”.

    Reply
  99. Sarah says

    May 1, 2013 at 10:48 am

    First I’m saying about your site. Beautiful background of this site. I am glad I went to this site, these are great ideas you suggested. I belong to a few Article, but someone I never thought or heard of. I will join some of what you suggested. Thanks.

    Reply
  100. Shalu Sharma says

    May 1, 2013 at 2:19 pm

    Thanks Nile for these great tips. I had heard that there were some issues with some blogs in April. These tips are very good and I will certainly apply some of them.

    Reply
  101. Pavel says

    May 1, 2013 at 3:27 pm

    These brute force attacks are nothing new but they are becoming more aggressive with WordPress these days. Thanks for the great advice Nile, these are simple steps anyone can take to protect their WordPress websites.

    Reply
  102. Isabella says

    May 2, 2013 at 5:14 am

    Thanks for the tips here. I realize how little I know, I’m a beginner who has much to learn.

    Reply
  103. Aamir Lehri says

    May 3, 2013 at 12:21 pm

    That is too bad for blogs.

    Reply
  104. FairyDawn says

    May 4, 2013 at 12:48 am

    During this attack I seemingly lost 5 WP sites; fortunately I have 2-step Gmail password protection…

    Reply
  105. FairyDawn says

    May 4, 2013 at 12:49 am

    During this attack I seemingly lost 5 WP sites, fortunately I have 2-step password protection of my email…

    Reply
  106. bhanu pratap says

    May 4, 2013 at 5:40 am

    The cryptography is a brute-force attack, or exhaustive key search, and it is the most common attack that usually happens.
    Thus, thanks for sharing this knowledge.

    Reply
  107. Prakash says

    May 5, 2013 at 6:39 am

    I have also faced this attack on my WordPress websites. This lasted almost a week. Thanks for sharing this.

    Reply
  108. Matt says

    May 5, 2013 at 6:41 am

    Yes, I was new to blogging and I have faced this problem. I was quite shocked when this problem occurred to me.

    Reply
  109. Clare says

    May 5, 2013 at 5:11 pm

    Hi Nile,
    I have just installed Better WordPress Security. I had Login Lockdown but it locked me out due to a conflict with Cloudflare. Conflicts are very confusing and time-consuming, working out what doesn’t work with what! However, security is a big deal today and so I have persevered to determine what works without conflict, and Better WordPress Security works!

    Thanks for sharing your great knowledge.
    Clare

    Reply
  110. Mike says

    May 5, 2013 at 6:10 pm

    Could these attacks be coming from China as well?

    Reply
  111. Sudipto says

    May 10, 2013 at 7:39 am

    Hey Nile,
    Nice post, and thanks for sharing this post with us. Yes, hacking has become the most common thing these days, and to save our blogs from this we have to choose a strong password. I used the Better WordPress Security plugin and it is really amazing.

    Reply
  112. yogesh pant says

    May 18, 2013 at 9:38 pm

    Hi Nile,
    Thanks for sharing such valuable information with the bloggers. There are many bloggers who always prefer to work with blogs that have WordPress installed. But they generally do not maintain a secure password and often compromise their valuable blogs to brute force attacks.

    Reply
  113. Johny says

    May 20, 2013 at 9:58 am

    Use the free Cloudflare service to protect your WP sites from brute force attacks; it works for my blog.

    Reply
  114. Vipin says

    May 30, 2013 at 9:17 am

    After reading this I installed a WP security plugin for my blog. Now sometimes it warns me about changed log errors.

    Reply
  115. Mahesh says

    July 1, 2013 at 7:39 am

    Thank you for the priceless information on these attacks. I want to safeguard my sites and blogs for sure. I will install the above-mentioned plugins right now.

    Reply
  116. Chetan Gupta says

    July 2, 2013 at 5:46 am

    Brute force attacks are seriously not good for WordPress security.
    But don’t worry, I am using the best WordPress plugins for WordPress security, that is, Better WP Security and Limit Login Attempts, and these are performing well.
    🙂

    Reply
  117. Shaun Hoobler says

    September 6, 2013 at 11:30 am

    Good thing there’s no attack anymore. At least none that I know of.

    Reply
  118. Priyanka says

    February 18, 2014 at 4:27 am

    Yes, this can really create a huge problem, mainly for those who don’t have a very strong password and admin username.

    Reply
  119. Priyanka says

    February 18, 2014 at 4:28 am

    Yes, this can really create a huge problem, mainly for those who don’t have a very strong password and admin username.

    Reply
  120. Carolina says

    March 25, 2014 at 10:32 am

    Hello Nile, we own several blogs on the WordPress platform and Weebly. Do you suggest also moving each of them to different servers as well? Does it matter if they are all on one server or on different ones? Does Amazon cloud services seem a good choice for WordPress?

    We are using a WP security plugin and it works well for us, doesn’t require a lot of resources and also doesn’t slow down any processes.

    Reply
    • Nile says

      May 25, 2014 at 2:58 am

      Personally, I don’t think Amazon is a really good choice for hosting a WordPress site. It’s much better if you have a product download, or for storing podcasts and videos… for storage. You’re better off being able to manage your site through a typical host.

      Reply
  121. Chetan Gupta says

    September 13, 2014 at 1:05 pm

    It’s a fact that your blog posts are so unique and interesting, and I enjoy reading your posts a lot because you explain your posts very deeply in very easy and clear language. Thanks for your support and Happy Blogging 😀

    Reply
  122. Angelia says

    September 28, 2014 at 11:25 am

    Heya, I’m here for the first time. I found this board and I find it truly useful & it helped me out much. I hope to give something back and aid others like you aided me.

    Reply
  123. Bryan says

    June 11, 2013 at 7:53 am

    Valuable information. By the way, are there any tools that we can use for a non-WordPress website to avoid or prevent brute force?

    Reply
  124. Nile says

    June 12, 2013 at 8:55 pm

    Depends… other CMSs have their methods. For a straight static site, you would have to ask your web host how they take care of security at the server level. If you are using a script that is not a CMS, you would want to make sure to put code and hardening methods into the script itself, like for the login, or to close any holes so your database cannot be tampered with through the script.

    Reply

Trackbacks

  1. WP Brute Force Attack and WP Community | John Parkinson says:
    April 14, 2013 at 5:38 pm

    […] posted on the Facebook page “All About WordPress” and her website Blondih.net.  Syed posted information on […]

    Reply
  2. WordPress Sites Hacked! says:
    April 14, 2013 at 9:31 pm

    […] Please read Nile Flores’ recent blog post on “brute force attacks” on your WordPress blog or website and what you can do about it –> http://blondish.net/caution-brute-force-attacks-against-wordpress-sites/ […]

    Reply
  3. How to Change WordPress ‘admin’ username for Security Reasons says:
    May 1, 2013 at 3:34 am

    […] another great post from a great blogger Nile Flores about Brute-force attacks on WordPress sites and some other things you can do to keep your site […]

    Reply

Copyright © 2025 · · WordPress