The ContentRobot team has been monitoring the ongoing brute-force attacks against WordPress sites, which has been escalating in recent weeks. One or more illegal botnets are being used to attack WordPress sites by trying as many username and password combinations as possible in order to find valid login credentials. They are being relentless and can be used to shut down websites, be used to commit fraud, send spam, and more.

Threats from Login Attempts

Your server’s resources are being used with every login attempt. If the attack starts to send continual login attempts every second, your site’s performance can suffer. Worst case, your host may take you down for “using too many resources.”

Threats from a Successful Login

If the attacker successfully get access into your site, your entire install and server could be compromised. Remember administrator accounts can do lots of things on your site including adding new files, modifying existing files, adding new fake admins. Further they can injecting malware into the your site and even turn your hosting account into a spam bot.

How Do You Access WordPress?

If you are still using the names admin or administrator, please stop reading this and go change that right now and then delete those admin / administrator accounts. Also if your username is part of your domain name that should also be changed. [Tip: first create your new administrator account id, then upon deletion of the old admin account, choose to associate all the pages and posts to the new id.]

If you are using a very weak password, go and strengthen it now. [Tip: try mixed case letters, numbers, and symbols of at least 8 characters in length.]

Other Measures You Can Take

  • Install and activate the Login Lockdown plugin. It protects the site by blocking login attempts by a specific IP once that IP has failed too many times in a row.
  • Update your wp-config.php keys.
  • Consider CloudFlare. It’s a CDN service that also helps protect your site against attacks of this nature.
  • Check out Sucuri. They are security experts and we’ve recommended them many times.

Need help locking down your WordPress site?

Our sister site, WeFixWP, is ready to help you protect your WordPress site.