Brute-force attack targeting sites running WordPress

We’ve seen several reports this morning of a brute-force attack currently underway against websites running WordPress. According to one source, the frequency of attacks ranges from 2,000 to 40,000 attempts per minute.

In simple terms, a brute-force attack is a technique hackers use to try different username and password combinations until they are able to successfully log in to a site. Usually these attacks are automated, allowing hundreds or thousands of attempts at once.

Read a more detailed definition of brute-force attacks on Wikipedia.

Such attacks are not unique. Fortunately, securing WordPress against brute-force attacks is relatively easy. Here are some simple steps you can take to keep your site protected:

Use a unique username and strong password. Easy-to-guess usernames, such as ‘admin’ or ‘webmaster’, should be avoided, and passwords should use a combination of upper and lower case letters, numbers, and symbols. Strong Password Generator is one tool for creating random passwords.

Install security plugins. There are many free WordPress security plugins. Here are a couple of options we like:

  • BruteProtect guards against brute-force attacks by blocking IP addresses with too many failed login attempts, and by tracking failed logins across its entire network of users;
  • WordFence Security monitors your site for security vulnerabilities and available software updates, and (optionally) sends an email notification when action is required.

An alternative to these plugins is to subscribe to, a premium service offering full-scale security protection and monitoring for your site. It does all that the plugins above do, and more.

Back up frequently. Keeping a recent backup of your website files and database will save you a lot of time, money, and headaches in the event your site does get hacked.

Keep your WordPress installation and plugins up to date. Updates to the WordPress core and third-party plugins usually fix security vulnerabilities. Keeping your site up to date will make the site less open to exploitation.

If you are a Skunkworks client and are experiencing issues with your site loading slowly, not loading at all, or worse, please get in touch.


