By April 15, 2013

WordPress Admin Accounts Suffer Brute Force Attack

Ars Technica reported a widespread brute force attack on WordPress sites on Friday. Simply put, a horde of infected computers are trying many common password combinations against the default administrator WordPress account. Once the admin account is compromised, the WordPress site joins the fray. Think Mongol-style conquest in the blogosphere. That’s right, I wrote blogosphere.

As of Friday, over 90,000 sites were part of the horde. I am sure that number has grown since then.

Here are a few things you should do if you’re running a WordPress site:

  1. Try not to use the admin account. You can create other accounts and then give those accounts administrative privileges. The downside to using the default admin account is that it makes it easier for accounts to become compromised. If attackers make assumptions about the username, they don’t have to worry about getting the password and the username correct.
  2. Don’t use basic passwords. Randomize passwords if you can. I love password generators like KeePass, which I have been using for almost six years.
  3. Don’t reuse your password. Meaning, don’t use your WordPress password anywhere else. This doesn’t directly help with the security of your WordPress site, but as passwords are compromised in other places it may make breaking into other accounts easier if you use the same password over and over.
  4. Install the Limit Login Attempts plugin for WordPress. It’s free. The Limit Login Attempts plugin blocks people from trying to log into your site over and over again if they fail. This is critical in denying brute force attempts like the one going on right now. Setup is super easy and takes about a minute or two if you are familiar with installing WP plugins. LLA can be customized to lower or raise the number of failed logins before a block happens, or what to do when someone gets blocked, etc. I’ve stopped about a dozen unique login spam attempts since installing the plugin late Friday night.
  5. Install the Better WP Security plugin for WordPress. It’s also free. The most useful thing about Better WP Security for my sites is that it lets me know about common vulnerabilities and if my site is susceptible to them. For example, I left a pretty obvious hole open and thanks to Better WP Security I was able to plug it. This plugin doesn’t help so much with the current brute force attack, but will be helpful for attacks in the future.

So far none of my sites have been compromised. If you have a WordPress site (including one on you should log in to see if anything looks different behind the scenes. If you use a simple (human readable) password you may want to change it immediately, regardless if you think your site has been hacked or not.

2 Comments on "WordPress Admin Accounts Suffer Brute Force Attack"

Trackback | Comments RSS Feed

  1. Selki says:

    Thanks for the tip. I at least changed my admin password over on my WordPress blog.

  2. Selki says:

    I finally installed and activated Limited Login Attempts. Looking back at my previous comment, of course, I wasn’t using a *default* password, anyway. I get what you’re saying about not using an account name they can guess, but unless I blew that account away, it would still be vulnerable, from what I understand. The rearrangements that would require manually would still take more monkeying than I’m up for right now, but the Better WP Security write-up says it would rename the admin account — is it really that easy, all done for me?