Global Brute Force Attacks on WordPress Sites

April 12, 2013 by MaAnna Stephenson


For the past week there has been a rolling brute force attack on all major host providers that specifically targets the login of WordPress sites. According to the report by HostGator, it was a well-coordinated attack with over 90,000 IP addresses involved. The symptoms are a sluggish admin area after login, slow speeds, or trouble logging in. Read on for the steps that you can take to protect your site now and in the future.

Backup Backup Backup

There is no such thing as bullet-proof security on a WordPress site. Some attacks, like this one, come from outside the server. But some super sneaky ones come from inside. The hackers get in through unprotected sites on shared hosting and cause chaos everywhere. Think of it as living in an apartment building. When one catches on fire, all are at risk.

The very best thing you can do for yourself is set up a solid backup and recovery plan. If you’re using a free plugin for this, and storing the backup on your site, you can kiss all of that goodbye if your site gets attacked or hacked. It’s time to get serious about making a real plan.

Backup Resources

How to Backup Your WordPress Site is a free report that you can download with 14 backup and storage options. Personally, I use, recommend, and install on every client site, the BackupBuddy plugin (aff link) and store my files on Amazon S3 (which recently announced they are cutting prices in half, and it’s free for the first year).

Lock the Front Door

(NOTE: Ensure that you don’t already have a plugin that secures your login before adding any of those mentioned below. And check your site after install for conflicts.)

Since a brute force attack is on the front door of your site, that’s where you need protection. The Login Lockdown plugin is my favorite. Now, when you go to install it, you’ll see a warning that it hasn’t been updated in over 2 years. That’s okay. The developer made it right the first time.

Install and activate it and you’re done. No configuration needed.

The other popular plugin for this is Limit Login Attempts. It works, but I’m not a fan because it tells the hacker how many attempts are left and how long they will be locked out. I’m not interested in giving the burglar that much info.

There are other plugins too, like Better WP Security, Wordfence, and a whole host of firewalls. Again, just make sure that you check the plugins you have first before installing a new one.
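To see how much of this traffic is reaching your own login page, you can summarize the web server's access log. The Python sketch below is an added example, not part of the original post or of any plugin named here. It assumes the Apache/Nginx "combined" log format and default WordPress behavior, where a failed login re-displays the form with a 200 status and a successful one redirects with a 302. The function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Apache/Nginx "combined" log format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Apr/2013:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Apr/2013:08:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Apr/2013:08:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:08:02:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
this line is not in combined format
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def login_posts(log_text):
    """Return (ip, status) for every POST to wp-login.php; skip unparsable lines."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore any query string when comparing the path.
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            hits.append((m["ip"], int(m["status"])))
    return hits

def summarize(log_text, per_ip_threshold=3):
    """Aggregate failed login POSTs overall and per IP (200 = failed, assumed)."""
    posts = login_posts(log_text)
    failed = Counter(ip for ip, status in posts if status == 200)
    return {
        "failed_login_posts": sum(failed.values()),
        "distinct_ips": len(failed),
        "ips_over_threshold": sorted(ip for ip, n in failed.items() if n >= per_ip_threshold),
        "ips_under_threshold": sum(1 for n in failed.values() if n < per_ip_threshold),
        "successful_logins": sum(1 for _, status in posts if status == 302),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

In an attack spread over many addresses, the `ips_under_threshold` count is the number to watch, because those addresses never trip a per-IP limit even though their attempts add up.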

Visit the Plugins resource page to see all of my recommended plugins.

Strengthen Your Login

A strong username and password for your login is one of your best defenses. If you’re still using admin as your username, or have a weak password, you’re just waiting to be hacked. And if you show admin in the byline of your posts, you’re actually advertising to hackers.

At the very least, create a strong password. It’s easy to do. If you need to change your username, you’ll actually need to create a new User. I have a video tutorial on how to do that in the library. It’s in the WordPress Advanced section under SEO and is titled User Profile.

Also, read this post for more info on creating strong logins, and how a brute force attack works.

Need More Help?

I sent immediate notice to all subscribers of BlogAid News as soon as I learned of the attacks. That’s the best way to ensure you know about serious issues like this. While you’re subscribing, also check the box to receive all blog posts via email. I know social media is where a lot of you follow me, but honestly, Facebook’s delivery is just too unreliable (you’re only seeing 25% or less of my posts there) and I know most of you don’t check G+ regularly yet. I also report on plugins and WordPress news in my weekly Tips Tuesday post and podcast. You can subscribe to those too, but if you get all blog posts, you’ll get them in that. Plus, you can find the podcast on iTunes, as well as Stitcher, and the Blackberry Podcast.

Site Evaluation and Review

I also do comprehensive site reviews where I check your security and plugins. It’s live and you’ll see everything I see. And, I provide written documentation of what we discussed immediately afterward.

Or, you can contact me directly and I’ll be happy to tailor services to your unique needs.


Filed Under: Security, WordPress

About MaAnna Stephenson

MaAnna is a geek who can still speak in plain English. She helps DIY site owners plus webmasters and designers create sites that are secure, perform well, and get noticed by search engines and readers.


Comments

  1. Paulissa says

    April 12, 2013 at 8:44 am

    I am using the free version of WP. How much am I at risk with this?

    • MaAnna Stephenson says

      April 12, 2013 at 11:30 am

      Paulissa, your site is probably okay, but it may experience slow downs as the servers get hit.

  2. Debra Jason says

    April 12, 2013 at 9:43 am

    Great info MaAnna. I do back up my WordPress site, and store it on my hard drive. Is that enough?
    I think I may also have WP Security as a plug in, but need to see if it was ever activated. I’m not a “techno geek” and think the company that set up my site initially may have downloaded that plug in.
    Thanks!
    ~Debra

    • MaAnna Stephenson says

      April 12, 2013 at 11:29 am

      Hi Debra, yes, as long as your backup is off your hosting, you’re good.
      I offer a comprehensive site evaluation to look at all security and plugin setups. It’s cheap peace of mind for things like this.

  3. karenm says

    April 12, 2013 at 10:44 am

    This attack is not limited to WordPress, but also includes Joomla and other open source installations – password may appear to be an option, but it is predominately affecting many of the servers

    • MaAnna Stephenson says

      April 12, 2013 at 5:32 pm

      Thanks for the update on that and hate to hear it for other open-source platforms.

  4. Efrem R. Jasso says

    April 12, 2013 at 11:12 am

    One thing several articles on this subject have failed to mention is the importance of having a really secure password for your FTP site and your MySQL database.

    If your FTP site can be breached, it’s easy to get your config file for Drupal, Joomla, or WordPress. That file is what contains your WP admin password, so think about that when you’re updating your passwords for your site.

    • MaAnna Stephenson says

      April 12, 2013 at 5:34 pm

      Efrem, you’re 100% right about securing the core. I think one of the reasons most folks don’t mention this is for the same reason I don’t. Doing such things is probably beyond the scope of most of my readers. I’d much rather do the service for them than to try to write a comprehensive, and technical tutorial that tries to cover every setup on every kind of host.

      • Alys Milner says

        April 16, 2013 at 9:05 am

        Nodding my head in agreement. It is certainly beyond my scope and comfort zone.

  5. Lorenzo C. says

    April 13, 2013 at 10:06 am

    Cloudflare has recently revised their security options to block the latest brute force attack. It is available to both paid and free customers.

  6. Allison Rapp says

    April 14, 2013 at 12:35 pm

    MaAnna,
    Great advice… would include getting rid of ‘admin’ as a username. Using it gives hacker-bots a big YES!! to the first thing they try … but if you delete it, make sure you’ve got another username with admin RIGHTS before you say ‘buh-bye’!!

    • MaAnna Stephenson says

      April 14, 2013 at 12:39 pm

      You’re totally right Allison. I’ve actually got a video on how to do it in the tutorial library and might need to make it widely available for a while. But, as you mentioned, there are extreme cautions that need to be taken. They’re in the video too.

  7. Bucur Marian says

    April 23, 2013 at 3:50 pm

    In these days ... we need a military firewall to protect your site …

  8. Vianney says

    April 24, 2013 at 10:12 pm

    Before making a comment on this post, I did strengthen my login details first! Haha! I felt the need to do it asap before anything else. Thank you so much! :)

  9. [email protected] jaipur says

    May 4, 2013 at 4:41 am

    Security is very important for your online safety or the safety of your content. Using a good firewall or security plugins for your websites is absolutely necessary these days. Also, as you said, good, complex login credentials are a good way to strengthen your security.
