For the past week there has been a rolling brute force attack on all major hosting providers that specifically targets the login of WordPress sites. According to the report by HostGator, it was a well-coordinated attack with over 90,000 IP addresses involved. The symptoms are a sluggish admin area after login, slow page speeds, or trouble logging in. Read on for the steps that you can take to protect your site now and in the future.
Backup Backup Backup
There is no such thing as bullet-proof security on a WordPress site. Some attacks, like this one, come from outside the server. But some super sneaky ones come from inside. The hackers get in through unprotected sites on shared hosting and cause chaos everywhere. Think of it as living in an apartment building. When one catches on fire, all are at risk.
The very best thing you can do for yourself is set up a solid backup and recovery plan. If you’re using a free plugin for this, and storing the backup on your site, you can kiss all of that goodbye if your site gets attacked or hacked. It’s time to get serious about making a real plan.
Backup Resources
How to Backup Your WordPress Site is a free report that you can download with 14 backup and storage options. Personally, I use, recommend, and install the BackupBuddy plugin (aff link) on every client site, and I store my backup files on Amazon S3 (which recently announced it is cutting prices in half, and it’s free for the first year).
Lock the Front Door
(NOTE: Ensure that you don’t already have a plugin that secures your login before adding any of those mentioned below. And check your site after install for conflicts.)
Since a brute force attack hits the front door of your site, that’s where you need protection. The Login Lockdown plugin is my favorite. Now, when you go to install it, you’ll see a warning that it hasn’t been updated in over 2 years. That’s okay. The developer made it right the first time.
Install and activate it and you’re done. No configuration needed.
The other popular plugin for this is Limit Login Attempts. It works, but I’m not a fan because it tells the attacker how many attempts are left and how long they will be locked out. I’m not interested in giving the burglar that much info.
There are other plugins too, like Better WP Security, Wordfence, and a whole host of firewalls. Again, just make sure that you check the plugins you have first before installing a new one.
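To show what a login lockout plugin actually does under the hood, here is an added example written for this post; it is not the code of Login Lockdown, Limit Login Attempts, or any other plugin named above. It counts failed logins per client address with WordPress transients and refuses further attempts once a threshold is reached, and, unlike the behavior described for Limit Login Attempts, it tells the client nothing about remaining attempts or lockout length. The thresholds, the ell_ prefix and the transient names are assumptions chosen for the example; it is meant to be dropped into wp-content/mu-plugins/ on a test site.

```php
<?php
/*
Plugin Name: Example Login Lockout (added illustration, not a published plugin)
*/

// Hypothetical limits: 5 failures within 10 minutes lock the address for 30 minutes.
const ELL_MAX_FAILURES = 5;
const ELL_WINDOW_SECS  = 600;
const ELL_LOCKOUT_SECS = 1800;

// Counters are keyed by the client address. Behind a proxy or CDN you would need
// the real visitor address from the proxy header, which is outside this example.
function ell_client_key( $prefix ) {
    return $prefix . '_' . md5( $_SERVER['REMOTE_ADDR'] );
}

function ell_is_locked() {
    return (bool) get_transient( ell_client_key( 'ell_lock' ) );
}

// WordPress fires 'wp_login_failed' after every rejected login attempt.
function ell_record_failure( $username ) {
    if ( ell_is_locked() ) {
        return; // already locked; nothing more to count
    }
    $key   = ell_client_key( 'ell_fail' );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, ELL_WINDOW_SECS );
    if ( $count >= ELL_MAX_FAILURES ) {
        set_transient( ell_client_key( 'ell_lock' ), time(), ELL_LOCKOUT_SECS );
        delete_transient( $key );
        // Record it for the site owner; the client is told nothing.
        error_log( sprintf( 'login lockout: %s after %d failures (user "%s")',
            $_SERVER['REMOTE_ADDR'], $count, $username ) );
    }
}
add_action( 'wp_login_failed', 'ell_record_failure' );

// Runs after the core password check (priority 20) so the refusal is final even
// if the right password was supplied during the lockout. The message is generic:
// no attempt count and no lockout duration is disclosed.
function ell_block_if_locked( $user, $username, $password ) {
    if ( ell_is_locked() ) {
        return new WP_Error( 'ell_locked', __( 'Login is temporarily unavailable.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'ell_block_if_locked', 30, 3 );
```

Transients can live in the object cache on some hosts, so on a site with a persistent cache the counters are shared across PHP workers; without one they are stored in the options table.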
Visit the Plugins resource page to see all of my recommended plugins.
Strengthen Your Login
A strong username and password for your login is one of your best defenses. If you’re still using admin as your username, or have a weak password, you’re just waiting to be hacked. And if you show admin in the byline of your posts, you’re actually advertising to hackers.
At the very least, create a strong password. It’s easy to do. If you need to change your username, you’ll actually need to create a new user. I have a video tutorial on how to do that in the library. It’s in the WordPress Advanced section under SEO and is titled User Profile.
Also, read this post for more info on creating strong logins, and how a brute force attack works.
Need More Help?
I sent immediate notice to all subscribers of BlogAid News as soon as I learned of the attacks. That’s the best way to ensure you know about serious issues like this. While you’re subscribing, also check the box to receive all blog posts via email. I know social media is where a lot of you follow me, but honestly, Facebook’s delivery is just too unreliable (you’re only seeing 25% or less of my posts there) and I know most of you don’t check G+ regularly yet. I also report on plugins and WordPress news in my weekly Tips Tuesday post and podcast. You can subscribe to those too, but if you get all blog posts, you’ll get them in that. Plus, you can find the podcast on iTunes, as well as Stitcher, and the Blackberry Podcast.
Site Evaluation and Review
I also do comprehensive site reviews where I check your security and plugins. It’s live and you’ll see everything I see. And, I provide written documentation of what we discussed immediately afterward.
Or, you can contact me directly and I’ll be happy to tailor services to your unique needs.
I am using the free version of WP. How much am I at risk with this?
Paulissa, your site is probably okay, but it may experience slowdowns as the servers get hit.
Great info MaAnna. I do back up my WordPress site, and store it on my hard drive. Is that enough?
I think I may also have WP Security as a plugin, but need to see if it was ever activated. I’m not a “techno geek” and think the company that set up my site initially may have downloaded that plugin.
Thanks!
~Debra
Hi Debra, yes, as long as your backup is off your hosting, you’re good.
I offer a comprehensive site evaluation to look at all security and plugin setups. It’s cheap peace of mind for things like this.
This attack is not limited to WordPress, but also includes Joomla and other open source installations – password may appear to be an option, but it has predominantly been affecting many of the servers
Thanks for the update on that and hate to hear it for other open-source platforms.
One thing several articles on this subject have failed to mention is the importance of having a really secure password for your FTP site and your MySQL database.
If your FTP site can be breached, it’s easy to get your config file for Drupal, Joomla, or WordPress. That file is what contains your WP admin password, so think about that when you’re updating your passwords for your site.
Efrem, you’re 100% right about securing the core. I think one of the reasons most folks don’t mention this is for the same reason I don’t. Doing such things is probably beyond the scope of most of my readers. I’d much rather do the service for them than to try to write a comprehensive, and technical tutorial that tries to cover every setup on every kind of host.
Nodding my head in agreement. It is certainly beyond my scope and comfort zone.
Cloudflare has recently revised their security options to block the latest brute force attack. It is available to both paid and free customers.
MaAnna,
Great advice… would include getting rid of ‘admin’ as a username. Using it gives hacker-bots a big YES!! to the first thing they try … but if you delete it, make sure you’ve got another username with admin RIGHTS before you say ‘buh-bye’!!
You’re totally right Allison. I’ve actually got a video on how to do it in the tutorial library and might need to make it widely available for a while. But, as you mentioned, there are extreme cautions that need to be taken. They’re in the video too.
These days we need a military firewall to protect your site …
Before making a comment on this post, I did strengthen my login details first! Haha! I felt the need to do it asap before anything else. Thank you so much! :)
Security is very important for your online safety or the safety of your content. Using a good firewall or security plugins for your websites is absolutely necessary these days. Also, as you said, good, complex login credentials are a good way to strengthen your security.