Brute Force WordPress Login Attacks on the Rise

It’s a brave new world. Distributed brute Force attacks on WordPress sites are on the rise. A brute force attack is when an attacker tries many times to a username/password combination by repeatedly sending login attempts. A distributed brute force attack is when an attacker uses a large number of machines spread around the internet to do this in order to circumvent blocking mechanisms. Wordpress sites with poor administrative passwords are vulnerable to this type of attack.

The largest distributed brute force attack on WordPress sites to date was reported on February 10th 2014 by Wordfence. Starting at 11am EST, Wordfence reported a 30 times increase in the volume of brute force attacks across WordPress websites running the software. At the height of the attack, Wordfence had to throttle its real-time data map to 4% to prevent visitor’s browsers from crashing when viewing data.

Another large scale brute force attack on WordPress sites was reported early in 2013 involving 90,000 IP addresses. Future attacks will likely grow in scale and sophistication. It’s important to protect your WordPress site with a strong administrative password. As of WordPress 3.7, there is a password strength meter that helps determine how well your password will hold up to this type of attack. Aside from a strong password, there are a number of plugins and services that can help keep your WordPress site safe.

Browser Related Plugin

LastPass: is a free robust password manager. It remembers passwords you use to log into websites. It can also generate strong passwords for you. This is great not only for your WordPress site, but for your online banking and day-to-day transactions. The service is browser and operating system independent, meaning that you can use your LastPass account on different computers and different browsers. The only password you have to remember is the one to your LastPass account!

Host Related Services

CloudFlare: is a free content delivery network that acts as a filter between external requests and your server. Aside from speeding up your site, it block SQL injections, distributed denial of service attacks, spam, and brute force login attempts. Your hosting provider might offer simple CloudFlare integration. SiteGround is a host I use for my site, and provides other useful tools such as HackAlert.

WordPress Plugins

There are a number of plugins that will keep your site safe from brute force logins. As always back up your site before installing these plugins:

  • Clef: This is a really interesting plugin that uses your phone to login to your WordPress site. A companion app is required for your phone. Once installed, it stores a private key. The app uses your phone’s camera to sync with a wave pattern on your login page. Once the signature is confirmed, you are logged in.
  • Wordfence: is a complete firewall and anti-virus package that helps with a range of attacks, and even has attack recovery tools. It uses the data from failed login attempts to help monitor the scope and nature of attacks and to help adapt to these attacks. The free version is feature rich, the paid version may appeal to those who require better scanning features and premium support.
  • Limited Login Attempts: If you want a more basic plugin that allows only a certain number of login attempts per IP address, then this is it.

View WordPress Attacks as they Happen

Visit Wordfence to view their real-time graphic of WordPress attacks.


Large Bruteforce Attack Against WordPress Sites Starting To Subside. Jeff Chandler

Weigh In: What measures do you employ to secure your WordPress site?