How to combat the brute force attacks on WordPress blogs

1.5 months ago, in the article Botnet attack on WordPress, we wrote about the ongoing distributed attack on the WordPress platform.

WordPress has a default administrator account called “admin”, which can be changed to any user name upon installation. According to various sources, the attack tries up to 1000 of the most commonly used passwords.

Now we see that the attackers have added more intelligent checks to their attempts to gain access to the blog. They now parse the blogs, extract the names of the users who have posted something, and then try to guess the passwords of these users.

A very interesting fact is that these intelligent attacks come from only a few domains at the moment. The most used are,

All the other attempts to access the default “admin” account continue, and even the domains mentioned above still send a lot of requests that use the default account.

There are some easy ways to prevent an attacker from gaining access to your blog.

1. Set a strong password: this is the most basic measure, and it should be used in combination with any other method.

2. Rename the administrative account: On a new install you can simply create a new Administrative account and delete the default admin account. On an existing WordPress install you may rename the existing account in the MySQL command-line client with a command like UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';, or by using a MySQL frontend like phpMyAdmin.

3. Change the table_prefix: Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this can block at least some SQL injection attacks.

4. Install a security plugin like Wordfence: Make sure you configure it to block the IPs which have failed login attempts. Set the number of attempts to 1. After setting up the plugin, you will see emails like this:

[Image: wordfence-email]

has published a page where various methods of hardening WordPress are described. However, they are extremely complex and should not be attempted by inexperienced users. If you have any doubts about the security of your installation, contact the ISP that hosts your blog.
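The check behind item 4 can also be run by hand over the web server's access log. The following is an added example, not code from Wordfence or from the original article: it counts failed login attempts per client IP in constructed sample lines in "combined" log format. It assumes the default WordPress behaviour in which a failed login re-renders the form with HTTP 200 and a successful login redirects with HTTP 302; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jun/2013:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jun/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2013:10:02:30 +0000] "GET /2013/06/some-post/ HTTP/1.1" 200 18220 "-" "Mozilla/5.0"
not a log line
"""

# Client IP, request method, request path and response status of one log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_logins(log_text):
    """Count failed wp-login.php submissions per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        # Assumption: POST answered with 200 = rejected login, 302 = accepted.
        if (m.group("method") == "POST" and path.endswith("/wp-login.php")
                and m.group("status") == "200"):
            counts[m.group("ip")] += 1
    return counts

def ips_to_block(log_text, max_failures=1):
    """IPs with at least max_failures failed logins (the article's setting is 1)."""
    return sorted(ip for ip, n in failed_logins(log_text).items() if n >= max_failures)

if __name__ == "__main__":
    for ip, n in failed_logins(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} failed login(s)")
    print("block:", ips_to_block(SAMPLE_LOG))
```

With the threshold of 1 used in item 4, an administrator who mistypes a password once from 192.0.2.44 lands on the block list alongside the repeated guesser, so the output is worth reviewing before feeding it to a firewall.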



Sorin Mustaca

IT Security Expert

© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity
