WordPress Brute Force Attack

Hello TCH’ers,

I would like to inform everyone that a large distributed brute force attack against sites running WordPress is occurring throughout the entire internet. There are dozens of reports coming from various web hosts, both large and small, that a very large botnet with close to 90,000 servers is trying to log into random WordPress dashboards by cycling through various usernames and passwords, otherwise known as a brute force attack.

Here’s What We Are Doing:

We have been battling this attack for the past 3 days and have had to block all requests to wp-login.php. We realize this may cause minor inconveniences for some clients, but we assure you that we feel it is in the best interest of keeping your site and our servers safe. We also see that this is the currently recommended solution throughout the internet for this issue.

Edit: April 12, 2013 – 5:10 PM (EST) – We have now enabled access to wp-login.php.

If you are currently having issues accessing your WordPress site, please submit a support ticket at our help desk so our technicians may investigate it further. You can access the help desk at http://support.totalchoicehosting.com

Here’s What You Can Do:

We would like to remind you how important it is to use strong passwords throughout all of your accounts. It is very important to change your password regularly to help protect yourself against this sort of attack.

We also urge you to make sure you are using the latest and most updated stable scripts available. If you are using an older version of WordPress, Joomla, Drupal, etc., you should update immediately.

Limit Login Attempts: We recommend limiting login attempts to your WordPress Dashboard. There are various plugins that can help accomplish this. Here is an example of one: http://wordpress.org/extend/plugins/limit-login-attempts/
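To make the two views in this post concrete, the per-IP lockout that a limit-login-attempts plugin enforces and the aggregate flood of wp-login.php requests that drove the server-load decision above, here is an added detection script run over constructed access-log lines. It is not code from this post or from the plugin; the IP addresses, timestamps and Apache-style log format are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (not real traffic): one source hammering
# wp-login.php, then four sources making one attempt each in the next minute.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:14:00:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3100
203.0.113.10 - - [12/Apr/2013:14:00:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3100
203.0.113.10 - - [12/Apr/2013:14:00:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3100
203.0.113.10 - - [12/Apr/2013:14:00:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3100
203.0.113.10 - - [12/Apr/2013:14:00:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3100
192.0.2.7 - - [12/Apr/2013:14:00:06 -0400] "GET /wp-login.php HTTP/1.1" 200 2900
198.51.100.1 - - [12/Apr/2013:14:01:10 -0400] "POST /wp-login.php HTTP/1.1" 200 3100
198.51.100.2 - - [12/Apr/2013:14:01:11 -0400] "POST /wp-login.php HTTP/1.1" 200 3100
198.51.100.3 - - [12/Apr/2013:14:01:12 -0400] "POST /wp-login.php HTTP/1.1" 200 3100
198.51.100.4 - - [12/Apr/2013:14:01:13 -0400] "POST /wp-login.php HTTP/1.1" 200 3100
192.0.2.7 - - [12/Apr/2013:14:01:20 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 0
"""

# Common log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def wp_login_posts(lines):
    """Return parsed records for every POST to wp-login.php (a login attempt,
    whether it succeeded or failed); GETs merely render the form and are ignored."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m['method'] == 'POST' and m['path'].startswith('/wp-login.php'):
            out.append(m.groupdict())
    return out

def noisy_ips(lines, threshold=5):
    """Per-source view: the rule a limit-login-attempts plugin enforces.
    Returns {ip: attempts} for sources at or above the threshold."""
    counts = Counter(r['ip'] for r in wp_login_posts(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

def distributed_signal(lines, min_sources=3):
    """Aggregate view: distinct sources posting to wp-login.php per minute.
    A botnet spreads attempts across many IPs, so each one stays under the
    per-IP threshold while the total load on the server climbs."""
    per_minute = defaultdict(set)
    for r in wp_login_posts(lines):
        per_minute[r['ts'][:17]].add(r['ip'])   # '12/Apr/2013:14:00' minute bucket
    return {minute: len(ips) for minute, ips in per_minute.items() if len(ips) >= min_sources}

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    print('per-IP lockout candidates:', noisy_ips(lines))
    print('minutes with distributed login flood:', distributed_signal(lines))
```

The first function catches the single hammering host; only the second catches the four-source minute, which is why a per-IP plugin alone did not relieve the server load described above.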

Install Google Authenticator: Thanks to a fellow TCH’er, we can recommend installing Google Authenticator. It enables a two-step authentication process that adds an extra layer of security to your blog.

Bad Behavior Plugin: Another TCH’er recommended looking into the Bad Behavior Plugin.

Thank you for your patience and understanding and remember, don’t hesitate to create a support ticket if you need help!

Edit: The attack is so widespread and well known that even magazines are covering it! http://www.pingzine.com/wordpress-admin-accounts-targeted-by-botnet-23840/

10 thoughts on “WordPress Brute Force Attack”

  1. Mark,

    We are fully aware of the implications and this is not a permanent solution. Our concern is really not with what methods are “recommended” but with the overall health of the server farm and all of our clients. We temporarily chose to do this as the server loads were making sites completely inaccessible, which is much worse than not being able to log in.

    However, you will notice that we have already flipped back access as we pushed out new rules again. These rules are working much better than the ones that we had in place, but should we need to block access again, it is an option we may have to use.

    Thanks for the feedback and rest assured we are listening.

  2. TCH-Dick – thanks for the update. We recognize that dealing with this stuff isn’t fun. There’s a reason why you’ve been my webhost for going on 13 years :)

  3. Mark,
    You are welcome.
    One of the things that these all-out blocks do is let us gather new data and adjust our rules. However, this time we thought we’d post it all up and get everyone in the loop.

  4. Cloudflare is another option to consider. I read on their blog that security rules were added for both paid and free customers. This should help filter out the brute force attack.