Web Design, SEO, and Internet Marketing

WordPress Brute Force Attacks On WP-ADMIN

Written by Tony Sova | Sep 27, 2013 6:29:00 PM

Recently our hosting servers were attacked by a botnet of hacker programs attempting to gain access to WordPress admin accounts by brute force. The programs run thousands of login attempts, usually against the "admin" username, to try to crack passwords. The requests come so fast that the server eventually slows down trying to keep up with them and crashes.

This is a worldwide phenomenon related to a weakness within WordPress itself: since it is common knowledge that the admin login of every WordPress website is at www.yourdomain.com/wp-admin, it is just a matter of time until your site is found and exploited.

To combat this at the server level, rules are in place as a preventative measure. Unfortunately nothing is perfect, and hackers are finding ways to get past those rules and still overload the server.

In our recent attack it was necessary to block all IPs from accessing wp-login.php and then allow only certain IPs access, so that website owners could still log in to their admins. This is obviously not a long-term solution, and hosting companies are scrambling to find solutions until the WordPress organization comes out with a fix for the problem.
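The two passages above describe the symptom (a flood of login attempts hitting wp-login.php) and the stopgap (block every IP from wp-login.php, then allow a few). The following Python script is an added example, not code from this post or from any hosting company it links to: it reads Apache access-log lines, keeps only POST requests to wp-login.php (a GET only loads the form), and reports any source IP whose peak rate exceeds a threshold inside a sliding window. The log lines, the IP addresses, and the threshold of 20 POSTs per minute are all constructed assumptions for the demonstration; tune the threshold to a site's real login traffic.

```python
"""Flag source IPs hammering wp-login.php in an Apache access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def login_posts_per_ip(lines):
    """Collect timestamps of POST requests to wp-login.php, grouped by source IP."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, _status = rec
        # A login submission is a POST; a GET is just someone loading the form.
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            hits[ip].append(ts)
    return hits


def max_hits_in_window(timestamps, window_seconds):
    """Largest number of events that fall inside any span of window_seconds."""
    stamps = sorted(timestamps)
    best = start = 0
    for end, ts in enumerate(stamps):
        # Slide the window start forward until it is within window_seconds of ts.
        while (ts - stamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force_sources(lines, threshold=20, window_seconds=60):
    """Return {ip: peak_rate} for IPs whose login POSTs reach `threshold`
    within any `window_seconds`-long window. Both defaults are assumptions."""
    result = {}
    for ip, stamps in login_posts_per_ip(lines).items():
        peak = max_hits_in_window(stamps, window_seconds)
        if peak >= threshold:
            result[ip] = peak
    return result


# Constructed sample log: one source posting to wp-login.php every 2 seconds
# (25 attempts in 50 seconds) next to a legitimate owner logging in once.
SAMPLE_LOG = [
    f'203.0.113.5 - - [27/Sep/2013:18:29:{s:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"'
    for s in range(0, 50, 2)
] + [
    '198.51.100.7 - - [27/Sep/2013:18:29:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Sep/2013:18:29:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Sep/2013:18:29:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 41230 "-" "Mozilla/5.0"',
    'this line is not an access-log record and is ignored',
]

if __name__ == "__main__":
    for ip, rate in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {rate} login POSTs inside one minute")
```

Running it flags only 203.0.113.5; the owner's single POST stays below the threshold, which is the distinction the post's allow-list was trying to make by hand. The IPs this reports are candidates for the server-side rule the post describes: in Apache 2.4 that is a `<Files wp-login.php>` section with `Require ip` entries for the owners' addresses (in 2.2, `Order deny,allow`, `Deny from all` and `Allow from` lines), and the script's output is also a reasonable input for a tool such as fail2ban that bans sources automatically.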

Here is information from some other hosting companies about this problem:

http://www.inmotionhosting.com/support/news/general/wp-login-brute-force-attack

http://www.mnxsolutions.com/apache/blocking-wordpress-brute-force-attacks-against-wp-login-php.html

Right now we are working on server protection rules and other methods to give owners access to their admins from any location. If you have any questions or would like to know more, just send us a message.