WordPress Brute Force Attacks 2014

The first major WordPress Brute Force Attacks of 2014 is underway. Today WordPress security plugin creators Wordfence issued a severe security warning to owners of WordPress websites. They have detected what they say as being the largest attack on WordPress sites to date.

You can read the warning issued by Wordfence below, but to quickly get your website secure it is advised to at least ensure the most basic of security measures are in place on your website.


WordPress site security measures

To keep your website safe from Wordpress Brute Force Attacks 2014 follow the following measures.

  • Ensure the default username is not admin or user
  • Create a secure username using a combination of upper and lower case letters
  • Use a tough to crack password using a combination of uppercase and lowercase letters as well as special charcters (eg. BruteForceAttack/Defence**2014)
  • Install a security plugin such as Wordfence or Bullet Proof
  • Update WordPress to version 3.8.1
  • Update all plugins and themes


As of 11am eastern time this morning we are monitoring the largest distributed brute force attack on WordPress installations that we’ve seen to date. The real-time attack map on www.wordfence.com became so busy that we’ve had to throttle the amount of traffic we show down to 4% of actual traffic.

Starting at 11am EST this morning we saw a roughly 30 times increase in the volume of brute force attacks across WordPress websites running the WordPress.org software. The attack ramped up so quickly that we initially questioned the data we were seeing and immediately deployed code to verify that the reports we were receiving were accurate and not an attack on our own systems. Within a few seconds it became clear that the attack was in fact real and being reported from across the universe of WordPress websites.

Some definitions if you’re not in the InfoSec field: A brute force attack is when an attacker tries many times to guess your username password combination by repeatedly sending login attempts. A distributed brute force attack is when an attacker uses a large number of machines spread around the internet to do this in order to circumvent any blocking mechanisms you have in place.

If you’re using the free or paid version of Wordfence you should have the option to “Participate in the real-time Wordfence security network” under ‘Other options’ enabled. This will immediately block any attack originating from an IP address that has attacked other WordPress sites. This is an effective defense against this kind of attack.

We recommend that until this passes you monitor your WordPress websites closely for unusual activity including logins, account creation or changes to the public facing website.

We will continue to monitor this attack and will post updates here and on our WordPress Security mailing list which you can subscribe to on this page.





Wordpress Brute Force Attacks 2014



For more details and updates on WordPress security as well as Wordpress Brute Force Attacks 2014 follow us on Twitter