Awesome April Brute Force WordPress Attack

Some naughty unknown individuals initiated a massive brute force botnet attack on WordPress blogs. They are using thousands of bots, that try billions of passwords from a dictionary. Which is not really a problem for me. More of a challenge to find ways to make hacking my blog more difficult. In the worst case scenario if somebody changes my password and locks me out, I still can regain access. Also I have backups, that I create on my local machine and send by e-mail with a backup plugin. In case you are interested, I have a collection of WordPress plugins on my WordPress Quora board.

Strong Password

You have to have a strong password and change it frequently. Which I just did. A strong password should have different alphanumeric and non-alphanumeric characters and be generally hard to guess. It should be long and not a real word like Supercalifragilisticexpialidocious for instance. You can generate a password with an online generator or use LastPass. On a personal note I don’t trust LastPass.


A captcha could also help. I have been using the Conditional Captcha plugin, that works together with Akismet to block spam. However, it seems that it can’t be used for the login screen, so I switched to a different plugin, which offers more functionality. This plugin requires you to solve some very easy math problems. Bots should be slowed down by this, but probably they still can bypass the captcha somehow.

More plugins

I installed the WordFence plugin, that is supposed to limit the number of login attempts from one IP address. The Content Delivery Network I am using is doing something similar. However, I think it could also make sense to have a very small whitelist of IP addresses for the login screen. I have been looking into two factor authentication WordPress plugins, but I still have some reservations concerning their reliability. By the way I think it would be okay, if the second factor was sending e-mails instead of SMS.

Special Administrator Account

It is recommended to change the administrator user, if you haven’t done so already. Apparently the botnet is trying to hack the default WordPress administrator account. The steps to take in order to create a new administrator are:

  1. Go to Users | Add New and create a new user. This user may not have the same e-mail address as the current administrator. Make sure that this account has administrator privileges.
  2. Test that the new account works. Log out and log back in.
  3. Go to  Users | All Users. Delete the default administrator account. Alternatively you could change the role of the original administrator to something more restrictive.

No more passwords

Passwords are so twentieth century! We should have a better security mechanism. Some sort of device that can recognize voices, fingerprints or even brain activity. Then we could have five factor authentication.

Disclaimer: this is my own security approach. It might not work for you. Before making any changes to your WordPress blog, be sure to back it up properly.

Messages for April 13, 2013

By the author of NumPy Beginner's Guide, NumPy Cookbook and Instant Pygame. If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.
This entry was posted in Uncategorized. Bookmark the permalink.