WordPress Brute Force Attacks

– Posted in: Plugins, Security, WordPress

This has been an incredible week for brute force attacks on the Internet. Email flooded my inbox, websites slowed to molasses-slow.  I had just finished putting security plugins in place on all of my WordPress sites after being attacked only a couple of months ago.

I had been patting myself on the back for securing all known vulnerabilities on my websites and was finally trying to get some real work done when I noticed I was getting hit hard with notifications of login attempts to all of my websites. Of course, the first thought I had was that my plugins were faulty and needed some attention. I went to the forums supporting the plugins I use and found others complaining of the same thing… We’re getting blasted with email alerting us of login attempts and 404 error pages.

Truthfully, I see login attempts all the time on all my sites, but it’s normally only a handful of attempts and they eventually go away after I block their IP addresses. However, this was insane! I couldn’t keep up with blocking, and quite honestly, I felt like a fish out of water even trying. I couldn’t figure out why I was so special to gain the attention of these attackers. As I sifted through all my web logs, I began to notice something strange. There was only one file attacked… wp-login.php .  My plugins worked nicely at blocking the brute force attacks, but the log files were huge!

Finally, I woke Friday morning and went to check on some of the heavier hit sites. I began to see every one of my websites go down. It took my tech team all day to get us all back online. I’m very thankful for their hard work!

Hosting providers and security networks across the Internet found a large botnet with more than 90,000 servers had released against WordPress websites. The attackers cycled different user names and passwords to try and gain access through WordPress admin access points.

Sucuri, a security firm that blocks various types of Internet attacks, reported statistics of just how badly this particular week has been. They announced that in April 2013, brute force attacks had increased from nearly 40,000 attacks per day to nearly 100,000 attempted attacks per day, just in this last week.

In their report, they found that some of the top user names attempted was:


The top passwords tried were:


Here are some things you can do to protect your website from a brute force attack.

  1. Do not use “admin” as your user name.

One thing that I have learned since working so hard to secure my websites is to NOT use any form of “admin” for a user name.  That is the top user name tried in a brute force attack. If you currently have “admin” as your user name, you’ll notice that WordPress will not let you change it inside your dashboard. However, you can change this using myPHPadmin and accessing your database.

Warning, messing around with you WP database could cause loss of data and other problems.

I will assume that you know how to get to your myPHPadmin panel. So, from here, chose the WP Database. WordPress sets up the database as something like “_wrdp1.” Unless you have purposefully changed it to another name, that’s what it is named. Click on that database name which would be listed on the left.

myPHPadmin image

Example 1: myPHPadmin Sidebar


Once you choose your database, a list of tables will show up. Find the table that says “wp-users.” Then click “Browse.”

wp-users image

Example 2: ‘wp-users’ Table


Next, click on the option that lists the user_login as “admin,” and change it to something else.  See example.

user_login image

Example 3: User-login


  1. Choose a very strong password.

It is important to change your passwords. I cannot stress enough to change your password often and make it strong! Remember to use numbers, letters (including capital letters), and symbols in your password. Make it a MINIMUM of 8 characters. The more characters you use, the harder it is to guess. If you have a difficult time creating a tricky password, then use a good password generator to help create a unique and random password. Personally, I like to use phrases, more than one word for my password. This makes it more difficult to crack.

  1. Installing a plugin like Better WP Security or Wordfence can help close up other vulnerabilities to your WordPress site. It will create a stealth login, lock down .htaccess and wp-config.php files, and limit login attempts.

Remember, YOU the user, are the biggest vulnerability to your WordPress website!

If you have problems with securing your WordPress, maybe you just don’t understand all this technical mumbo jumbo, I can help! If you need advice or would like to hire me to help out, feel free to contact me

2 comments… add one
setting up google authorship June 4, 2014, 11:56 pm

Hey there! I just wanted to ask if you ever have any trouble with hackers?
My last blog (wordpress) was hacked and I ended
up losing many months of hard work due to no data backup.
Do you have any solutions to protect against hackers?

Heidi Hafner June 5, 2014, 12:28 am

Yes, I have had troubles with hackers in the past. They’ve injected code into many of my pages and buried code deep in folders I rarely access. However, since installing several different plugins, I still have bots trying to break in, but they haven’t gotten past my security measures. I use two plugins, Wordfence and iThemes. These are free plugins but both do have a premium service if you want it. I don’t have the premium. However, I also have Sucuri Security keeping things clean. Best investment I have ever made!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.