Massive Brute Force Attack on WordPress Websites

Back in December there was a massive brute force attack on WordPress-based websites. Around 190,000 websites were attacked from 10,000 different IP addresses, at a rate of up to 14 million attacks per hour.

This was one of the largest attacks ever, and I learnt of it from the Wordfence blog – you will find the full details there.

What is a brute force attack?

A brute force attack is one where the hacker attempts to guess your username and password in order to gain access to your WordPress website, so that they can add it to the collection of sites they control.

These assets are then used to carry out whatever cyber-crimes the hacker is planning.

Major brute force attacks like this one are carried out by bots – computer programs that will try out millions of username/password combinations per hour until they get the correct combination and gain access to your site.

And remember: it doesn’t matter how small your site is – the hackers just want control of as many sites as possible to add to their assets.

As I’ve written before, the best defence against brute force attacks is to use not only long and complicated passwords, but also complicated usernames: ones that bear no relation to your name or the site name and that include spaces and symbols.

The passwords generated by WordPress when a new user is set up are the best ones to use because they are random and use characters that all hosting providers recognise. (I had trouble with one hosting provider some time ago because I was using the dollar sign ( $ ) in the password and it was preventing me from logging in – the dollar sign is used in PHP to denote a variable).

WordPress usernames can include letters, numbers, symbols and spaces and, by default, all sites that we set up at Abledragon are set up with usernames that contain all these characters.

Using a simple username that is related to your own name or the site name is very tempting, but it hands the hackers 50% of the information they need to access your site right up front.

Better not to give them anything…!
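To put numbers on the advice above, here is an added Python example (not code from the original post, from WordPress or from Abledragon). It uses the post’s own figure of 14 million guesses per hour as the attacker’s rate and shows how long exhausting the search space takes for a short password versus a long random one, how a random username multiplies that space instead of handing over half of it, and how random credentials are generated with a cryptographic random source, in the spirit of what WordPress does when a new user is created. The character sets, the 24-character length and the `generate_username` helper are assumptions for illustration, not WordPress’s actual generator.

```python
import secrets
import string

# Attacker's guess rate stated in the post: up to 14 million attempts per hour.
# Treated here as if aimed at a single site, the worst case for that site.
GUESSES_PER_HOUR = 14_000_000

# Assumed character sets (not WordPress's own code). WP_STYLE_CHARS approximates
# the letters, digits and symbols a generated WordPress password draws from;
# USERNAME_CHARS includes the space and symbols the post says usernames may contain.
WP_STYLE_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()"
USERNAME_CHARS = string.ascii_letters + string.digits + "_.- @*"


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int, rate: int = GUESSES_PER_HOUR) -> float:
    """Worst-case hours needed to try every combination at `rate` guesses per hour."""
    return search_space(alphabet_size, length) / rate


def credential_search_space(password_alphabet: int, password_len: int,
                            username_alphabet: int, username_len: int,
                            username_known: bool) -> int:
    """Combined space an attacker must cover for a username/password pair.

    A guessable username (the post's '50% of the information') collapses the
    username factor to 1; a random username multiplies the work instead.
    """
    user_space = 1 if username_known else search_space(username_alphabet, username_len)
    return user_space * search_space(password_alphabet, password_len)


def generate_secret(length: int, alphabet: str = WP_STYLE_CHARS) -> str:
    """Random string from a CSPRNG, the kind of password WordPress hands a new user."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_username(length: int = 16) -> str:
    """Random username (hypothetical helper); first and last characters are
    alphanumeric so the name survives whitespace trimming on login forms."""
    if length < 2:
        raise ValueError("length must be at least 2")
    edge = string.ascii_letters + string.digits
    return (generate_secret(1, edge)
            + generate_secret(length - 2, USERNAME_CHARS)
            + generate_secret(1, edge))


def hours_to_years(hours: float) -> float:
    return hours / (24 * 365)


if __name__ == "__main__":
    wp = len(WP_STYLE_CHARS)
    print(f"6 lowercase letters:      {hours_to_exhaust(26, 6):.1f} hours")
    print(f"8 chars, WP-style set:    {hours_to_years(hours_to_exhaust(wp, 8)):.1f} years")
    print(f"24 chars, WP-style set:   {hours_to_years(hours_to_exhaust(wp, 24)):.3g} years")
    known = credential_search_space(wp, 8, len(USERNAME_CHARS), 16, username_known=True)
    random_user = credential_search_space(wp, 8, len(USERNAME_CHARS), 16, username_known=False)
    print(f"Random 16-char username multiplies the work by {random_user // known:.3g}x")
    print("Sample password:", generate_secret(24))
    print("Sample username:", repr(generate_username(16)))
```

The point the numbers make is that the attacker’s rate is fixed by their botnet, so the only lever the site owner holds is the size of the space they have to search: a six-letter lowercase password falls within a day at the post’s rate, while a long random password and a random username push the worst case far beyond any useful timescale.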

Attacks like this are on the increase.

Every time there’s a successful hack where large amounts of personal data are stolen (Yahoo, Uber, LinkedIn, Equifax) you can expect that to be followed with an upturn in brute force attacks on your WordPress website and other online assets.

The details that are stolen in those major hacks are sold over and over again to actors involved in cyber-crime. So, whenever you read of a successful hack on a service that you use, it’s sensible to change your existing passwords on your other accounts, not just the one that was hacked.

This is particularly so if you use the same password on more than one site: one stolen password then opens every account that shares it.


There are more articles on ways you can keep your WordPress website safe here.

Keep well, and keep safe!

Martin Malden

About the author: Martin Malden owns Abledragon, a WordPress agency that was established in 2009. Today it serves customers in Hong Kong, Australia and the UK. Abledragon websites are built for today’s Internet, with the mobile user in mind, and are known for security and speed.