Massive Bruteforce attack on WordPress websites

By Martin Quinn (Principal Consultant) 29 July 2013

In the past few months there have been massive bruteforce attacks on wordpress sites, utilising  huge bot-nets, bot-nets upwards of 90,000 zombie hosts. Over 30 million wordpress websites and blogs have been compromised.

So what is a bruteforce attack?  A bruteforce attack is simply an attacker throwing every combination of dictionary words, numbers and special characters at your website until it exhausts all possible values and results in systematically deciphering your password.

Why would my site be targeted?  The reasons for targeting sites vary, but can be narrowed down to the following; sending spam, cause denial of service, proliferate malware/Trojans/viruses or to steal personal or customer data.

To protect your wordpress site there are several steps you can take, most are technically simple to implement but do require some knowledge of how your wordpress site works to setup up correctly and often involve renaming certain files or adding additional plugins that monitor or block bruteforce activity. WordPress recommends the following steps (, and these are all good practices.

For me the simplest way of securing your wordpress account was to use two factor authentication or 2FA. Many readers would have seen this in some form or another and 2FA is often equated with banking accounts or financial institutions.  What is 2FA? 2FA a secondary authentication mechanism which combines your username/password (something you know) with something you have (sometimes referred to as a token). This foils the attacker by adding a further secret item to your password and is often randomised and time limited. Making it near impossible to guess.

Intact Security uses Duo Security 2FA for our website and recently JobReady have also implemented Duo Security 2FA on their website too. If you would like further information on how this can help you secure your website, please contact Intact Security on (02)9227 8201.

Relax. Your security is Intact

Author: Intact Security

Posted on by Martin Quinn in Security Blog