The Brute Force WordPress Attacks

(written 04/12/2013) Earlier this week, I was introduced to breaking news of a massive attack on WordPress sites. An ecommerce site that I’d worked on was experiencing broken code. I contacted the host’s tech support and they let me know they had been experiencing hack attacks on their servers. In order to keep all their servers running, they had to tighten the servers’ security, which, in turn, broke my client’s ecommerce site.

That situation has been contained. Unfortunately, the brute force hacks continue to crash servers and gain strength. As I write this, attacks have tripled within the past month. I’m enclosing a number of links below that give more detail on the situation.

It’s very important for you to make sure your website does not fall into the hands of these hackers. Below the list of articles, I’m enclosing a to-do list of procedures that should be performed. I am currently performing these tasks on my websites; the process takes about an hour and a half per installation.

Breaking News:

Wired Magazine – 04/22

Statement from Homeland Security – 04/15

ABC News – 04/15

Hackers Point Large Botnet At WordPress Sites To Steal Admin Passwords And Gain Server Access – 04/12

Check your security settings: Brute force attacks against WordPress and Joomla sites have tripled – 04/12

Brute Force Attacks Build WordPress Botnet – 04/12

Major brute force attack against WordPress underway – 04/12

Webhosts Address the Hacks:

IX Hosting

Webhost Technicians Working Together to Stop the Attacks:

Web Host Forum (This reads like the command center in a war room)

>>> Items marked with these brackets are the minimum: “you should at least do this”.

– Install the “BackWPup” plugin and set up a scheduled job that backs up all your files and your MySQL database. Four backups a year is the bare minimum; for a site that takes orders, schedule the database backup daily (the interval is a job setting). Set the job to keep only a fixed number of archives, so each new compressed file retires the oldest one and you do not run out of disk space, and send the archive somewhere other than the web server (the plugin can upload to FTP, Dropbox, or Amazon S3), because a backup that sits beside the site is lost or tampered with along with it.

– Install the “Better WP Security” plugin and turn on its login lockout, so an address that keeps failing to log in is blocked for a while instead of getting unlimited guesses. The plugin also carries out several of the items below.

>>> Create a new administrator user with a name that is not “admin”. Pick something that does not appear on the site: WordPress exposes the login name of anyone who publishes posts through the author archive URLs, and the bots collect those, so the new name is a small gain on its own; the password and the lockout do the real work.

>>> Use a password of at least 12 characters with upper- and lower-case letters, a number, and a symbol. A random string from a password manager is better than a word with substitutions, which is what a wordlist attack guesses.

>>> Change the passwords of all WordPress users, not only the administrators; every account the bots can guess is a way in.

>>> Log in as the new administrator and delete the user called “admin”. When WordPress asks what to do with that user’s content, choose “Attribute all content to” the new account; the other choice deletes every post and page “admin” wrote.

– Change the default “wp_” prefix of the MySQL tables. Better WP Security has a tool for this; if you do it by hand, renaming the tables is not enough, because the options row wp_user_roles and the usermeta keys wp_capabilities and wp_user_level carry the prefix in their names and must be renamed too, or every user loses their role. This guards against canned SQL injection scripts rather than brute force, so it comes after the items marked >>>.

– Delete old WordPress themes (and plugins) that are not in use; disabled code still sits on the server, is still reachable, and nobody updates it.

– Check directory and file permissions. On a typical shared host the baseline is 755 for directories, 644 for files, and 600 for wp-config.php, and nothing under the site should be world-writable (777). These are file system settings that the server enforces for every request; they have nothing to do with whether someone is logged in to WordPress, so check them even if the site “should be fine”.

– Update WordPress core, its plugins, and its themes to the most recent versions.

– Change the FTP password to something that does not use words, following the same rule: at least 12 characters with upper- and lower-case letters, a number, and a symbol. Use SFTP instead of plain FTP if the host offers it; FTP sends the password in the clear.

– This is an important step. Password-protecting the login area at the web server level makes Apache answer the bot’s requests with a 401 before PHP or WordPress runs, so the guessing costs the server almost nothing and never reaches the WordPress login code. In the server’s cPanel, open “Password Protect Directories” (some hosts label it “Web Protect” or “File Protect”), select the directory used to log in to WordPress (“wp-admin”), and create a user name and password for it. Two things the cPanel tool does not handle: the login form itself, wp-login.php, sits in the site root rather than in wp-admin, so it needs its own <Files wp-login.php> block in the root .htaccess or the bot’s POST requests still go through; and wp-admin/admin-ajax.php is called by front-end features for anonymous visitors, so it must be exempted or parts of the site will break. Test the URL: if a prompt for a user name and password comes up, the protection is working. If you get an error instead of the prompt (usually a 404), the 401 response is being caught by the WordPress rewrite rules in the root .htaccess; adding the line “ErrorDocument 401 default” to the .htaccess fixes it, or contact tech support and have the web host do it. They should be able to resolve it within a few minutes.

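The steps above, as one script. This is an added example written for this page, not code from the original post or from any of the plugins named here; the account paths, the htpasswd user, the site URL and the availability of WP-CLI (for the user rotation) are assumptions. It replaces the cPanel “Password Protect Directories” click with the equivalent .htaccess rules, adding the wp-login.php and admin-ajax.php handling that the cPanel tool leaves out, and applies the permission baseline.

```shell
#!/bin/sh
# Added example, not from the original post: the hardening steps above as a
# script for a cPanel-style account. Paths, user names and the site URL are
# hypothetical placeholders; adjust them to your host.
set -eu

DOCROOT="${DOCROOT:-/home/example/public_html}"
# The password file lives OUTSIDE the document root so it is never served.
HTPASSWD="${HTPASSWD:-/home/example/.wp-login.htpasswd}"

# One htpasswd line. openssl's -apr1 is the Apache MD5 format that
# mod_auth_basic accepts, so the htpasswd tool need not be installed.
make_htpasswd() {
  printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Rules for the SITE ROOT .htaccess. wp-login.php sits in the root, not in
# wp-admin/, so protecting only the wp-admin directory leaves the page the
# botnet actually posts to uncovered. $1 = absolute path of the htpasswd file.
root_rules() {
  cat <<EOF
# Without this line WordPress's rewrite rules turn the 401 into a 404.
ErrorDocument 401 default
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile $1
    Require valid-user
</Files>
EOF
}

# Rules for wp-admin/.htaccess. admin-ajax.php is called by front-end plugins
# for anonymous visitors and must stay reachable without a password
# (Apache 2.2 directives; 2.4 needs mod_access_compat or "Require all granted").
admin_rules() {
  cat <<EOF
ErrorDocument 401 default
AuthType Basic
AuthName "Restricted area"
AuthUserFile $1
Require valid-user
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
EOF
}

# Permission baseline from the WordPress hardening guide: directories 755,
# files 644, wp-config.php 600. This is an operating-system setting; it has
# nothing to do with being logged in to WordPress.
fix_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  [ -f "$1/wp-config.php" ] && chmod 600 "$1/wp-config.php"
  return 0
}

# The ">>>" user steps with WP-CLI: create the replacement administrator, then
# delete "admin" while REASSIGNING its posts and pages to the new account
# (deleting without --reassign removes that content). Needs WP-CLI installed.
rotate_admin() {
  wp user create "$1" "$2" --role=administrator --user_pass="$3"
  wp user delete admin --reassign="$(wp user get "$1" --field=ID)" --yes
}

# The post's verification step: an anonymous request must now get a 401.
check_guard() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1/wp-login.php")
  [ "$code" = "401" ]
}

if [ "${1:-}" = "apply" ]; then
  # usage: sh wp-guard.sh apply <htaccess-user> <htaccess-password> <site-url>
  make_htpasswd "$2" "$3" > "$HTPASSWD"
  chmod 600 "$HTPASSWD"
  root_rules "$HTPASSWD" >> "$DOCROOT/.htaccess"
  admin_rules "$HTPASSWD" > "$DOCROOT/wp-admin/.htaccess"
  fix_permissions "$DOCROOT"
  if check_guard "$4"; then
    echo "wp-login.php now requires a password"
  else
    echo "no 401 returned: .htaccess conflict, ask the host to fix it"
  fi
fi
```

Run it from a shell on the host as “sh wp-guard.sh apply guarduser 'long-random-password' https://example.com” (placeholder values), then call rotate_admin with the new administrator’s login name, email and password. The basic-auth password for wp-login.php should be different from the WordPress password, so that guessing one does not hand over the other; and keep a copy of the original root .htaccess before appending, since the script adds to it rather than replacing it.
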
Let’s hope this virus is contained before it damages all our hard work.

