Massive attack on WordPress based websites!

Is your website, like this one, based on the WordPress CMS/framework, whether self-hosted or on a hosting platform? Then you need to think very hard about your WordPress admin security, as there is currently an absolutely massive botnet attack (some 100,000 computers appear to be involved at this stage) being targeted at WordPress based websites.

The attack is quite simple: it attempts to log in to your website using the username “admin” and a dictionary brute-force system to “guess” the password. Once it has the correct one, it will then try to exploit the WordPress platform to gain control of the server itself.
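The attack described above leaves a recognisable trace in the web server's access log: many different source addresses, each POSTing to wp-login.php a handful of times. The following is an added example (not code from the original post) that parses Apache combined-format log lines and flags that pattern. The log lines are constructed for illustration; the thresholds and the heuristic that WordPress answers a bad password with HTTP 200 (re-rendered form) and a good one with a 302 redirect are the author's assumptions here, not something the post states.

```python
import re
from collections import Counter

# Constructed sample Apache access-log lines (combined log format): several
# distinct source addresses each trying wp-login.php a few times, one of them
# eventually getting a 302 (success), plus a normal visitor who logs in once.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2013:09:01:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2013:09:01:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2013:09:01:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2013:09:01:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2013:09:01:06 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.55 - - [12/May/2013:09:01:07 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.55 - - [12/May/2013:09:01:08 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.56 - - [12/May/2013:09:01:09 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.56 - - [12/May/2013:09:01:10 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.99 - - [12/May/2013:09:01:11 +0100] "GET /2013/05/some-post/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.99 - - [12/May/2013:09:01:12 +0100] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.99 - - [12/May/2013:09:01:20 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_attempts(log_text):
    """Count POSTs to wp-login.php per source IP, split into failed and succeeded.

    Assumption used here: a wrong password makes WordPress re-render the form
    (HTTP 200); a correct one redirects to the dashboard (HTTP 302).
    """
    failed, succeeded = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?")[0] != "/wp-login.php":
            continue
        if rec["status"] == "302":
            succeeded[rec["ip"]] += 1
        else:
            failed[rec["ip"]] += 1
    return failed, succeeded


def assess(log_text, min_sources=3, min_total_failures=5):
    """Summarise the login activity and decide whether it looks like a
    distributed brute force. The thresholds are illustrative assumptions.

    Note that a per-IP lockout alone would miss this traffic: each bot only
    tries a few passwords, so the signal is the number of *distinct* sources
    failing against the same login page, not the count from any one address.
    """
    failed, succeeded = login_attempts(log_text)
    total_failures = sum(failed.values())
    distributed = len(failed) >= min_sources and total_failures >= min_total_failures
    # A successful login from an address that was failing moments earlier is
    # the case that needs an immediate password reset and session review.
    suspicious_success = sorted(ip for ip in succeeded if failed[ip] > 0)
    return {
        "sources": len(failed),
        "total_failures": total_failures,
        "distributed_bruteforce": distributed,
        "suspicious_success": suspicious_success,
        "top_sources": failed.most_common(3),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this reports four failing sources, eight failed attempts and one address (192.0.2.56) that succeeded after failing, while the ordinary visitor who logged in correctly at the first attempt is not flagged. To use it on a real server, feed the contents of the access log to `assess()` instead of `SAMPLE_LOG`.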

As it stands, it doesn't appear that whoever is behind these attacks is trying to disrupt the individual websites; rather, they are trying to gain access to the server resources that the websites are based on. However, there are a few simple steps you can take to make your WordPress installation a little bit more secure;

For the next 72 hours, I am happy to answer any requests submitted via my contact form and confirmed by follow-up email for me to look at your WordPress website and tell you how its security could be improved. FREE OF CHARGE! (Limited to the first 100 people only.)

UPDATE 13/05/2013 11:19: I am very happy that several of the website hosting providers I am regularly involved with have taken the decision to protect their customers en masse. Some of them have done it better than others, by adding a generic HTACCESS password solution as recommended in my blog post above. Others have simply blocked access to the WordPress admin area entirely, meaning that users cannot update their website at all. This is not really a good thing, especially when there are other, simpler solutions which do not involve compromising functionality.
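The HTACCESS password solution mentioned above puts a second, server-level password in front of the WordPress login, so the botnet's guesses are rejected by Apache before they ever reach WordPress, while legitimate users can still log in. Below is an added example of such an .htaccess fragment (not taken from the post or from any hosting provider); the password file path and realm name are assumptions to be adjusted for your server.

```apache
# Added example, not from the original post. Place in the .htaccess at the
# WordPress site root. Create the password file outside the web root first:
#   htpasswd -c /etc/apache2/wp-admin.htpasswd someuser
# The file path and the realm name below are assumptions; change them.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/wp-admin.htpasswd
    Require valid-user
</Files>
```

This protects the login form only, which is where the dictionary attack is aimed, and leaves the rest of the site working as before. If you extend the same directives to the whole wp-admin directory, remember that admin-ajax.php inside it is also called by front-end themes and plugins, so it needs to be exempted or those features will break, which is the loss of functionality the update above warns against.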


The plugin I use for security for my WordPress based websites is called Login Security Solution, and the plugin page is available at You can download it from within WordPress, or by downloading it from the plugin website and uploading it to your WordPress based website.

If you are using the platform to host your WordPress website, then you can enable two-factor authentication. This means that you have a code sent to your mobile phone every time you or someone else logs in using the correct password. Once again nothing beats having a secure password.