Brute Force attacks using over 90,000 IP addresses are being used to crack into administrative WordPress accounts. Brute Forcing is a method of gaining access by using wordlists consisting of a wide variety of passwords or by generating random passwords to attempt to “guess” the password of an account.
- Change passwords to meet at LEAST minimum security requirements of eight characters including lower case letters, upper case letters, numbers and special symbols (!@#$%^&*). No common words or phrases should be used as more “predictable” passwords can be found in Brute Forcing wordlists and thus make the account vulnerable.
- Keep WordPress up to date as much as possible.
- If using a WordPress version between 2.8 and 3.3.2, the plugin Limit Logon Attempts can prevent a brute force attack by locking access after a set number of failed attempts.
- If using a WordPress version between 3.4 and 3.5.1, the plugin better-wp-security can prevent brute force attacks by locking access and can also provide other security features such as changing urls for sensitive pages and logging any malicious activity.
- Create rules on the webserver itself to prevent multiple logon attempts within a short timeframe.