WordPress Brute Force Attacks

Cloudflare have released a blog post discussing a spate of WordPress brute force attacks currently taking place. Their post describes the mitigation Cloudflare has put in place to stop these attacks, so all sites using their service are now protected, which is really great news for those sites.

If you’re not using their service, however, there are still some very easy things you can do to help protect your system. In order from trivial to easy, they are as follows:

  1. Have a decent password or passphrase – this site will create some complex and easy to remember passphrases for you.
  2. Change* your default user from admin to something else (*Change is maybe the wrong word – check here for further details)
  3. Install some plugins to help, for simplicity I like:
  4. Use a .htaccess file to block your important directories like wp-admin – there’s a great plugin for this as well, though it also requires AllowOverride All in the Apache configuration.
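
For step 4, a hand-written version of the .htaccess approach looks like the following. This is an added example, not taken from the plugin or from Cloudflare's post; it assumes Apache 2.4 with AllowOverride All as mentioned above, and 203.0.113.10 is a placeholder address.

```apache
# --- /wp-admin/.htaccess (constructed example; Apache 2.4 syntax) ---
# Allow the dashboard only from a trusted address.
# 203.0.113.10 is a placeholder; use your own static IP or VPN range.
Require ip 203.0.113.10

# Themes and plugins call admin-ajax.php from the public site,
# so it has to stay reachable for every visitor.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- add to the .htaccess in the WordPress root ---
# wp-login.php lives in the site root, not in wp-admin, and it is the
# URL that password-guessing requests are sent to, so restrict it too.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>
```

After deploying, request /wp-login.php from an address outside the allowlist and confirm the server answers 403 rather than showing the login form.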

There are a great many other steps to take, which are very well documented, but the above will help mitigate today’s problem. For further reference, this site is very useful, while the WordPress hardening document from WordPress themselves is very detailed.