password protection

How to Take Precautions Against WordPress Brute-Force Attack

Last week, there was brute-force login attack targeted at WordPress websites, a popular publishing platform. An estimated 17% of sites worldwide use the platform and its popularity makes it a constant subject of attempts to exploit vulnerabilities.

This particular case is a brute force attempt at a Denial of Service (DoS) attack. In particular, if you have “admin” as your username, change it and make you’re using a strong password. Do not use common passwords like “admin“ or “password123.” Create a strong password with a combination of upper and lower case letters, numbers, and symbols (like % or #). It’s also good practice in general, to keep your version and plugins up to date. WordPress updates often address potential hacking issues.

The nature of the attack impacted in memory consumption on targeted servers and in some cases resulted in degradation of performance and unresponsive servers. This is due to a high volume of http requests which can cause some servers to start swapping memory to disk, and possibly run out of memory. The most impacted servers tend to be those with limited memory resources, especially those with 1GB of RAM or less.

Here’s an interesting post on the topic from Matt Mellenweg, one of the founding developers of WordPress and an article from the BBC News Technology for additional information.

Basic precautions to implement now:

• Make sure your version of WordPress is current. To update, simply login to your admin. In the upper left, mouse over “Dashboard” and click on “Updates.” It will tell you if your site is using the latest version. If not, simply check the box to update WordPress.

password login screen
• Update plugins on a regular basis. This can be done from “Plugins” in the left navigation.

• Add a Recaptcha verification in order to login. Your web developer will be able to add this for you. It’s a small inconvenience that goes a long way towards preventing brute force attacks.

We’d love to discuss any security or technical website questions you may have! Call 630-964-6056 or send us a message.