Padlock on a door
| | |

WordPress Security: How to Protect Against Brute Force Password Attacks

Padlock on a door
Padlock on a door (credit: linder6580/stock.xchng)

WordPress has become the world’s most popular blogging system since its first released in 2003. It is now powering over 60 million websites worldwide.

No surprise that WordPress becomes hackers’ attack target. Reported by TheNextWeb, there’s serious brute force attack against WordPress sites across the Internet.

The requests, which are targeted at administrative accounts, appear to be coming from a sophisticated botnet that may be comprised of as many as 100,000 computers, based on the number of unique IP addresses the attacks are coming from.

The brute force attack is targeting WordPress admin panel and try to login using “admin” as username and trying thousands of passwords using unique IP addresses.

Simple WordPress login limit plugins won’t work because those plugins are blocking multiple login attempts from the same IP address. They won’t work for attacks 90,000 unique IP addresses (each IP attempts to login one time).

Fortunately, you can easily protect your WordPress blog against 99% future brute force attacks by applying following security recommendations:

1. Use a strong password

Your WordPress password (in fact, your any password) should be a strong password that’s long, including numbers and symbol. Don’t need to scratch your head to think one, there are many online password generators can help you.

2. Do not use default admin username

Old WordPress installation default to first username as “admin” and you cannot change it from Admin Panel. Recent WordPress versions force you to create a unique username.

If your WordPress username is “admin”, it is time to change that. You can either modify WordPress database entry (not recommended), create a new admin user, or install a WordPress plugin to change the username to anything you like.

While you cannot change WordPress account’s username, but you can create another user account.

We can create a new WordPress admin user, delete the old admin user (username “admin”), then assign all posts by ‘old admin user’ to the ‘new admin user’.

  1. Login WordPress admin panel.
  2. Goto Users > Add New
  3. Fill in the form and choose “Administrator” in the “Role” drop down menu. (Remember to use strong password)
  4. Click on “Add New User” button to add a new administrator account.
  5. Log out WordPress admin panel.
  6. Log in WordPress admin panel using the newly created administrator account.
  7. Goto Users > All Users
  8. Hover the old admin user (username “admin”) and click on the “Delete” link.
  9. On the “Delete Users” page, you will asked to what should be done with posts owned by the “admin” user. Select “Attribute all posts to:” and select your new Admin user.
  10. Click “Confirm Deletion” to delete old “admin” user and assign all posts to new Admin.

If the above 10 steps instructions look too complicated for you, you can install a WordPress plugin like “Admin username changer” to rename administrator username.

3. Update WordPress

Every new WordPress version fixes many bugs and exploit holes and new features to protect your WordPress against attackers. You should always keep your WordPress installation up to date. WordPress Automatic Update feature simplifies the process into a 2 minutes work.

4. Use CloudFlare

CloudFlare is a CDN & security & website optimizer service. It has effectively blocked 60 million brute force attacks against its WordPress customers in a single hour. Sign up free plan to protect your website now.


Things like using a strong password, do not use default username, keeping software up to date are basic and effective methods to protect against attackers.

Perhaps they are too basic that people are often not aware about them. Hopefully this article helps you to secure your WordPress site.

How do you protect your WordPress site? Please share with us in the comment below.

Share this:

Similar Posts