WordPress Global Brute Force Wp-Admin

This morning when open my e-mail, I got important news from my hosting provider that nowadays there’s WordPress Global Brute Force Wp-Admin. I try to googling it for a while and I found that this attack is started from (around April 6, 2013).

Here’s the report about WordPress Global Brute Force Wp-Admin from Hostgator:

As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.

At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*).

You have now changed your WordPress password, correct? Good.

Word Press


The main force of this attack began last week, then slightly died off, before picking back up again yesterday morning. No one knows when it will end. The symptoms of this attack are a very slow back-end on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods.

We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done. The servers most likely to experience service interruptions will be VPS and Dedicated servers hosting high numbers of WordPress installations, due to the incredibly high load this attack has been seen to cause.

If you are hosted on a VPS or Dedicated server and you would like for us to take a more severe, heavy-handed approach to mitigate this attack, we can do this via means such as password-protecting (via .htaccess) all wp-login.php files on the server. If you would like our assistance with this, please contact us via normal support channels.

Again, this is a global issue affecting all web hosts. Any further information we could provide at this moment would be purely speculation. Our hope is that this attack ends soon, but it is a reminder that we must all take account security very seriously.

We will update this blog post when we have further information.

I think maybe this is the reason if last week (and nowadays) you cannot log in to your wordpress.

There are several ways to mitigate this WordPress Global Brute Force Wp-Admin, such as this tutorial that already made by hostgator team.

If you haven’t applied the security enhancement for your wordpress website/blog, it’s better to start it right now because the wordpress team also haven’t release the update because of this case 🙂

Here is simple step by step from me to protect your wordpress from WordPress Global Brute Force Admin:

1. If your password wasn’t long and complex enough, it’s good if you change it for more complex combination. Adding some special characters such as @#*$&%^! is a good idea.

2. Remove the “Drop” privileges on your MySQL user.

3. Install wordpress plugin to tighten your WP engine, such as WP security scan, WP firewall 2, TimThumb vulnerability scanner, Exploit Scanner, SI Captcha.

Another method to mitigate WordPress Global Brute Force Wp-Admin you can use Htaccess Password protect:

1. Generate the password file here: http://www.htaccesstools.com/htpasswd-generator/ and save in your wordpress folder as .wpadmin.

2. Insert this code in your .htaccess file.

ErrorDocument 401 “Unauthorized Access”
ErrorDocument 403 “Forbidden”
<FilesMatch “wp-login.php”>
AuthName “Authorized Only”
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user

change /home/username/.wpadmin to your folder structure.

hope it useful


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s