WordPress wp-login.php brute force attack.

Recently we have discovered that a widespread brute force attack has been taking place against WordPress sites.

The brute force attack is being executed through a large botnet which is composed of thousands of unique IP addresses all across the world. The attackers are attempting to guess the WordPress administrator panel username and password with their botnet again and again to try and gain access to the site.

The attack is not just isolated to HostMetro, this attack is happening on a global scale across multiple hosting providers.

We HIGHLY recommend updating your WordPress administrator password to something very secure.

Minimum password recommendations:
- At least 8 characters total
- Mixture of upper and lower-case letters
- Numbers and special characters, such as punctuation or other non-alphanumeric characters

Example of a weak password: password123
An improved strong password: Aath3iafoh@m

What we are doing:

When this issue first arrived we put in place security rules on all of our servers which would check failed login attempts to WordPress wp-login.php page. If there are more than 5 failed login attempts within 3 minutes, then any further login attempts will be blocked. This worked fine until the attack became much larger, due to the massive scale of the attack we were force to globally deny access to wp-login.php on our servers.

Regain access to your WordPress administrator panel:

If you are no longer able to login to your WordPress site due being blocked by our security rules, you can use your site's .htaccess file to only allow requests from your computer's local IP address.

If you have either a dynamic IP address, or you access WordPress from multiple devices, each IP address that you access WordPress with would also need to be allowed in your .htaccess file.

In order to find out your local computer's IP address, you can simply visit the following URL: http://www.whatismyip.com

After you have your local IP address, you can follow these steps in order to lock down your WordPress site to only permit logins from your IP address:

1. Login to cPanel.
2. Under the Files section, click on the File Manager icon.
3. From the Document Root for: drop-down, select your WordPress site.
4. Make sure that Show Hidden Files is checked.
5. Click Go.
6. Right-click on your .htaccess file, then click on Edit.
7. You may have a dialog pop-up from the text editor, go ahead and click Edit.
8. Now you can just paste in the following code, being sure to replace the x.x.x.x IP address with your own:


<Files ~ "^wp-login.php">
Order deny,allow
Deny from all

Allow from x.x.x.x
</Files>


9. You should be able to access your WordPress admin panel immediately.


If you have any questions or need assistance with this you will want to submit a ticket
to our Support department.
  • 66 Users Found This Useful
Was this answer helpful?