WordPress wp-login Attacks

Please click here if you wish to skip the document updates section and jump to the start of the article.


News article first published: 23 May 2013 19:02

26 June 2013:
Server automated defences improved with a system that monitors access to wp-login.php and automatically blocks (and releases) IPs based on our own custom ruleset.

7 August 2013:
Blocking access to wp-login.php file across our general shared hosting service based on IP location. Only specific countries are allowed (the list was generated based on our client contact address information). IPs from countries being blocked will receive a 403 error from the web server when attempting to access wp-login.php.

8 August 2013:
Our UK shared hosting has supported the use of the wp-fail2ban plugin since the automated defence updates in June and now following a PHP upgrade to the shared hosting service in the US, this is now enabled across the board on our shared hosting platform (see item 6 in main article below).

18 October 2013:
This is still a live ongoing threat and we strongly recommend WordPress users read the information below and take steps to help protect their website.

What is happening?

Over the last several months we have noticed a significant volume of brute force attempts to break into WordPress sites by directly posting login data to the wp-login script. These attacks are coming from tens of thousands of IP addresses around the world.

Our response:

During our initial response we blocked a number of the most prevalent IPs in our firewalls. Blocking IPs in this way is not a cure though and will only help limit the volume of traffic we’re seeing by a fraction in reality.

Since our initial response we have also implemented several security system enhancements to specifically targeted at this attack as well as others we are seeing on a regular basis.

As always, we continue to monitor our server security, but there is only so much we can do at the network level.

The attackers are also known to change their methods in response to the measures people are using to try and block them.

You can read more about these attacks and why we’re unable to really stop them at a server level on the Sucuri.net blog here:


In addition to our response, there is a lot more WordPress site owners can do themselves to help secure their sites.

What you can do to help secure your site:

There are various steps you can take to help mitigate the chances of your WordPress site becoming a victim in these attempted hacks.

The first three are by far the most important and you should be doing these things anyway.

1) Remove the user named “admin”.

Simply create a new user (you’ll have to use an alternative email address, or change the email address on the admin user first) and give the new user full administrative rights.

Then, login with the new user and delete user “admin” and choose the option to assign all posts to the new user in the process.

2) Change your password to something extremely secure!

Passwords should be a random set of characters with a mixture of uppercase, lowercase, numbers and special characters and at least 10 characters in length.

Do NOT use dictionary words or substitute letters for numbers (e.g. 13tt3r instead of letter is not good – password crackers will spot these in seconds).

You can read about how to choose a secure password in our other recent article here:

3) Keep your WordPress install up to date at all times!

This (and your password choice) is absolutely critical.

WordPress developers act quickly to fix security vulnerabilities discovered in their code. For your part, you must ensure your WordPress installation and all themes and plugins are maintained with current release versions at all times.

If you would prefer to have someone do this for you, our friends over at Skye Websites have some pay monthly packages that cover backups, updates, security, monitoring and more:

4) Consider the possibility of protecting your wp-login script using .htaccess directives.

If you have a dedicated IP address on your broadband connection, it is possible to allow access to wp-login.php from only your own IP address and block everyone else.  This would obviously be a negative thing if you were wanting to login from multiple locations and/or over mobile connections, but if you always login from the same computer, this would be good option.

Example code:
<FilesMatch "wp-login.php">
Order Deny,Allow
Allow from a.b.c.d
Deny from all

Replace a.b.c.d with your IP address.

You could also protect wp-login.php by adding an additional layer of security via Apache httpd password protection. This way you would need to enter the httpd password before you can access the wp-login.php screen and login to WordPress.

Example code:
<FilesMatch "wp-login.php">
AuthType Basic
AuthUserFile /var/www/users/username/htpass/.htpasswd-wordpress
AuthName "Authorised Users Only"
Require valid-user

Either of these would prevent anyone except authorised users from ever seeing your wp-login.php file at all.

Disclaimer: If you do not understand the use of .htaccess, how to create a .htpasswd file or what these directives mean, please do not implement them without consulting your web developer as we cannot be responsible if you mess up your WordPress setup!

Some relevant Apache httpd documentation pages:

5) Delete all unnecessary plugins.

Slim your plugins right down to the absolute minimum you can live with. Less plugins will make your WordPress site run faster and presents a lower attack surface thereby reducing security risks.

In general, most sites really only need a few essential plugins to get the functionality they require. Some plugins might sound like a good idea, but if you rarely or never use their functionality in reality, then drop them.

Also consider how well you’ve checked out the authors of the plugins you are using. Do you know the developer of your security plugins (or any plugin for that matter) is trustworthy? It’s not inconceivable for a plugin to masquerade as a security enhancement or any other useful feature whilst actually housing a back door to your web site and hosting space.

6) wp-fail2ban plugin.

Our shared hosting web server systems are configured to support the use of the wp-fail2ban security plugin:

All you need to do is add this to your WordPress setup and enable it, the server will take care of everything else.

To install: Login to your WordPress system, click on Plugins -> Add New and type "wp-fail2ban" into the search box and select the "WP fail2ban" plugin by Charles Lecklider.

Using this plugin enables a more targeted blocking mechanism whereby a number of failed login attempts (over a much longer period of time than our more generic blocking for wp-login.php accesses) will cause a lockout for that IP. The information gathered from this plugin benefits all users on the same shared host, so the more people using this, the better the protection for everyone.

Some final thoughts:

There is only so much we can do as the hosting provider. Our systems are as secure as we know how to make them, whilst still providing the functionality our clients require.

The bulk of the security responsibility lies with you, the end user, in the passwords you choose, your house keeping, the frequency you check and run software updates to the code on your website and so on.

Additional article from Sucuri.net regarding WordPress’ true largest vulnerability; end users:

We hope you found this article useful.

If you require coding assistance with your website, please contact your web developer or our web development partner and WordPress expert Tim Davies at Skye Websites:

This entry was posted in News, Security News and tagged , , , . Bookmark the permalink.

Comments are closed.