WordPress Sites Exploited Through Brute Force: 3 Simple Ways to Protect Yourself from the Attack

During the past week we noticed an abnormal increase of brute force attacks targeting WordPress applications.

The attacks use automated scripts that attempt to login to WordPress default admin page using common usernames and passwords.

The brute force attacks originate from a large number of sources consisting of both legitimate web servers and private home computers. Several reports have been published which have positively identified almost 90,000 attacking sources.

Once a username and password is successfully guessed by the attacking script, it uses the gained admin credentials to upload a malicious script to the compromised server.

While many of the brute force attempts were unsuccessful in guessing the admin credentials, the high volume of the attacks has caused excessive resource utilization to the servers hosting the WordPress applications, resulting in unresponsiveness to legitimate users for the duration of the attack.

Mitigation Recommendation

In order to mitigate the attack, WordPress servers are encouraged to use the following preventive measures:

Our ERT team confirmed 2 additional protection methods that may effectively mitigate the attacks. Since the attacks use common wordlists to perform the brute force, one method is to use JavaScript Web Challenges. This method has been proven to be successful in dropping the automated brute force tools while allowing legitimate JavaScript compliant clients to access the site. (Note that it is important to verify that legitimate clients support JavaScript in order to prevent false positives).

The second is to use an abnormal applicative behavior detection appliance that secures Web applications. This can block these brute force attacks by detecting multiple unsuccessful login attempts to the WordPress login page originating from the same source in a short time period. The malicious sources can then be suspended or blocked for configurable timeframes.

Additionally, in scenarios where shared IP`s are used (i.e proxy servers), a Throttling policy can also be applied in order to allow legitimate users to access the login page while effectively blocking malicious requests originating from that same IP address.

Yaniv Balmas

Yaniv Balmas is a Security Researcher at Radware with over 8 years of experience in the cyber security field. In his current role, Mr. Balmas is responsible for analyzing cyber-attack tools and techniques, as well as searching for more effective methods to help protect against them.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center