Ongoing Wide-Scale Attack on WordPress

As some of you may already be aware, there is an ongoing wide-scale attack on WordPress sites.

This is not an isolated event, and has been happening for quite a while, peaking just a little under a week ago.

*This is affecting everyone*, but it is not a cause for alarm. With just a few simple precautions, you can protect yourself and your clients.

To put things in the proper perspective, we first want to inform you about the nature of the attacks. Potential hackers are
employing “Brute Force” methods to access your WordPress account.
Once they have gained access to your account, they can then use various hacks to take over or destroy your site.

What is a “Brute Force” attack? Very simply, it is a way of
guessing valid passwords. It is not a very sophisticated
attack, and it is not targeting anyone in particular. What makes it
dangerous is that the attackers appear to be employing massive
botnets, casting a very wide net, so to speak, and making no
distinction as to what kind of sites or businesses to target.
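
Because the guesses come from a botnet, each source may try only a handful of passwords, so a per-IP lockout alone can miss the attack. The sketch below is an added example, not part of the original post: it counts failed wp-login.php POSTs in access-log lines and flags that spread-out pattern. The function names, the thresholds and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Start of an Apache/Nginx "combined" access-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def failed_logins_by_ip(lines):
    """Count failed wp-login.php POSTs per client IP.

    Assumption: default WordPress behaviour, where a failed login re-renders
    the form (HTTP 200) and a successful one redirects (HTTP 302).
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            counts[m["ip"]] += 1
    return counts

def assess(counts, per_ip_limit=5, site_limit=20):
    """Return (noisy_ips, distributed) for one time window of log lines.

    noisy_ips: sources over per_ip_limit, which a per-IP lockout would catch.
    distributed: site-wide failures exceed site_limit although no single
    source is noisy, i.e. many bots each making only a few guesses.
    """
    noisy = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
    distributed = sum(counts.values()) > site_limit and not noisy
    return noisy, distributed

def make_line(ip, method, path, status):
    return f'{ip} - - [01/Jan/2000:00:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample window (documentation IP ranges, not real traffic):
# 15 sources with 2 failed logins each, plus one successful login and a page view.
SAMPLE = [make_line(f"203.0.113.{i}", "POST", "/wp-login.php", 200)
          for i in range(1, 16) for _ in range(2)]
SAMPLE.append(make_line("198.51.100.7", "POST", "/wp-login.php", 302))
SAMPLE.append(make_line("198.51.100.7", "GET", "/wp-admin/", 200))

if __name__ == "__main__":
    counts = failed_logins_by_ip(SAMPLE)
    noisy, distributed = assess(counts)
    print(f"{sum(counts.values())} failed logins from {len(counts)} IPs, "
          f"noisy={noisy}, distributed={distributed}")
```

Run it over one time window at a time (for example, the last hour of your access log) and tune both limits to your site's normal login traffic.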

In response to this, we strongly urge you to take the proper
precautions towards making sure that your WordPress site is not
affected. There are some very simple ways to protect yourself which
you can actually do yourself:

Change Your Password:

Brute Force attacks are very resource intensive and only have a
chance of succeeding if your passwords are not secure. Change your
password right after reading this article. Make sure that it is a
secure password; you can use this link to help you generate secure

Secure Your Username:

The username is half of the equation. Using a common username is
effectively giving malicious hackers that part of the
equation, making it that much easier for them. If you log in to
your WordPress dashboard and go to “Users” in the left-hand
navigation, you will be given a list of users.

If you see a user called admin (this is the default user),
change the username immediately. (Roughly 90% of all the successful
attempts are done through the ‘admin’ login.)

Remove any other user that you are not familiar with.

*You may also want to change the password of the email that is
associated with the login. If they share the same password and your
WordPress site is compromised, then your email will potentially be
compromised as well.

Make Sure Your WordPress Installation is Up-to-Date:

Please take note, however, that updating your WordPress core could
break your site layout. This has happened to me before, so if it's
a custom website based off a theme, you could run into issues if you
update the theme if it's not a child theme.

Install Security Plug-Ins:

Security plug-ins can go a very long way towards securing your
site. One good example is Wordfence, a free utility plug-in which
you can install on your WordPress site.


Have multiple backups available:

Many times even these steps will fail, because a skilled hacker
who wants to get into a website can do it.

Make sure to store full backups:

Store full backups of your website both on and off your server.
You can have your hosting provider do this, and you can have your
own automated solution with our software, WP Backup Plus.