Breaking: Aggressive WordPress Brute Force Attack Started


A massive distributed brute force attack campaign targeting WordPress sites started this morning at 3am Universal Time, 7pm Pacific Time. The attack is broad in that it uses a large number of attacking IPs, and is also deep in that each IP is generating a huge number of attacks. This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour.

The campaign has continued to ramp up in volume over the past hour as we publish this post. The graph of attack volumes below shows the number of attacks per hour and the number of attacking IPs that we see each hour.

This all happened unattended early Tuesday morning. We continue to monitor the attack and are analyzing its origin and who is behind it.

What we know at this time:

1. The attack has so far peaked at 14.1 million attacks per hour.

2. The total number of IPs involved at this time is over 10,000.

3. We are seeing up to 190,000 WordPress sites targeted per hour.

4. This is the most aggressive attack we have ever seen by hourly attack volume.
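The two measures reported above, attempts per hour and attacking IPs per hour, can be computed for a single site from its web server access log. The following is an added example, not code from the original post; it assumes Combined Log Format, the default `/wp-login.php` and `/xmlrpc.php` paths, and a hypothetical per-IP threshold, and its sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Combined Log Format prefix: ip ident user [time] "METHOD path PROTO" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3}')
# Default WordPress authentication endpoints (assumes the login URL was not renamed).
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse_attempt(line):
    """Return (utc_hour, ip) for a POST to a login endpoint, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None  # GETs only load the form; credentials arrive by POST
    if not m["path"].split("?", 1)[0].endswith(AUTH_PATHS):
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None  # malformed timestamp: skip the line
    # Bucket in UTC so logs from servers in different time zones line up.
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%d %H:00 UTC"), m["ip"]

def summarize(lines, per_ip_threshold=3):
    """Per UTC hour: attempts, distinct source IPs, IPs at or over threshold."""
    per_hour = defaultdict(Counter)
    for line in lines:
        hit = parse_attempt(line)
        if hit:
            per_hour[hit[0]][hit[1]] += 1
    return {hour: {"attempts": sum(ips.values()),
                   "distinct_ips": len(ips),
                   "noisy_ips": sorted(ip for ip, n in ips.items()
                                       if n >= per_ip_threshold)}
            for hour, ips in sorted(per_hour.items())}

# Constructed sample lines (documentation IP ranges), not from a real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:03:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3312',
    '192.0.2.10 - - [01/Jan/2024:03:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3312',
    '192.0.2.10 - - [01/Jan/2024:03:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403',
    '198.51.100.7 - - [01/Jan/2024:03:15:40 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3312',
    '203.0.113.5 - - [01/Jan/2024:03:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2900',
    '198.51.100.7 - - [31/Dec/2023:20:05:00 -0800] "POST /xmlrpc.php HTTP/1.1" 200 403',
    'truncated or non-HTTP line',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A sustained rise in `attempts` together with a growing `distinct_ips` count is the broad and deep pattern described in this post; a per-IP threshold alone misses a campaign spread thinly across many addresses.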

A possible explanation for this new massive increase in brute force attacks

On December 5th, a massive database of hacked credentials emerged. It contains over 1.4 billion username/password pairs. Approximately 14% of the database contains credentials that have not been seen before. The database is also searchable and easy to use.

Historically, brute force attacks targeting WordPress have not been very successful. This new database provides fresh credentials that, when matched with a WordPress username, may provide a higher success rate for attackers targeting sites that do not have any protection.

Protect yourself:

We strongly recommend installing and activating the following WordPress plugins:

1. Rename WP login plugin, to rename the login URL of your website dashboard.

2. Disable XML-RPC protocol plugin

3. Wordfence plugin

4. Optionally, you can also install and activate the JSON API plugin.

Changing your default WordPress username (admin) and password is, of course, highly recommended.

Vs

WordPress grows with every passing day. With over 50,000 websites added daily, people increasingly rely on WordPress for their content management needs.

Simple and easy to use, with all the essential features, WordPress is widely used to create blogs and websites in virtually no time. Available in the form of and, you can pick either of them as per your need and convenience.

With, you get to enjoy all the useful features. Adding new and customized themes, integrating plugins to add more functionality and monetization of the blog are some of the notable features that you get by default.

The initial setup of the blog requires you to find a hosting provider, register a domain and carry out periodic maintenance, but that is worthwhile for the excellent features you get in return. is more suited to individuals and entities that have little time on their hands and want someone to manage things for them. With, you get that comfort.

Adding custom themes and add-ons is, however, restricted. Using your blog for monetization is also limited unless you upgrade for added features. Files and access to data are also in their hands, but maintenance is not a worry.

All in all, they have their own advantages and limitations.

Spending a few minutes on this wonderful infographic would certainly make it easier to understand and decide –

