Brute force attacks against WordPress sites

We talk a lot about the importance of using strong passwords, but sometimes it is hard to see how important it really is, or what can happen if we do not use one. Most people only realize this after they have been compromised for the first time.

Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default “admin” user name and chooses a simple password, and never changes it.

Why is it bad that the password is easy and never changed?

There is a technique known as a brute-force attack. As the name implies, access is gained to your environment through brute force. Often conducted by bots, these attacks run through a compiled list of common passwords and their permutations (e.g., password, Pa$$w0rd, p@ssw0rd, and so on). Yes, the attackers know that you substitute ‘@’ for an ‘A’ and ‘$’ for an ‘S’. Using this method the attackers gain access to your wp-admin, which then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware roaming the interwebs.
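A defender-side check for the point above, as an added example that is not part of the original post: because the bots already enumerate the ‘@’-for-‘A’ and ‘$’-for-‘S’ substitutions, a password policy should undo them before comparing against a common-password list. The word list, the substitution table and the function names (`variants`, `is_weak`) are constructed here for illustration.

```python
import re
from typing import Tuple

# Constructed sample of the kind of common-password list the post says the bots
# run through; a real check would load a much larger leaked-password list.
COMMON_PASSWORDS = {"password", "admin", "123456", "qwerty", "letmein", "welcome"}

# The substitutions attackers already enumerate, mapped back to plain letters.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t"})

def variants(password: str):
    """Yield the plain-word forms a bot's permutation list would derive from:
    lower-cased, with leet substitutions undone, both with and without any
    trailing digits/punctuation such as '2013' or '!'."""
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    for form in (lowered, stripped):
        yield form.translate(LEET_MAP)

def is_weak(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Return (weak, reason). Weak if shorter than min_length or if any
    normalized form of the password is on the common-password list."""
    if len(password) < min_length:
        return True, "shorter than %d characters" % min_length
    for candidate in variants(password):
        if candidate in COMMON_PASSWORDS:
            return True, "variant of common password %r" % candidate
    return False, "ok"

if __name__ == "__main__":
    for pw in ("Pa$$w0rd", "P@ssw0rd2013!", "correct horse battery staple"):
        print(pw, "->", is_weak(pw, min_length=8))
```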

Because of the consistency and prevalence of these attacks, we decided to test it for ourselves. We created a couple different honey pots with the intent of identifying the types of passwords being used, and to better understand the anatomy of these attacks. It didn’t take long. Within a few days, we had captured so much data that we had to share it with you.

Here is what we found…

Anatomy of the attack

Just in the last few days we detected more than 30 IP addresses trying to guess the admin password on our test WordPress sites (wp-login.php). Each one of those tried between 30 and 300 password combinations each time. Sometimes they would mix that with a few spam comments as well. Example: – 32 attempts – 47 attempts – 211 attempts – 39 attempts – 105 attempts – 40 attempts

And many more IP addresses. We will be adding all of them to our IP blacklist and Global Malware view.

Another interesting aspect of the attack is that the requests were not sent in parallel; each request was delayed 2 seconds from the previous one. Our theory is that the attackers space the requests out to stay under the thresholds of tools that watch for rapid login attempts, in essence evading detection. This in turn gives them free rein, allowing them to try continuously until they win.
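One way to catch the paced pattern described above, as an added example that is not part of the original post: count POSTs to wp-login.php per source IP over a sliding window, and use a window long enough that a request every 2 seconds still trips the threshold. The log lines, IP addresses and function names (`parse_login_posts`, `flag_sources`, `constructed_log`) are constructed here for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Apache combined-log line for a POST to wp-login.php; other requests are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" (?P<status>\d{3}) ')

def parse_login_posts(lines):
    """Yield (ip, timestamp) for every POST to wp-login.php in the log lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def flag_sources(lines, window_seconds, max_attempts):
    """Return the IPs with more than max_attempts login POSTs inside any
    window_seconds span (sliding window over each IP's sorted timestamps)."""
    by_ip = defaultdict(list)
    for ip, ts in parse_login_posts(lines):
        by_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        j = 0
        for i in range(len(stamps)):
            # advance j to the first stamp that falls outside the window at i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i > max_attempts:
                flagged.add(ip)
                break
    return flagged

def constructed_log(attacker="203.0.113.5", count=40, spacing=2):
    """Constructed sample: one POST every `spacing` seconds from the attacker,
    plus a single legitimate login and one unrelated GET from another IP."""
    start = datetime.strptime("10/Dec/2012:10:00:00 +0000", TS_FMT)
    fmt = '%s - - [%s] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"'
    lines = [fmt % (attacker, (start + timedelta(seconds=spacing * n)).strftime(TS_FMT))
             for n in range(count)]
    lines.append(fmt % ("198.51.100.7", start.strftime(TS_FMT)))
    lines.append('198.51.100.7 - - [10/Dec/2012:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "-"')
    return lines

if __name__ == "__main__":
    log = constructed_log()
    print("5 s window, >3 attempts:", flag_sources(log, 5, 3))       # paced attack slips through
    print("10 min window, >20 attempts:", flag_sources(log, 600, 20))  # attacker flagged
```

The short window sees at most three requests from the paced source and flags nothing, while the ten-minute window flags it; the same counting logic applied at the web server or in a fail2ban-style tool is what turns the logged IPs into a block list.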

Passwords attempted

On all the requests we logged, they only tried to guess the password for the user “admin”. Of the attacks we analyzed, these were the top ranking passwords in each attack:


Every time, without fail, they tried these. Yes, we’re not making this up, these attacks each had this list of passwords in common. In addition to these, we saw a couple others such as the ones below:


And many more.

The Take-Away

You might find yourself laughing, or rolling your eyes, every time you hear a presentation about the importance of using strong passwords or updating your passwords. This is why: no matter how often it is talked about, weak passwords are still very prevalent, and the attackers know it. That is why they are looking for them.

Here are things to consider:

  • Get rid of the default ‘admin’ user.
  • Use a password generator if possible.
  • Check with all the site contributors who have access to your admin panel and ensure they are using password generators.
  • Look at the permissions for each user; not everyone needs to be an admin.

Thought of the day: Web security begins with you!

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development. You can find more about Daniel on his site or on Twitter: @danielcid

  • InfoSec

    What about your honey WP install made it so desirable/appealing to brute force hackers?

  • Pothi Kalimuthu

    Along with your list of things to consider, I’d recommend a plugin that locks down forced login attempts such as Login Lockdown.

  • Pingback: A Closer Look At Brute Force Attacks Against WP Sites()

  • Randy

    I manage around 70 WP websites and I have found 4 this year that were hacked. Every single one that was hacked was due to a poor password. I always tell people, if you can remember it, it probably isn’t strong enough! The first thing this hacker did in each case was install 2 plugins. These plugins modified all the index.php files and from that point…well, you can imagine.

    I am in the process of creating a WP plugin that notifies me whenever a new plugin is activated. I am hoping that will at least let me know before the site gets indexed as a malware site.

  • Pingback: Defying Brute Force Attacks on WordPress Logins « Lorelle on WordPress()

  • Josh

    My site was hacked 3 days ago.. Still trying to fix it.. even my WP Admin area is hacked.. Can’t uninstall plugins or anything… Anyone able to help me with this? I’ve checked through the index.php and a few other places and can’t find anything.. My site gets redirected to a Drugstore!!

    • Mike

      Can you restore the database from a backup using PHP admin? or ask your hosting service to do so from one of their site backups.

      • Josh

        Being new to building a site.. I do not have a backup.. Now I know to do so. I use SiteGround and they have been working on it since yesterday. I looked and the problem is in my .htaccess file. They fixed it and my site was good for 2 minutes then back to being redirected.. Also in my WordPress Admin panel, I cannot even hit some links like “plugins” because it will redirect from there. I am hoping for the best…Everything is updated. I’ve changed all passwords for everything as well..

  • Dennis

    We are being hit with a brute force attack as we speak. Very annoying!!

  • James

    How are you logging the IP addresses for failed logins? And once you have a black list of IPs – how would you restrict them to the login page?
    Noob questions!

  • Pingback: DVWA Vulnerability: Brute Force()

  • Caitlin Roberts

    I have found User Locker WordPress plugin very useful to stop brute force attacks, five wrong attempts and the user is disabled, I think that it should be added to the list:

  • Wanikadai

    Hi, good job, this was interesting and helpful for us. Thanks for giving such useful information.

  • Pingback: Så attackerar hackaren din WordPress-blogg | Binero blogg()

  • James

    Very interesting, I’ve recently had three brute force attacks from the same IP according to the logs.

    How did you discover what passwords were being used during each attempt? 

  • Pingback: WordPress Security Tip: Do This Now! – Part 2 | I'm Not Marvin()

  • OfficeSupplyGeek

    I think dual authentication is the best solution. This plugin essentially adds a second password to your WP login screen, and then the corresponding app for your phone generates a random number as the additional password. Whenever you log back in you need to get the new # from your phone.

  • Pingback: Change your admin user in Wordpress - One Day Website()

  • Pingback: Working On Your Website – Delete That Admin Account! » Vita Images()

  • wiki

    Today, my WordPress web is also affected by this attack. It also damaged the database; now I can’t do any posting on WordPress. Anyone have an idea how I can recover my database?

  • landgraaf

    Because I live in Holland I can use this trick:

    <?php
    // Sanitized copy of the visitor address (not used further below)
    $io = strip_tags(addslashes(htmlspecialchars($_SERVER["REMOTE_ADDR"])));
    // Reverse-resolve the visitor and keep only the top-level domain of the hostname
    $host = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $land = substr(strrchr($host, "."), 1);
    // Stop the script for any visitor whose hostname is not under .nl
    if ($land != "nl") { exit; }

    and the last one I put in .htaccess 😉

    deny from

  • Pingback: Dissecting a WordPress Brute Force Attack | Sucuri Blog()
