WordPress wp-login.php Brute Force Attacks

The WordPress login form is located at: site.com/wp-login.php and brute force attacker will send login requests to this address to get login credentials.

In majority of cases brute-forcers try to guess the password for most popular users: admin, user, author, editor etc.

Brute-forcers use list of common passwords  to crack the username. For example:

  • letmein
  • password
  • p@$$w0rd
  • 12345
  • qwerty
  • qwerty12345
  • s3cur3p@ss

Your website will be hacked if the brute-forcer will guess the combination of username and password.

To protect your website you can:

  • Rename/delete commonly used usernames
  • Choose a strong password – for example try to avoid using common English words
  • Install a plugin to protect your website

By default these brute force attacks are invisible and do not leave any traces.
Once the attackers get the proper username and password pair – they can install malware on your website, add spam links etc.
And also each brute force request loads whole WordPress website and draining hosting resources.

I created the Silver-Bullet Pro plugin to block brute force attacks in a smart way. Plugin change the address of the login form and adds htaccess redirect for wp-login.php page for not loading WordPress on every brute force request.


Leave a Reply

Your email address will not be published. Required fields are marked *