Starting today, 18th of December, 2017, at 3am UTC, there was an unprecedented attack on WordPress based websites. Most of these hacks consisted of mass connection of IP’s mostly originating from Russia and China, flooding WordPress websites throughout the world. The IP’s attempted to access the admin panel and login via bruteforce attack methods. A WordPress defense plugin called this the biggest attack they’ve ever seen since.

 Breaking: Massive Bruteforce/DDoS Attack on WordPress Websites

At 7pm Pacific time, Wordfence reported that there were 14 million attacks per hour on WordPress based websites. This attack is mostly likely attributed to a recent database leak , where over a billion plaintext usernames and passwords were being transferred, sold, bought and shared on underground forums and communities. Hackers, armed with plaintext username and passwords likely created an enormous botnet with the intention of testing these usernames/passwords against WordPress admin logins.

Nearly 200,000 WordPress Websites Are Being Targeted Per Hour

If you are the administrator of a WordPress website, chances are you’ve seen a gigantic increase in IP’s to your website since the 18th of December, 2017, at 3am UTC. Our team at CustomDesignPartners have been combing through our hosted WordPress websites and our IT team has noticed 3 behaviors of the attackers:

  1. 90% of all IP’s are sourced from the Russian Federation.
  2. The bots are crawling through most pages of the website, likely in an attempt to find the admin panel.
  3. Some of the smaller, shared hosted websites have suffered from an indirect DDoS (distributed denial of service) due to the amount of IP’s accessing the site at once.

Protecting Against WordPress Bruteforce

There are plenty of ways to protect yourself against bruteforce and other methods of attacks if you’re using WordPress:

  • Firstly, make sure you have a security plugin installed. We highly recommend WordFence.
  • Plugins like WordFence and others allow you to change the admin login URL. Usually, by default, it’s /admin-login/. By changing this to something unique, bots are less likely to find the admin login subfolder.
  • Make sure your site is SSL secured (HTTPS), which adds an extra layer of encryption and protection.
  • Finally, make daily backups of your WordPress site. YES, some people still don’t do this!

If you think you’ve been hacked, or, need assistance setting up software on WordPress (or any other CMS) to protect your website, contact us. If you have any news you’d like to share regarding this current enormous attack, please let us know.


Marketing Director

Custom Design Partners