Wordfence, a popular WordPress security company, posted this evening that at 7:00 PM Pacific time on Dec 17th, 2017, they noticed the largest and most aggressive brute force WordPress attack in the company's history, peaking at 14 million attacks per hour. They report:
The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off, which makes it clear that this is the highest volume attack that we have seen in Wordfence history, since 2012.
When I learned about the attack, I immediately contacted Flywheel, our web host of choice at Karvel Digital. I wasn't too worried, since Flywheel is pretty serious about security.
I contacted support at 6:20 PM on Monday evening and had a reply back 6 minutes later:
Thanks for contacting us! We are aware of the aggressive brute force attacks today and our security team is actively working with our infrastructure provider to monitor any malicious traffic. If any of your sites are attacked, we do have alerts in place.
Some good tips to prevent brute force attacks would be to install a captcha plugin for the wp-admin login page.
Let us know if you have any other questions!
When people ask me why I recommend they pay up for managed hosting, THIS is why. Freedom from worry, knowing that someone else is protecting my vital business assets, 24/7.
What to Do if Your Website is Unprotected
If your WordPress website is hosted on an unmanaged web host, especially a cheap shared one, here are some quick things you can do to protect your site:
- Install a security plugin like Wordfence or Sucuri ASAP. There are free versions of each that will serve you well for monitoring any malicious activity.
- If your site is not regularly backed up automatically, now would be a great time to make a backup, and set up automated backups going forward with something like Updraft Plus (also free).
- Add a Captcha plugin to limit login attempts for your website.
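To show what "limit login attempts" means in practice, here is an added example (not code from this post, from Flywheel, Wordfence, or any plugin named above): a minimal WordPress must-use plugin that locks out a source IP after repeated failed logins. The thresholds are made up, and the counter is keyed on REMOTE_ADDR, which is only correct when the site is not behind a proxy or CDN.

```php
<?php
/*
Plugin Name: Login Attempt Limiter (added example)
Description: Locks out a source IP after too many failed wp-login.php attempts.
*/

// Constructed thresholds: 5 failures within 15 minutes locks the IP out
// until the window expires. Tune these for your own traffic.
const LAL_MAX_ATTEMPTS   = 5;
const LAL_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

// Counter key per client address. Behind a proxy or CDN you would need the
// host's documented real-IP header instead; REMOTE_ADDR is assumed here.
function lal_transient_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_fail_' . md5($ip);
}

// Record every failed login against the source IP (fires on bad passwords
// and on attempts we refuse below, so a lockout keeps extending while the
// brute force continues).
add_action('wp_login_failed', function ($username) {
    $key   = lal_transient_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LAL_WINDOW_SECONDS);
});

// Refuse authentication once the threshold is reached. Priority 30 runs after
// WordPress's own username/password check (priority 20) so our error is not
// overwritten by a successful password match during a lockout.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lal_transient_key()) >= LAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(lal_transient_key());
});
```

Drop the file into wp-content/mu-plugins/ so it loads without activation; a security plugin's built-in limiter or a CAPTCHA, as the post recommends, is the simpler route for most sites.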
Once you've done some triage, consider upgrading your WordPress hosting, so you don't have to worry about this in the future.
And if you're not going to keep your site code and plugins up-to-date yourself, I highly recommend the fine folks at GoWP, who have taken care of all my sites for almost 3 years.
Good luck and stay safe out there.
Featured image by R. Crap Mariner on Flickr