In October 2012, an attack occurred on WordPress that compromised some 50,000 sites. Similarly, a major distributed brute-force attack on WordPress-based sites by a large botnet was noticed recently. The botnet is said to have attempted to get into the WordPress admin dashboard by targeting users with the username “Admin”, using more than 90,000 IP addresses.
This time the attack on WordPress is widespread and so potent that it has affected most WordPress web hosting providers in the world. The attack took place a week after WordPress founder Matt Mullenweg introduced the “Two Step Authentication” login option to improve WordPress security.
According to the stats on the WordPress site, there are currently 64 million websites running on WordPress. BBC.co.uk also reported in one of its news items that around 17% of websites in the world are powered by WordPress, according to the W3Techs survey website.
Recommendations by WordPress
Matt Mullenweg, founder of WordPress, recommends on his personal blog: “If you still use ‘admin’ as a username on your blog, change it, use a strong encryption password, if you’re on WordPress.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress”.
According to him, IP limiting or using the Limit Login Attempts plugin is not going to stop the attacks: with around 90,000 IPs at their disposal, the attackers could try from a different IP address every second.
Another option is to use .htaccess to allow access to wp-login.php only from the IP addresses that your contributors and fellow employees use to work on your WordPress sites.
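The two points above, per-IP limiting failing against a distributed botnet and an .htaccess allowlist on wp-login.php stopping it, as an added illustration that is not part of the original post. The login attempts, IP ranges and thresholds are constructed for the example.

```python
# Added illustration (not from the original post): why per-IP login limits miss
# a distributed brute force, and what per-account counting and an IP allowlist
# (the .htaccess approach) do instead. All attempt data below is constructed.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: 200 distinct bot IPs, one failed login each for "admin",
# one second apart, plus two attempts by a legitimate editor from an office IP.
BOT_ATTEMPTS = [
    {"ts": i, "ip": f"203.0.113.{i}", "user": "admin", "ok": False}
    for i in range(200)
]
LEGIT_ATTEMPTS = [
    {"ts": 50, "ip": "192.0.2.10", "user": "editor", "ok": False},
    {"ts": 51, "ip": "192.0.2.10", "user": "editor", "ok": True},
]
ATTEMPTS = sorted(BOT_ATTEMPTS + LEGIT_ATTEMPTS, key=lambda a: a["ts"])

def per_ip_blocked(attempts, max_failures=5):
    """IPs a Limit-Login-Attempts-style rule would block: those with more than
    max_failures failed logins. A botnet that spreads one attempt per IP never
    crosses the threshold, so nothing is blocked."""
    failures = Counter(a["ip"] for a in attempts if not a["ok"])
    return {ip for ip, n in failures.items() if n > max_failures}

def per_account_failures(attempts, window=60):
    """Worst-case number of failed logins per username inside any sliding
    window of `window` seconds. Counting per target account instead of per
    source IP makes the distributed attack visible."""
    by_user = {}
    for a in attempts:
        if not a["ok"]:
            by_user.setdefault(a["user"], []).append(a["ts"])
    worst = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # drop stamps outside window
                start += 1
            worst[user] = max(worst.get(user, 0), end - start + 1)
    return worst

def rejected_by_allowlist(attempts, allowed_networks):
    """Attempts an .htaccess allowlist on wp-login.php would refuse: every
    request whose source is not inside one of the allowed networks."""
    nets = [ip_network(n) for n in allowed_networks]
    return [a for a in attempts
            if not any(ip_address(a["ip"]) in net for net in nets)]
```

With the constructed data the per-IP rule blocks nothing, the per-account count shows 60 failures against "admin" in one minute, and an allowlist of the office range refuses all 200 bot requests while letting the editor through.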