I received an email from WordFence this morning. You might have received it as well if you have installed the WordFence plugin on your WordPress website.

“As of 11am eastern time this morning we are monitoring the largest distributed brute force attack on WordPress installations that we’ve seen to date.”   click here to read more

It is in the best interest of your website and business to monitor your website over the next couple of days and to use best security practices.

In the article below, I have listed 5 ways on how to prevent a brute force attack on your WordPress site:


When a new version of WordPress is available, you will receive a notification from your hosting company and you will see a notification in the WordPress dashboard/admin area. To update, log in to your WordPress dashboard and click the “Please Update Now” hyperlink listed at top of the browser. See screen shot below.

PHYLLIS garland marketing services

For security purposes, always make sure your website is up to date with the latest version of WordPress

Make sure you have a back up of your website. When you are ready, click the blue button “UPDATE NOW” to proceed with the upgrade.


The plugin for Duo Two-Factor Authentication is now available and the developers offer a FREE personal edition for up to 10 users. I just discovered and installed this plugin which enables a two-factor authentication for you before logging into your WP dashboard. You can read more about it at WordPress.org or at the developer’s website: https://www.duosecurity.com/editions


Have you installed the “captcha” plugin yet? For extra added security install the CAPTCHA plugin. CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.” You can read more about it at the following link: http://wordpress.org/extend/plugins/captcha

Unfortunately, Bots have become so sophisticated that they are able to get through the CAPTCHA so make sure you have a SUPER STRONG PASSWORD!!!


Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this.   Make sure your password is at least 12-20 characters long using a combination of lower and upper letters, number and symbols.   This is a sample of what I use for a password:   WPmdn!B0B0$$    It may mean nothing to you but it is actually an acronym for me which makes it easy to remember:  My Dog’s Name Is B0b0 (the 0’s are zeros).  I attach  WP (for WordPress or FB for Facebook or T for Twitter, etc. ) to the front of the password and usually add $$  to the end of it. This password will take 344 thousand years to crack according to How Secure is Your Password.


If you are still using “admin” as your username, change it now!  To Change your “ADMIN” username, log onto: http://wordpress.org/extend/plugins/admin-username-changer/


  • Wordfence is the Leading Cyber Security solution for WordPress. They  provide a Complete Anti-Virus and Firewall Package for your WordPress Website including Two Factor Authentication, a Firewall incorporating Machine Learning and Tools to help Recover from a Hack. Wordfence Security is available for free. Simply sign into your WordPress website, Go to Plugins > Add New > And search for ‘wordfence‘ without quotes. http://www.wordfence.com
  • Sucuri monitors malware, blacklisting, DNS, WHOIS, SSL Certification, and site changes. If one of the monitors is triggered you will be notified by three distinct communication methods: direct message via Twitter, email or RSS feed. When you are alerted to an issue you submit a removal ticket. This process continues until all infections are removed. There is a small annual fee but having a peace of mind is worth every penny.  http://sucuri.net.
  • The Acunetix WordPress Security plugin is the ultimate must-have tool when it comes to WordPress security. The plugin is free and monitors your website for WordPress security weaknesses that hackers might exploit and tells you how to easily fix them. You can see all your security alerts from your WordPress dashboard.  http://wordpress.org/extend/plugins/wp-security-scan

Here is a list of plugins I strongly encourage you to install to keep your WordPress website/blog free of Malware, Viruses and Hackers.

SPAM is a four-letter word!  Security for your blog posts.

  • Akismet: Possibly the best way in the world to protect you from web spam. Akismet filters out your comment and track-back  spam for you, so you can focus on more important things.  http://akismet.com/

Backup your site.  Test your backups.

Backup your website, FREQUENTLY!

  • BackUp Buddy – Back up your entire WordPress installation. Widgets, themes, plugins, files and SQL database – the entire package! Just like your laptop or desktop computer, you should be doing regular backups of your website. With BackupBuddy you can schedule backups and have them sent off-site to Dropbox, Amazon S3, Rackspace Cloud, an FTP server, or your email. Or download them right to your desktop. This plugin/software is $80 but it is worth every penny!  http://ithemes.com/purchase/backupbuddy.

Additional reading on ways to harden your WordPress website

Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken. This article will go through some common forms of vulnerabilities, and the things you can do to help keep your WordPress installation secure.  http://codex.wordpress.org/Hardening_WordPress

{No warranties on any of these plugins.}

Here is the email I received from WordFence…..PLEASE READ

UPDATE on Feb 10th at 11am EST: As of 11am eastern time this morning we are monitoring the largest distributed brute force attack on WordPress installations that we’ve seen to date. The real-time attack map on www.wordfence.com became so busy that we’ve had to throttle the amount of traffic we show down to 4% of actual traffic.
A brute force attack is when an attacker tries many times to guess your username password combination by repeatedly sending login attempts. A distributed brute force attack is when an attacker uses a large number of machines spread around the internet to do this in order to circumvent any blocking mechanisms you have in place.

If you’re using the free or paid version of Wordfence you should have the option to “Participate in the real-time Wordfence security network” under ‘Other options’ enabled. This will immediately block any attack originating from an IP address that has attacked other WordPress sites using Wordfence. This is an effective defense against this kind of attack.

We recommend that until this passes you monitor your WordPress websites closely for unusual activity including logins, account creation or changes to the public facing website.

If you found this alert helpful, please give us a 5 star rating on WordPress.org on the right of the page.
Mark Maunder
Wordfence Creator & Feedjit Inc. CEO.

PS: If you aren’t already a member you can subscribe to our WordPress Security and Product Updates mailing list here. You’re welcome to republish this email in part or in full provided you mention that the source is www.wordfence.com. If you would like to get Wordfence for your WordPress website, simply go to your “Plugin” menu, click “add new” and search for “wordfence”.

Are there any plugins or suggestions you would like to add to the list? Please leave a comment below. Thank you!

If you enjoyed this article, please subscribe to my feed and share it on your favorite social/bookmarking site. Thanks!
Subscribe in a reader

Follow me on Twitter! Follow Phyllis Garland on Twitter