Bruteforce attacks against popular software applications

Recently there have been many botnet attacks against the administrative sections of WordPress and Joomla sites. These are brute-force attacks -- the bots attempt to "guess" the administrative passwords. The goal is to use the account's resources for malicious purposes, such as sending spam and distributing malware. Besides the risk of having the site hacked, the attack also puts severe load on shared-hosting servers because of the huge number of requests coming from a vast number of different IP addresses.

To protect the sites of our customers and the stability of our servers, we have implemented a mechanism that triggers a security feature when there are too many unsuccessful login attempts against a WordPress or Joomla administrative interface. Any further login attempts are redirected to a static page.

If you see this page when you try to log into your site, the administrative interface of your software is probably being brute-forced -- there have been more than 20 unsuccessful login attempts in the last 15 minutes.

You have the following two options:

  • Allow some time to pass. Your login page will return to a normal state within 10 minutes after the login attempts stop.

  • Protect your administrative interface with an additional Apache password protection. The bots will not be able to reach it at all, and thus will not be able to make login attempts against it directly.

If you want to go for the second option, you need to do the following, depending on the software you are using:

Joomla: You can protect the /administrator folder of your installation with an additional password. This password protection can be set up in the Protection -> Web Access Protection section of your webhosting Control Panel.

WordPress: It is the wp-login.php file that needs to be password-protected. To do that, you need to follow these steps:

1) Go to the Protection -> Web Access Protection section of your webhosting Control Panel.

2) Locate the folder of your WordPress installation. The interface should list the subfolders (wp-admin, wp-content, etc.) as well as the wp-login.php file.

3) Use the Plain or Digest buttons next to the wp-login.php file, and add a user for it.

This password-protects only the wp-login.php file. Allow 10-15 minutes to pass, and then you can attempt to log in to your WordPress administration. First you will have to supply the username and password that you set in the Protection section of your hosting Control Panel. Then you will see your WordPress login screen.
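To make the trigger described above concrete (more than 20 unsuccessful attempts within 15 minutes, counted per site rather than per source address, because a botnet spreads its attempts over many IPs), here is an added Python example that runs that sliding-window check over constructed Apache access-log lines. It is not the hosting provider's code; it assumes the common heuristic that a POST to wp-login.php answered with HTTP 200 is a failed login (the form was re-rendered) while a successful login answers 302.

```python
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def failed_logins(lines):
    """Yield (ip, timestamp) for every request that looks like a failed WordPress login."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        path = m['path'].split('?')[0]
        # Assumption: a POST to wp-login.php answered with 200 re-rendered the form
        # (bad credentials); a successful login answers 302 to wp-admin instead.
        if m['method'] == 'POST' and path.endswith('/wp-login.php') and int(m['status']) == 200:
            yield m['ip'], ts

def first_trigger(lines, threshold=20, window=timedelta(minutes=15)):
    """Sliding window over failures for one site, regardless of source IP.
    Returns (timestamp, number of distinct source IPs) of the attempt that
    exceeds the threshold, or None if the site never crosses it."""
    recent = deque()  # (timestamp, ip) of failures inside the current window
    for ip, ts in failed_logins(lines):
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) > threshold:
            return ts, len({i for _, i in recent})
    return None

# --- constructed sample data (not from the article) -------------------------
def make_line(ip, ts, status):
    stamp = ts.strftime('%d/%b/%Y:%H:%M:%S +0000')
    return f'{ip} - - [{stamp}] "POST /wp-login.php HTTP/1.1" {status} 3540 "-" "Mozilla/5.0"'

BASE = datetime(2014, 9, 20, 10, 0, tzinfo=timezone.utc)
# Botnet pattern: 21 failures from 21 different addresses within ten minutes, then one success.
BURST = [make_line(f'198.51.100.{i}', BASE + timedelta(seconds=30 * i), 200) for i in range(21)]
BURST.append(make_line('203.0.113.9', BASE + timedelta(minutes=11), 302))
# Same number of failures four minutes apart: never more than 4 inside any 15-minute window.
SLOW = [make_line(f'198.51.100.{i}', BASE + timedelta(minutes=4 * i), 200) for i in range(21)]

if __name__ == '__main__':
    print('burst:', first_trigger(BURST))   # triggers at 10:10:00 with 21 distinct IPs
    print('slow: ', first_trigger(SLOW))    # None
```

Counting by destination site rather than by source IP is what makes the distributed pattern visible; a per-IP rule would see only one attempt from each of the 21 addresses.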


Article last updated: Sep 20, 2014