A large distributed brute force attack against WordPress sites is currently under way. A botnet of more than 90,000 servers is attempting to get into the WordPress admin dashboard by cycling through different usernames and passwords. The attack is widespread and very vigorous, and seems to be so powerful that it is affecting almost every major web hosting company around the world.
A similar large-scale attack occurred in October 2012, when WordPress.com disclosed that some 50,000 sites were compromised.
What should we do?
1. The FIRST step is to log in to your WordPress site and change your password to something very secure. Here is a guide on selecting a strong password.
2. Install the Limit Login Attempts plugin. This blocks further login attempts from an address after a set number of failures, even if the attacker later manages to determine the combination of your login details.
3. Restrict access to wp-login.php to a specific IP range using .htaccess.
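For step 3, here is an added example of the .htaccess rule (not taken from the original post) that limits wp-login.php to a single trusted address range. The range 203.0.113.0/24 is a documentation-only placeholder; substitute your own office or VPN range. The block carries both syntaxes so it works on Apache 2.2 and 2.4:

```apache
# Added example: restrict wp-login.php to one trusted IP range.
# 203.0.113.0/24 is a placeholder (documentation range); replace it with
# the static range you actually log in from before deploying.
<Files wp-login.php>
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.0/24
    </IfModule>
    # Apache 2.2 (mod_authz_host)
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.0/24
    </IfModule>
</Files>
```

Put this in the .htaccess file in the WordPress root directory (the one that already contains the WordPress rewrite rules). Everyone outside the listed range receives a 403 on the login page, which stops the password guessing before WordPress even runs. Check that your own address is really static before relying on this, and keep a second browser session open while you test so that a typo in the range does not lock you out of your own dashboard.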