Recently, many web hosting companies have reported brute force attacks being launched against websites using WordPress and Joomla. Attackers are using massive botnets that include more than 90,000 servers to break into the websites' administrator panels by attempting to "guess" the username and the password. From a website owner's perspective, there are a few things you can do to make this harder for attackers.
More than 90,000 botnet servers are attempting to log in by cycling through different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin.
Security experts observed 30 to 40 thousand attacks per day in the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days.
Top usernames being attempted in brute force attacks
Hence, if your username is quite different from admin, administrator, root and test, you are on the safe side, and by comparison your website is less likely to be hit.
Most common passwords used in brute force attacks
Top 30 malicious IP addresses being used in attacks
For WordPress and Joomla website owners, it is strongly recommended to change the admin password and make it very complex.
Use a WordPress plugin that limits login attempts.
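To see whether a site is receiving this kind of traffic, the web server access log can be checked for repeated failed posts to /wp-login.php. The following is an added example, not code from the original article: it assumes Apache/nginx combined log format, assumes a failed WordPress login returns 200 and a successful one returns 302, and uses constructed log lines and a hypothetical threshold of 3.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
LOGIN_PATH = "/wp-login.php"  # login endpoint named in the article

# Constructed sample log (documentation-range IPs, not real attack data).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.23 - - [12/Apr/2013:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.23 - - [12/Apr/2013:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.50 - - [12/Apr/2013:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
203.0.113.9 - - [12/Apr/2013:10:03:01 +0000] "POST /wp-login.php?x=1 HTTP/1.1" 200 3120
203.0.113.9 - - [12/Apr/2013:10:03:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.9 - - [12/Apr/2013:10:03:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
this line is truncated or malfor
"""

def failed_logins(log_text):
    """Per-IP count of POSTs to wp-login.php answered with 200.

    Assumption: a failed WordPress login re-renders the form (200), while a
    successful one redirects (302), so POST + 200 is counted as a failure.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?", 1)[0] == LOGIN_PATH and status == "200":
            counts[ip] += 1
    return counts

def report(log_text, per_ip_threshold=3):
    """Noisy IPs plus site-wide totals; a botnet spreads attempts across
    many IPs, so the totals matter even when no single IP is noisy."""
    counts = failed_logins(log_text)
    noisy = sorted(ip for ip, n in counts.items() if n >= per_ip_threshold)
    return {"noisy_ips": noisy, "total_failures": sum(counts.values()),
            "distinct_sources": len(counts)}

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A per-IP threshold alone is the same signal a login-limiting plugin acts on; the site-wide totals are what reveal a distributed campaign like the one described above.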