The latest global wave of massive WordPress bot attacks has been a stark reminder of the importance of taking the necessary measures to protect our CMS installations, in this case WordPress.
WordPress Founder Matt Mullenweg has provided the following advice:
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.
He also acknowledges that:
Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
These bot attacks usually cause memory consumption on the targeted servers to rise sharply, degrading performance and leaving sites unresponsive: the high volume of HTTP requests can cause some servers to start swapping memory to disk, and in some cases to run out of memory altogether.
There are several ways of reducing the success rate of these attacks at the server level, such as implementing a ModSecurity rule that blocks further HTTP requests to the WordPress login page (wp-login.php) after a number of failed login attempts.
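As an added example, not taken from the original post or from the ModSecurity project, the following ModSecurity 2.x rules for Apache implement the per-IP approach just described. The rule ids, the threshold of 5 failures and the 5-minute window are assumptions; the rules rely on WordPress answering a failed login POST with HTTP 200 (the form is re-rendered with an error) and a successful one with a 302 redirect.

```apache
# Added example: count failed WordPress logins per client IP and block further
# wp-login.php requests once the counter exceeds the (assumed) threshold of 5.
# Assumes SecRuleEngine On and SecDataDir configured, so the "ip" collection
# persists between requests. Rule ids 9000101-9000104 are placeholders.

<LocationMatch "^/wp-login\.php$">
    # Load the persistent per-IP collection for this client.
    SecAction "id:9000101,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

    # Block while the counter is over the threshold. Phase 1 runs before the
    # request reaches WordPress, so blocked attempts cost no PHP/MySQL work.
    SecRule ip:wp_login_failures "@gt 5" \
        "id:9000102,phase:1,deny,status:403,log,\
        msg:'wp-login.php blocked: more than 5 failed logins from %{REMOTE_ADDR} within 5 minutes'"

    # A successful login is answered with a 302 redirect: reset the counter,
    # so a user who mistypes a few times and then succeeds is not penalised.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:9000103,phase:5,chain,nolog,pass"
        SecRule RESPONSE_STATUS "@streq 302" \
            "setvar:ip.wp_login_failures=0"

    # A failed login re-renders the form with HTTP 200: increment the counter
    # and let it expire after 300 seconds. Only POSTs count, because a plain
    # GET of the login page also returns 200.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:9000104,phase:5,chain,nolog,pass"
        SecRule RESPONSE_STATUS "@streq 200" \
            "setvar:ip.wp_login_failures=+1,expirevar:ip.wp_login_failures=300"
</LocationMatch>
```

Note that, as the quoted advice above points out, a botnet spread across tens of thousands of addresses can stay under any per-IP threshold, so these rules mainly reduce the load from repeat offenders and should be combined with strong passwords, a non-default admin username and an up-to-date installation.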
As a WordPress administrator you also have several plugins that serve the same purpose, such as Wordfence. Bear in mind that a brute-force attack is a relatively unsophisticated attack in which one or more remote bots try to guess your password. This type of activity is constantly ongoing, with crawlers looking for vulnerable installations; the current wave is simply an increase in frequency and reach.