Gator Crossing

The Official HostGator Company Blog!


Global WordPress Brute Force Flood

Written by Sean Valant

Thursday, April 11th, 2013

As I type these words, there is an ongoing and highly distributed global attack on WordPress installations across virtually every web host in existence.  This attack is well organized and, again, very, very distributed; we have seen over 90,000 IP addresses involved in this attack.

At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website.  These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*).

You have now changed your WordPress password, correct?  Good.

The main force of this attack began last week, then slightly died off, before picking back up again yesterday morning.  No one knows when it will end.  The symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in.  In some instances your site could even intermittently go down for short periods.

We are taking several steps to mitigate this attack throughout our server farm, but in cases like this there is only so much that can actually be done.  The servers most likely to experience service interruptions will be VPS and Dedicated servers hosting high numbers of WordPress installations, due to the incredibly high load this attack has been seen to cause.
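To check whether the load described above comes from a distributed login flood, and to see why a per-IP lockout alone catches little of it, failed wp-login.php POSTs can be counted from the web server access log. This is an added example, not HostGator's tooling: the log lines are constructed, the combined log format and the 200/302 status convention are assumptions, and the function names and thresholds are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format is assumed; only the fields used below are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def failed_logins(lines):
    """Return time-sorted (timestamp, ip) pairs for failed wp-login.php POSTs.

    Assumption: WordPress answers a failed login with 200 (the form again)
    and a successful one with a 302 redirect.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        hits.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]))
    return sorted(hits)

def summarize(lines, per_ip_limit=3, site_limit=20, window=timedelta(minutes=5)):
    """Compare a per-IP lockout threshold with a site-wide failure rate.

    The thresholds are illustrative values, not recommendations from the post.
    """
    hits = failed_logins(lines)
    per_ip = Counter(ip for _, ip in hits)
    over_limit = sum(1 for n in per_ip.values() if n >= per_ip_limit)
    # Peak number of failures from all sources inside any one window.
    peak, start = 0, 0
    for end, (ts, _) in enumerate(hits):
        while ts - hits[start][0] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return {
        "failed_posts": len(hits),
        "distinct_ips": len(per_ip),
        "ips_over_per_ip_limit": over_limit,
        "peak_failures_in_window": peak,
        # Many failures overall, yet most sources never reach the lockout.
        "distributed_flood": peak >= site_limit and over_limit * 2 < len(per_ip),
    }

def constructed_sample():
    """Constructed log: 30 sources, 2 failed logins each, plus one real login."""
    base = datetime(2013, 4, 11, 9, 0, 0, tzinfo=timezone.utc)
    row = '{ip} - - [{ts}] "{req} HTTP/1.1" {status} 3456 "-" "Mozilla/5.0"'

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = [
        row.format(ip=f"198.51.100.{i % 30 + 1}", ts=stamp(i),
                   req="POST /wp-login.php", status=200)
        for i in range(60)
    ]
    lines.append(row.format(ip="203.0.113.10", ts=stamp(90),
                            req="POST /wp-login.php", status=302))
    lines.append(row.format(ip="203.0.113.10", ts=stamp(91),
                            req="GET /wp-admin/", status=200))
    return lines

if __name__ == "__main__":
    for key, value in summarize(constructed_sample()).items():
        print(f"{key}: {value}")
```

In the constructed sample no source reaches three failures, so a three-attempt lockout blocks nobody while the site still absorbs every request; only the site-wide count shows the flood.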

If you are hosted on a VPS or Dedicated server and you would like for us to take a more severe, heavy-handed approach to mitigate this attack, we can do this via means such as password-protecting (via .htaccess) all wp-login.php files on the server.  If you would like our assistance with this, please contact us via normal support channels.

Again, this is a global issue affecting all web hosts.  Any further information we could provide at this moment would be pure speculation.  Our hope is that this attack ends soon, but it is a reminder that we must all take account security very seriously.

We will update this blog post when we have further information.



If you have just a few WordPress sites, you can add the additional layer of security mentioned above, as well as block this attack, by following the instructions outlined in this article from our KnowledgeBase:


Posted in

News Bites, Web Hosting News

117 Responses to Global WordPress Brute Force Flood

  1. Kerry Finch says:

    Thank you for the heads up! You guys really know how to look after your clients.

    • HostGator says:

      We do what we can, Kerry. We certainly like to get the information out there and assist our customers in helping themselves as much as possible.

  2. I installed this plugin and it’s already blocked 18 IPs in 9 hours:

    • HostGator says:

      That’s a pretty significant number of IPs, but only a drop in the bucket as far as what we’ve seen. Seems like a great plugin to install at this time, though.

      • I have load monitoring widgets on my desktop and I haven’t had any issues since. 90,000 IPs….unbelievable!

        • Marvin Scott says:

          To those interested, Limit Login Attempts didn’t work for me. They still hammered my sites even after “lockout”

          I recommend Better WordPress Security. Enable permanent blocking via htaccess after 3 or so attempts.

          • Amber Lea Starfire says:

            Last year, I was seriously hacked and blocked from my site — had to restore from a back up and even then had difficulty. I’ve been using Better WordPress Security and have had good success with it since. In addition to blocking sites, it has a number of other security enhancing features.

        • Phil Elmes says:

          Not clear on this, Scott. Which plug-in are you recommending?

    • Same here. I have already blocked 2,000+ with this.

    • Jim Lynch says:

      Oops, didn’t realize you had already posted it. I installed it on all of my blogs and, yes, it’s catching quite a few IP addresses and banning them.

  3. HostGator says:

    At this moment, your guess is as good as ours, Jedediah. It is certainly the actions of individuals who desire to cause disruption on a large scale.

  4. What if I already have a strong password?

    • HostGator says:

      Then you certainly have a head start, Tyronne. Keep an eye out for any unusual slowness and if you experience anything odd, go ahead and change that password if you don’t want to presently.

    • They may not get in, but they will hit your server HARD. My load average jumped up to 40 last night and slowed everything else on my server to a horrible crawl

    • Jon says:

      If it ain’t broke don’t fix it. Keep an eye out.

  5. Manuel Lopez says:

    Thanks, I have more than 35 sites with WordPress in HostGator :D

  6. Mike McKee says:

    Get a copy of Spyder Spanker Pro.

  7. Ravenwing says:

    Thanks for letting us know! HostGator is amazing for the level of support we get. I switched from another host to HG about four months ago and I’m glad I did.

  8. HostGator says:

    Should be, yes. Other than potential slowness you may experience due to less secure WP installs on the server.

  9. Michelle Sullivan says:

    I have a lot of sites on HostGator, but for most of them I can’t even get to admin – it’s timing out.

    • HostGator says:

      Sounds like your server is heavily under attack at this moment. We appreciate your patience while we work to mitigate the situation; you should be able to log into your sites shortly.

      • Marvin Scott says:

        Michelle, don’t believe your server is under heavy load. My admins are timing out too and my VPS reports 7% CPU. HG can’t you admit you are blocking us from accessing our admins?

        • HostGator says:

          Marvin, we understand your frustration, but your particular circumstance isn’t necessarily everyone’s circumstance. If there was a lack of communication between the time you added a plugin and we implemented a fix that we knew worked, then it is possible that you’ve found yourself locked out, which we are happy to resolve for you, and I will personally take care of it if you provide your ticket ID. Bear in mind that we have an unusually high ticket queue due to this attack and therefore you may be experiencing a delay in response, which again I will bypass for you. Thank you in advance for no longer replying to comments with information that is not conducive to a proper resolution.

    • Jon says:

      I suggest that you check your site from pingdom tools which is an online load of your site, it will display the objects loaded, if any of them look dodgy then you may have an issue. You can also use to view admin page just to see if the issue is traffic or a hack.

  10. Marvin Scott says:

    I’ve already implemented effective Brute Force blocking solutions on my WP sites. My server load dropped to almost nothing lately. Yet still, I get up this morning and find that HostGator support had blocked access to all my wp-admin files for every site on my VPS. Guess I’m out of work until you fix this!

    HostGator, this is not providing me the service I paid for. Please address my support ticket and re-enable administration of my WP sites.

  11. Mark Harbert says:

    How do we change the password when we can’t even get to the page to do it? I can’t even reach the login page at the moment to try and change the password. Any suggestions??????

    • Marvin Scott says:

      Mark HG is blocking your access to WP Admin. A simple email to notify us of this would have saved me hours of troubleshooting and even made me think someone had actually gained access to my sites.

      • HostGator says:

        This circumstance isn’t necessarily as indicated here; it could very well be a result of the server load causing the inaccessibility. No matter the cause, we are very diligently working at this very moment to get everything under control and restore proper access to all customers.

        • Marvin Scott says:

          Then HG, are you saying you are not blocking access to wp-admin’s? My VPS CPU is 7% and I’m still unable to access my admins. Should I worry that a hacker has hijacked my wp-admins?

          • HostGator says:

            Marvin, I cannot provide specific information relative to your particular account or server. I can tell you we did not do any type of wide-spread lockout of customers from their sites, but when situations like this are triaged there can sometimes occur things of this nature, which will be resolved quite literally as soon as humanly possible. I have escalated your ticket.

  12. Nick says:

    We felt the full force of this yesterday, it overloaded the server and caused our VPS to crash several times. One very helpful HG tech suggested we install the Better WP Security plugin which allows you to change the admin url. Once we did that for all of your WP sites the attacks stopped.

    • Marvin Scott says:

      Nick, I agree. Better WP Security worked great for my WP sites. It reduced server load to very normal ranges. I set up to give three login attempts and then permanently block the ip via htaccess. It really worked.

      I also enabled 404 blocking for people scanning for vulnerable files.
      I continued to see many attempts, but they are blocked after just 3.

  13. Austin ☃ Passy says:

    Literally working on a plugin to block access to the wp-login.php page. This is a small add-on module to my current free WordPress Custom Login plugin in the WordPress repo (for version 2.0) dropping soon.

    Not going to help the current status, but for future use… ;)

  14. Kayla Fay says:

    Our passwords are very good. (Patting myself on the back.) I’m intimidated by the instructions to edit the wp-login.php file. Will installing limiting login attempts protect us in the short run?

  15. b5 says:

    I tried your solution from
    and it works for shared hosting, but no luck with dedicated hosting. Getting “wrong redirection message” in FF for wp-login.php and 404 redirect to wordpress page for /wp-admin/.

    • HostGator says:

      Correct, this solution will not work on a Dedicated server. However, we do have a dedicated solution. May I have the IP of your dedicated server, please?

      • b5 says:

        Can I do it myself? I will rather contact live support than provide my IP to public in this situation.

        • HostGator says:

          It’s an internal script that executes an .htaccess
          block for wp-login.php, not something we can instruct you to do yourself ..please go ahead and create a support ticket for us to do this for you, we presently have all hands on deck working these WordPress tickets as a priority, so we will get to your ticket very soon.

  16. Tony Santos says:

    I can’t even get into my busiest sites to implement Better WP Security!! What do I have to do to be able to even get in?? I’ve already denied all ip’s on .htaccess except for mine. And still nothing. Need some help here…

  17. Alejandro Amo says:

    all our wordpress installations already secured… check.
    thanks guys.

  18. sombokit99 says:

    Thanks for your Info.

  19. YammerHammer says:

    Admit it…you guys WAY oversell server space. That is a large part of the problems your users see. Show us the respect of not trying to deny it. Your new owner is known for that sort of practice.

  20. How do I delete a website and my URL on WordPress? Or just what do I have to do? The website is dead and I want to start something totally different.

  21. Linda Sherman says:

    Thank you for staying on top of this HG!

  22. Vajrasar Goswami says:

    I would suggest the use of all these measures together on your WordPress installation (s) –

    1) strong VERY strong password

    2) Limit Login Attempts (WordPress Free Plugin)

    3) Stealth Login Page (WordPress Free Plugin)

  23. TaiwanFriendFinder says:

    Can we use Cloudflare to block it?

    Or won’t it work?

  24. Never ending…Thanks for the heads up..

  25. Auctionbunker USA says:

    Been having extremely slow or time page loads on server: gator677

  26. Absurd Human says:

    You can also simply require that all requests to wp-login.php come from your site – this will stop a large amount of these automated attacks:

    Unfortunately a lot of the accounts hit are being successfully compromised. If you have been attacked (which is likely if you have a WordPress site), this guide shows how to clean up as well as add the .htaccess block to prevent automated logins:

  27. Thanks so much ! I have no fear with Snappy standing guard !

  28. Diana says:

    My site is still down, I can’t even log in to my control panel or my wordpress site to change any passwords and tech support has no info for me…………what now?

  29. This destroyed my birthday yesterday. Over 350 sites we host were affected. Not fun.

  30. IAbdussamad says:

    I wrote a blog post on how to stop brute force login attempts:

  31. Max Katz says:

    The mixture of uppercase, lowercase, etc. is NOT effective security countermeasure against a simple brute force attack. What you need is a longer password. Consider using a pass phrase such as a complete sentence. For instance, today’s quote of the day on is “Where love is concerned, too much is not even enough.” Using a complete sentence like this is much easier to remember and many orders of magnitude more difficult to brute force, rendering your password mathematically unbreakable.

  32. Ashish Gill says:

    Thanks for this useful info. Really helpful.

  33. these was the relevant reason staying at the planet dallas, U rocked gator!
    so far, i’m placing htaccess file at wp-admin folder, and deny other IP than me to access admin page login

  34. Techalam says:

    This is really not good news. Thanks for providing some useful tips and security measurements. Hope this issue ends soon. You guys are really supportive, glad to be Hostgator customer. Thanks :)

  35. Ryan Kearney says:

    HostGator, in addition to telling users to change their password, perhaps you should consider not storing users main cPanel password in plain text. Requiring users to provide their cPanel login to make changes to their account, and then storing it in your ticketing system is just nonsense.

  36. Nancy Barth says:

    Well, I went to my account settings and changed the password and now I can’t log into one of my blogs. I get this message.
    Server error
    The website encountered an error while retrieving It may be down for maintenance or configured incorrectly.
    Here are some suggestions:
    Reload this webpage later.
    HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request.

  37. Heather Jane Blythe says:

    I was attacked this morning. Locked out. A huge shout out to Joshua in support for promptly looking into it and getting my questions answered. Great service support.

  38. Corey Kretsinger says:

    Thank you very much for this update. Now I understand some of what I’ve been noticing. Great job. Hostgator is still the best.

  39. Sue Cockburn says:

    I’ve been dealing with HostGator for more than a year now and their service is absolutely second to none!! I’m not encouraging you to raise your prices but your service is worth twice what we pay. Seriously, I LOVE you guys!!!

  40. Wolf says:

    I read your article from the KnowledgeBase and now I can access the backend of my WordPress sites, but there is still an issue: with Chrome all is right, but if I use Internet Explorer I get a 406 HTTP error page. Can you help me? Thank you.

    • HostGator says:

      That is an unusual error, Wolf. If you are still experiencing it, please join us in LiveChat so that we can take a good look and assist you in realtime.

      • Wolf says:

        I joined LiveChat but the operator told me that with that .htaccess I cannot access by I.E. but Chrome and FireFox

  41. TysonChamp says:

    As I’m a hacker I will recommend other WordPress users to take advantage of security plugins available in the WordPress plugin directory. Also do not use the default admin profile… first log in with the default admin username and then create another administration profile and then log in with this new administration profile… after logging in delete the default admin profile…

  42. Breaking News: Egyptian Inventor
    Invents a New Source of Clean Energy TAKE LOOK AT

  43. Frank Woodman Jr says:

    Sadly we will only see more and more of such issues in the future so as you say we all need to take security very seriously. I set up sites with strong passwords and use any encryption that a site allows. One can’t be too careful as it’s never good to think that by not being security conscious you might cause others harm or inconvenience. .

  44. Bob says:

    I changed my .htaccess to allow only my ip.

  45. WendyMusica says:

    Well my site has been down twice this week and I’m not using wordpress, I’m using Drupal, do you know something about it?

  46. chrismonty says:

    I’ve been using Login Lockdown plugin for years. It works wonders.

  47. Nick Ker says:

    Well this explains a lot. Have had several brute force attempts showing in Better WP Security plugin logs in the last few days.
    I’ve got login attempts limited, no Admin, limited 404s… everything but the .wp-admin protection advised by HG which I will do now.
    So far so good and best of luck to all.

  48. Jim Lynch says:

    You might also want to consider this plugin:

    It limits login attempts and lets you ban IP addresses.

  49. Keliweb says:

    very interesting topic, we experienced this with some blogs of us… thank you :)

  50. JB says:

    “…If you are hosted…and you would like for us to take a more severe, heavy-handed approach to mitigate this attack, we can do this… via password-protecting (via .htaccess) all wp-login.php files on the server. If you would like our assistance with this, please contact us via normal support channels….”
    “…we must all take account security very seriously.”

    Um, Hostgator? I just paraphrased what you said. You have said that you have a solution that is severe and heavy-handed, but you’ve simply decided that you’re not going to apply it unless we pay. Well, we already pay. We pay for you to host our web sites, and that means applying fixes, any and every time, your systems are compromised. You’ve decided that you’re not going to unless we want to pay for to protect your own systems. You then state that we all need to take account security very seriously. How, exactly, do we protect YOUR systems? You need to apply your severe, heavy-handed approach to my e-commerce site. You have no right to wash your hands of this and tell me that for yet more $$, you can put a Lo-Jack on my site. Here’s an idea. Go ahead and throw us a friggin bone and do your job, as an ISP, and apply any severe, heavy-handed approach that you might have, to your clients’ sites.
    Here is the very simple business model:
    -I pay HG to host my e-commerce site
    -I make money from said site.
    -my site is compromised by an attack that I don’t know about because I’m busy making money from the website HG is hosting. HG could keep my site more secure, but has decided not to.
    I get attacked. I don’t make money, which means I can’t pay for your service

    • HostGator says:

      JB, it is unfortunate that you inferred that there would be a cost associated with the aforementioned measure that is available to VPS and Dedicated servers. By and large, there is no additional cost whatsoever for the support we provide. This is simply something we leave up to the VPS and dedicated customers due to the fact that they have root access and may very well be taking their own precautions that we do not want to interfere with on the assumption that they would want this action taken on their behalf.

  51. HostGator says:

    Yes, this is true. It is also true that you cannot change the username of admin. What you can do is create a new user with admin privileges and then log in as that user and delete the admin user; this accomplishes the same goal.

  52. Ernest Burnett says:

    Thanks for the press release – I polled around for different web hosts and asked whether host gator would be able to verify twitter attacks on mail accounts hosted via host gator, and was pleased to hear you guys are able to check on this – (mention of strong passwords) here’s a link for a good client-side, javascript strong password generator –

  53. Kickmag says:

    I’m with a different hosting company but I think I’m switching to Host Gator.

  54. Nathan Reimer says:
  55. Josh Rich says:

    Would you happen to have any updates to this issue? Is the attack still ongoing?

  56. patscomputerservices says:

    A question. I have my wp-admin panel set up, so that I have to log in twice when accessing it from a web browser. Does that mitigate this attack, or are they able to bypass this?

    Thanks, and have a great day.:)

  57. NickZoom says:

    I’ve switched to Hostgator too, as my sites were hacked on the other host and are still being attacked as I haven’t moved them all. They kept going down everyday first once every few days then daily then they would redirect. yesterday was advertising .com domains for $3 but the site was taken over and my computer security block it, you could see the site was not fully displaying as it was a phony site copy that would appear when the real address was in the browser firefox

  58. ed says:

    We think we’ve found a way to stop the attacks killing our server, I’ve written a guide

  59. Cory Church says:

    So it’s been over a month. What’s the status of this attack? Still going strong?

  60. Jason Lemington says:

    Great post! Thanks for the info Sean. Kindly check Good plugin for your photos and images.

  61. Ethan Green says:

    How do you know if you’ve been hacked?

  62. Peter says:

    This is a very interesting article… great content, I’m really impressed by your thoughts, thanks for sharing your experience

  63. Jason Marks says:

    the support is great, but there’s no way currently in place to fix these problems. i’d appreciate if there was a way to quickly save everything to one file locally, purge and open a new account on a new server and reupload without downtime. PLENTY of places follow this protocol.

  64. Rajesh Deepak says:


    Several times some one write something better in their blog but no one observe this and post his comments…….now i started to write the article on my blog with authenticity and in unique mode…..please post your comments and suggestion if you like it……… URL are undermentioned…..

    Rajesh Deepak

  65. Rajesh Deepak says:

    A New Blog With Unique Comments….

    Rajesh Deepak

  66. uproview says:

    Uau. Is there a way to resolve this.

  67. Airat Zakirov says:

    I wrote simple and really useful plugin – Securitron.

  68. Linda Woodard says:

    Is there something going on with Word Press today 7/25/13? I cannot access my website nor can I get into the back administrative office of my website.

  69. Karen D. Clawson says:

    Saw a message where the attacks have launched again; our website host is trying to take the remedial action outlined here, but so far no luck in getting us logged back in. Before, if I attempted several times, I’d be successful, but not this time!