How To Protect Your Blog Against A Brute Force Attack

How to Protect Your Blog Against a Brute Force Attack

Shannon is the person who helped me escape the snowy winters of Minnesota for the sandy beaches of California. She will always have a special place in my heart, so I was happy to help bring her dream of The Heavy Purse to life, which included designing and maintaining the website. It’s a pretty stress-free job, but this past Labor Day, I woke up to more than 2,000 emails, and I don’t even know 2,000 people! A quick glance at my inbox confirmed my suspicions—The Heavy Purse was in the midst of a brute force attack.

The attack started a little after midnight and didn’t end until about 9:00 AM. Since then, we’ve undergone about 3-4 more attacks. It’s a bit nerve-wracking and annoying, but if you run a blog, at some point, you will be on the receiving end of a brute force attack. Today, I want to share a few things you can do to to protect your blog.

What Is a Brute Force Attack and Why Should I Care?

At its most basic form, a bot is trying to hack your blog through continuously inputting various usernames and passwords. They are typically looking for the low-hanging fruit. Bloggers who leave their username as admin and use very common passwords, such as password or 123456. We may not even realize we’ve been hacked until Google sends us an email saying our site has been compromised and we’re being blacklisted. Eek.

Use Hard User Names and Passwords

Approximately 90% of the usernames attempted are admin or some variation of the word, including: Admin, admin, adm, Administrator, administrator, User (and User1, User2), tester, test.

Most of us breathe a small sigh of relief when we see those usernames, because we’re not using them. Good for you. Here’s another one they used: theheavypurse.

Uh-oh. That’s far more specific than admin. And it wouldn’t surprise me to learn that some bloggers do use their blog name as their username, especially those who blog anonymously.

Here’s another doozy: tanya.

Yup. They tried using my name. Thankfully, I changed my username a long time ago … but still. They are obviously getting smarter. So let’s not make it easy for them and use stronger usernames and passwords.

How to Change Your User Name in WordPress

Log onto WordPress and go to Users. Click Add New. Type in your new username.

Input New User Name

I strongly recommend that you use both upper and lower case letters and numbers. At this time, I don’t believe you can use symbols in your username. Do NOT use your name, blog name and ideally avoid using a REAL word. Real words are always easier to break.

Insert Name for Public Viewing

Next, add your email address. I don’t believe you can reuse the email address you have linked to your Current User Name. Put in a real, but temporary, email address and we will swap it out later. Now type in the name that you want to show publicly with your posts. This can be your real name or your blog name.

Create a Strong Password

Now it’s time to create a STRONG password. You want it to be at least 12 characters in length. Again, use a combination of upper and lower case letters, numbers and symbols. You MUST use all three! I would again avoid using real words.

Select Role

Select Administrator for the Role and save. Log out of WordPress and log-in under the new user you created for yourself.

Delete Your Old User Profile from WordPress

Go back to Users and click on All Users.

Delete Old User

Hover over your old User Name and Edit or Delete should appear. Click on Delete.

Attribute posts to New User

It will ask you if you want to delete all posts or attribute posts to the New User. Choose to attribute posts to New User. Confirm deletion. Go back to Users and All Users. Select edit your profile and update with your email address, if necessary. Many bloggers have a gravatar associated with a specific email address and you will need to make sure that email address is the one linked to your profile if you want your gravatar to appear.

Whew. I’m Safe Now. Right?

Well, I hate to be a Debbie Downer, but I’m not sure if you can ever be 100% safe against hackers. But you have certainly made it a little bit harder to breach your security through your username and password.

As I mentioned earlier, I received email notifications for failed log-in attempts, which is how I realized The Heavy Purse was under a brute force attack. I’m sharing how to use limit log-in attempts on my blog, Eat Laugh Purr, so please be sure to visit me there for some additional tips on how to protect your website. And if you have any questions about changing your username, please leave them in the comment section below. I will do my best to answer your questions.

TanyaTanya is a freelance writer, web designer and blogger. You can find her at Eat Laugh Purr where she and her ginger tabby, Max, enjoy simple pleasures every day and at TV Fanatic reviewing Madam Secretary and more. Connect with Tanya on twitter and Pinterest. And please, no judgement on the number of cat pins I have.

Images courtesy of

October 25, 2013  •  22 Comments  •  Tips

Leave a Comment


  1. Friday, October 25th, 2013
    Great breakdown Tanya! We have been under a few brute force attacks and they're never fun. We went so far as adding an additional login before you even get to the main WP login. A strong password is so important to have as it just makes it more difficult to crack. Having worked in the financial services industry, it's amazing the number of people who use "password" as their password.
    • Friday, October 25th, 2013
      Thanks, John! I've been contemplating adding another login as well. It seems like a bit of a pain to have two logins but it definitely adds another layer of protection. We put so much work into these sites that it's worth it in the end. It's a little scary how weak some passwords are. I understand with all the many passwords we need these days to make it simple and reuse it, but it definitely makes you vulnerable.
  2. Friday, October 25th, 2013
    Wow, who would even think to attack this great little pink blog. I'm not sure what they really earn from that, other than to say they took it down, I suppose. It's also a good idea to back everything up. I had so much spam at the beginning due to trackbacks, so unfortunately I had to shut that off, so it's hard to know whenever I'm mentioned or not, but I think I'd rather do without the 20-50 emails a day. Thanks for the limit login plugin on your site, by the way :)
    • Friday, October 25th, 2013
      I know, right! The Heavy Purse is adorable and harmless. :) Sadly, sometimes fun is the only reason they do it, which makes back-ups even more important. A clean back-up can make the recovery a lot easier. Spammers seem to be getting more clever too. Askimet has done a great job overall capturing it. The Limit Login Attempts is a handy little plugin and installs nicely too.
  3. Friday, October 25th, 2013
    Great stuff Tanya. This is the kind of thing I know absolutely nothing about, so I'll definitely reference this if I ever need it. The username tip is a good one.
    • Friday, October 25th, 2013
      You're welcome, Matt. Brute force attacks are becoming more of a common problem so a strong username and password are a must have these days. It's unfortunate that we need to worry about being hacked but it is the reality today. A little prevention can help you from being the low hanging fruit. :)
  4. Friday, October 25th, 2013
    Excellent step by step instructions Tanya!

    The more complicated a username and password is the harder it will be.

    The hackers do not earn anything from doing these attacks other than fun.

    For them it is like any other computer game. And when they win they can add all kinds of funky posts to your blog, mess with your code and pretty much put you out of business. That is their goal.
    • Friday, October 25th, 2013
      Thanks, Sicorra! It is a fun game to most of them, especially those targeting bloggers who don't offer the windfall of a financial institution or government agency. But it's certainly no fun for the blogger. It can cost you money from clean-up and a loss of revenue.
  5. Friday, October 25th, 2013
    Great tips Tonya I definitely need to do this with my site.
    • Friday, October 25th, 2013
      You're welcome, Chris! Yes, definitely harden your username. Let me know if you have any questions. :)
  6. Friday, October 25th, 2013
    Thanks for the great tips Tanya! I hope that never does happen to me but you can never be 100% prepared like you said. I'll add "tightening up my security" to my long blog to-do list. :)
    • Saturday, October 26th, 2013
      You're welcome! I hope it never happens to you either but it's definitely best to prepared. LOL! My blog to-do list is never done either. :)
  7. Friday, October 25th, 2013
    Wow, that's crazy and I would've freaked to receive so many messages! Glad to hear it didn't affect you or Shannon's site, and thanks for the tips, Tanya!!
    • Saturday, October 26th, 2013
      I was a little freaked out. Previously we'd get a few attempts a week but never anything like this. A pain but also a reality these days.
  8. Friday, October 25th, 2013
    Thanks so much Tanya! This is really valuable information. Thankfully I changed usernames quite some time ago, so I should be good. I haven't been hit with a brute force attack, but it's definitely something to watch out for.
    • Saturday, October 26th, 2013
      You're welcome, DC! I'm glad to hear that you had already changed your username. From what I've been reading brute force attacks used to be less common but have been increasing in frequency the past few months. A strong username and password can definitely help you survive one.
  9. Saturday, October 26th, 2013
    Wow Tanya those people should really get a life! Glad you were able to keep it under control. I will go change my password right now! is I8freakinghackers!!! a good one? :)
    • Sunday, October 27th, 2013
      I agree, Pauline! Use those skills for something positive. :) LOL! I suspect that password is about to become popular!! :D
  10. Sunday, October 27th, 2013
    This article could not have been written at a better time for me! I was reading it, totally unaware of what a brute force attack was, and while reading it, felt smug that my username and p/w were pretty random and strong, up until the time I remembered making a new profile for another author with a ridiculously easy combination. Wooh! Just in time. So thanks!!!!
  11. Sunday, October 27th, 2013
    Thanks for the info. I think I have a pretty good passwork, but you never know. How often do you suggest changing passwords?
    • Sunday, October 27th, 2013
      You're welcome, Kim! I would suggest changing passwords every 3 months or so. It's a pain to remember to do but far easier than cleaning-up after being hacked!
  • Meet Shannon

    "As a Certified Financial Planner, it is my passion to help individuals and families build a healthy relationship with money. I look forward to helping you raise financially confident kids.” - Shannon Ryan