There is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; seen over 90,000 IP addresses involved in this attack.
At this moment, I highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on http://en.support.wordpress.com/selecting-a-strong-password/. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*).
You have now changed your WordPress password, correct? Good.
The main force of this attack began last week and then slightly died off, before picking back up again yesterday morning. No one knows when it will end. The symptoms of this attack are a very slow back end on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods.
Web Hosting Service Providers are taking several steps to mitigate this attack throughout their server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done. The servers might experience service interruptions, due to the incredibly high load this attack has been seen to cause.
Again, this is a global issue affecting all web hosts. Any further information we could provide at this moment would be purely speculation. There is hope that this attack ends soon, but it is a reminder that we must all take account security very seriously.
Solution of This Issue is As Follow.
Wordpress Login - Brute Force Attack
There is a worldwide, highly-distributed WordPress attack that is ongoing. This attack is known to be using forged or spoofed IP addresses. The following step can be used to secure (by password protection) wp-login.php for all WordPress sites in your cPanel account:
How to Password Protect the wp-login.php File
There is a step to accomplishing this. First you need to define a password in the .wpadmin file, and then you activate the security in the .htaccess file.
Step 1: Create the Password File
Create a file named .wpadmin and place it in your home directory, where visitors can't access it. (Please note there is a period preceding the wpadmin in that file name.) The following example is for cPanel. Plesk would require placing the file in /var/www/vhosts or /var/www/vhosts/domain.
EXAMPLE: /home/username/.wpadmin (where "username" is the cPanel username for the account.)
Put the username and encrypted password inside the .wpadmin file, using the formatusername:encryptedpassword
EXAMPLE: john:n5MfEoHOIQkKg (where "john" is a username of your choice, and the password shown is encrypted.)
Option: Generate Password File & Uploading Via File Manager
One way to do this is to generate the file using the website linked below, and then upload it to your site via FTP or File Manager. In the directions below, we will use File Manager, but you could use FTP instead, for those of you familiar with FTP.
· Use the form to create the username and password.
· Login to cPanel in another window.
· Click on File Manager
· Select "Home Directory"
· Check "Show Hidden Files (dotfiles)" if not already checked.
· Click on the "Go" button.
· Look for a .wpadmin file.
1. If one exists, right click on it and select "Code Edit" to open the editor. Click on the Edit button to edit the file.
2. If one does not exist, click on "New File" at the top of the page, and specify the name as .wpadmin(with the dot at the front) and click on the "Create New File" button.
· Paste the code provided from the website in step 2.
· Click on the "Save Changes" button when complete.
· You can "Close" the file when finished.