This week has seen a spike in the number of what are called “brute force” password guessing attacks aimed at WordPress websites. (This site is run on WordPress.) There’s some evidence to suggest that sites running on Joomla may also be at risk. A “brute force” attack is, quite simply, when someone tries random username/password combinations over and over again hoping that one of the guesses will happen to be right.
You might think, So what? You’d have to guess millions of username/password combinations in order to get that lucky, and who has time to sit in front of a screen guessing millions of times? But, with a little easily available software, you can have your computer try a few million guesses in a pretty short amount of time. A password of 8 characters can be guessed in about a half hour. And it gets even easier if you’re using common words and phrases as your password.
In all, it’s estimated that some 90,000 webservers have been compromised (broken into) so far.
Fortunately, there are a few very easy ways to stop this kind of attack. The first one is simply to install a plug-in from your WordPress administration panel that limits the number of times someone can attempt to log in before getting cut off for a long time. It’s the same thing most banks and other high-security sites do. You mess up the password more than 4 times in a row and you get locked out. In this way, you guarantee that it’ll take years to make those millions of guesses. Here’s how you do it:
- Log into your WordPress administration panel as usual.
- On the left sidebar menu, go to Plugins > Add New.
- Enter “Limit Login Attempts” into the search box and search.
- Find the plugin called “Limit Login Attempts” by Johan Eenfeldt. (The current version is 1.7.1 as of today.) Click “Install Now” and then “OK” when the “Are you sure?” box pops up.
- When the plug-in is installed, click “Activate” and you’re done.
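To show what a limiter like this actually does behind the scenes, here is a small Python version written for this post (not the plugin's own code): it locks a client out after 4 consecutive wrong guesses, and it puts a number on how few guesses that leaves an attacker per year. The 20-minute lockout length and keying on the client address are assumptions, not settings taken from the plugin.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 4            # consecutive wrong guesses allowed before lockout
LOCKOUT_SECONDS = 20 * 60   # assumed lockout length (20 minutes)


@dataclass
class LoginLimiter:
    """Tracks consecutive failed logins per client and enforces a lockout."""
    failures: dict = field(default_factory=dict)      # client -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # client -> time the lock expires

    def is_locked(self, client, now):
        return self.locked_until.get(client, 0) > now

    def attempt(self, client, password_ok, now):
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(client, now):
            return "locked"          # rejected before the password is even checked
        if password_ok:
            self.failures.pop(client, None)   # a good login resets the streak
            return "ok"
        count = self.failures.get(client, 0) + 1
        self.failures[client] = count
        if count >= MAX_FAILURES:
            self.locked_until[client] = now + LOCKOUT_SECONDS
            self.failures.pop(client, None)
            return "locked"
        return "failed"


def max_guesses_per_year(max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
    """Upper bound on guesses one locked-out client can make in a year."""
    seconds_per_year = 365 * 24 * 3600
    lockouts = seconds_per_year // lockout_seconds
    return (lockouts + 1) * max_failures


if __name__ == "__main__":
    limiter = LoginLimiter()
    for t in range(4):   # constructed: four wrong guesses from one address
        print(limiter.attempt("203.0.113.7", False, 1000 + t))
    print("guesses per year at most:", max_guesses_per_year())
```

With these settings a single address gets at most about 105,000 guesses a year instead of millions per hour, which is why the lockout works; keying only on the address means each new address in a botnet gets its own 4 tries, so many deployments also count failures per username.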
Now that you have that out of the way, the next thing is to make sure that your username/password can’t be guessed within 4 guesses. Of those 90,000 hacked sites, most of them had pretty easy passwords. Passwords like “admin” or “password” or “123456.” Passwords that match your username, “Ben/Ben” for example, are pretty easy.
Computer systems are pretty good at protecting themselves with encryption and other safeguards. The weakest link tends to be the humans who use them. Do yourself a favor, and use strong passwords. The longer the better. With every additional character you use, the number of possible combinations needed to guess it goes up exponentially. Adding special characters (!@#$%^&*) also increases the difficulty of guessing by a huge factor. You can guess an 8-character password in a half hour, but a 24-character password takes days, if not weeks.
The most common reason for people using easy passwords, of course, is that humans tend to forget things. You want a password that you can remember. The trick is to find a password you can remember, but nobody else will guess. Try this:
Pick the first few words of your favorite song, or a nursery rhyme, or something your mother used to say all the time:
“You get more flies with honey…”
(… than with vinegar.)
Leave out the spaces and swap every “o” for a zero, every “i” for a “!”, every “e” for a “3”, and every “l” for a “1”, and you get:
There’s a 23-digit password that’ll take forever to guess, but you’ll hear your mother talking to you every time you go to log in. All you may need is a sticky note on your monitor with a reminder: o – 0 i – ! e – 3 l – 1 (which, if someone finds it, isn’t going to mean anything by itself, either).
Computer security is pretty easy for the computers. They just need a little help to fix their weakest link. Make sure that link isn’t you!