We’ve seen this before.. it just appears this is a bigger storm. How can we avoid being a part of it? The article from ARS gives some good advice. Let me sum it up with what I do. First.. brute-force attack means there are lots of sites using your standard login to make guesses at your ‘admin’ password. That won’t work if you don’t have an ‘admin’ account. I create an account with my name and delete the admin account. The next step is a little trickier. And I learned it from Chris Coyer of CSS-tricks.com from his book Digging into WordPress. Move your WordPress installation! You make a folder that is some nonsense name you make up and put your WordPress installation in it.. except for the lowest copy of index.php. In that index.php file is a simple instruction to require a file that is basically loading the entire website.
if your folder holding your website files is ‘stinky’, then you change that line to
Now your site is protected!.. and a bit broken. One more change! You can do this before the file move in your setting/general of your dashboard. Look for ‘WordPress address’. This is you telling WordPress(again) where you put all the files.
Note that yours probably won’t be ‘https’, just ‘http’.
If you want to change it in the database(and you know how) look for ‘siteurl’ in table ‘wp_options’ and change it to the exact same thing as above. That’s where WordPress stores that option in the database.
There really isn’t a great analogy for this but I will try. Thieves are trying to break in to your house. First we change the keys to the lock and hide the front door. Then as an added precaution we hide the whole house. Yup.. that made no sense. Sorry!