Table of Contents 5 sections
What Is Credential Stuffing?
Credential stuffing is an automated attack in which criminals take username and password pairs that leaked from one data breach and replay them against a completely different site. Because a large share of people reuse the same password across multiple accounts, a small percentage of those stolen credentials will unlock accounts on your WordPress site.
Unlike a brute force attack, which guesses passwords from scratch, credential stuffing already knows a real password. It simply hopes the same person used it on your site too. That makes it quieter, faster, and harder to detect.
How Credential Stuffing Works Against WordPress
- A criminal obtains a list of leaked credentials from an unrelated breach. These lists contain billions of email and password pairs.
- They load the list into an automated tool that rotates through thousands of proxy IP addresses to avoid simple blocking.
- The tool sends login requests to
/wp-login.phpor the/xmlrpc.phpendpoint, one credential pair at a time. - Most attempts fail, but a fraction succeed because the account owner reused a leaked password.
- Successful logins are collected and either sold or used to inject spam, steal data, or install backdoors.
Why This Attack Is So Effective
- Password reuse is common. Many users protect their WordPress account with a password they also use for email or shopping sites.
- Low request volume per account. Because the attacker already has a valid password, they may only need one attempt, which slips under rate limits tuned for brute force.
- Distributed traffic. Requests arrive from thousands of IP addresses, so blocking a single address does little.
- Valid usernames are easy to find. WordPress author archives and the REST API can expose real usernames, giving attackers half of each credential pair for free.
How to Prevent Credential Stuffing
For Site Owners
- Require two-factor authentication. This is the strongest defense. A stolen password is useless without the second factor.
- Enforce unique, strong passwords. Encourage a password manager so no account shares a password with a breached service.
- Check passwords against known breaches. Some security plugins block passwords that appear in public breach databases.
- Add rate limiting and device fingerprinting. Slow down logins from unfamiliar devices even when the credentials look valid.
- Hide usernames. Disable author archive enumeration and restrict the REST API users endpoint so attackers cannot harvest valid usernames.
For Developers
- Disable XML-RPC if remote publishing is not needed, since it is a favorite endpoint for automated login abuse.
- Add a CAPTCHA or proof of work challenge on the login form to raise the cost of automation.
- Log and monitor failed logins with the source IP, and alert on unusual patterns.
How to Detect Credential Stuffing
Regular monitoring reveals the signs early. Watch for a surge in login attempts across many IP addresses, repeated failures against valid usernames, and logins from unexpected locations. Our WordPress Security Scanner flags exposed usernames, an open XML-RPC endpoint, and missing login protection so you can close these gaps before an attack succeeds.
Run a free scan on your site to check for these and other vulnerabilities.
FAQ
Frequently Asked Questions
Credential stuffing is an automated attack where criminals take username and password pairs leaked from one website breach and try them against many other sites, including WordPress logins. Because people reuse passwords, a small percentage of these attempts succeed.
A brute force attack guesses passwords from scratch, testing many combinations against one account. Credential stuffing does not guess. It replays real passwords that already leaked from other breaches, so it needs far fewer attempts per account and often slips past simple rate limits.
They come from data breaches at unrelated services. Billions of email and password pairs circulate on criminal forums and paste sites. Attackers load these lists into automated tools and point them at WordPress login and XML-RPC endpoints.
Yes. Even when an attacker has the correct password, two-factor authentication blocks the login because they cannot provide the second factor. This is the single most effective defense against credential stuffing.
Look for a spike in login attempts from many different IP addresses, a high number of failed logins against valid usernames, logins from unexpected countries, and unusual traffic to wp-login.php or xmlrpc.php in your access logs.
Tags
Related Posts
Zero-Day Plugin Exploits on WordPress: Attacks Before a Patch Exists
A zero-day plugin exploit attacks a flaw before the developer has a fix. Learn what makes them dangerous and how to reduce your exposure to the unknown.
Cryptojacking on WordPress: When Hackers Mine Cryptocurrency With Your Resources
Cryptojacking hijacks your server or your visitors' browsers to mine cryptocurrency. Learn how to spot the signs, clean the infection, and prevent it.
Card Skimming and Magecart on WordPress: How Attackers Steal Payment Data at Checkout
Card skimming injects invisible code into your checkout to steal customer payment details. Learn how Magecart-style attacks hit WooCommerce and how to stop them.