A new botnet called CrawlerX is brute-forcing WordPress admin accounts using half a million residential IP addresses. Unlike typical botnets that rely on datacenters or cloud providers, CrawlerX routes attacks through real home internet connections, making traditional IP blocking nearly useless.
Security researchers identified the botnet on April 23 after tracking a coordinated credential-stuffing campaign targeting wp-login.php and XML-RPC endpoints. The attack uses credentials from previous data breaches, trying thousands of username-password combinations against each target site.
Why Residential IPs Matter
Most brute-force attacks come from a handful of IP ranges. You block them in .htaccess or with a firewall rule, and the attack stops. CrawlerX is different because each request comes from a different residential IP, spread across 500,000+ unique addresses in multiple countries.
This makes rate-limiting by IP ineffective. If a botnet hits your site from 50,000 different IPs, each making one request per minute, no single IP triggers your rate limit. But collectively, they can try hundreds of thousands of password combinations per hour.
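As an added example (not code from the article or from any product it mentions), the following Python script applies the point above to constructed combined-format access log lines: it counts login POSTs to wp-login.php and xmlrpc.php across all source IPs per minute and flags windows where the aggregate is high even though no single IP exceeds a per-IP threshold. The endpoint list, thresholds and sample log lines are assumptions.

```python
# Added example (not from the article): flag credential stuffing that stays
# under a per-IP limit by counting login POSTs across all source IPs per window.
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/nginx); only the fields needed are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3}')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse(line):
    """Return (ip, timestamp, method, path) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def find_distributed_attack(lines, window=60, per_ip_limit=20, global_limit=100):
    """Return {window_bucket: stats} where login POSTs reach global_limit while
    no single IP reaches per_ip_limit, i.e. traffic a per-IP limiter passes."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method == "POST" and path in LOGIN_PATHS:
            buckets[int(ts.timestamp()) // window][ip] += 1
    alerts = {}
    for bucket, per_ip in buckets.items():
        total = sum(per_ip.values())
        if total >= global_limit and max(per_ip.values()) < per_ip_limit:
            alerts[bucket] = {"total": total, "unique_ips": len(per_ip)}
    return alerts

# Constructed sample: 150 distinct IPs, one login POST each, in one minute,
# plus an ordinary page view that must not be counted.
DISTRIBUTED_LOG = [
    f'10.0.{i}.7 - - [23/Apr/2025:10:15:{i % 60:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3812' for i in range(150)
] + ['203.0.113.5 - - [23/Apr/2025:10:15:30 +0000] "GET /about/ HTTP/1.1" 200 5120']
# Same volume from one IP: a plain per-IP limiter already catches this,
# so the distributed check deliberately stays quiet (returns {}).
SINGLE_IP_LOG = [
    f'203.0.113.9 - - [23/Apr/2025:10:15:{i % 60:02d} +0000] '
    f'"POST /xmlrpc.php HTTP/1.1" 200 412' for i in range(150)
]
```

Running find_distributed_attack(DISTRIBUTED_LOG) yields one flagged minute with 150 attempts from 150 IPs, while SINGLE_IP_LOG yields nothing because a per-IP rule would already have caught it.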
Attack Vectors: wp-login.php and XML-RPC
CrawlerX targets two endpoints:
wp-login.php. The standard WordPress login page. The botnet sends POST requests with common username-password pairs pulled from breach databases. Admin, administrator, and common first-name usernames are the primary targets.
XML-RPC. The /xmlrpc.php endpoint is even more dangerous because it supports the system.multicall method. A single HTTP request can try hundreds of passwords at once, making it much faster for attackers. Many WordPress sites leave this open by default.
How to Protect Your WordPress Site
Here are concrete steps you can take right now to defend against CrawlerX and similar botnets.
1. Disable XML-RPC (or Limit It)
XML-RPC is an old WordPress API that most sites do not need. If you do not use the WordPress mobile app or Jetpack, disable it entirely. Add this to your .htaccess file:
# Block XML-RPC (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat
# replace the two Order/Deny lines with: Require all denied)
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

If you need XML-RPC for specific plugins but want to block the dangerous system.multicall method (the one that lets attackers batch hundreds of login attempts in a single request), add this to your theme's functions.php:
// Remove system.multicall so a single XML-RPC request cannot carry
// hundreds of login attempts; all other XML-RPC methods keep working.
add_filter('xmlrpc_methods', function($methods) {
    unset($methods['system.multicall']);
    return $methods;
});

This removes the multicall method while keeping normal XML-RPC requests working. No plugins needed.
2. Use a Web Application Firewall
A WAF blocks malicious traffic before it reaches WordPress. Cloudflare's free plan includes basic WAF rules that can detect and block credential-stuffing patterns. Set up a rule that allows 20 login attempts per minute per visitor and blocks anything above that.
3. Change Your Login URL
Moving the login page away from /wp-login.php and /wp-admin eliminates a huge chunk of automated attacks. The botnet cannot attack what it cannot find. Set up a rewrite rule in .htaccess or use a security plugin with a custom admin URL feature.
4. Enforce Strong Passwords and 2FA
Credential stuffing only works with weak reused passwords. Enforce strong passwords for all user accounts and enable two-factor authentication for admin users.
5. Limit Login Attempts
Rate limiting at the application level slows down even distributed botnets. A login limiter blocks IPs after a configurable number of failed attempts. Install a security plugin with brute force protection, or use a server-level rate-limiting rule. It will not stop every request from 500K IPs, but it will slow the attack significantly.
6. Monitor for Breached Credentials
CrawlerX uses credentials from previous data breaches. If your users have reused passwords across sites, those credentials are likely in the botnet dictionary. Use a pwned password detection tool that checks passwords against the Have I Been Pwned database during login. These tools use k-anonymity – your password is never sent in full.
Do It All With One Plugin
If you prefer a single tool over manual config changes, Trusti Security handles most of these protections. The free version includes a custom admin URL, brute force protection with configurable limits, 2FA, and login monitoring. The premium version adds XML-RPC disable, pwned password detection, and automated integrity scanning. All of it is managed from one settings page with no .htaccess or code edits.
The Bottom Line
Botnets like CrawlerX evolve fast. The best defense is a layered approach: disable what you do not need, limit what you must keep, and monitor for suspicious activity. Most WordPress security incidents are not zero-days or advanced exploits – they are automated credential-stuffing attacks against unprotected admin panels.