WordPress is one of the most popular CMSs on the internet, and that popularity comes with a drawback: many attackers look for weaknesses in WordPress and go after it with a variety of techniques. Here is how you can protect your WordPress blog from brute force attacks.
WordPress powers around 35% of the world's websites, which means any vulnerability in the CMS exposes around 35% of the web to the same threat.
One way to exploit a weak installation is a brute force attack, in which the attacker tries to guess a WordPress user's password by submitting password after password to the login form, usually from lists of common and leaked passwords rather than truly random strings.
Over the last few days, I have faced a brute force attack on this blog and have taken some preventive measures to stop it.
I use the Jetpack plugin, which comes with a module to stop brute force attacks. I noticed a significant increase in the number of blocked attempts reported by that Jetpack module.
A day earlier that number was somewhere around 3,000, and overnight it jumped to over 33,000.
When I saw that much effort being put into cracking the password, I knew it was time to take action.
How To Block Brute Force Attack on WordPress
There are many preventive measures you can take to protect your WordPress site from brute force attacks. Work through the steps below to make your WordPress installation more secure.
Remove Admin Username
The first thing to do is make sure you do not have an administrator account with the username "admin". It sounds obvious, but many WordPress installations still keep that username.
A known username means the attacker only has to guess the password; half of the credential pair is already done. Make them do the extra work of finding your username too.
If you are using the AWS Lightsail WordPress image, the default username has already been changed to "user". I would still recommend deleting that account and creating a different administrator account (when WordPress asks what to do with the old account's content, reassign it to the new user rather than deleting it).
That way attackers have to discover the username before they can even start guessing the password. Also make sure the username and the display name are not the same, because the display name appears publicly on posts and comments and would hand the username straight to an attacker. Bear in mind that WordPress also exposes a user's slug (the user_nicename field, which defaults to the login name) in author archive URLs such as /?author=1 and in the REST API at /wp-json/wp/v2/users, so a different display name alone is not enough: give the account a different nicename as well, or block those lookups.
I usually recommend creating a separate administrator account that is not used for anything else, such as writing posts, so there are no visual clues pointing to the admin username.
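The following is an added example, not code from the page or from WordPress itself: a small checker for the two places WordPress reveals a user's slug, the REST users endpoint and the redirect of /?author=N to the author archive. The base URL, the range of author IDs probed and the fetch function are assumptions; the fetch function is injectable so the logic also runs offline against constructed responses.

```python
"""Check whether a WordPress site discloses its usernames.

Added example, not code from the page or from WordPress itself. It probes the
two places WordPress prints a user's slug (user_nicename, which defaults to the
login name): the REST users endpoint and the redirect of /?author=N to the
author archive. The fetch function is injectable so the logic can run offline
against constructed responses.
"""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

REST_USERS = "/wp-json/wp/v2/users"
AUTHOR_RE = re.compile(r"/author/([^/?#]+)")


def http_fetch(url, timeout=10):
    """Live fetcher: follow redirects and return (final_url, status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.geturl(), resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.geturl(), err.code, ""


def leaked_usernames(base_url, fetch=http_fetch, author_ids=range(1, 6)):
    """Return {slug: [sources]} for every username the site reveals."""
    found = {}

    # 1. REST API: lists every user with published content, slug included.
    _, status, body = fetch(urljoin(base_url, REST_USERS))
    if status == 200:
        try:
            users = json.loads(body)
        except ValueError:
            users = []
        for user in users:
            if isinstance(user, dict) and "slug" in user:
                found.setdefault(user["slug"], set()).add("rest-api")

    # 2. Author archives: /?author=N redirects to /author/<slug>/ if user N exists.
    for n in author_ids:
        final, status, _ = fetch(urljoin(base_url, f"/?author={n}"))
        match = AUTHOR_RE.search(final)
        if status == 200 and match:
            found.setdefault(match.group(1), set()).add(f"author-archive(id={n})")

    return {slug: sorted(sources) for slug, sources in sorted(found.items())}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # assumed target
    for slug, sources in leaked_usernames(target).items():
        print(f"{slug}: {', '.join(sources)}")
```

Run it against your own site after renaming the account: if it still prints the old login name, the slug (user_nicename) was left unchanged and the rename bought nothing.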
Have a Strong Password
The key to surviving any brute force attack is a strong password.
The idea of brute force is to guess the user's password by trying many candidates. Most brute force scripts work through a wordlist of common and leaked passwords, or generate candidates, and keep submitting them to the login form until one is accepted.
A strong password is not in any wordlist and takes far too long to enumerate, which makes the attack impractical and gives you time to react.
What is a strong password?
A strong password is long, uses mixed-case letters, digits and special characters, and is random: it should not be based on dictionary words or on personal information, because either makes it easy to guess.
Here is an example of a strong password:
Can you remember a password like that? How many passwords like that could you create and remember?
That is where most people struggle: they create one or two passwords and reuse them for every login.
That is another bad idea, because once someone cracks one of them, they can try it against all your other accounts.
So if you actually want to secure your logins, use a password manager to generate and remember them. You only need to remember one master password; the manager keeps all the others.
This is my preferred password manager. It can generate and store passwords, and you can set the criteria for generated passwords, such as length and the number of digits and special characters.
It supports multiple vaults so you can organise your passwords, syncs across devices including Android and iOS, and is available as an extension for most browsers.
It is a good way to make sure you have a unique, strong password for every login.
This is another good password manager available on most platforms. It can also share passwords with other people through its cloud service and generate random strong passwords.
It offers a free version for one user, premium features start from as low as $2 per month, and there is a family plan for up to 6 family members.
Use either of the password managers above, but make sure your passwords are at least 15 characters long and hard to guess.
Use WordPress Roles
One of the biggest threats to security is excessive and unused privilege. Every user should have exactly the access needed to do their job and nothing more; this is the principle of least privilege.
WordPress comes with built-in roles, and you should make sure each user is assigned the right one. The roles are Administrator, Editor, Author, Contributor and Subscriber.
Keep the number of people with Administrator access to a minimum, and split the other writers between Editor, Author and Contributor according to what they actually need to do.
Check this WordPress support article to understand the differences between the roles.
Default User Role
WordPress can let visitors register on your blog, so make sure that is controlled according to your needs.
You can change this in the WordPress admin dashboard under Settings -> General.
Untick the Membership option ("Anyone can register") if you are not expecting anyone to sign up on your blog.
Also set the new user default role to Subscriber so that newly registered users get no extra privileges. You can promote a user later once you know what access they need.
Limit Maximum Number of Failed Logins
The defining characteristic of a brute force attack is a flood of failed logins: the attacker submits many different passwords, and all but the last one fail.
You can limit the number of failed logins so that a source that fails too many times is blocked for a while. A WordPress plugin can do this for you.
Limit Login Attempts Reloaded
Limit Login Attempts was the best plugin for this job, but it has not been updated for a long time. Limit Login Attempts Reloaded is based on the original plugin and is updated regularly.
The plugin lets you define the number of retries and the lockout time, and lets you increase the lockout time when the same IP is locked out repeatedly.
It also comes with blacklist and whitelist options for IP addresses, which are useful when multiple brute force attempts keep coming from the same IP. If your site sits behind a CDN or reverse proxy, make sure the plugin is configured to read the real client address from the forwarded-for header, otherwise every lockout will hit the proxy address and block all of your visitors.
WP Limit Login Attempts
This is another WordPress plugin that limits login attempts. There are not many settings unless you buy the pro version; with the free version you just install and activate it and it protects your admin login.
The default mode allows 5 failed login attempts before locking the user out for 10 minutes, and shows a CAPTCHA after 3 failed attempts. Changing any of this requires the pro version.
Use either of the plugins above to protect your blog from brute force attacks. Keep in mind that per-IP lockouts only slow down attackers who use a single address; a distributed attack spread over many IPs stays below the threshold on each one, which is why the measures in the next sections still matter.
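To make the lockout logic concrete, here is an added example (not code from the page or from either plugin) that replays a constructed Apache-style access log through a limiter with the thresholds quoted above: 5 failures lock the address out for 10 minutes. A POST to wp-login.php answered with 200 is counted as a failed login (WordPress re-renders the form), a 302 as a success (redirect to the dashboard). The escalation to a 24-hour lockout after every third lockout and the 12-hour failure reset are assumptions for illustration, as are the sample addresses and timestamps.

```python
"""Failed-login lockout logic of the kind the limit-login plugins implement.

Added example, not code from the page or from any plugin it names. The input
is a constructed Apache-style access log. A POST to wp-login.php answered with
200 is a failed login (WordPress re-renders the form); a 302 is a successful
login (redirect to the dashboard). Thresholds mirror the defaults quoted on the
page (5 failures, 10-minute lockout); the escalation after repeated lockouts
and the 12-hour reset are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one address hammering the form, one legitimate user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2020:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2020:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2020:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2020:10:00:13 +0000] "GET /wp-login.php HTTP/1.1" 200 3890
198.51.100.2 - - [10/Mar/2020:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.2 - - [10/Mar/2020:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2020:10:11:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
"""


@dataclass
class IpState:
    failures: int = 0
    lockouts: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LoginLimiter:
    def __init__(self, max_retries=5, lockout=timedelta(minutes=10),
                 escalate_after=3, long_lockout=timedelta(hours=24),
                 reset_after=timedelta(hours=12)):
        self.max_retries = max_retries
        self.lockout = lockout
        self.escalate_after = escalate_after   # every Nth lockout is a long one
        self.long_lockout = long_lockout
        self.reset_after = reset_after         # forget stale failures after this
        self.state = defaultdict(IpState)

    def attempt(self, ip, when, success):
        """Return 'locked', 'ok', 'failed' or 'lockout' for one login attempt."""
        s = self.state[ip]
        if s.locked_until is not None and when < s.locked_until:
            return "locked"                    # rejected before credentials are checked
        if success:
            s.failures = 0
            return "ok"
        if s.last_failure is not None and when - s.last_failure > self.reset_after:
            s.failures = 0
        s.failures += 1
        s.last_failure = when
        if s.failures < self.max_retries:
            return "failed"
        s.lockouts += 1
        s.failures = 0
        escalate = s.lockouts % self.escalate_after == 0
        s.locked_until = when + (self.long_lockout if escalate else self.lockout)
        return "lockout"


def parse_login_event(line):
    """(ip, timestamp, success) for a POST to wp-login.php, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["status"] == "302"


def replay(log_text, limiter=None):
    """Feed every login attempt in the log to the limiter; return the decisions."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for line in log_text.splitlines():
        event = parse_login_event(line)
        if event is None:
            continue
        ip, when, success = event
        decisions.append((ip, when.strftime("%H:%M:%S"), limiter.attempt(ip, when, success)))
    return decisions


if __name__ == "__main__":
    for ip, ts, decision in replay(SAMPLE_LOG):
        print(f"{ts} {ip:<14} {decision}")
```

Replaying the sample shows the shape the plugins give you: the fifth failure from 203.0.113.7 triggers the lockout, the sixth attempt is rejected without its password even being checked, the legitimate user at 198.51.100.2 is unaffected, and the attacker's next attempt after the 10 minutes expire is counted again from zero. Note that a blocked attempt returns before updating any counters, so an attacker cannot extend their own lockout by hammering the page.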
Enable Two-Factor Authentication
Two-factor authentication is a good way to stop relying on the password alone. Even if an attacker guesses a weak password, they still need the second factor to get in.
In most cases your users will enable an authenticator app, which generates a one-time code from a secret shared at enrolment using a standard algorithm (TOTP). You have to provide the code every time you log in from a new device; most plugins can remember a trusted device for up to 30 days so it is not asked for again.
If you are wondering how to set up two-factor authentication for WordPress, we have an easy-to-use guide. Use our Two-Factor Authentication WordPress setup guide to secure your installation.
Your users can install an authenticator app such as Google Authenticator or Microsoft Authenticator to generate the codes. This means a brute force attack now has to supply a second value that changes every 30 seconds, so even a correct password guess is useless without it. Make sure the code check is rate-limited just like the password check, because a 6-digit code has only a million possible values.
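The "already decided algorithm" those apps share is TOTP (RFC 6238): HMAC-SHA1 over the current 30-second time step, truncated to six digits. The block below is an added example, not code from the page or from any WordPress 2FA plugin. It uses the RFC 6238 test key so the codes can be checked against the published test vectors; the issuer and account names in the provisioning URI are placeholders, and a real enrolment would generate a random secret with secrets.token_bytes(20).

```python
"""TOTP (RFC 6238) as used by Google Authenticator and Microsoft Authenticator.

Added example, not code from the page or from any WordPress 2FA plugin. The
shared secret below is the RFC 4226/6238 test key, used here so the codes can
be checked against the published test vectors; a real enrolment generates a
random secret with secrets.token_bytes(20).
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

RFC_TEST_SECRET = b"12345678901234567890"   # RFC test key, never use for real accounts
STEP = 30                                   # seconds each code is valid
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Time-based code: HOTP over the 30-second time step containing `at`."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = STEP, window: int = 1) -> bool:
    """Accept the current code and `window` steps either side to absorb clock drift."""
    counter = at // step
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        # compare_digest on every candidate so timing does not reveal which step matched
        ok |= hmac.compare_digest(hotp(secret, counter + drift), code)
    return ok


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI that authenticator apps read from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    print("code now:", totp(RFC_TEST_SECRET, int(time.time())))
    # placeholder issuer/account, assumed for illustration
    print(provisioning_uri("My Blog", "admin@example.com", RFC_TEST_SECRET))
```

Two design points matter for brute force. First, the verification window: accepting one step either side is normal, but each extra step multiplies an attacker's odds per guess, so keep it small. Second, the comparison: looping over every candidate with hmac.compare_digest keeps the check constant-time, so the server does not leak which step matched.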
Change WordPress Login URL
One of the drawbacks of a CMS like WordPress is that everyone knows the basic structure of your site. Attackers know the default login page is /wp-login.php (and that /wp-admin redirects there), so they go straight to it and start guessing passwords.
You can change the login URL from the default to one of your own choosing. Attackers then have the additional task of finding the login URL before they can attack it.
This works well if you have few users or run the blog by yourself. If you let people register on your blog, they all have to remember the URL, or you have to link to it; a link defeats the purpose because an attacker can follow it just as easily, and asking many people to remember a custom URL is not practical. Note also that hiding the login page does not cover xmlrpc.php, which accepts a username and password through the XML-RPC interface and is a common brute force target, so disable or restrict it if nothing (such as Jetpack or a mobile app) needs it.
There are many plugins available in the WordPress repository which can do this work for you.
WPS Hide Login
WPS Hide Login lets you define the slug for your login URL. It disables the default wp-admin and wp-login.php URLs, so anyone trying them gets a message that the login page is disabled; only those who know the slug can reach the login form.
You can choose any word or combination of words as the slug. The plugin adds a setting in Settings -> General where you define the login page slug.
Do not leave it at "login", which is the plugin's default slug. Pick something hard for attackers to guess but easy for you to remember.
Even if an attacker does figure it out, you can log in to WordPress and change it again.
Install WordPress Security Plugin
The days when hacking attempts were rare are gone. Nowadays you have to protect your blog, because attackers will come looking for it.
WordPress has many plugins that help secure your blog and restore the WordPress core files if something goes wrong. Some of them come with a firewall feature that blocks traffic from known bad IPs.
Sucuri is not only a security plugin but also a firm that researches WordPress vulnerabilities, and they keep updating the plugin with new findings.
Their plugin comes with a firewall feature that lets you block specific IPs if there is a problem, and it can also block many IP addresses already known for attacks.
It also scans your WordPress installation and suggests changes based on security best practices.
All In One WP Security & Firewall
All In One WP Security & Firewall comes with both a firewall and a login lockdown feature, so you do not have to install multiple plugins.
It can also hide the admin login page, which makes it harder for attackers to find your login form. It combines several good features into a single plugin, so if you plan to implement multiple measures I would recommend installing it.
Use these tips to protect your WordPress site from brute force attacks, and let us know in the comments if you are facing a specific brute force problem.