Every day, thousands of websites are compromised by internet hackers. You may think that your website cannot become a target, but, in fact, any weakness is a potential opportunity for hackers. There are special automated tools that crawl the web in search of insecure platforms.
WordPress is highly vulnerable to hacker and bot attacks. Wordfence reports up to 90,000 attacks on WP platforms every minute. One of the most common vulnerabilities for WordPress websites is a brute force attack.
The team at InternetDevels explains WordPress brute force attacks and some security measures that can help to cut them down.
What are WordPress brute force attacks?
A brute force attack is a method hackers use to gain access to the WordPress website. Instead of looking for the vulnerabilities in the software, a brute force attack tries to gain access by entering usernames and passwords until the combination is successful.
Brute force logins make several repeated HTTP requests and overload the hosting server’s memory. Even if the attacker cannot gain access to the website, the web server overload might result in a potential crash.
Top usernames being attacked:
Top passwords being attacked:
How to stop WordPress brute force attacks?
1. Create a unique administrator username.
When creating an administrator account for the WordPress platform, you should never use the username like ‘admin’ or anything similar.
WordPress brute force hackers use a list of most common usernames and passwords before proceeding to more complex combinations. To protect yourself from brute force attacks, opt for the random username with upper and lower case characters together with the numbers. The username is as important as the password.
2. Create a strong password.
The password is a key to gain access to the website. It’s vital to use strong passwords not only for your WordPress user account but also for FTP, database and web hosting control panel.
To create a strong password, you shouldn't use singular dictionary words, combinations of them or even sentences. A strong password is a combination of numbers, letters, and special characters.
3. Install WordPress brute force plugins.
WordPress brute force plugins are mostly aimed to ban IP addresses after X attempts to gain access to the website.
Professional hackers with access to thousands of IP addresses will easily overcome these plugins. That’s why you shouldn’t rely only on this solution.
Best WordPress brute force plugins:
4. Add two-factor authentication.
Two-factor authentication adds the additional security layer to your WordPress login page. Users will need their mobile phones to generate a one-time passcode along with their login data to access the WordPress admin area.
There are special two-factor authentication plugins that will help you take advantage of this feature. Adding two-factor authentication will make it more difficult for hackers to gain access to your WordPress website.
5. Limit access to wp-login.php.
Add password to wp-login.php to restrict access to the file and increase the security of your WordPress website.
- Create a .htpasswds file via your WordPress hosting service using htpasswd generator.
- Upload this file to your public web or root folder.
- After uploading the file, place this code in your .htaccess file:
# Protect wp-login
AuthName "Private access"
require user username
Now you wp-login.php is protected.
6. Limit access to wp-admin.
Blocking wp-login.php is more than enough, but to be 100% sure you can limit access to the entire WordPress admin folder by creating .htaccess in the wp-admin folder.
- Create a plain text editor called .htaccess
- Add this code to it
# Block access to wp-admin.
allow from x.x.x.x
deny from all
(x.x.x.x is your static IP Address)
Using this method, you can allow access to many different IP addresses
- Save the file and upload it to the wp-admin folder
7. WordPress Updates
Regular WordPress core, plugins and theme updates will ensure your website security. Brute force attacks often target vulnerabilities in older WP versions and the most popular plugins and themes. If you don’t update your CMS, you are under the risk of getting hacked and become a victim of brute force attack.
Note that updates should be applied carefully, taking into account compatibility between all the website components. It is better to entrust regular site updates to WordPress developers who operate the best practices.
8. Reliable hosting provider
A good hosting provider is a key to reliability and protection. Your WordPress site’s stable work directly impacts your reputation and customer satisfaction, as well as security. You never know what other platforms share hosting with you. However, Google knows and associates you with them. These websites could be anything from gambling to drugs. If one of the platforms on the server gets hacked, your website will become vulnerable as well.
To avoid brute force attacks from the side of your hosting provider, make sure you have a reliable web development company that can help you in choosing the best hosting package.
9. Backup your WordPress website
If your website got hacked after all, backups are your lifeboat. Maintaining regular backups will allow you to quickly restore all the damaged data.
Our team at InternetDevels can easily backup your WordPress website and restore all the damaged content.
Protect yourself from WordPress brute force attacks
Website security has to be a priority for any website owner. The mentioned-above tips will help you protect WordPress website from brute force attacks. Don’t forget to keep your WordPress core, plugins, and themes updated as any CMS updates are crucial for a website’s well-being.
Don’t forget that you can always rely on our WordPress support team regarding your website’s security.