How to Protect WordPress From a Brute Force Attack

24 hours ago I started receiving a Brute Force Attack on one of the WordPress sites I have. The site was somewhat protected, but that protection wasn’t as well tuned as I would have liked. I’ll share what I did to improve it so you can take action and protect your site better.

The main defense I use against most attacks is the iThemes Security plugin, the free version. This awesome tool offers many ways to detect attacks and protect your site from hackers and automated malicious robots, but it isn’t enough to just install it and leave it with the default settings.

How to detect a Brute Force Attack

I noticed the attack because I started receiving frequent emails from this plugin notifying me that all of the users of the site were being locked out of the administration panel, meaning that someone was supposedly trying to log in as them and repeatedly failing because of a wrong password.

These real users were not actually trying to access the site at that time, so this could only mean an automated robot was repeatedly trying to break into the admin panel by trying several different passwords against the real usernames, from different IPs in Russia.

How to protect your site from a Brute Force Attack

  1. Remove or rename the “admin” user

    The default administrator user for every WordPress installation is “admin”, which means everyone already knows the username of the most important user on your site. It’s very important that you create a new user with another name, give it the administrator role and then delete the “admin” user.

  2. Hide the login page

    There’s another WordPress default that makes it a bit insecure: its user login page. It’s always http://yoursite.com/wp-admin/index.php or http://yoursite.com/wp-login.php. If you change this URL, you’ll make it a lot harder for automated robots to find your login page and start their Brute Force Attack. iThemes Security provides an easy option to do this without any coding.

  3. Limit login attempts

    Almost any security plugin has another very useful setting: limiting the login attempts per user and per host. Use a number smaller than 10 for both of these options and you’ll make it harder for hackers.

  4. Set a strong password

    This is probably the most obvious advice, but few administrators actually take it into account. Always use uppercase letters, numbers and symbols. By doing this, the time it takes to guess your password can go up to many years, even with the fastest computer.

  5. Add your own IP to a whitelist

    After implementing these security measures, the last thing you want is to lock yourself out of your own site. To prevent this, most plugins allow you to add your IP to a whitelist, so you’ll always be able to log in without any problems.

  6. Enable a blacklist

    With so many hackers and machines dedicated only to attacking other sites, there are a lot of known malicious IPs and hosts. iThemes Security allows you to enable a blacklist option that will automatically ban these IPs and hosts from accessing your site. This is a very good start, but you can also enter IPs manually if needed.

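The lockout emails described above are the plugin’s view of the attack; the same condition can be checked from the web server’s access log, applying the per-host limit from step 3 and the whitelist from step 5. This is an added Python example, not code from this post or from iThemes Security: the log lines are constructed, and the rule that a failed login answers with 200 while a successful one redirects with 302 is a heuristic about default WordPress behaviour.

```python
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2014:02:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2014:02:15:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2014:02:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2014:02:16:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2014:02:16:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
"""

def failed_logins(log_text):
    """Yield (ip, timestamp) for requests that look like failed WordPress logins.
    Heuristic: WordPress re-renders the form (200) on a failed POST to
    wp-login.php and redirects (302) on success; GETs are just form loads."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def brute_force_sources(log_text, max_attempts=5, window_seconds=300, whitelist=()):
    """Return {ip: total_failed} for hosts reaching max_attempts failed logins
    within any sliding window of window_seconds; whitelisted IPs are skipped
    (the plugin's per-host limit and whitelist settings, applied to the log)."""
    events = {}
    for ip, ts in failed_logins(log_text):
        if ip not in whitelist:
            events.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= max_attempts:
                flagged[ip] = len(stamps)
                break
    return flagged
```

Run against a real access log, `brute_force_sources(open("access.log").read())` lists the hosts you would expect the plugin to have locked out, which is a quick way to confirm the per-host limit is actually firing.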
You can never be 100% free of online attacks but with these simple and free security measures you’ll protect your site from the vast majority of Brute Force Attacks. 
