Brute force attacks are common against web services. Any website is a potential target. However, criminal actors usually choose the most popular to increase their chances of success. WordPress is one of their favorite targets. This platform is so popular that out of one million top websites on the Internet, over 75% are created using WordPress. Being such a strong market leader makes WordPress an attractive target for attackers. One popular type of attack is password brute force on WordPress websites.

One of the methods many hackers use to access a WordPress site is to launch a brute force attack. Like any hacking attempt, these attacks are intended to give the attacker access to the system so that they can delete content, add their own content, or perform other malicious actions. A brute force attack is one of the easiest ways to get into a system.
What is a Brute Force Attack?
A brute force attack is a method of trying every possible combination of characters until the correct password or encryption key is found. This can be done manually, but it is more commonly done using automated tools. Brute force attacks can be very effective, especially if the target website has weak passwords or security measures.
Here are some examples of brute force attacks:
- Trying all possible combinations of letters and numbers to guess a password
- Trying all possible combinations of IP addresses to find a vulnerable server
- Trying all possible combinations of characters to decrypt an encrypted message
Brute force attacks can be used to attack a variety of targets, including websites, email accounts, and computer systems. They can be used to gain access to sensitive information, such as passwords, credit card numbers, and Social Security numbers.
7 solutions to protect yourself against brute force attacks on WordPress
Use a complex login and password
Let’s start with a basic tip: use a strong username and password.
For the login, forget about the classic “admin” on your site to make the attackers’ work harder (the same goes for equally predictable names such as “test”).
You already have an account with the “admin” login? Here is how to delete it:
- Create a new user with a login that is difficult to guess. If you’re not sure, use this kind of generator. To do this, go to the menu Users > Add New.
- Delete your admin account by assigning all the content associated with it to the new user you have just created.
Let’s move on to passwords. Forget the classic “123456”, “123456789” or “password”, which are among the most used – and therefore most hacked – across the planet.
To generate a strong password, apply the following best practices:
- Mix character classes: upper and lower case letters, numbers and punctuation marks.
- Forget common passwords such as “1234”, “0000”, your first name or your pet’s name.
- Choose a long password, longer than 10 characters.
- Don’t use the same password you use for other sites (e.g. email, bank, etc.). If possible, use a unique password.
If you are stuck, there are different options to help you generate passwords as strong as an ox:
- This powerful generator, which offers different filters.
- A password manager such as Dashlane, which automatically suggests passwords and stores them in a secure safe.
Finally, even if your password seems very secure, remember to change it from time to time; it is always better.
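As an added illustration of the rules above, and of why the length rule matters against the exhaustive search described in the brute force definition, here is a small Python policy checker. It is not code from this article or from any WordPress plugin. The threshold of three character classes, the short lists of common passwords and default usernames, the alphabet sizes and the guessing rate in the demo are assumptions chosen for this example.

```python
import string

# Constructed sample lists for this example; a deployment would load a long,
# breach-derived password list and its own site-specific word list instead.
COMMON_PASSWORDS = {"123456", "123456789", "password", "1234", "0000", "qwerty"}
GUESSABLE_USERNAMES = {"admin", "administrator", "test", "user", "root", "wordpress"}
MIN_LENGTH = 11          # the article's "longer than 10 characters"
MIN_CLASSES = 3          # assumed: at least three of the four character classes

CLASSES = {
    "lower": string.ascii_lowercase,    # 26 characters
    "upper": string.ascii_uppercase,    # 26 characters
    "digit": string.digits,             # 10 characters
    "punct": string.punctuation,        # 32 characters
}


def classes_used(password: str) -> set[str]:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive attacker must enumerate to cover
    every character class the password uses."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def search_space(password: str) -> int:
    """Number of candidates in an exhaustive search: alphabet_size ** length."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole search space at a given rate."""
    return search_space(password) / guesses_per_second


def check_username(username: str) -> list[str]:
    """Return the problems with a login name (an empty list means acceptable)."""
    problems = []
    if username.lower() in GUESSABLE_USERNAMES:
        problems.append("username is a well-known default")
    return problems


def check_password(password: str, username: str = "",
                   personal_words: tuple[str, ...] = (), reused: bool = False) -> list[str]:
    """Apply the article's password rules; returns the list of violations."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    for word in personal_words:                     # first name, pet's name, ...
        if word and word.lower() in lowered:
            problems.append(f"contains the personal word '{word}'")
    if reused:
        problems.append("is reused from another site")
    return problems


if __name__ == "__main__":
    # Constructed candidates; 1e9 guesses/s is an assumed offline cracking rate.
    for candidate in ("123456", "fluffy2019", "Tr0ub4dor&3xample!"):
        print(candidate, check_password(candidate, username="admin", personal_words=("fluffy",)))
        days = seconds_to_exhaust(candidate, 1e9) / 86400
        print(f"  exhaustive search at 1e9 guesses/s: {days:.3g} days")
```

The search-space figure is a worst case for an attacker who genuinely enumerates the whole alphabet; dictionary and credential-stuffing attacks find common or reused passwords far sooner, which is why the common-password and reuse checks matter at least as much as the length check.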
Change the administration login page
Limiting admin login attempts is highly recommended, but it is possible to go even further. Since you’re interested in getting in the way of malicious bots and human hackers, make their lives even more difficult by changing your administration login page.
If you’ve been following along, you’ve read that it’s very easy to find the admin login page for a WordPress site. Just type either of the following URLs in your navigation bar:
yoursite.com/wp-admin
yoursite.com/wp-login.php
Now, if the classic login page is no longer accessible by going to one of the above URLs, the bots and other attackers are screwed!
To move your login page to the URL of your choice, go back to iThemes Security. A setting is available in the advanced settings:
At the configuration level, you will need to specify a login slug. From then on, the wp-admin directory and the wp-login.php page become inaccessible. Remember to note your new URL in several places. For example, you can bookmark it on your browser for easy access.
You can also specify a redirection URL (e.g. https://yoursite.com/404), which will be sent to the bot or hacker who is not logged in and wants to access your login page.
Update WordPress regularly
Even if you equip your site with multiple security plugins, your efforts may not make much of a difference if your WordPress installation is out of date. In fact, using an old version of WordPress core, themes, or plugins opens up unpatched security loopholes, making it easier for intruders to attack your site.
WordPress is extremely popular. Therefore, the platform faces many bugs and hacks that might compromise its security. The good news is that developers work hard to discover these vulnerabilities, so each WordPress update usually includes new security patches. You can check for available upgrades via the Updates section in your admin dashboard:

In an analysis of hacked websites, Sucuri found that 61% of successful attacks in its sample happened because of outdated system versions [2]. Even established sites like Reuters have fallen victim to malicious attacks due to an outdated WordPress installation. Therefore, it’s smart to take advantage of new version upgrades as soon as they are available.
Updating your WordPress site and associated tools will likely benefit your site’s performance and user experience (UX) due to new features and system improvements. However, if you’re worried that updating your site might affect its functionality, you can typically defer new major updates (version X.X) for 30 days while you identify potential conflicts. However, you should always apply minor security updates right away (version X.X.X).
Also, it’s smart to always back up your website before you proceed with any changes.
Install a WordPress firewall plugin
Our next recommendation is to set up a WordPress firewall plugin. In short, a firewall is a type of software that protects your site from unauthorized access using pre-configured rules.
For instance, you can limit the number of users who can simultaneously enter your site, which keeps you safe from distributed denial of service (DDoS) attacks. A DDoS attack attempts to disrupt your server by flooding it with more traffic than your bandwidth can handle.
As a result, your website may go down, or you may experience account suspension if you’re on a shared hosting plan. This can be extremely frustrating and costly, so it’s smart to protect your site from DDoS attacks.
Some hosting providers might already include firewall services in their packages. Otherwise, installing a plugin such as All In One WP Security & Firewall will get the job done. Apart from the firewall feature, this tool also gives you other security perks, such as spam prevention, ‘login lockdown’ to prevent excessive login attempts, and more.
Note that for this method to be effective, you’ll need to configure your firewall correctly. Therefore, it’s smart to consult the relevant documentation or ask your hosting provider.
Limit the Number of (Failed) Login Attempts
WordPress sites are vulnerable to brute force attacks because there is no limit on the number of login attempts allowed by default. This means that attackers can keep trying different combinations until they succeed. It’s similar to hitting a wall repeatedly until you find a weak spot to exploit. Allowing unlimited login attempts increases the risk of unauthorized access and potential malware infections.

However, an easy and effective solution to this problem is to limit login attempts. Using plugins like Limit Login Attempts or Loginizer prevents repeated login attempts and significantly reduces the chances of a successful breach. This practical measure adds an extra layer of protection, making it more difficult for malicious actors to access your site.
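The lockout logic that plugins such as Limit Login Attempts implement can be sketched in a few dozen lines. The following Python class is an added example, not code from this article or from either plugin; the policy values (4 failures counted over 12 hours, then a 20-minute lockout), the client IPs and the scenario it replays are assumptions made for this example, and the in-memory store stands in for the database a real plugin would use.

```python
from collections import defaultdict, deque

# Assumed policy values for this example.
MAX_FAILURES = 4            # failed attempts allowed inside the window
FAILURE_WINDOW = 12 * 3600  # seconds over which failures are counted
LOCKOUT_SECONDS = 20 * 60   # how long a client stays locked out


class LoginAttemptLimiter:
    """Per-client lockout with a sliding failure window (in-memory).

    Keyed by client IP so that a bot rotating usernames against one site is
    still throttled; a real plugin would persist this state in the database.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=FAILURE_WINDOW,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> unix time when the lockout ends

    def _prune(self, ip, now):
        """Drop failures that fell out of the counting window."""
        recent = self._failures[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, ip, now) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # lockout expired: forget it
            del self._locked_until[ip]
            return False
        return True

    def attempt(self, ip, username, password_ok: bool, now) -> str:
        """Process one login attempt and return its outcome:
        'locked'  - rejected without the password even being considered,
        'success' - correct password, failure history cleared,
        'failure' - wrong password, counted towards the lockout threshold."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self._failures.pop(ip, None)
            return "success"
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            self._failures.pop(ip, None)
        return "failure"


def simulate_bot(limiter, ip="198.51.100.7", start=1_700_000_000):
    """Constructed scenario: a bot tries 6 wrong passwords one second apart;
    then the right password is offered during the lockout and again after it."""
    outcomes = [limiter.attempt(ip, "admin", False, start + i) for i in range(6)]
    outcomes.append(limiter.attempt(ip, "admin", True, start + 10))                   # still locked
    outcomes.append(limiter.attempt(ip, "admin", True, start + 10 + limiter.lockout))  # lockout over
    return outcomes


if __name__ == "__main__":
    for step, outcome in enumerate(simulate_bot(LoginAttemptLimiter())):
        print(f"attempt {step}: {outcome}")
```

Two details worth keeping in a real implementation: the correct password is rejected while the lockout is active (otherwise the attacker learns which guess was right), and the lockout is keyed on the client, so a bot cycling through usernames gains nothing. A legitimate user sharing the bot's address is also locked out, which is the trade-off behind the plugins' relatively short default lockout.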
Strongly Avoid Using “Admin” as a username
Before WordPress version 3.0, the Content Management System (CMS) was installed with the default and widely known username “admin.” Since then, new installations let users set a custom username during the installation process. Despite this improvement, many site owners still neglect to change the default “admin” username, which poses a significant security risk. The primary concern is vulnerability to brute force attacks, as hackers already possess half of the required login credentials – the username. Therefore, site owners are advised to promptly replace the default “admin” username with a unique and unpredictable combination of words, numbers, and characters.

By changing the default username to something more obscure and personalized, website owners can significantly diminish the threat of brute force attacks. Adopting a distinctive and unpredictable username makes it far more challenging for attackers to target a specific account successfully. A robust combination of letters, numbers, and special characters adds to the complexity of the login credentials and strengthens the site’s defenses against malicious intrusions.
Password Protect Admin Directory
One way to make your WordPress website more secure is to password-protect the admin folder. Using tools like cPanel’s “Directory Privacy” feature can help restrict access to the login screen and other important admin resources, adding an extra layer of protection. Think of it as adding a sturdy deadbolt to your front door – while it may take a little longer to unlock, the added security is worth the effort.

What’s even better is that this method can outsmart automated brute force bots that often target login pages. By requiring valid credentials for the directory, potential hackers won’t even have a chance to see the WordPress login screen. Essentially, it’s like having a reliable defense mechanism that effectively deters unauthorized access, giving you peace of mind and better safeguarding your WordPress site without causing any significant inconvenience to legitimate users.