On December 18, 2018, WordPress sites experienced the highest number of brute force attacks that happened as of that date. Mark Maunder, the founder and CEO of Wordfence, said that this aggressive campaign culminated with 14 million attacks on WordPress sites per hour.
You want your WordPress site to be protected from brute force attacks. Brute force attacks can slow your website down, stop people from visiting it, crack your password, and install malicious software on your site. This resource created by Hosting Canada identifies other important factors for maintaining security.
Defining a Brute Force Attack
This is a method of hacking that uses a trial and error system to compromise a network, a website, or a computer system. To accomplish this, hackers use automated software that sends huge numbers of requests against a specific system. The software is trying to guess passwords or PIN codes to gain access to the system.
When a brute force attack is successful, hackers could get access to your WordPress website’s admin area. They could install malware, they could steal your information, or they could even delete your entire site. Even if the attack is unsuccessful, when you get too many requests, your website’s hosting servers could crash, rendering them inoperable.
Now that we know what a brute force attack is, let’s examine a few steps you can take to protect yourself from it.
Use a WordPress Firewall Plug-In
When you use a website firewall solution, you are able to filter out bad traffic and prevent it from gaining access to your site. Website firewalls can be divided into two categories.
Application Level Firewalls
This type of firewall plugin examines traffic when it gets to your server. This happens before it loads the majority of your WordPress scripts. This is not considered the most efficient method of protection against a brute force attack because the server load could still be negatively affected.
DNS Level Website Firewall
This is the firewall that routes website traffic through cloud proxy servers. So only genuine traffic makes it to your main hosting server. An added benefit is that the speed of the site is given a boost.
Hide Your WordPress Login
When you set up your WordPress website, one of the first things you should consider is hiding the login area. By default, the login area of your WordPress page is available with:
If a hacker knows that you have a WordPress site and if you have not hidden your login area, it is easy for the hacker to find your login page and start a brute force attack. There are a number of plug-ins that you can use to hide your login area. Some of the more popular ones include:
- (PLUGIN) WPS Hide Login — A great little lightweight plugin that lets you change your login URL to anything you want.
- iThemes Security (Better WP Security) — Although it comes with a lot of different features iThemes is a great way to protect your WP login page. It also has 2FA for login, malware scanning and reCAPTCH functionality.
Implement Two-Factor Authentication
Two-factor authentication gives your website an additional layer of security. In addition to the credentials to sign into your website, you also need to give a one-time password. There are a few plug-ins that can help in this regard:
- Google Authenticator for WordPress — Protect your site with the one and only Google 2FA. This provides an extremely secure way to secure your site and all its content.
- Incapsula — While Incapsula does provide 2FA support, the power really lies in its ability to protect yourself from all manner of threads.
- SUCURI — Sucuri is a great way to avoid DDos attacks, protect your site at the DNS level and mitigate other security concerns. It also enables your applications to be protected via 2FA.
Protect WordPress Admin Directory
The majority of brute force attacks on WordPress are designed to gain access to the admin area. Your WordPress admin directory can be password-protected on the level of the server. This blocks unauthorized individuals from accessing your WordPress admin area. To do this, use the following steps:
- Login to the hosting control panel
- Click “Directory Privacy,” which is found in the files section
- Find the WP–admin file and select its name
- cPanel will request that the folder be given a name along with a username and a password
- Enter this information and click the save button to save your settings
Now, your WordPress site is password-protected. A new password will be requested the next time you visit.
Disable Directory Browsing
If the index file cannot be found, it will show an index page containing the directory. In a brute force attack, a hacker can review the directory to try to find weak or vulnerable files. To change this, you need to put “Options -Indexes” at the end of your WordPress .htaccess file.
The above-mentioned tips should help you secure your WordPress site in the case of a brute force attack. Have you been the victim of a brute force attack? What steps are you taking to secure your site? Let us know in the comments section below.