How to Secure WordPress from Brute Force Attacks

There is no such thing as an impenetrable system on the Internet. From small businesses to government installations, online weaknesses are often exploited by hackers. One of the more common of these threats is the “brute force” attack.

In fact, your site probably receives hundreds or thousands of these attempts per day without you realizing it. Bots scan every reachable WordPress login page, no matter how small the site behind it is.

And because of how often these attempts happen, it’s always a good idea to secure WordPress from brute force attacks.

Remember, an ounce of prevention is worth a pound of cure. A few moments spent today will save you from a massive migraine later on.

Today, I’ll show you how to add WordPress brute force protection and substantially reduce your exposure to this kind of attack.

What is a Brute Force Attack?

A “brute force” attack is when a hacker or bot submits a large number of username and password combinations to the login form until one works. The guesses are rarely random: most attacks start with the most common default username, “admin,” and work through lists of common passwords or credentials leaked in breaches of other sites.

How long it takes depends on the strength of the password and on how quickly the attacker can submit guesses. A password that appears on a common-password list can fall in seconds; a long, random one would take days, years or far longer, which is why password strength is the first line of defense.

Many systems nowadays watch for rapid attempts like this and block the attacker’s IP address, forcing him or her to come back from another address. Attackers expect this and spread their guesses across botnets and proxy pools, so IP blocking slows an attack down but does not end it on its own.

Once the hacker has the login credentials of the administrator account in WordPress, he or she can install a backdoor, inject malware or spam into your pages, create additional administrator accounts or simply take the site offline.

So, how do you add security to WordPress to limit brute force attacks?

WordPress Protect: Enhanced Brute Force Login Protection


One of the stronger options is WordPress Protect, a system we developed at GreenGeeks together with our system administrators and external vendors. It protects every WordPress site hosted on our servers.

In 2017, we found the platform not only protected against 180,000 brute force attempts per day, but also reduced page load times by 13%.

If you use GreenGeeks to host your WordPress website, you won’t have to do anything. It’s an automatic addition which doesn’t require any action from you.

The system works by counting the login attempts arriving from each client within a set time window. When too many of them fail, further connections from that client are throttled, so a bot that could otherwise hammer the login form is held to a crawl.

Essentially, it’s a shield against brute force that is always on, keeping our customers protected at all times.
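The counting logic behind this kind of protection, as an added example of my own rather than GreenGeeks’ code (WordPress Protect runs at the server level and its internals are not shown here): it reads Apache-style access log lines, treats a POST to wp-login.php answered with HTTP 200 as a failed login (WordPress re-renders the form on failure and redirects with 302 on success) and any POST to xmlrpc.php as an attempt, since a single XML-RPC system.multicall request can carry many credential pairs, and flags a client once it reaches five failures within five minutes. The log lines are constructed for the example, and the threshold and window are assumptions you would tune for your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Apache combined-format access log lines (not real traffic).
# 203.0.113.7 is a bot guessing passwords; 198.51.100.20 is a legitimate login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
"""

# client IP, bracketed timestamp, request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def is_failed_login(method, path, status):
    """wp-login.php: a POST that comes back 200 means the form was re-rendered with
    an error (success is a 302 to wp-admin). xmlrpc.php: every POST counts, because
    one system.multicall request can test many credential pairs whatever the status."""
    if method != "POST":
        return False
    clean_path = path.split("?")[0]
    if clean_path == "/wp-login.php":
        return status == 200
    return clean_path == "/xmlrpc.php"


def find_brute_forcers(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window counter: return {ip: timestamp} for every client whose failed
    logins reach `threshold` within any `window`-long span. The timestamp is the
    moment the threshold was crossed, i.e. when throttling should begin."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ts, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print(f"throttle {ip} from {when.isoformat()}")
```

Run against a real access log, the same function shows you which clients a lockout rule would have caught and when; lowering the threshold catches slow attackers sooner at the cost of occasionally throttling a forgetful user.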

Use WordPress Brute Force Plugins

Brute Force Firewall

Plugins are the lifeblood of WordPress, and the right security plugin will greatly diminish brute force threats to your site.

One of my favorite security plugins is Wordfence. Its free version monitors your site for a variety of security threats, including brute force attacks, and can lock out a client after a set number of failed logins.

However, Wordfence isn’t the only excellent plugin available for WordPress. There are a number of extremely popular and highly rated tools you can install right now to start protecting the site immediately.

And most of them offer brute force protection for free. Keep in mind, though, that a plugin only runs once WordPress has loaded, so every attempt it blocks still costs a PHP request; server-level protection, like the host-side system described above, stops the request before it gets that far.

Use Two-Factor Authentication

A very effective method of preventing unauthorized access to WordPress is two-factor authentication. A brute force attack only guesses the password; with a second factor in place, an attacker who guesses it still needs a one-time code from a device you hold before the login completes.

In many instances, people use SMS text messages for this. It works because a hacker is very unlikely to be brute-forcing your site while also holding your smartphone. SMS is the weakest form of second factor, though: codes can be intercepted through SIM-swap fraud, so prefer an authenticator app that generates time-based codes (TOTP), or a hardware security key, where the plugin supports them.

In reality, a lot of big companies use two-factor authentication in some form or another. For example, the Steam gaming platform uses a smartphone app to verify that it’s really you logging into the website.

Hide or Move the WordPress Login Screen

WPS Hide Login

Hiding or moving the WordPress login screen deflects most untargeted automated brute force attacks, because the bots are hard-coded to hit the default wp-login.php and wp-admin URLs that every WordPress install exposes.

If hackers don’t know the address, they can’t very well knock on your door. Bear in mind that this is obscurity rather than real protection: a determined attacker can still discover the new address, and changing the login URL does nothing for xmlrpc.php, which accepts usernames and passwords too and should be disabled or blocked if you don’t use it.

WordPress itself has no setting for renaming the login page, not even during a manual install, and editing the core files by hand is undone by the next update. That’s where plugins like WPS Hide Login come in: they serve the login form at a URL you choose, return a 404 for the default one, and work on a site that’s already up and running.

Some of these plugins will give you the opportunity to customize the URL of your login page to something completely random or something more unique for your needs.

Use Custom Admin Login Credentials

Older WordPress versions and many one-click installers create the first administrator account with the username “admin” (current versions let you choose the name during setup). If your site has an “admin” account, I highly suggest replacing it.

Why is that?

Because “admin” is the most common username. It’s the default on countless sites and usually the first thing hackers try in a brute force attack. In other words, you’re handing them half of the login credentials right off the bat. WordPress won’t let you edit a username from the profile screen, so the usual route is to create a new administrator, log in as that user, and delete the old “admin” account while reassigning its posts to the new one. One caveat: usernames aren’t really secret, since author archive URLs and the REST API can reveal them, so treat a unique username as a small gain on top of a strong password, not as a substitute for one.

Personally, I remove the “admin” account and create something unique for every site I manage. Sometimes I’ll even add numbers among the letters of the username just to make it more difficult.

Password Protect Admin Directory

Directory Privacy

Another common method to secure WordPress is to password protect the admin folder with HTTP Basic authentication at the web server. If you use something like cPanel, you can use “Directory Privacy” on the wp-admin directory to put a server-level password prompt in front of the dashboard. Note that the login form itself, wp-login.php, lives in the site root rather than inside wp-admin, so protecting the directory alone leaves the form reachable; cover it with a separate rule for that file.

This means hackers will have to know the credentials to the directory before even seeing the login screen for WordPress.

Think of it like adding a deadbolt to your front door. While it may take a few additional moments to turn both keys, it’s still superior protection versus the one lock on your doorknob.

Plus, most automated brute force bots give up when the server answers with a 401 instead of the login form, and because the web server rejects the request, it never reaches WordPress or PHP at all. The one thing to watch is wp-admin/admin-ajax.php, which themes and plugins call on behalf of logged-out visitors; it needs an exception or those front-end features will break.
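Here is what that protection looks like under the hood on Apache, as an added example written for this page; cPanel’s Directory Privacy generates equivalent rules for the directory you pick but not the wp-login.php rule. It assumes the site lives in /home/example/public_html and that the password file was created outside the web root with `htpasswd -B -c /home/example/.htpasswds/wp.htpasswd alice` (bcrypt hashes); the paths and the user name are placeholders.

```apache
# /home/example/public_html/.htaccess  (site root; assumed path)
# wp-login.php sits in the root, not in wp-admin/, so it needs its own rule.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/home/example/.htpasswds/wp.htpasswd"
    Require valid-user
</Files>

# /home/example/public_html/wp-admin/.htaccess  (assumed path)
AuthType Basic
AuthName "Restricted"
AuthUserFile "/home/example/.htpasswds/wp.htpasswd"
Require valid-user

# Themes and plugins call admin-ajax.php for logged-out visitors too;
# without this exception their front-end features break behind the password.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Use a different password from your WordPress login for the Basic auth prompt, since the point is that an attacker must now get past two independent secrets, and keep the .htpasswd file outside the directory the web server serves.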

Always Keep WordPress Updated

WordPress Updates

A good rule of thumb for protecting WordPress is to always make sure the core, plugins and themes are current and updated. Updating does not stop brute force attempts the way the methods above do, but it’s a good practice to maintain for a closely related reason.

Hackers look for any exploitable weakness in a website. A vulnerable plugin or theme (an SQL injection or a privilege-escalation flaw, for example) can let an attacker create an administrator account of their own directly in the database.

So instead of a brute force attack, they can simply log in as administrators themselves.

Luckily, you can set WordPress to update files automatically in a variety of ways so you don’t have to remember to do so. WordPress installs minor core releases automatically by default; setting the WP_AUTO_UPDATE_CORE constant to true in wp-config.php extends that to major releases, and since WordPress 5.5 plugins and themes can be switched to auto-update individually from the dashboard. This gives plugin and theme developers a chance to fix any exploits and help keep your own site protected.

Always Keep a Backup

Backup Plugins

Another good practice to get into is always making sure you have a current backup of your website. This is a “just in case” measure, and hopefully you’ll never have to restore from a backup.

However, being able to recover quickly after a brute force attack will save you in lost time and data.

You have a lot of options for backup plugins in WordPress. Some will even save files directly to cloud storage platforms like Dropbox, Google Drive or Microsoft OneDrive, which also keeps the copy off the server an attacker may have compromised.

Any of these systems will give you a redundant method to recover your site in the event a hacker succeeds with a brute force attack. Just remember to plug up any holes in the site to prevent the hacker from succeeding again: after restoring, change every password, remove any administrator accounts you didn’t create, and rotate the secret keys and salts in wp-config.php so that any session cookies the attacker obtained stop working.

Never Underestimate the Need to Secure WordPress

Any one of the above methods is extremely helpful. However, you shouldn’t limit yourself to just one or two of them. The more effort you put in, the more protected the site becomes.

WordPress is a solid system for creating websites. But never assume it has enough protection to keep your files and visitors ultimately safe. Spending a few moments now to lock down the site is worth the effort when compared to what you can lose.

What WordPress security plugins are your favorite? How often have you traded out old, unsupported plugins for newer versions?
