Five methods to protect your WordPress website from brute force attacks


Brute-force attacks are widespread on WordPress for a straightforward reason: everything about WordPress is always the same. The directory structure, the user base, the login, and the backend are identical from one installation to the next. Everyone knows exactly where the weak points of the CMS are, which is why automated brute force attacks always have a realistic chance of success.

This makes them tempting, especially since they can be largely automated: because WordPress uses the same structure for every installation, one script works against all of them. Attackers know this and exploit it.

Today we look at how you can prevent such brute force attacks and what helps to secure your WordPress website.

WordPress hacks have a long history. The content management system is vulnerable to attacks for one main reason: it is very widely used and, more importantly, it is used all over the world.

WordPress is so widespread that a single working attack can be run against many different installations, mainly because most WordPress websites use similar plugins. A vulnerability in such a plugin or theme therefore means a lot of potential targets.

To make WordPress more secure against brute force attacks, it helps to combine several measures. Some can be handled easily and quickly with an additional WordPress plugin, while others require a snippet or more detailed settings.

I will present my five favorite ways to protect your WordPress website from brute force attacks and briefly explain how to implement each of them.

1. Limit login attempts

Limiting login attempts is essential in WordPress. Without a limit, attackers can automatically test thousands of passwords with a script or bot without ever being blocked. The brute force method then has a high probability of success and, above all, runs almost continuously, which also drags down the performance of the website.

So the first step to protecting against brute force attacks is to limit the login attempts in WordPress and block IP addresses that exceed the set limit for a certain period of time. In this way, persistent brute force attacks can be warded off. The Limit Login Attempts Reloaded plugin helps with this.

With the extension, you can define the number of allowed login attempts and set how long conspicuous IP addresses remain blocked. In addition, the plugin can log these events, so that suspicious activity is recorded in a traceable way.

Image: Limit Login Attempts Reloaded
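The rule the plugin applies, counting failed login attempts per IP and blocking clients that exceed the limit, expressed as a check over an Apache access log. This is an added example, not code from the article or from the plugin; the log lines are constructed, the threshold of 5 is an assumption, and the deny snippet uses Apache 2.4 syntax.

```shell
# Constructed sample lines in Apache combined log format (not from a real server).
# A POST to wp-login.php answered with 200 is a failed login (the form is re-rendered);
# a successful login is answered with a 302 redirect to wp-admin.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "ip count" for every client whose failed
# wp-login.php POSTs reach the threshold given as $1 (the plugin's "allowed attempts").
failed_login_offenders() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    '
}

# Turn an offender list (stdin) into an Apache 2.4 .htaccess snippet that denies
# those clients wp-login.php; "Require not" is only valid inside <RequireAll>.
deny_snippet() {
    printf '<Files wp-login.php>\n    <RequireAll>\n        Require all granted\n'
    while read -r ip count; do
        printf '        Require not ip %s\n' "$ip"
    done
    printf '    </RequireAll>\n</Files>\n'
}

# Usage: flag clients with 5 or more failures in this log slice and build the block list.
printf '%s\n' "$SAMPLE_LOG" | failed_login_offenders 5 | deny_snippet
```

Note that 203.0.113.5 is flagged even though its sixth attempt succeeded: a long run of failures followed by a 302 is exactly the pattern worth reviewing in the log.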

2. Disguise the login URL

WordPress is under heavy and often automated attack mainly because the structure is the same for every WordPress installation. Attackers who know WordPress know in advance where everything is located and can launch the appropriate attacks. With WordPress, everything is always the same, and that is a potential security risk.

Unless you rewrite those URLs, so that, for example, the login is only reachable under a URL the attacker cannot easily find out. You, on the other hand, know your login address, and direct brute force attacks on the standard login page no longer reach it.

The WordPress plugin WPS Hide Login takes care of this and moves the login to a new URL. The extension is lean, well maintained, and currently in use on over a million websites. You choose the URL yourself, so attackers no longer have an easy way to recognize it.

3. Two-factor authentication against brute-force attacks

Two-factor authentication adds an additional layer of security to the login with username and password. Instead of the login alone, there is a second identity check in the form of a verification code. This can be delivered by email or SMS, and most people know the procedure from their bank, PayPal, or other services.

Therefore, everyone who wants to log in needs a verification code, which is sent to them accordingly. For WordPress, there are plenty of plugins that add this feature, among them Wordfence Login Security. The extension integrates authentication via Google Authenticator, Authy, 1Password, or FreeOTP.

Image: Two Factor

However, as mentioned, there are many more WordPress plugins that add other authentication methods such as SMS or email. There is no shortage of options to choose from.

4. Set up a firewall

A firewall is essential, both at the server level and directly within WordPress. It shields the CMS from malicious access, detects brute force attacks, and can block the corresponding IP addresses temporarily or permanently. Many firewalls offer further features as well, such as blocking known bad bots, user agents, or crawlers.

If you are looking for a great and effective web application firewall (WAF) for WordPress, Sucuri is more than a good choice. Anyone on a smaller budget will find a solid low-cost alternative in Ninja Firewall. There are many other firewalls for WordPress, but these two I can recommend from my own experience.

Image: Ninja Firewall

5. Lock the backend completely

When I use WordPress exclusively myself, without external authors or admins, I always lock the entire backend as a matter of principle. I don’t use a plugin for this but handle it the classic, effective way via a so-called .htpasswd, i.e., a file that restricts access at the server level.

Image: Locking the backend completely

This method also replaces plugins that protect the login and similar things, because the backend is no longer reachable at all without the server password: without it, there is no access to the WP admin directory. To create a .htpasswd, there is a handy online tool that generates such a file and additionally lets you choose the hashing mode for extra security.

The file itself goes into the root directory, while inside wp-admin a new .htaccess (or an existing one, supplemented) is placed with the path to the .htpasswd and the directives for the authentication check. How exactly this works and what you have to watch out for, I have already described in detail in this article, where you will find further instructions.
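The server-side lock described above as an added example, not the article's own instructions or the output of the online tool: one function prints the wp-admin .htaccess, one prints a block for the root .htaccess so that wp-login.php is covered too, and one produces a .htpasswd line with openssl. Apache 2.4 syntax is assumed, and the path /srv/example/.htpasswd, the user name and the password are placeholders.

```shell
# Print the .htaccess for wp-admin/. $1 is the absolute path of the .htpasswd file
# (a placeholder in the usage below); Apache 2.4 syntax is assumed.
wp_admin_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $1
Require valid-user

# admin-ajax.php is called from the public front end by many themes and plugins;
# leaving it behind the password prompt breaks those features for visitors.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Print the block for the root .htaccess so that wp-login.php itself is also
# behind the server password, not only the wp-admin directory.
wp_login_htaccess_block() {
    cat <<EOF
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile $1
    Require valid-user
</Files>
EOF
}

# Produce one .htpasswd line ("user:hash") with openssl's Apache MD5 (apr1) mode,
# which every Apache build accepts; with apache2-utils installed, "htpasswd -B" gives bcrypt.
htpasswd_line() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Usage with placeholder values (the password is a constructed example):
wp_admin_htaccess /srv/example/.htpasswd
wp_login_htaccess_block /srv/example/.htpasswd
command -v openssl >/dev/null 2>&1 && htpasswd_line editor 'replace-this-password'
```

Any absolute path works for AuthUserFile; a location outside the document root keeps the password file itself out of reach of web requests.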

Why brute force attacks are so harmful

Brute force attacks are very simple in form, but they often get through because they are underestimated. Among other things, WordPress makes it easy for users to run their own blog without knowing anything about the technical side. And every brute force attack succeeds at some point, if you will; it is only a matter of time and computing power. Therefore, it is essential to protect against such attacks.

This includes the measures mentioned above: protecting the login or admin area, installing and configuring a firewall, and, if possible, working two-factor authentication. If you take the proper steps here, you are well protected against brute force attacks, even if security is never one hundred percent.

It is definitely worth the effort, as it reduces the risk of falling victim to a hack. Performance also suffers under brute force attacks, which is why the website itself often becomes noticeably faster once the protective measures are in place.
