Last updated on
Brute-force attacks pose a real and very dire threat to WordPress users. These attacks rely on various brute force methods. If someone manages to figure out your username and password, your site may be damaged, or all of its content will be deleted instantly.
If you also lose access to your email, you will not be able to return to your account to restore your website.
There are several ways to block your site and make it more resistant to potential attacks.
It is better to take security measures now than wait until you lose access to your account. With the right tactics, successful brute-force attacks can be stopped, or most attempts can be prevented altogether.
What is a brute-force attack?
There are many ways to hack someone’s account.
- find a vulnerability on a website,
- trick someone into giving up their password, or
- install a keylogger on a computer and steal data.
The problem is that all these actions are expensive.
Instead, attackers usually resort to a much simpler method: guessing. And you will be surprised how effective it can be; many people have usernames and passwords that are very easy to guess.
Guessing is a tedious process, which is why attackers usually use automated programs that can guess hundreds of combinations in one second. These programs are launched through a list of common passwords.
If the attempt fails, they either move on or resort to random combinations of words, letters, and symbols until they get the right solution. A weak password can be cracked in as little as 29 milliseconds.
An essential difference between brute force attacks and other forms of password theft is that they do not involve spyware, social engineering, or manipulating vulnerabilities on your site.
Manually or with a program, they try to guess the usernames and passwords until they breakthrough.
What makes WordPress Vulnerable
WordPress is powered by 37.6% of all websites. It’s a boon in many ways – an active community makes it the most accessible CMS.
Unfortunately, this makes it available to attackers who want to take advantage of its ubiquitous distribution.
Security vulnerabilities in WordPress are universal – they apply to all the websites it runs on. One tiny hole in a system can affect millions. All attackers have to guess the username and password, and they have access to all content.
By default, WordPress has several security flaws:
- The admin login screen is always in the same place.
- Older WordPress installations used the default username “admin,” which means hackers only had to guess your password.
- Anyone can try to log in as many times as they want.
- If someone from a new IP address logs into your account, you will not receive a notification, and no code is required to do so.
- Multiple admin users mean several potential ways to hack your backend and mess things up.
- By default, WordPress doesn’t come with a firewall. Many do not even know that they need it.
All you have to do is find out if you are using WordPress (which is trivial: there is a site that defines WordPress ) and could be a victim of any of these vulnerabilities.
How to Protect your WordPress site from brute-force attacks?
Using WordPress might give you extra scrutiny from hackers, but you’re not entirely vulnerable. The platform comes with some security measures to protect you. Take a few extra steps, and you will deflect the brunt of these attacks.
It is difficult to prevent someone from deciding on access to your account since they already know all these tricks.
There is no guarantee they won’t find a way out. But doing something is better than doing nothing, and most hackers give up when faced with any significant obstacle.
Let’s know these 7 perfect ways to protect your WordPress site from brute-force attacks.
1. Use a strong Username and Password.
81% of hacks use stolen or weak passwords. They will try the most common credentials and move on to an easier target.
A strong username and password will stop most attacks. Here are some tips for choosing them:
- The length is at least six characters, ideally more than 15. The longer, the better.
- Use a mix of uppercase and lowercase letters, numbers, and symbols.
- Do not use the same password on multiple websites – if one of them gets hacked, the other could suffer its fate.
- Avoid common passwords like “parol”, “abc123”, “qwerty” or simple words. Avoid usernames such as “user”, “username” or “admin”.
- Do not enter personal information like your name, address, or even your pet’s name. This will be the first thing attackers can try.
- Gibberish passwords are difficult to remember but secure. Try using a password manager for tracking.
To change your password, go to the Users> Your Profile page. Scroll down and click Create Password. You can save or enter a new one and then click Update Profile.
Unfortunately, it is not possible to change your default username. If you want a more secure one, you can try the Username Changer plugin or create a new admin and delete the old one.
You can also change the name directly in the database using phpMyAdmin.
2. Secure accounts of other users
While your administrator account is by far the most critical to blocking out, it is not the only login. If another user with edit rights is compromised, your site may be deleted or damaged.
There is no way to check any of your users’ current passwords as WordPress encrypts them. But you can change them yourself to keep them safe.
Just go to Users> All Users and find the account you want to change. Scroll down to generate a password.
Enter your own or use a random one that WordPress generates. Be sure to inform the user that their old credentials will not work.
Again, changing the username is not possible without editing the database or plugin. If you want to change it without these methods, create a new user account and delete the old one. Be sure to transfer his articles to your new account.
3. Install a firewall
Any site without a firewall is vulnerable not only to brute attacks but other forms of hacking that exploit holes in your security.
A firewall cannot wholly stop brute-force attacks by method, but it can detect malicious traffic and provides tools to block suspicious IP addresses.
Other useful features might include strong passwords, CAPTCHAs, and geo-blocking for countries commonly involved in hacker incidents.
It may also have a blacklist of IP addresses known to be associated with suspicious activity. Installing a web firewall application can have a massive impact on the number of attacks.
Wordfence is a well-known security plugin that comes with a firewall and can defend against brute force attacks. Sucuri is another excellent option, although its firewall isn’t free.
All In One WP Security & Firewall / is 100% free and has brute-force protection and many other features.
4. Turn on two-factor authentication (2FA)
While a strong password is your best defense, and a firewall is a great security tool, implementing two-factor authentication is the next critical step that makes you immune to account loss.
2FA adds an extra step to log in. One option: asks a security question. While it may help, the best solution is to send the code to your email or phone. Without a code, no one can enter.
Using another device, such as a phone, is the best way to prevent rude coercion. Get the code sent to you, and unless you have malware on your phone or someone hasn’t physically taken over your phone, your account is pretty much secure.
But, like any other method of protection, it is not 100% reliable. Sometimes there are ways to manipulate the server to get through the 2FA, and you can always fall prey to social engineering.
It can also be annoying to have to open your email or look at your phone every time you sign in. But the benefits far outweigh this slight inconvenience.
Among other security features, the Wordfence plugin includes two-factor authentication. If you’re looking for something a little more focused, try Google Authenticator, which works with the popular 2FA or Two-Factor app.
5. Limit login attempts
Brute-force attacks rely on the ability to test tens or even hundreds of username and password combinations as quickly as possible. In a clean WordPress install, the only thing stopping this is the capacity of your server.
By restricting login attempts, anyone who uses the wrong password multiple times in a row will be blocked. If the attackers get just a few tries, the chances of guessing correctly are minimal.
Disadvantage: It will bite you if you forget your password, and this annoys legitimate users. You can always have less stringent settings with less blocking times and increased security when you notice suspicious behavior from a specific IP.
Limit Login Attempts Reloaded and WP Limit Login Attempts do their job well. These plugins are not reliable. If hackers use a VPN, reset their IP address, or use a program that attacks multiple IP addresses, they can easily bypass it. This is why it is essential to add multiple layers of security.
6. Hide login page
WordPress’s big problem is that it’s easy to find the login page and start executing a password cracking script. Just add / login, / admin or /wp-login.php to any WordPress site URL, and you will receive a login prompt.
The change in location won’t fool everyone, as there are other ways to detect it, but it can stop multiple attacks or delay them.
WPS Hide Login allows you to change the URL of the login page. No one will be able to access the regular login pages. While workarounds exist, changing the login page will put an end to most hacking attempts.
7. Update WordPress
In 2018, 44% of WordPress hacks happened when using outdated software. Brute-force attacks don’t usually exploit such vulnerabilities, but it’s worth mentioning how important it is to keep WordPress up to date.
Go to Dashboard> Updates now and make sure you are using the latest version of WordPress.
You should also back up your site manually or with a plugin like UpdraftPlus. If someone manages to log in, they can delete articles and pages, modify them by inserting unnecessary images and text or even inject malicious code into your theme.
With a backup, you can press a button and restore everything to normal. Without such a copy, you will have to manually go through the entire site and fix anything they might break. Anything deleted will be lost forever.
Summary – Stop brute-force attacks in WordPress
If your site has been hacked, the recovery process can take days or weeks. Attackers can delete articles, delete users, spoil your home page, or insert malware into your site, which is very difficult to fix. And if your email gets hacked, you could lose everything.
Creating a good password is the best way to prevent a hack, but there are other, more technical methods you can try to block login.
Installing a security plugin or firewall, enabling two-factor authentication, and limiting login attempts will give you the best chance to survive a brute-force attack or prevent it altogether.
Now let’s hear your story in the comments: Has your WordPress site been hacked? What happened, and how did you manage to regain access?