How to Protect your WordPress site from Brute Force attacks

Brute force attacks are the most common type of attack on the internet. The goal of a brute force attack is to crack your password and get into the system. Brute force is a trial-and-error method: attackers use tools that try many username and password combinations until one works. A brute force attack can have other consequences too: while it is running, it can slow your website down or take it down completely. And because WordPress is so widely used, attackers target WordPress sites more often with their brute force attacks.

How to protect your WordPress site from brute force attacks

So there are many ways you can protect your WordPress website from brute force attacks. Some of them are really simple, and for some you might need access to your control panel.

Strong Password

I know it’s obvious, but sometimes users don’t use strong passwords, or they use the same password everywhere.

Using the same password everywhere is risky, because an attacker might already have the password you use. If you used the same password on another site and that site suffered a security breach, the attacker has it. So the first thing they will do is try those leaked passwords, which makes it far easier for them to get in.

So you should use a strong and unique password everywhere. I do know it’s difficult to remember passwords. To solve that, you can either use a password manager or passwordless login. For passwordless login there is a plugin you can use: Loginizer.

Changing the Admin Username

As you know, admin is the username you usually get when you install WordPress. Keeping your username as admin helps the attacker because it solves half of the puzzle for them: now they only need to guess the password. So I advise you to change the username as soon as you create a WordPress account.

I know you can’t change the username directly. So if you have just set up a WordPress account, follow these steps:

  • Create a new user and give it the Administrator role.
  • Once you have created the user and verified that the new administrator can log in, delete the user with the admin username.

I know that is really simple.

Now for those who have been using their WordPress site for a while, you can rename the username using a plugin named Loginizer. Protecting your WordPress site from brute force attacks isn’t a hard task; it’s fairly simple.

Lockout Account

Lock the account out if there are repeated failed logins. This feature does not come baked into WordPress, but you can use the plugin Limit Login Attempts Reloaded. With this plugin you can configure the lockout settings, and they are straightforward.

(Screenshot: Limit Login Attempts Reloaded lockout settings)

Blocking IPs

You can block IPs that look suspicious. You will need a plugin if you don’t know how to edit the .htaccess file. Here I suggest you use Loginizer. Limit Login Attempts Reloaded has this feature too, but in my opinion Loginizer’s user experience is better.

(Screenshot: Loginizer block IP settings)
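To show what the lockout and IP blocking features from the two sections above actually do under the hood, here is an added example of a tiny WordPress must-use plugin. It is not code from Loginizer or Limit Login Attempts Reloaded; the plugin name, the constants and the two sample IP addresses are made up for illustration, while the hooks it uses (login_init, wp_login_failed, authenticate, wp_login) and the transient functions are standard WordPress APIs. It refuses the login page to a fixed denylist of addresses and locks an address out after five failed attempts within twenty minutes.

```php
<?php
/**
 * Plugin Name: Example Login Lockout (illustrative)
 * Description: Added example, not Loginizer or Limit Login Attempts Reloaded code.
 * Save as wp-content/mu-plugins/example-login-lockout.php to try it.
 */

// Hypothetical settings; the real plugins make these configurable in the dashboard.
define( 'EXAMPLE_LOCKOUT_MAX_FAILURES', 5 );                       // failed attempts allowed...
define( 'EXAMPLE_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS );       // ...within this window
define( 'EXAMPLE_BLOCKED_IPS', array( '203.0.113.10', '198.51.100.23' ) ); // constructed sample addresses

// Use REMOTE_ADDR only: trusting X-Forwarded-For blindly lets a client pick its own "IP".
// If your site sits behind a reverse proxy, resolve the real client address there instead.
function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One transient (a WordPress cache/option entry with an expiry) per client address.
function example_transient_key( $ip ) {
    return 'example_login_fail_' . md5( $ip );
}

// 1. Static IP denylist: refuse the login page outright for listed addresses.
add_action( 'login_init', function () {
    if ( in_array( example_client_ip(), EXAMPLE_BLOCKED_IPS, true ) ) {
        wp_die( 'Access denied.', 'Access denied', array( 'response' => 403 ) );
    }
} );

// 2. Count failed logins per IP. wp_login_failed fires after a wrong username or password.
//    Re-setting the transient renews the window, so the counter lasts 20 minutes past the last failure.
add_action( 'wp_login_failed', function () {
    $key   = example_transient_key( example_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOCKOUT_SECONDS );
} );

// 3. Reject the attempt if the IP is locked out. Priority 30 runs after WordPress's own
//    username/password check (priority 20); by then $user may be a WP_User on a correct guess,
//    so the error must override it either way, otherwise a lucky guess would still get in.
add_filter( 'authenticate', function ( $user, $username ) {
    $count = (int) get_transient( example_transient_key( example_client_ip() ) );
    if ( $count >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
        return new WP_Error( 'example_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 2 );

// 4. A successful login clears the counter so legitimate users are not penalised later.
add_action( 'wp_login', function () {
    delete_transient( example_transient_key( example_client_ip() ) );
} );
```

Because the lockout error itself counts as a failed login, continued attempts keep extending the lockout, which is what you want against an automated tool. Note that transients live in the database (or in your object cache if you run one), so on a multi-server setup make sure the cache is shared or every server keeps its own counter.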

reCAPTCHA and Two-Factor Authentication

reCAPTCHA and two-factor authentication are important now, as they add an extra layer of security to the login. Even if the attacker manages to crack the password, two-factor authentication will still protect you, and reCAPTCHA makes it difficult for bots to get through. Since most brute force attacks are done using automated tools, they may fail to complete the CAPTCHA and so fail at the first step.

Disabling XML-RPC in WordPress

XML-RPC is a way for other systems or applications to communicate with WordPress, like the WordPress app or Jetpack, to name a few. But that communication has now shifted to the WordPress REST API, which is a more secure method. And xmlrpc.php has vulnerabilities that expose it to DDoS attacks and WordPress brute force attacks. So it’s better to keep it disabled, as it is of no use now and is only still included in WordPress for backward compatibility.
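The section above says to keep XML-RPC disabled but not how. The following is an added example plugin, not code from the page or from any plugin it names; the plugin name is made up, but every hook in it (xmlrpc_enabled, xmlrpc_methods, wp_headers, pings_open, init) and the XMLRPC_REQUEST constant are real WordPress APIs. It also goes a step further than a bare "disable" because the obvious filter, xmlrpc_enabled, only switches off methods that require a login; the unauthenticated pingback methods behind the DDoS problem need separate handling.

```php
<?php
/**
 * Plugin Name: Example Disable XML-RPC (illustrative)
 * Description: Added example; save as wp-content/mu-plugins/example-disable-xmlrpc.php.
 */

// 1. Refuse every XML-RPC method that needs a login (wp.getUsersBlogs, wp.getPosts, ...).
//    Brute force over XML-RPC relies on exactly those methods, so this alone stops
//    password guessing through xmlrpc.php.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. xmlrpc_enabled only covers authenticated methods. Pingbacks need no login and are
//    what DDoS reflection abuse relies on, so remove them from the method table as well,
//    together with system.multicall, which bundles many calls into one request.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    unset( $methods['system.multicall'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: WordPress sends an X-Pingback header pointing at
//    xmlrpc.php on every page, which is how scanners find it.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Tell WordPress that no post accepts pingbacks, so even a stray pingback.ping call
//    is rejected at the post level.
add_filter( 'pings_open', '__return_false' );

// 5. Belt and braces: xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so we
//    can answer any direct request to it with 403 before the XML body is even parsed.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        header( 'Content-Type: text/plain; charset=utf-8' );
        exit( 'XML-RPC is disabled on this site.' );
    }
} );
```

After enabling it, a POST to /xmlrpc.php should return 403 and normal pages should no longer carry an X-Pingback header. If you still rely on Jetpack or the WordPress mobile app, check that they work afterwards, since some of their features do still talk to xmlrpc.php. Blocking the file in .htaccess at the web server level, as the advanced guide linked under Other Resources does, achieves the same result without the PHP process ever starting.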

Backups

You might wonder what a backup can do in case of a brute force attack, since the chances of a brute force attack succeeding in getting access to your account are really low. But just in case it succeeds for whatever reason, we should have a plan B. And backups help no matter what the attack is, because at least you know you will be able to recover your data if you lose it.

Backups are always a reliable plan B, so there is not much to explain; it’s straightforward. You can create backups either from your control panel or through WordPress plugins. The plugins we suggest are Updraft, Jetpack (by WordPress), BackWPup, All-in-One WP Migration, Backuply and more…

You can look into the ones mentioned above and choose whichever you like; they all work well.

There are other ways too, like changing the login slug and the admin slug, which you get only with the Pro versions of Loginizer or Limit Login Attempts Reloaded.

Other Resources

We would like to suggest some other good resources that you can read and implement.

WordPress Brute Force Guide (for advanced users, as it requires updating the .htaccess file)
Sucuri Security’s guide to handling brute force attacks
WPBeginner’s guide to protecting your WordPress site from brute force attacks

I hope this article helped you learn how to protect your WordPress site from brute force attacks.