Brute force attacks are a real and very scary threat for WordPress users. If someone else manages to figure out your username and password, your site could be defaced or have all its content wiped overnight. And if you lose access to your email as well, you may not be able to get back into your account to recover your website.
Though it can be terrifying when your website is the target of a brute force attack, you’re not left completely to the mercy of those trying to get in. There are multiple ways of putting your site on lockdown and make it more resilient to potential attacks.
As usual, it’s better to take security measures now than to wait until you’ve lost access to your account. With the right tactics in place, you can stop brute force attacks from succeeding, or even prevent a majority of the attempts in the first place.
What is a Brute Force Attack?
There are many ways of breaking into someone’s account: finding a vulnerability in a website, tricking someone into giving up their password, or installing a keylogger on a target’s computer and stealing it. The issue is, these all take a lot of work.
Instead, attackers commonly resort to a much simpler method: guessing. And you would be surprised how effective it can be; many people have usernames and passwords that are very easy to guess.
That’s what “brute forcing” a login is: an attacker will try common username and password combinations over and over until they make it in.
Of course, that’s a tedious process as well, so they usually make use of automated programs that can guess hundreds of combinations in a single second. These programs run through a list of common passwords. If the attempt fails, they may either move on, or resort to random combinations of words, letters, and symbols until they get it right. A weak password can take as little as .29 milliseconds to crack. Others, just minutes.
The important difference between brute force attacks and other forms of password stealing is that it doesn’t involve spyware, social engineering, or manipulation of vulnerabilities in your site. Manually or with a program, they just try and try until they break through.
What Makes WordPress Vulnerable to Them?
WordPress runs over one third of the web. In many ways this is a blessing, the active community makes it the most accessible CMS out there. Unfortunately, it also makes it accessible to attackers looking to take advantage of its ubiquity.
Security vulnerabilities in WordPress are universal — they apply to all websites running it. One tiny hole in the system can affect millions. That makes targeting WordPress users much more lucrative. Plus, all they have to do is guess a username and password, and they have access to everything.
And by default, WordPress comes with a few flaws in its security you might not be aware of:
- The admin login screen is always located in the same place.
- Older installations of WordPress used the default username “admin”, which means hackers only had to guess your password.
- Anyone can attempt to login as many times as they want.
- If someone from a new IP logs into your account, you get no notification, and it requires no code.
- Multiple users with admin privileges means several potential ways to break into your back end and mess something up.
- By default, WordPress doesn’t come with a firewall. Many people don’t even know they need one.
All anyone has to do is figure out that you’re using WordPress (which is trivial; there’s even a WordPress-detecting website) and you could fall victim to any of these vulnerabilities.
Protecting Your WordPress Site from Brute Force Attacks
Using WordPress may open you up to extra attention from hackers, but you’re not completely vulnerable. The platform already comes with some security measures in place to protect you. Take a few extra steps and you’ll ward off the brunt of these attacks.
It’s difficult to stop someone determined from gaining access to your account, as they know all these tricks already. There’s no guarantee they won’t find a way through. But it’s better to do something than nothing, and a majority of hackers will give up and find a less secure site once they meet any significant obstacles.
1. Use a Strong Username and Password
The best way to stop a brute force attack isn’t to install firewalls, move your login page around, or any other complicated trick. It’s actually very simple: just use a strong username and password.
81% of hacks use stolen or weak passwords. No one is going to leave their password-guessing tools running for days or weeks unless they really have something against you. They’ll try the most common credentials and move on to an easier target.
A strong username and password will stop a majority of attacks. Here are a few tips for choosing them:
- Make it at minimum 6 characters long, ideally over 15, the longer the better.
- Use a mix of capital and lowercase letters, numbers, and symbols.
- Don’t use the same password across multiple websites — if one becomes compromised, another could be too.
- Avoid common passwords like “password”, “abc123”, “qwerty”, or simple words. Avoid usernames like “user”, “username”, or “admin”.
- Don’t put in personal information like your name, address, or even the name of your pet. This will be the first thing someone who knows you will try.
- Gibberish passwords are hard to remember, but very secure. Try using a password manager to keep track.
To change your password, in your back end, go to Users > Your Profile. Scroll to the bottom and click Generate Password. You can keep this, or type in a new one, then click Update Profile.
Unfortunately, changing your username isn’t possible by default. If you need a more secure one, you can try the Username Changer plugin, or create a new administrator user and delete the old one. You could also change the name directly in the database with phpMyAdmin.
2. Secure Other User Accounts
While your admin account is definitely the most important to lock down, it’s not the only way in. If another user with editing privileges gets hacked, your site is still in danger of being deleted or defaced.
There’s no way to check any of your users’ current passwords, as WordPress encrypts them. But you can change them yourself to ensure that they’re secure.
Just go to Users > All Users and find the account you want to edit. Scroll down to Generate Password to change it. Type in your own or stick with the random one WordPress generates. Make sure to let the user know as their old credentials won’t work.
Again, changing usernames isn’t possible without database editing or a plugin. If you want to modify it without these methods, make a new user account and delete the old one. Make sure to transfer their articles over to the new account.
3. Install a Firewall
Any site without a firewall is vulnerable not just to brute force attacks, but other forms of hacking that take advantage of holes in your security.
A firewall on its own won’t entirely stop brute force attacks, but it can detect malicious traffic, as well as give you the tools to block suspicious IPs. Other helpful features may include enforcing strong passwords, adding CAPTCHA, and geoblocking for countries commonly involved in hacking incidents.
It may also have a blacklist of IPs known to be involved with suspicious activity. Installing a web application firewall can have a big impact on how many attacks even make it to your door.
Wordfence is a well-known security plugin that comes with a firewall and can protect against brute force attacks. Sucuri is another great option, though it’s worth noting that its firewall isn’t free. Last is All In One WP Security & Firewall, which is 100% free and does come with brute force protection, plus many other features.
4. Enable Two-Factor Authentication
While a strong password is your best defense, and a firewall is a great security tool all-around, implementing two-factor authentication is the next major step — it essentially makes you immune to losing your account.
2FA adds an extra step to logging in. One less secure version just asks a security question. While that can help, the better solution is to send a code to your email or phone. Without the code, no one can log in.
Involving another device, like a phone, is the best way to prevent brute forcing. Have a code texted to you, and unless you have malware on your phone or someone physically takes it from you, your account is pretty much impenetrable.
But as with any security method, it’s not 100% reliable. Sometimes there are ways to manipulate the server to break through 2FA, and you can always fall victim to social engineering.
It also can be quite annoying to have to open your email or get out your phone every single time you log in. But the benefits far outweigh this small inconvenience.
Among its other security features, Wordfence includes two-factor authentication. If you’re looking for something more focused, try Google Authenticator which works with the popular 2FA app, or Two-Factor which comes with many settings and options.
5. Limit Login Attempts
Brute force attacks rely on the ability to test dozens or even hundreds of username and password combos as quickly as possible. In a clean installation of WordPress, the only thing stopping this is your server capacity.
By limiting login attempts, anyone who uses the wrong password a few times in a row will be locked out. If attackers only get a few attempts, chances of guessing correctly are extremely low, and they’re going to move on fast.
The downside: it can come back to bite you if you forget your own password, and it can also annoy legitimate users. You can always have less strict settings with a lower lockout time, and tighten security when you notice suspicious behavior from an IP.
These plugins aren’t foolproof. If hackers use a VPN, reset their IP, or use a program that attacks with multiple IPs, they’ll be able to circumvent this easily. That’s why it’s important to add multiple layers of security.
6. Hide the Login Page
One big issue with WordPress is that it’s so easy to find the login page and start executing a password-cracking script. Just add /login, /admin, or /wp-login.php to any WordPress site’s address, and you’re presented with a login prompt.
Changing the location won’t trick everyone as there are other ways of finding it, but it can stop a few attacks from happening, or delay one in progress.
WPS Hide Login allows you to change your login page URL, simple as that. No one will be able to access the normal login pages. While there are workarounds, this will put a stop to most hacking attempts.
7. Keep WordPress Updated
In 2018, 44% of WordPress hacks happened while running outdated software. Brute forcing doesn’t usually make use of such vulnerabilities, but it’s worth mentioning how important it is to keep WordPress up to date. Go to Dashboard > Updates now and make sure you’re running the latest version of WordPress.
You should also backup your website, manually or with a plugin like UpdraftPlus. If someone does manage to get in, they’ll be able to delete articles and pages, modify them to insert unwanted images and text, or even inject malicious code into your theme.
With a backup, you can just click a button and have everything restored to normal. Without, you’ll have to manually go through and fix whatever they might have broken. Anything deleted will be lost forever.
Stop Brute Force Attacks in WordPress Now
If your site gets hacked, it could take days or weeks to repair the damage. Attackers may delete articles, remove users, deface your homepage, or even embed malware on your website that’s difficult to extract. And should your email get hacked too, you could lose everything.
Creating a better password is your best bet to preventing hacks, but there are other, more technical methods you can try to lock down your login. Installing a security plugin or a firewall, enabling two-factor authentication, and limiting login attempts will give you the best chance at surviving a brute force attack — or stopping it from happening in the first place.
Now let’s hear your story in the comments: Has your WordPress site ever been hacked? What happened, and how did you manage to regain access?