
Protecting Your WordPress Site from Brute Force Attacks

Moeez — January 18, 2019 5 Minutes Read

More than half the websites created around content management systems (CMS) are built on WordPress. It’s quite popular since it is relatively easy to install, use and customize. Unfortunately, that popularity has also seen it become the target of cyber attacks.

According to a Sucuri report, WordPress has become the most commonly infected CMS, with infections rising from 74% in 2016 Q3 to a staggering 83% in 2017. Infected sites often end up being used as part of botnets to attack other websites. For example, in December 2018, Defiant began tracking one such campaign, which was based on organized brute force attacks.

How Brute Force Attacks Work

Brute force attacks are one of the lowest level attacks that WordPress sites can face. Basically, attackers use methods (usually automated) aimed at gaining access to WordPress sites by continually trying to log in with commonly used usernames and passwords.

Attackers make use of a dictionary file that lists hundreds of top usernames and passwords, and an attack script tries each one on a WordPress site. The script will do this over and over again until either it gains access to your site with a matching combination of login credentials or the list of passwords is exhausted.

Unless you’ve put in preventive measures on your WordPress powered site, it only takes a few moments for such an attack to run its course.

What You Can do to Prevent Brute Force Attacks

The most dangerous thing you can do is to sit by and do nothing, and that’s especially true with configurable software such as WordPress. Take for example the login page which you use to access your site – that’s the first place an attack script will go to start its attack.

Let’s look at some of the things you can do to save yourself against brute force attacks on your site.

1. Change your login page URL

Most attacks that try to use brute force methods will try the default settings first. For WordPress, this means that to gain access to the login page they will try to access /wp-admin or /wp-login, which is where you usually enter your username and password.

Thankfully, WordPress is great because you don’t necessarily have to be an expert coder to do many things. To change your login page, all you need to do is use a plugin such as WPS Hide Login. This simple plugin is light and easy to use and changes your login URL to whatever you specify.

2. Look for a Secure Web Host

Most people will choose a hosting provider based on the parameters of performance and cost, but there is an increasing need to look out for another dimension – security. Reputable web hosting solution providers have been paying attention and are not only strengthening their internal solutions but advising their customers at the same time as well.

Take for example InMotion Hosting which has deployed not only increased security but is also helping their clients resolve issues with their sites being hacked.

In case you’re already on a hosting plan and find that it’s not to your expectations, don’t worry. Switching web hosts is easier than you think, and many top web hosts even help you migrate your websites for free!

3. Test Your Website Regularly

Aside from putting in preventative measures to guard your site against attacks, you should test those measures as well. Security audits and cybersecurity experts can cost a lot so you may need to use some tools such as WPScan. This free tool allows you to simulate either single or multiple username attacks on your site.

If you’re uncomfortable having to look for bits and pieces such as a password dictionary or using command line tools, you may also opt to use a vulnerability scanner like the one offered at Hacker Target.

They have a free online tool that you can use simply by entering the URL you wish to test, and it’s free for low impact tests.

4. Install a Good Security Plugin

There are tons of security plugins available for WordPress that can really enhance the defenses of your site. Look for one by a reputable company such as Malcare that can help you guard against multiple forms of attacks.

Malcare is an extremely comprehensive tool that offers enterprise-grade security features at prices from as low as $8.25 a month. Not only does it offer basic stuff such as brute force protection, but you’re also able to carry out activities such as IP blacklisting, website hardening, and firewall management.

5. Use Complex Passwords

To be honest I really didn’t think that this needs to be said again. Unfortunately, there are too many instances where I’ve seen people still using ‘Admin’ or ‘username’ as their usernames and it hurts.

Ideally, use a complex combination for your username and/or password. A good mix would include uppercase and lowercase characters, digits, as well as special characters. If remembering something that’s very complex is hard for you, try something unique like ‘P455Word!’ at least. It’s not ideal, but it may help save your site.

6. Use 2-Factor Authentication

2-Factor Authentication (2FA) is a way that you can use to effectively double the security of your website. As the name implies, it involves checking your login credentials twice. Many banks and financial institutions today use this method of verifying their customers.

For example, say you try to log in to your WordPress site and your username and password are correct. The system then sends an authentication code somewhere else that you have access to – an email address or mobile phone number – and you need that authentication code to log in.

This is a very effective means of defense against brute force attacks and WordPress has tons of free 2FA plugins you can use.
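The second step described above, as an added example that is not taken from any WordPress 2FA plugin: the server issues a short-lived code after the password check and verifies what the user types back. The function names, the 5-minute lifetime, the 3-guess cap and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_TRIES = 3           # assumed cap on wrong guesses per issued code

# Hypothetical in-memory store: username -> pending code state.
_pending = {}


def _digest(code):
    # Keep only a hash of the code so the store never holds it in clear text.
    return hashlib.sha256(code.encode()).digest()


def issue_code(username, now=None):
    """Call only after the password was accepted; returns the code to send by email or SMS."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
    _pending[username] = {"digest": _digest(code),
                          "expires": now + CODE_TTL_SECONDS,
                          "tries": 0}
    return code


def verify_code(username, submitted, now=None):
    """True only for the right code, before expiry, within the guess cap, and only once."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None or now > entry["expires"]:
        _pending.pop(username, None)
        return False
    entry["tries"] += 1
    ok = hmac.compare_digest(entry["digest"], _digest(submitted))  # constant-time compare
    if ok or entry["tries"] >= MAX_TRIES:
        # Single use on success; after too many misses a new code must be issued.
        _pending.pop(username, None)
    return ok
```

The guess cap matters because a 6-digit code has only a million possible values, so without it the second factor could itself be brute forced.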

7. Use reCAPTCHA

There is a very simple and effective first line of defense for WordPress sites and that is the reCAPTCHA plugin by BestWebSoft. This is a verification method that makes sure you’re a human by requiring you to perform an additional task or activity during the login process.

For example, it might display an image-based authentication code which you’ll have to type out once it is displayed on the screen. These methods are used to help defeat automated attack scripts. Of course, it probably won’t work against an attack designed to overwhelm your site but it’s still a good initial defense mechanism.

8. Set Up Cloudflare CDN

Cloudflare is a content distribution network (CDN), which helps serve your site content from multiple servers if it’s under heavy load. This also has an interesting side effect against brute force attacks. Although designed to gain access to websites, brute force attacks sometimes overwhelm websites with their login attempts.

Having a CDN like Cloudflare in place will mean your site becomes more resilient and offers the additional resources a brute force attack might be using up. It also has other features such as rate limiting which blocks users from trying to send too many login requests to a site within certain timeframes.
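To see the repeated-login pattern from "How Brute Force Attacks Work" and the idea behind rate limiting in your own logs, here is an added example (not Cloudflare's or any plugin's code) that flags IPs sending too many login POSTs within a time window. It assumes the Apache/Nginx "combined" log format, the default /wp-login.php endpoint, and that a default install answers a successful login with a 302 redirect; the sample lines and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/wp-login.php"  # assumed default login endpoint
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def _line(ip, hhmmss, method, path, status):
    # Helper that builds one constructed "combined" format log line.
    return (f'{ip} - - [18/Jan/2019:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1820 "-" "Mozilla/5.0"')


# Constructed sample: one IP hammering the login form, two harmless visitors.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:{2 * i:02d}", "POST", LOGIN_PATH, 200) for i in range(8)]
    + [_line("203.0.113.7", "10:00:20", "POST", LOGIN_PATH, 302),
       _line("198.51.100.4", "10:00:05", "POST", LOGIN_PATH, 302),
       _line("198.51.100.4", "10:07:30", "POST", LOGIN_PATH, 302),
       _line("192.0.2.9", "10:01:00", "GET", LOGIN_PATH, 200)]
)


def find_bruteforce_ips(log_text, max_attempts=5, window=timedelta(seconds=60)):
    """Return {ip: {"peak", "redirect_after_burst"}} for IPs exceeding max_attempts per window."""
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) > max_attempts:
            entry = flagged.setdefault(ip, {"peak": 0, "redirect_after_burst": False})
            entry["peak"] = max(entry["peak"], len(q))
        # A 302 from an already flagged IP may mean a guess succeeded: investigate first.
        if ip in flagged and m["status"] == "302":
            flagged[ip]["redirect_after_burst"] = True
    return flagged
```

An IP reported with redirect_after_burst set deserves a password reset and a session review for the affected account, not just a block.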


WordPress security is something that many people often neglect until it’s too late. Because it’s online and not physical, few people see the need for an additional padlock on a website where a door will apparently suffice.

Yet aside from potentially losing control of your own website, failing to properly secure your site can lead to it being used as a tool against others. Today, making sure your site is secure is more than a need, it is practically a responsibility.

There are more ways than I’ve shared here which you can leverage to keep your site secure – many of which are free. I hope you’ll consider this seriously and take the steps necessary to make the web a safer place.

Last but not least, no matter what you do, make sure to keep backups!


      Moeez is ‘The’ blogger in charge of WPblog. He loves to interact and learn about WordPress with people in the WordPress community. Outside his work life, Moeez spends time hanging out with his friends, playing Xbox and watching football on the weekends. You can get in touch with him at moeez[at]wpblog.com.


