{"id":208,"date":"2024-02-09T22:48:55","date_gmt":"2024-02-09T22:48:55","guid":{"rendered":"https:\/\/unlimitedhostingplan.in\/articles\/?p=208"},"modified":"2024-03-30T17:40:51","modified_gmt":"2024-03-30T17:40:51","slug":"protect-brute-force-attacks","status":"publish","type":"post","link":"https:\/\/unlimitedhostingplan.in\/articles\/protect-brute-force-attacks\/","title":{"rendered":"How to Protect Your WordPress Site from Brute Force Attacks"},"content":{"rendered":"\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#what-is-brute-force-attack\">What is Brute Force Attack?<\/a><ul><li><a href=\"#here-are-some-examples-of-brute-force-attacks\">Here are some examples of brute force attacks:<\/a><\/li><\/ul><\/li><li><a href=\"#7-solutions-to-protect-yourself-against-brute-force-attacks-on-word-press\">7 solutions to protect yourself against brute force attacks on WordPress<\/a><ul><li><a href=\"#use-a-complex-login-and-password\">Use a complex login and password<\/a><\/li><li><a href=\"#change-the-administration-login-page\">Change the administration login page<\/a><\/li><li><a href=\"#update-word-press-regularly\">Update WordPress regularly<\/a><\/li><li><a href=\"#install-a-word-press-firewall-plugin\">Install a WordPress firewall plugin<\/a><\/li><li><a href=\"#limit-the-number-of-failed-login-attempts\">Limit the Number of (Failed) Login Attempts<\/a><\/li><li><a href=\"#strongly-avoid-using-admin-as-a-username\">Strongly Avoid Using \u201cAdmin\u201d as a username\u00a0<\/a><\/li><li><a href=\"#password-protect-admin-directory\">Password Protect Admin Directory<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<p>Brute force attacks are common against web services.\u00a0Any website is a potential target. However, criminal\u00a0actors usually choose the most popular to increase their chances of success.\u00a0WordPress is one of their favorite targets. 
This platform is so popular that a large share of the top one million websites on the Internet run on\u00a0WordPress. Being such a strong\u00a0market leader makes\u00a0WordPress an attractive target for attackers, and one of the most common attacks against it is password brute force against the login page.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"480\" height=\"334\" src=\"https:\/\/unlimitedhostingplan.in\/articles\/wp-content\/uploads\/2024\/02\/CMS.webp\" alt=\"\" class=\"wp-image-209\" style=\"width:453px;height:auto\" srcset=\"https:\/\/unlimitedhostingplan.in\/articles\/wp-content\/uploads\/2024\/02\/CMS.webp 480w, https:\/\/unlimitedhostingplan.in\/articles\/wp-content\/uploads\/2024\/02\/CMS-300x209.webp 300w\" sizes=\"auto, (max-width: 480px) 100vw, 480px\" \/><\/figure>\n\n\n\n<p>One of the methods many attackers use to get into a WordPress site is a brute force attack. Like any intrusion attempt, the goal is access to the system so that the attacker can delete content, add their own (spam links, phishing pages, malware), or take other malicious actions. A brute force attack needs no software vulnerability at all, only a guessable password, which is why it is one of the cheapest and most common ways into a system.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-brute-force-attack\">What is Brute Force Attack?<\/h2>\n\n\n\n<p>A brute force attack is a method of trying every possible combination of characters until the correct password or encryption key is found. This can be done manually, but it is almost always done with automated tools, and in practice the tools start with lists of common and previously leaked passwords (a dictionary attack) before falling back to exhaustive guessing. 
Brute force attacks can be very effective, especially when the target has weak passwords and no limit on how many guesses a client may make.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"here-are-some-examples-of-brute-force-attacks\">Here are some examples of brute force attacks:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Trying every combination of letters and numbers (or, more often, every entry of a password list) to guess a login password<\/li>\n\n\n\n<li>Trying every address in an IP range to find a reachable, vulnerable server (strictly speaking this is scanning, but it is the same exhaustive approach)<\/li>\n\n\n\n<li>Trying every possible key to decrypt an encrypted message<\/li>\n<\/ul>\n\n\n\n<p>Brute force attacks can be used against a variety of targets, including websites, email accounts, and computer systems, and a successful one exposes whatever the account protects: other passwords, credit card numbers, Social Security numbers, or, in the case of a WordPress administrator, the whole site.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"7-solutions-to-protect-yourself-against-brute-force-attacks-on-word-press\">7 solutions to protect yourself against brute force attacks on WordPress<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"use-a-complex-login-and-password\">Use a complex login and password<\/h3>\n\n\n\n<p>Let\u2019s start with a basic tip: use a strong username and password.<br><br>For the login, forget about the classic \u201cadmin\u201d to make the attackers\u2019 work harder; the same goes for other obvious choices such as \u201cadministrator\u201d, \u201ctest\u201d, or the name of the site.<\/p>\n\n\n\n<p>You already have an account with the \u201cadmin\u201d login? Here is how to replace it:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Create a new user with a login that is difficult to guess<\/strong>. 
Give it the <em>Administrator<\/em> role; if you are short of ideas for the name, a couple of unrelated words or a random string will do.<br><br>To do this, go to the menu <em>Users > Add New<\/em>.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img decoding=\"async\" src=\"https:\/\/u9m4v4n3.rocketcdn.me\/wp-content\/uploads\/2021\/08\/add-new-user-brute-force-attack.png\" alt=\"User addition to protect against brute force attacks on WordPress.\" class=\"wp-image-64881\" style=\"width:597px;height:auto\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Log in as the new user and delete the \u201cadmin\u201d account<\/strong> (WordPress will not let you delete the account you are logged in with), choosing <em>Attribute all content to<\/em> the user you have just created when it asks what to do with the old account\u2019s posts and pages.<\/li>\n<\/ul>\n\n\n\n<p>Let\u2019s move on to passwords. Forget the classic \u201c123456\u201d, \u201c123456789\u201d or \u201cpassword\u201d, which are among the most used \u2013 and therefore the first ones every attack tool tries \u2013 across the planet.<\/p>\n\n\n\n<p>To generate a strong password, apply the following best practices:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mix character classes<\/strong> (upper and lower case letters, numbers and punctuation marks).<\/li>\n\n\n\n<li><strong>Forget common passwords<\/strong> such as \u201c1234\u201d, \u201c0000\u201d, your first name or your pet\u2019s name, and anything an attacker could read off your site or your social profiles.<\/li>\n\n\n\n<li><strong>Choose a long password<\/strong>, longer than 10 characters: each extra character multiplies the search space, so length does more for you than any single symbol.<\/li>\n\n\n\n<li><strong>Don\u2019t use the same password you use for other sites<\/strong> (e.g. email, bank, etc.). 
A password that has leaked from one site is tried against every other site (credential stuffing) before any real brute forcing begins, so every account gets its own.<\/li>\n<\/ul>\n\n\n\n<p>To generate passwords as strong as an ox, there are different options to help you, if you are stuck:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An online password generator that lets you set the length and the character sets.<\/li>\n\n\n\n<li>A password manager such as Dashlane, which suggests random passwords and stores them in an encrypted vault, so you never have to remember or reuse them.<\/li>\n<\/ul>\n\n\n\n<p>Finally, change your password immediately if you suspect it has been exposed (a leak elsewhere, a shared computer, a suspicious login notice). Routinely rotating a strong, unique password adds little on its own; what adds a lot is two-factor authentication, which most WordPress security plugins offer and which should be switched on for every administrator account, because a guessed password is then not enough to log in.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"change-the-administration-login-page\">Change the administration login page<\/h3>\n\n\n\n<p>Limiting admin login attempts is highly recommended, but it is possible to go even further. Since you\u2019re interested in getting in the way of malicious bots and human attackers, make their lives even more difficult by changing your administration login page.<\/p>\n\n\n\n<p><strong>It is very easy to find the admin login page of a WordPress site<\/strong>: just type either of the following URLs into your address bar:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>yoursite.com\/wp-admin<\/code><\/li>\n\n\n\n<li><code>yoursite.com\/wp-login.php<\/code><\/li>\n<\/ul>\n\n\n\n<p>If the login page is no longer reachable at either of those URLs, the bots that blindly post passwords to <code>wp-login.php<\/code> on every WordPress site they find get nothing. Be clear about what this buys you: it is obscurity, not a lock. It filters out mass scanners, but a targeted attacker can still discover the new URL (it leaks through redirects, plugin output, or simply a careless link), so keep the login limit in place as well.<\/p>\n\n\n\n<p>To move your login page to the URL of your choice you need a plugin; Solid Security (formerly iThemes Security) calls this feature <em>Hide Backend<\/em>, and it is available in the advanced settings:<\/p>\n\n\n\n<p>At the configuration level, you will need to specify a login slug. From then on, the <code>wp-admin<\/code> directory and the <code>wp-login.php<\/code> page become inaccessible. Remember to note your new URL in several places. For example, you can bookmark it on your browser for easy access.<\/p>\n\n\n\n<p>You can also specify a redirection <strong>URL <\/strong>(e.g. 
<code>https:\/\/yoursite.com\/404<\/code>), to which anyone who is not logged in and requests the old login URLs is sent.<\/p>\n\n\n\n<p>Hiding the login page does not hide <code>xmlrpc.php<\/code>. That endpoint also accepts a username and password, and its <code>system.multicall<\/code> method lets a single HTTP request test hundreds of them, which makes it a favourite of brute force tools. If nothing you run needs the XML-RPC API (Jetpack and some remote publishing clients do), disable it through your security plugin or block the file at the web server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"update-word-press-regularly\">Update WordPress regularly<\/h3>\n\n\n\n<p>Even if you equip your site with multiple security plugins, your efforts may not make much of a difference if your WordPress installation is out of date. Running an old version of WordPress core, a theme, or a plugin leaves vulnerabilities in place that are already public and already fixed upstream, and attackers scan for exactly those.<\/p>\n\n\n\n<p>WordPress is extremely popular, so its core, themes and plugins are probed for bugs constantly. The good news is that researchers and the core team keep finding and fixing them, and WordPress updates regularly include security patches. You can check for available upgrades via the <em>Updates<\/em> section in your admin dashboard:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/mllj2j8xvfl0.i.optimole.com\/cb:jC7e.37109\/w:713\/h:307\/q:90\/dpr:1.3\/f:best\/https:\/\/themeisle.com\/blog\/wp-content\/uploads\/2021\/02\/wordpress-updates-section.png\" alt=\"Checking for regular Updates section in the WordPress admin dashboard is a key tactic in WordPress brute force protection.\" class=\"wp-image-38738\"\/><\/figure>\n\n\n\n<p>In an analysis of hacked websites, Sucuri found that 61% of successful attacks in its sample happened because of outdated system versions <sup>[2]<\/sup>. Even established sites like Reuters have fallen victim to malicious attacks due to an outdated WordPress installation. Therefore, it\u2019s smart to apply new versions as soon as they are available. If you manage sites from the command line, <code>wp core check-update<\/code> and <code>wp plugin list --update=available<\/code> list what is pending, and <code>wp core verify-checksums<\/code> tells you whether any core file differs from the official release, which is a cheap way to spot a tampered installation.<\/p>\n\n\n\n<p>Updating your WordPress site and associated tools will likely benefit your site\u2019s performance and user experience (UX) due to new features and system improvements. 
If you are worried that an update might break something, you can defer a major release (version X.X) for up to 30 days while you test it on a staging copy and look for plugin or theme conflicts. Minor and security releases (version X.X.X) should always go in right away; since WordPress 3.7 they are installed automatically in the background unless you have switched that off, and you should leave it on.<\/p>\n\n\n\n<p>Also, it\u2019s smart to always back up your website before you proceed with any changes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-a-word-press-firewall-plugin\">Install a WordPress firewall plugin<\/h3>\n\n\n\n<p>Our next recommendation is to set up a WordPress firewall plugin. In short, a web application firewall (WAF) inspects every incoming HTTP request against a set of rules and drops the ones that match known attack patterns before WordPress acts on them.<\/p>\n\n\n\n<p>For instance, it can limit how many requests a single IP address may send in a given period, which blunts brute force tools and small application-layer floods. Be realistic about what a plugin can do against a distributed denial of service (DDoS) attack, though: a DDoS sends more traffic than your server or bandwidth can handle, and a plugin runs inside PHP, so every request it rejects has already consumed a web server worker. Volumetric attacks have to be absorbed upstream, by your hosting provider or a CDN\/reverse proxy in front of the site.<\/p>\n\n\n\n<p>Either way, your website may go down, or you may experience account suspension if you\u2019re on a <a href=\"https:\/\/unlimitedhostingplan.in\/\" target=\"_blank\" data-type=\"link\" data-id=\"https:\/\/unlimitedhostingplan.in\/\" rel=\"noreferrer noopener nofollow\">shared hosting<\/a> plan. This can be extremely frustrating and costly, so it\u2019s smart to have some protection against floods in place.<\/p>\n\n\n\n<p>Some hosting providers might already include firewall services in their packages. Otherwise, installing a plugin such as All In One WP Security &amp; Firewall will cover the basics. Apart from the firewall feature, this tool also gives you other security perks, such as spam prevention, \u2018login lockdown\u2019 to prevent excessive login attempts, and more.<\/p>\n\n\n\n<p>Note that for this method to be effective, you\u2019ll need to configure your firewall correctly. 
So read the plugin\u2019s documentation or ask your hosting provider, and after enabling it check that your own admin session, the REST API and any contact forms still work.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"limit-the-number-of-failed-login-attempts\">Limit the Number of (Failed) Login Attempts<\/h3>\n\n\n\n<p>WordPress is an easy brute force target because, by default, core puts no limit on the number of login attempts a client may make. An attacker can keep submitting passwords as fast as your server answers, thousands per hour from a single IP address, until one works. Allowing unlimited login attempts increases the risk of unauthorized access and, once an administrator account is taken over, of malware being installed through the admin panel.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/positiwise.com\/blog\/wp-content\/uploads\/2023\/08\/wp-login-attempt-limits.png\" alt=\"wp login attempt limits\" class=\"wp-image-11301\"\/><figcaption class=\"wp-element-caption\">Image caption: WordPress user login page displaying login attempt limits.<\/figcaption><\/figure>\n\n\n\n<p>An easy and effective answer is to limit login attempts. Plugins such as Limit Login Attempts Reloaded or Loginizer count failed logins per IP address (and usually per username), lock that source out for a period after a handful of failures, and lengthen the lockout if the failures continue. That turns an attack that could test thousands of passwords an hour into one that tests a few. Two practical details: make sure the plugin also counts attempts made through <code>xmlrpc.php<\/code>, and remember that attackers rotate through many IP addresses, so a per-IP lockout slows a distributed attack down but does not stop it. It complements strong passwords and two-factor authentication; it does not replace them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"strongly-avoid-using-admin-as-a-username\">Strongly Avoid Using \u201cAdmin\u201d as a username&nbsp;<\/h3>\n\n\n\n<p>Before WordPress version 3.0, the Content Management System (CMS) was installed with the default and widely known username \u201cadmin.\u201d Since then the installer has asked for a custom username, but many sites still end up with \u201cadmin\u201d, because the owner typed it in or an installer defaulted to it, and that poses a significant security risk. 
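The lockout logic described in the Limit the Number of (Failed) Login Attempts section, as an added example that is not code from this article or from any of the plugins it names: a Python script that reads ordinary web-server access logs, counts failed logins per IP address in a sliding window and locks the address out after a few failures, so you can see the algorithm and also audit what is hitting your own site. It relies on one heuristic, stated in the code: a POST to wp-login.php answered with HTTP 200 is a failed login (WordPress re-displays the form) and a 302 is a success (redirect to the dashboard); every POST to xmlrpc.php is counted as an attempt because that endpoint answers 200 either way. The log lines, IP addresses and thresholds (4 failures in 10 minutes, 20-minute lockout) are constructed for the demonstration.

```python
"""Per-IP login throttling for WordPress, driven by web-server access logs.
Added example for this article, not code from WordPress or any plugin; the
log lines, addresses and thresholds below are constructed or assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 10/Feb/2024:03:14:01 +0000

MAX_FAILURES = 4                 # assumed thresholds, close to typical plugin defaults
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=20)
# Both paths accept credentials; xmlrpc.php's system.multicall tests many per request.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}


def classify(ev):
    """Return 'fail', 'success' or None. Heuristic: WordPress answers a wrong
    password on wp-login.php with HTTP 200 (form re-displayed) and a right one
    with a 302 redirect; xmlrpc.php answers 200 either way, so every POST counts."""
    if ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
        return None
    if ev["path"] == "/xmlrpc.php":
        return "fail"
    return "success" if ev["status"] == 302 else "fail"


class LoginThrottle:
    """Sliding-window failure counter with a fixed-length lockout per IP."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime when the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ev):
        """Feed one parsed request; True means it should have been refused."""
        kind = classify(ev)
        if kind is None:
            return False
        ip, now = ev["ip"], ev["ts"]
        if self.is_locked(ip, now):
            return True                     # refuse without even checking a password
        if kind == "success":
            self.failures[ip].clear()       # a real login resets the counter
            return False
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            q.clear()
        return False


def process_log(lines, throttle=None):
    """Run a log excerpt through the throttle; returns (refused_count, lockouts)."""
    if throttle is None:
        throttle = LoginThrottle()
    refused = 0
    for line in lines:
        ev = parse_line(line)
        if ev is not None and throttle.record(ev):
            refused += 1
    return refused, dict(throttle.locked_until)


# Constructed sample: 198.51.100.7 guesses in a burst (one try via xmlrpc.php);
# 203.0.113.9 is a real user who mistypes once and then logs in (302).
BOT, USER = '"-" "python-requests/2.31"', '"-" "Mozilla/5.0"'
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Feb/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 {BOT}',
    f'198.51.100.7 - - [10/Feb/2024:03:14:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 {BOT}',
    f'198.51.100.7 - - [10/Feb/2024:03:14:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 {BOT}',
    f'198.51.100.7 - - [10/Feb/2024:03:14:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 {BOT}',
    f'198.51.100.7 - - [10/Feb/2024:03:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 {BOT}',
    f'203.0.113.9 - - [10/Feb/2024:03:16:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 {USER}',
    f'203.0.113.9 - - [10/Feb/2024:03:16:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 {USER}',
    f'203.0.113.9 - - [10/Feb/2024:03:16:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9800 {USER}',
    f'198.51.100.7 - - [10/Feb/2024:03:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 {BOT}',
]

if __name__ == "__main__":
    refused, lockouts = process_log(SAMPLE_LOG)
    print(refused, {ip: t.isoformat() for ip, t in lockouts.items()})
```

On the sample, the fourth failure from 198.51.100.7 (the xmlrpc.php one) triggers a lockout until 03:34:40, the fifth attempt is refused, the legitimate user is never touched because the 302 clears the counter, and the attacker's retry at 03:40 lands after the lockout has expired and starts a fresh count. Access logs do not contain the submitted username, so per-username counting, which the plugins do inside WordPress through the wp_login_failed action, is not possible from this vantage point; what the log gives you is the IP-level view, which is also what a web server rate limit or fail2ban rule acts on. The counters live in memory here; a plugin would persist the same state in a transient or the options table.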
The concern is brute force: with \u201cadmin\u201d in place, attackers already hold half of the credentials, and every mass attack tool tries that name first. Site owners should replace it with a username that cannot be guessed from the site itself.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/positiwise.com\/blog\/wp-content\/uploads\/2023\/08\/the-default-username-is-admin.png\" alt=\"the default username is admin\" class=\"wp-image-11295\"\/><figcaption class=\"wp-element-caption\">Image Caption: The default \u201cAdmin\u201d as a Username has been modified as part of WordPress security.&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>Changing the username to something unpredictable removes your site from the cheapest kind of attack, the one that only ever tries \u201cadmin\u201d. Do not treat the username as a secret, though: by default WordPress reveals usernames in several places, for example the author archive reached through <code>?author=1<\/code> and the REST API endpoint <code>\/wp-json\/wp\/v2\/users<\/code>, so a determined attacker will usually recover it. A good username filters out the mass bots; the password, the login limit and two-factor authentication do the real work.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"password-protect-admin-directory\">Password Protect Admin Directory<\/h3>\n\n\n\n<p>One way to make your WordPress website more secure is to password-protect the admin folder. cPanel\u2019s \u201cDirectory Privacy\u201d feature does this with HTTP basic authentication: it writes an <code>.htaccess<\/code> and <code>.htpasswd<\/code> pair for <code>wp-admin<\/code>, so the web server demands a second username and password before WordPress runs at all. Two details decide whether it helps. First, the login form itself is <code>wp-login.php<\/code> in the site root, not inside <code>wp-admin<\/code>, so protect that file too, for example with a <code>&lt;Files wp-login.php&gt;<\/code> block in the root <code>.htaccess<\/code>; otherwise bots can still post passwords to it. Second, <code>wp-admin\/admin-ajax.php<\/code> is called by many themes and plugins on behalf of visitors who are not logged in, so exempt it or those front-end features will break. 
Think of it as adding a sturdy deadbolt to your front door \u2013 while it takes a moment longer to unlock, the added security is worth the effort.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/positiwise.com\/blog\/wp-content\/uploads\/2023\/08\/password-protecting-admin-directory-from-cpanel.png\" alt=\"password protecting admin directory from cpanel\" class=\"wp-image-11305\"\/><figcaption class=\"wp-element-caption\">Image Caption: Password protecting Admin directory from cPanel dashboard.<\/figcaption><\/figure>\n\n\n\n<p>What makes this method effective against automated bots is where the check happens. With the login form covered as well, a bot never reaches the WordPress login screen: the web server answers <code>401 Unauthorized<\/code> before PHP runs, so each attempt costs you almost nothing and never touches the database. Use a different password for this layer than for your WordPress account, and keep in mind that basic authentication sends the credentials with every request, so it is only safe over HTTPS. Legitimate users pay a small price (one extra prompt per browser session), which is a fair trade for taking the login form off the open Internet.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Brute force attacks are common against web services.\u00a0Any website is a potential target. However, criminal\u00a0actors usually choose the most popular to increase their chances of success.\u00a0WordPress is one of their favorite targets. This platform is so popular that a large share of the top one million websites on the Internet run on\u00a0WordPress. 
Being such a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":213,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-208","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/unlimitedhostingplan.in\/articles\/wp-json\/wp\/v2\/posts\/208","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unlimitedhostingplan.in\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unlimitedhostingplan.in\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unlimitedhostingplan.in\/articles\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unlimitedhostingplan.in\/articles\/wp-json\/wp\/v2\/comments?post=208"}],"version-history":[{"count":3,"href":"https:\/\/unlimitedhostingplan.in\/articles\/wp-json\/wp\/v2\/posts\/208\/revisions"}],"predecessor-version":[{"id":216,"href":"https:\/\/unlimitedhostingplan.in\/articles\/wp-json\/wp\/v2\/posts\/208\/revisions\/216"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unlimitedhostingplan.in\/articles\/wp-json\/wp\/v2\/media\/213"}],"wp:attachment":[{"href":"https:\/\/unlimitedhostingplan.in\/articles\/wp-json\/wp\/v2\/media?parent=208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unlimitedhostingplan.in\/articles\/wp-json\/wp\/v2\/categories?post=208"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unlimitedhostingplan.in\/articles\/wp-json\/wp\/v2\/tags?post=208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}