How to Protect Your WordPress Website from Brute Force Attacks

Posted on June 11, 2018 by in Resources | 25 comments

How to Protect Your WordPress Website from Brute Force Attacks

Every single person who has ever installed WordPress is in danger of brute force attacks. In fact, brute force attacks are on the rise, and they are likely to only get worse. So what does this mean for you? Do you have to stop using WordPress and move over to one of those other CMS options? Heavens, no! It just means you need a security plan to protect your WordPress website. With a few precautions, your dashboard will be a veritable fortress, and not even Superman could force his way inside.

Official Recommendations Against Brute Force Attacks

Since brute force attacks are pretty common, it only makes sense that the WordPress Codex would have recommendations and best practices for you to follow. We highly recommend that you make yourself familiar with this list and take them into consideration for your own protection. They offer both user-based protections as well as options for your server. It is well worth your time to read through it all.

What You Can Do

There’s a lot you can do to set up a secure WordPress website. There are plugins that protect you, and there are just good habits that you can create to make sure that even if you are targeted by brute force attacks, you will be safe.

Do Not Use ‘Admin’ as a Username

This should go without saying, but it has to be said anyway. Do not use ‘admin’ as a username. It’s easy to do, and it used to be fairly common practice. It’s not anymore. So when installing WP, use pretty much any other name (outside of your domain or website title) as your admin user.

If you have admin as a user on your site already, change this. It doesn’t really matter to what, but you need to change it. Despite what the Edit User section says, you can change usernames. You can use a plugin, or you can edit your WordPress database (which is easier than you may think).

Use Strong Passwords

I feel like this one’s harped on enough, so I won’t linger. Don’t use password as your password, nor password123. If you have the option, use the Generate Random Password button. Install the Force Strong Password plugin so everyone who registers for your site is secure, not just you. Because even if you follow best practices, that doesn’t mean everyone does or will.

We also suggest a separate password vault like LastPass or 1Password to keep up with the randomness.

Move Your Login Away from /wp-admin with a Plugin

You can change your URL multiple ways, but like almost everything else in WordPress, it boils down to either using a plugin or  manually editing the code.

By default, we all log into WordPress at /wp-admin. And when it comes to brute force attacks, this is their first strike. They can’t try to force their way in through the door if there is no door, though, right? By moving your login URL away from /wp-admin, you’re essentially hiding from the attackers. This is what amounts to your WP panic room.

Two of the better plugins are Loginizer and WPS Hide Login. While Loginizer has a lot more functionality than simply moving this URL, WPS Hide Login does one thing, and it does it well. It all depends on your set up as to which works better. You can also check out our write-up for other options, too.

Additionally, it’s probably not a good idea to use /login or /admin or anything that similar to the original. Think about something that may be unique to your site, or maybe something like /employees or /staff. While those are common words, the brute force bots aren’t likely programmed to hit them.

Manually Move Your Login Away from /wp-admin

If you’re the kind of user who prefers to keep plugin use to a minimum, you can change the URL by hand, too. It’s a bit more involved, but it’s not really that complicated. We break the process down for you here. You’ll need to be comfortable editing PHP files such as wp-config.php and your .htaccess file.

There are multiple ways to accomplish this as well, as you can see in this Stack Overflow thread, as well as this WordPress.org post.

Use Two-Factor Authentication

Two-factor authentication (2FA) is just about necessary these days for a truly secure online experience. Basically, 2FA boils down to you verifying that it’s you trying to login by putting in a unique code or clicking a unique link that is sent to you and you alone. Maybe it’s by email, text, or even through a keychain fob. This second factor (the username/password being the first) authenticates you as, well, you.

Luckily WordPress is not wanting for 2FA plugins, and you have some truly fantastic options out there. Two of the biggest security plugins have put out authenticator plugins, both of which are highly recommended. If you’re a premium WordFence user, you can get authentication through their plugin (2FA is a tab in the settings). UpdraftPlus has two login plugins: Keyy, a passwordless authenticator (like Clef, if you ever used that) and the aptly named Two Factor Authentication. Additionally, the Loginizer plugin I mentioned above also offers 2FA via apps like Authy and the Google Authenticator (for premium users).

Limit Login Attempts

The reason that brute force attacks are so effective against WordPress is that login attempts are unlimited by default. You never get locked out by entering the wrong password too many times. That’s why brute force is an effective means of gaining access — if they bang their head against your wall enough times, eventually they will knock a hole in it. By limiting the number of times anyone can attempt to log in, you effectively stave off the brunt of the attack. Not the entire thing, but you minimize the chances of your site being compromised and infected with malware.

The most popular plugin to do this is Limit Login Attempts, and you can also get the option through WordFence or Loginizer. Or any number of other security plugins. These are so easy to set up, there’s no reason not to have one activated.

Delete Unused WordPress Installations

I am guilty of this. You are guilty of this. Pretty much everyone everywhere is guilty of this. We have installed WordPress on our servers just to toy around with, test a plugin, or some other obscure, one-off objective, and then never touched that site again. Maybe it sits at a really strange, obfuscated subdomain of your primary domain (1kdnvrNK033r2mk.yourdomain.com, for instance). The point is that it still sits there. Even if you’re not using it, it’s a live WordPress site.

And brute-force attackers are hunting for those. Usually they lack security plugins, the passwords aren’t strong, and usernames haven’t been changed from default. And while they don’t have any real information on them, they give hackers access to your host and servers. And that’s bad mojo.

So when you need a test site, either delete it afterward or use a local development environment. Otherwise, you’re kind of painting a target on your back.

Security Plugins

With all that in mind, you should also be running an overall WordPress security plugin. These will include a lot of different things depending on the plugin itself, but generally, you’ll get malware scans, login protection, 2FA, web application firewalls, file repairs, backups, spam filters, IP white- and blacklists, and so much more. We have access to some truly amazing free options out there (which are more than good enough for most people), as well as some downright astonishing premium offerings.

While the final installation decision is up to you, it is imperative that you install a security plugin. Everybody has one they’re partial to, and in the end, the important thing is not which one that you have installed, but that you have one installed at all.

Be Safe Out There

With the rise of brute force attacks and just general bad manners on the internet, you can’t be careful enough, honestly. Any of the plugins listed above is able to protect you from hackers and botnets when combined with the best practices outlined above (and the additional ones listed in the Codex). Keep your head on your shoulders, your eyes open, and your passwords strong, and those brute force attacks won’t even be able to dent your site’s armor.

What do you use to protect your WordPress sites from the growing threat of brute force attacks?

Article featured image by phungatanee / shutterstock.com

25 Comments

  1. I have followed all the hardening advice from wordpress but the one thing that has stopped hackers on my sites has been that I change the ownership of the files and folders to my user on the server, except for when I’m uploading editing.

    • Can you list the files and folders you update the permissions. I usually update the config and htaccess to 400 but more than that I thought you would start getting errors?

    • Linda makes a good point and many owners / designers never change the Displayed name for the author, very often WP will display the primary User name so would be attackers can pick up the user name from any post.

      • B.J. Keeton

        That’s a really good point. I hadn’t even thought that having the author display as LuckyBucky5000 instead of Bucky Barnes would be a huge help to attackers. Good call, and thanks!

  2. Restrict login access by whitelisting your IP addresses.

  3. Linda makes a good point and many owners / designers never change the Displayed name for the author, very often WP will display the primary User name so would be attackers can pick up the user name from any post.

  4. Recently I had a site defaced (ad links injected into every page) and the only way I managed to stop this (even changing file permissions, using two factor authentication, firewall, login limits, locking files using htaccess etc etc all set up before the hack occurred) was to move wp-config.php up one level out of my public_html folder. As soon as I did this no more issues! Clearly someone was somehow managing to get to that file and hence log into the database and update all pages/posts with a simple SQL query.

    The real problem with the wp-config.php file is that it holds all of your database information (required by WordPress) in plain text, which is mental, so I now have this outside my public_html folder (one level up) as WordPress can read this from there out of the box.

    • That is a very interesting suggestion, I would like to try it but would it still work for subdomains?

  5. From my experience, hosting WordPress websites for years now, on our servers we use fail2ban to ban incorrect login attempts automatically, so our clients don’t have to install any plugins. We also change the prefix of tables in the database to make it harder to extract data by code. We have so many security measures in place on the server side that all this would be time wasting.

    Moving wp-admin, not using admin user or using 2-factor auth is just a self-torture, in my opinion. Use a strong password; modern browsers will remember it anyway, so no need to retype it every time. Strong password and banning IP after several incorrect auth requests will eliminate 99.99% of problems.

  6. Hi,
    We think that best solution is iTheme Security + Sucuri.

    For sure also iTheme deserve a Detailed Overview from Elegant Themes blog.

    Best regards

  7. I’m always amazed that you guys don’t include Ninja Firewall as a security recommendation in these types of articles. It’s like the secret weapon to secure your site. A must on all our websites.

    • B.J. Keeton

      For me personally, it’s because I haven’t used it. I’ll definitely look into it, though, so I don’t have this gap in my experience. Thanks, Terry!

  8. I’m a designer and I have had quite a few websites. I put them up and take them down, and sometimes I put them in line. In late 2016 going into 2017, my site started getting attacked. they were absolutely nothing of importance on the site. The low life put his name on the front page and proudly proclaimed he had hacked this site.
    When I found out I immediately took steps to search for how this person did what he did, sadly I was ill-equipped for the job. So, I thought myself clever and I took the site down and brought it back up with different information, the same person hacked it again. It was at that time, as I researched my problem, that there are metabots on the internet that have the specific job of locating brand new installation. My understanding is there are methods of cracking into new sites. Most people won’t take necessary precautions as soon as they start online. That was me. I put a site up and go tend to another and come back and find a compromised site.
    Here is the twist. This started my using Wordfence at every site I put up and made sure it was working. It got to the point I was getting hacking attempts from around the world 24/7. I took a while before I realized I was overwhelmed, but before I got to that point I was locking out hackers from their URL ranges. what confused me was I’d lock out URL from getting to my website and more and different attackers would show. What I was doing was working, but I was seriously outnumbered.
    These were state-sponsored hacking attempts and try as I might I could not keep up locking so many attempted break-ins. Luckily for me, Wordfence must have seen what I was doing because they started doing it automatically. when I learned of this I was so relieved. Wprdfence is a great product, but I was hacked twice using it. I felt that the hack was going from inside the ISP, the way it happened and their inability to see the hack, blew me away. I changed ISP. I went to GODADDY and never had a hack issue again.
    People today do not fully understand that their computers are being hacked so they can be used for the computer processing power. I did not know what was happening, but I later found out that it was a worldwide problem that these hack attempts were happening and it was to get the computers infected under their control.
    This is a very good article. Too late to help me then, but still very good information to people who have not been hacked…yet.

    The last I think most important information on this subject is to backup your data.
    have a backup of the original file website file. A backup of the online version. a continual backup of your operational website. If you are hacked you won’t know when it happened, so your backup might contain infected code. If you find this put you will have a clean backup to get back online without infected files.

  9. Great suggestions!!!

    If you are the only one that needs to login to your WP site, you can deny wp-admin access to everyone but yourself via a .htaccess file. Allowing only your IP address to login.

    # Block access to wp-admin.
    order deny,allow
    allow from x.x.x.x
    deny from all

    Replacing x.x.x.x with your IP address.
    (from wordpress codex)

  10. I Am Using Wps Hide Login For Hiding The Login Page Of My Website.

    Hey i Have Read Several Articles Saying Wordfence Slows Down The Website. What Do You Think About This?

    Jetpack Also provides Bruteforce Attack Protection And I Am currently Using This Feature, Do I Still Need Any Security Plugin?

    If Yes Then Which Is Better Between Wordfence and ithemes security?
    Thanks For Sharing Your Knowledge.

  11. I Am Using Wps Hide Login For Hiding The Login Page Of My Website.

    Hey i Have Read Several Articles Saying Wordfence Slows Down The Website. What Do You Think About This

    Jetpack Also provides Bruteforce Attack Protection And I Am currently Using This Feature, Do I Still Need Any Security Plugin?

    If Yes Then Which Is Better Between Wordfence and ithemes security.
    Thanks For Sharing Your Knowledge.

  12. What you don’t mention is what to do if you ARE in under attack.
    In my experience, you’ll often find yourself in the situation where you can’t access your site due to the magnitude of traffic clogging your system. This directly related to your resources available on your site, but ive seen plenty of sites with large amounts of ram allocated, crumble under an attack. Smaller hosting solutions don’t stand a chance.

    The key is to cut off the traffic, so you’ll need to restart your site and close off all traffic on your firewall. Timing is everything as you’ll find the traffic start to hit you as soon as your site goes live. You’ll have a minute or so, where the services are being loaded, to make the changes, before you’ll be locked out again.

    With your firewall denying all traffic you’ll have plenty of tine to implement any security changes needed.

    Belive me, once you have experienced one attack, you’ll never make the mistake of not securing future builds. It becomes a foundation for all projects.

  13. I highly recommend using a strong password, a password manager, and only trusted plugins. All previous procedures won’t protect against plugins you install! My experience with MalCare has been more than great. I combine that with CloudFlare (Whatever I find suspicious on MalCare Firewall can be blocked on CloudFlare) in addition to checking IP records.

  14. My sites were just hacked. 2 of the 3 had files and databases erased. Backups on my cpanel also deleted. Had Wordfence and a strong password but was accessing dashboard through the default wp-admin and I don’t believe I had a log-in limiter.

    While I like plugins, because Divi is such a complex theme, I worry about compatibility issues. I’m sure it’s likely a coincidence but I had just downloaded the Divi overlay plugin from the Elegant Marketplace and then this happened. Who knows exactly where they got in.

    Feeling very frustrated today. Just in searching here for information I see that several folks have been hacked in the last period.

  15. These information is very helpful. Thank you.
    Meanwhile, I have had my own share of various hack-attacks but what stopped all that eventually were WordFence and Google reCAPTCHA.
    Now, I make sure to have those two layers of protection on every site I build. Ever since I started doing that, I have rested.

    • B.J. Keeton

      That’s awesome. I know that as annoying as reCAPTCHA is for users, it significantly cuts down on the threats you have to manually deal with. I’m glad they worked so well for you. 🙂

  16. Good article

    Today WordPress still separates itself from the competition, recently disclosing that the content management system accounts for powering over 28% of all websites.

    So Wp is the most interesting CMS for hackers. And you need to protect your website.

  17. Such a great article, deeply explained and thank you for sharing

Leave a Reply

Comments are reviewed and must adhere to our comments policy.

500,591 Customers Are Already Building Amazing Websites With Divi. Join The Most Empowered WordPress Community On The Web

We offer a 30 Day Money Back Guarantee, so joining is Risk-Free!

Sign Up Today

Pin It on Pinterest