Every single person who has ever installed WordPress is in danger of brute force attacks. In fact, brute force attacks are on the rise, and they are likely to only get worse. So what does this mean for you? Do you have to stop using WordPress and move over to one of those other CMS options? Heavens, no! It just means you need a security plan to protect your WordPress website. With a few precautions, your dashboard will be a veritable fortress, and not even Superman could force his way inside.
Official Recommendations Against Brute Force Attacks
Since brute force attacks are pretty common, it only makes sense that the WordPress Codex would have recommendations and best practices for you to follow. We highly recommend that you make yourself familiar with this list and take them into consideration for your own protection. They offer both user-based protections as well as options for your server. It is well worth your time to read through it all.
What You Can Do
There’s a lot you can do to set up a secure WordPress website. There are plugins that protect you, and there are just good habits that you can create to make sure that even if you are targeted by brute force attacks, you will be safe.
Do Not Use ‘Admin’ as a Username
This should go without saying, but it has to be said anyway. Do not use ‘admin’ as a username. It’s easy to do, and it used to be fairly common practice. It’s not anymore. So when installing WP, use pretty much any other name (outside of your domain or website title) as your admin user.
If you have admin as a user on your site already, change this. It doesn’t really matter to what, but you need to change it. Despite what the Edit User section says, you can change usernames. You can use a plugin, or you can edit your WordPress database (which is easier than you may think).
Use Strong Passwords
I feel like this one’s harped on enough, so I won’t linger. Don’t use password as your password, nor password123. If you have the option, use the Generate Random Password button. Install the Force Strong Password plugin so everyone who registers for your site is secure, not just you. Because even if you follow best practices, that doesn’t mean everyone does or will.
Move Your Login Away from /wp-admin with a Plugin
You can change your URL multiple ways, but like almost everything else in WordPress, it boils down to either using a plugin or manually editing the code.
By default, we all log into WordPress at /wp-admin. And when it comes to brute force attacks, this is their first strike. They can’t try to force their way in through the door if there is no door, though, right? By moving your login URL away from /wp-admin, you’re essentially hiding from the attackers. This is what amounts to your WP panic room.
Two of the better plugins are Loginizer and WPS Hide Login. While Loginizer has a lot more functionality than simply moving this URL, WPS Hide Login does one thing, and it does it well. It all depends on your set up as to which works better. You can also check out our write-up for other options, too.
Additionally, it’s probably not a good idea to use /login or /admin or anything that similar to the original. Think about something that may be unique to your site, or maybe something like /employees or /staff. While those are common words, the brute force bots aren’t likely programmed to hit them.
Manually Move Your Login Away from /wp-admin
If you’re the kind of user who prefers to keep plugin use to a minimum, you can change the URL by hand, too. It’s a bit more involved, but it’s not really that complicated. We break the process down for you here. You’ll need to be comfortable editing PHP files such as wp-config.php and your .htaccess file.
Use Two-Factor Authentication
Two-factor authentication (2FA) is just about necessary these days for a truly secure online experience. Basically, 2FA boils down to you verifying that it’s you trying to login by putting in a unique code or clicking a unique link that is sent to you and you alone. Maybe it’s by email, text, or even through a keychain fob. This second factor (the username/password being the first) authenticates you as, well, you.
Luckily WordPress is not wanting for 2FA plugins, and you have some truly fantastic options out there. Two of the biggest security plugins have put out authenticator plugins, both of which are highly recommended. If you’re a premium WordFence user, you can get authentication through their plugin (2FA is a tab in the settings). UpdraftPlus has two login plugins: Keyy, a passwordless authenticator (like Clef, if you ever used that) and the aptly named Two Factor Authentication. Additionally, the Loginizer plugin I mentioned above also offers 2FA via apps like Authy and the Google Authenticator (for premium users).
Limit Login Attempts
The reason that brute force attacks are so effective against WordPress is that login attempts are unlimited by default. You never get locked out by entering the wrong password too many times. That’s why brute force is an effective means of gaining access — if they bang their head against your wall enough times, eventually they will knock a hole in it. By limiting the number of times anyone can attempt to log in, you effectively stave off the brunt of the attack. Not the entire thing, but you minimize the chances of your site being compromised and infected with malware.
The most popular plugin to do this is Limit Login Attempts, and you can also get the option through WordFence or Loginizer. Or any number of other security plugins. These are so easy to set up, there’s no reason not to have one activated.
Delete Unused WordPress Installations
I am guilty of this. You are guilty of this. Pretty much everyone everywhere is guilty of this. We have installed WordPress on our servers just to toy around with, test a plugin, or some other obscure, one-off objective, and then never touched that site again. Maybe it sits at a really strange, obfuscated subdomain of your primary domain (1kdnvrNK033r2mk.yourdomain.com, for instance). The point is that it still sits there. Even if you’re not using it, it’s a live WordPress site.
And brute-force attackers are hunting for those. Usually they lack security plugins, the passwords aren’t strong, and usernames haven’t been changed from default. And while they don’t have any real information on them, they give hackers access to your host and servers. And that’s bad mojo.
So when you need a test site, either delete it afterward or use a local development environment. Otherwise, you’re kind of painting a target on your back.
With all that in mind, you should also be running an overall WordPress security plugin. These will include a lot of different things depending on the plugin itself, but generally, you’ll get malware scans, login protection, 2FA, web application firewalls, file repairs, backups, spam filters, IP white- and blacklists, and so much more. We have access to some truly amazing free options out there (which are more than good enough for most people), as well as some downright astonishing premium offerings.
- MalCare Security
- Sucuri (our detailed overview of Sucuri)
- WordFence (our detailed overview of WordFence)
- iThemes Security
- Jetpack (or VaultPress)
- All-in-One WP Security and Firewall
While the final installation decision is up to you, it is imperative that you install a security plugin. Everybody has one they’re partial to, and in the end, the important thing is not which one that you have installed, but that you have one installed at all.
Be Safe Out There
With the rise of brute force attacks and just general bad manners on the internet, you can’t be careful enough, honestly. Any of the plugins listed above is able to protect you from hackers and botnets when combined with the best practices outlined above (and the additional ones listed in the Codex). Keep your head on your shoulders, your eyes open, and your passwords strong, and those brute force attacks won’t even be able to dent your site’s armor.
What do you use to protect your WordPress sites from the growing threat of brute force attacks?
Article featured image by phungatanee / shutterstock.com