A brute force attack is a terrible threat to any website. It may end up slowing down your website or allow hackers to upload malicious malware on it. In the worst case, it may even render your site inaccessible. In this article, you will learn to protect your WordPress site from brute force attacks.
Before we begin, you need to know what a brute force attack is.
Brute Force Attack
Hackers deploy special programs or algorithms to generate and enter a random password/code to get past the security of a website or a network. These programs run on the repeat by sending many requests to the system. Until eventually, the program deciphers the authentication information.
In other words, brute force attacks use the trial-and-error system to try and guess your login details to access your computer system. If successful, it will allow the hackers to literally log in as the administrator and lay waste to your website or network. They can create a virtual backdoor, install malware, steal user information, and make changes to your site without you knowing.
That is not all! Even the failed brute force attacks on your website will put a load on your hosting servers. It will slow your website and may even lead your server to crash.
To make things worse, hackers craftily disguise these attacks by using different IP addresses and locations. It makes the identification and blocking of these malicious activities much harder for the targeted system.
We will look into these points one by one.
1. Install a Firewall Plugin
Brute force attacks come in the form of requests to your server. It is better to identify and filter these requests before they reach the server.
It is possible to do so by deploying a firewall plugin on your WordPress site. For that, you first have to install the plugin on your WordPress site.
Refer to this article to learn How to Install a WordPress Plugin?
There are two kinds of firewall solutions you can go for:
- Application-Level Firewall: These firewall plugins will scan the traffic that reaches your server. However, the scan takes place before the site begins loading most WordPress scripts, which affects its efficiency and effectiveness. Application-Level Firewalls are not foolproof because a brute force attack will still put a load on your server.
- DNS-Level Firewall: These firewall plugins will route your web traffic through their cloud proxy servers to scan the requests. They filter these requests on their servers and send genuine traffic to your server. It overcomes the drawbacks of application-level firewalls without affecting the speed and performance of your WordPress site.
Although both firewall solutions offer protection to your website, the latter is obviously more effective but understandably costlier.
Consider your budget and weigh the risks before choosing a firewall plugin. But, make sure you install one on your WordPress site. Even if you cannot afford the subscription plans, it is okay to install the free version.
2. Update WordPress and Plugins
The most common targets of brute force attacks are the websites that run on the older versions of WordPress, plugins and/or themes. Hackers have a field day with websites using outdated software as they know their vulnerabilities.
WordPress core and almost all popular plugins regularly devise updates to better their security by covering their redundancies. We recommend you make it a routine to check for the available WordPress updates. If you don’t, your website will be open to attack by those old potholes.
Here’s The Complete Guide to Update Your WordPress. It contains everything you will ever need to know about WordPress updates.
3. Secure the WordPress Admin Directory
The WordPress admin area is the primary target of a majority of brute force attacks on WordPress websites. Adding password protection to the WordPress admin (wp-admin) directory is a simple and effective counter against them. It blocks access to unauthorized users to the WordPress admin area.
It is possible to add a password to the wp-admin directory from your control panel. You have to access the wp-admin directory of your WordPress website and enable password protection for it.
If you are a cPanel user, you can refer to this article: How to Add Password to WordPress Admin (wp-admin) Directory via cPanel?
There is a chance of you encountering a 404 error or error Too many redirects message.
You can resolve it by adding this line to your WordPress .htaccess file:
ErrorDocument 401 default
4. Add/Enable Two-Factor Authentication
Two-factor authentication is an effective deterrent against brute force attacks while adding an extra security layer to your WordPress login. While accessing the WordPress admin area, users have to generate a one-time passcode on their phones to enter along with their login credentials.
Two-factor authentication allows you to generate temporary code in real-time. The code is random and practically impossible to guess or decipher. It makes accessing your WordPress account a lot harder for hackers, even if they manage to crack your password.
5. Use Strong Random Passwords
Passwords are the keys to open gates of any system security. It is common sense to keep this key as a closely private secret.
People do not understand that using personal information like birth dates, names, contact numbers, etc. as passwords is risky.
Who’s to say that your attackers are not stalking your personal lives online? If they are, there is a good chance that the hackers will be using your personal information to crack your passwords.
A unique password that is a random combination of numbers, letters, and special characters, is the best way to protect your WordPress accounts. And not just WordPress admin! It is a good idea to use strong passwords for your FTP, control panel and other vital online systems.
You do not have to worry about remembering or storing these passwords. There are password manager apps to store your passwords secretly and automatically fill them in.
6. Disable Directory Browsing for WordPress
There are times when your web server can not locate an index file (index.php or index.html). As a default response, it then takes the visitor to an index page that shows the contents of the web directory.
The hackers may search for vulnerable files with directory browsing to launch their brute force attack.
There is a way to fix this. You have to edit your WordPress .htaccess file and add/copy the following line at the bottom:
We have a reference article where you can Learn How to Disable Directory Browsing on WordPress.
7. Disable PHP File Execution for some WordPress Folders
One of the most notorious ways to initiate brute force attacks is by running PHP scripts on a web server. Hackers often try to install and execute a PHP script in the WordPress folders of your website. As WordPress is primarily encoded in PHP, disabling the malicious script for all WordPress folders is ill-advised.
Still, there are exceptions as some folders don’t need PHP scripts at all. The best example is the uploads folder of WordPress that is located at /wp-content/uploads. It also happens to be an ideal place to hide backdoor files serving as an easy target for hackers.
The good news is you can disable PHP execution in the uploads folder without disrupting the functions of your WordPress website.
To Disable PHP Execution
- Open a text editor (e.g. Notepad) on your computer.
- Copy/enter the following code:
<Files *.php> deny from all </Files>
- Save it as a .htaccess file.
- Open the FTP client and upload it to /wp-content/uploads/ folder on your website.
You can even create/edit the .htaccess file in the uploads via the File Manager tool. Here, you can learn How To Edit A .htaccess File Through The cPanel File Manager.
8. Install a Backup Plugin
In the worst-case scenario, if an attack does manage to mess up your website, you will lose its original data. That is why you must choose a WordPress hosting service that offers regular data backups.
However, if you do not have backup services with your hosting, you can still take backups of your WordPress website with plugins. There are many free and paid backup plugins available on WordPress to schedule automatic backups of your website.
All that you need to do is install and activate the plugin. Here are a few recommendations of some popular backup plugins for WordPress: UpdraftPlus, VaultPress (Jetpack Backup), Backup Buddy, BlogVault and BoldGrid Backup.
To Sum up
There is a constant threat of brute force attacks looming over websites. Thanks to the unorthodox nature of these attacks, hackers use them to wreak havoc on the website and can also diminish its online reputation.
It goes without saying how important it is to take measures against them and safeguard your website. Although WordPress is a modern, secure and highly advanced CMS for websites, it is not flawless. But with a few tweaks in some settings and inducting appropriate technologies, you can effectively fend off the brute force attacks on your WordPress site.