A brute force attack preys upon your website’s greatest weakness: the people who use it. It doesn’t involve sophisticated SQL injection or XSS techniques. An attacker simply guesses usernames and passwords until they get one combination right.
For high-traffic blogs, a disabling brute force attack causes significant service and revenue disruptions. Fortunately, simple precautions will defend your WordPress site from brute force attacks. In addition, get knowledgeable about the security of your hosting provider. For example, learn more about AWS security options if you host your WordPress site with Amazon.
Protect Your WordPress Site From Brute Force
1. Change Your Admin Username
If you started using WordPress early in its development, your admin username defaulted to “admin.” That’s why attackers start by probing “admin” as a username when they try a brute force attack. You have a couple of options for changing your username: setting up a new admin account or using a plugin.
Create a New Admin Account
1. Open your Dashboard. Hover over “Users” and choose “Add New” from the popup menu.
2. Complete the form. Fill in a new username and password, along with the other requested information. On the dropdown menu next to “Role,” choose “Administrator.” Then, click “Add New User.”
3. Delete your old admin account. On the Dashboard, click “Users.” Place a check in the box beside your old admin account, and then choose “Delete” from the Bulk Actions menu. When prompted, transfer all posts from the previous admin account to your new admin account.
Change Your Username With a Plugin
Download “Admin namer extended” by searching for it on your Add Plugins page, or install it from its .zip file. Once it’s installed, open the plugin and simply type in a new username to replace the generic “admin” username.
2. Use Plugins to Fend off Brute Force Attacks
In addition to eliminating your admin username, use plugins to add tests or two-factor authentication to the login process. You can also use plugins to limit the number of times an attacker can attempt to log in.
Adding a CAPTCHA plugin requires anyone logging into your site to type in a one-time code to access your site. The plugin Captcha by BestWebSoft will require everyone who logs into your site to complete a simple arithmetic problem to gain access.
Step up to two-factor authentication by incorporating Google Authenticator codes into your login process. After you download and install the WP Google Authenticator plugin, users will be prompted to enter a Google Authenticator code at login.
To get the code, they’ll need to download the Google Authenticator mobile app to their Android, iPhone, or BlackBerry mobile devices. Then, you’ll need to set up WP Google Authenticator on your WordPress account by visiting “Settings” and then “Authenticator” in your Dashboard. Check the appropriate boxes to authorize the plugin and to force its use, and then click “Save.” When users log in, they open their Google Authenticator app, where they’ll see your website’s name and a numerical code. They enter the code in the appropriate field on the login screen to access your WordPress site.
Limit Login Attempts
If you use a managed hosting provider, your provider might install a Limit Login Attempts plugin by default. If not, try a plugin called Brute Force Login Protection, which limits the number of times anyone can attempt to log in to your site before their IP address gets blocked.
Keep in mind that the same plugin that limits login attempts to stop brute force attacks will also block your IP address if you type in the wrong password too many times. Make sure you keep your password in a safe place, or use a password manager to store your WordPress password.
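To show what a login limiter actually does under the hood, here is an added example of a minimal WordPress plugin that counts failed logins per IP address and refuses further attempts for a while; it is not code from any of the plugins named above, and the thresholds, the elal_ prefix and the function names are assumptions.

```php
<?php
/*
Plugin Name: Example Login Attempt Limiter
Description: Added example, not one of the plugins named in the article. Locks an IP out after repeated failed logins.
*/

// Assumed thresholds; tune them for your site.
const ELAL_MAX_ATTEMPTS    = 5;
const ELAL_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

function elal_client_ip() {
    // Trust only REMOTE_ADDR. X-Forwarded-For is attacker-controlled unless
    // your reverse proxy overwrites it, so it is deliberately not used here.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function elal_transient_key() {
    return 'elal_fail_' . md5( elal_client_ip() );
}

// WordPress fires wp_login_failed after a bad password or unknown username.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = elal_transient_key();
    $fails = (int) get_transient( $key ) + 1;
    // Each failure resets the expiry, so a lockout keeps extending while attempts continue.
    set_transient( $key, $fails, ELAL_LOCKOUT_SECONDS );
    // Write a log line your monitoring or fail2ban can pick up; the username is attacker-supplied, so sanitize it.
    error_log( sprintf( 'login failed for "%s" from %s (%d of %d)',
        sanitize_user( $username ), elal_client_ip(), $fails, ELAL_MAX_ATTEMPTS ) );
} );

// Priority 30 runs after WordPress's own password check (priority 20), so a locked-out
// IP is refused even when it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $fails = (int) get_transient( elal_transient_key() );
    if ( $fails >= ELAL_MAX_ATTEMPTS ) {
        return new WP_Error( 'elal_locked_out', __( 'Too many failed login attempts. Try again later.' ) );
    }
    return $user;
}, 30, 3 );

// Clear the counter on success so a legitimate user with a few typos is not penalised for long.
add_action( 'wp_login', function () {
    delete_transient( elal_transient_key() );
} );
```

Because the counter is keyed on IP address, users behind a shared NAT or corporate proxy can lock each other out; a real plugin usually adds an allowlist and a per-username counter for that reason.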
3. Create a Strong Password
Nothing protects your WordPress site like requiring strong passwords from yourself and your users. Use one of these options to design a good password:
- Mix of letters, numbers, and symbols. Use a blend of upper-case and lower-case letters, numbers, and symbols to design a strong password.
- A memorable phrase. String together some unrelated words, like carenvelopetrombonecat. This option gives you a password that’s tough for attackers to crack and also easy for you to remember.
Add the Force Strong Passwords plugin to require all users to construct strong passwords. By doing so, you’ll prevent attackers from brute forcing any account associated with your site.