How to Protect your WordPress Site from Brute Force Attacks?
Any website can be seriously threatened by a brute force attack. At best it slows your website down; at worst it gives hackers a way in to plant malicious software, or takes your website offline altogether. In this article you will learn how to defend your WordPress website against brute force attacks.
Before we begin, you need to know what a brute force attack is.
Brute Force Attack
Hackers use specialized software or scripts that generate and submit passwords or codes automatically in order to get past a network's or website's authentication. These tools bombard the system with login requests, over and over, until one of the guesses matches the real credentials.
Put differently, brute force attacks rely on trial and error to guess your login credentials and gain access to your system. If successful, the hackers can take control of your network or website simply by logging in as the administrator. Without warning, they can alter your website, implant malware, plant a backdoor, and steal user data.
And that is not all! The strain on your hosting servers will come from even the unsuccessful brute force attacks on your website. Your website will load more slowly as a result, and your server can possibly crash.
To make things worse, hackers disguise these attacks by spreading the requests across many IP addresses and locations, which makes identifying and blocking the malicious activity much harder for the targeted system.
To Protect WordPress Sites From Brute Force Attacks:
1. Install a Firewall Plugin
2. Update WordPress and Plugins
3. Secure the WordPress Admin Directory
4. Add/Enable Two-Factor Authentication
5. Use Strong Random Passwords
6. Disable Directory Browsing for WordPress
7. Disable PHP File Execution for some WordPress Folders
8. Install a Backup Plugin
We will look into these points one by one.
1. Install a Firewall Plugin
Brute force attacks come in the form of requests to your server. It is better to identify and filter these requests before they reach the server.
It is possible to do so by deploying a firewall plugin on your WordPress site. For that, you first have to install the plugin on your WordPress site.
There are two kinds of firewall solutions you can go for:
- Application-Level Firewall: These firewall plugins scan the traffic once it has already reached your server, before the site loads most WordPress scripts. Because the scanning runs on your own server, application-level firewalls are not foolproof: every request, blocked or not, still costs server resources, so a brute force attack will still put a load on your server.
- DNS-Level Firewall: These firewall plugins will route your web traffic through their cloud proxy servers to scan the requests. They filter these requests on their servers and send genuine traffic to your server. It overcomes the drawbacks of application-level firewalls without affecting the speed and performance of your WordPress site.
Although both firewall solutions offer protection to your website, the DNS-level firewall is clearly more effective, but understandably costlier.
Consider your budget and weigh the risks before choosing a firewall plugin. But, make sure you install one on your WordPress site. Even if you cannot afford the subscription plans, it is okay to install the free version.
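Whichever firewall you choose, it helps to know what a brute force attack looks like in your own logs, both the single noisy IP and the distributed variety described above. The following script is an added example, not code from the original article or from any firewall plugin: it parses Apache combined-format access log lines (the sample lines are constructed, not real traffic), counts POST requests to the WordPress login endpoints, and flags IPs that burst past a per-IP threshold as well as a distributed attack spread across many addresses. The thresholds are assumptions for illustration; tune them to your site's normal login volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Endpoints that WordPress brute force tools hammer with credential guesses.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample log (not real traffic). 203.0.113.5 fires six guesses in six
# seconds; 198.51.100.10-15 spread twelve guesses over six addresses; 192.0.2.7
# is an ordinary user who loads the form and logs in once.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 - - [10/Mar/2024:10:00:0{i} +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"'
     for i in range(1, 7)]
    + [f'198.51.100.{10 + i // 2} - - [10/Mar/2024:10:00:{10 + i} +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"'
       for i in range(12)]
    + ['192.0.2.7 - - [10/Mar/2024:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
       '192.0.2.7 - - [10/Mar/2024:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0]


def login_attempts(lines):
    """All POSTs to the login endpoints as a time-sorted list of (timestamp, ip)."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3] in LOGIN_PATHS:
            events.append((parsed[1], parsed[0]))
    events.sort()
    return events


def has_burst(times, window, threshold):
    """True if any sliding window of `window` length holds >= threshold events."""
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(lines, window_s=60, per_ip=5, total=10, min_ips=5):
    """Flag noisy single IPs, then look for a distributed attack among the rest."""
    window = timedelta(seconds=window_s)
    events = login_attempts(lines)
    per_ip_times = defaultdict(list)
    for ts, ip in events:
        per_ip_times[ip].append(ts)
    noisy = sorted(ip for ip, t in per_ip_times.items() if has_burst(t, window, per_ip))
    # Distributed check ignores IPs already flagged so a single loud host cannot
    # mask or fake a spread-out attack.
    rest = [(ts, ip) for ts, ip in events if ip not in noisy]
    distributed = False
    for i, (t0, _) in enumerate(rest):
        in_win = [ip for ts, ip in rest[i:] if ts - t0 <= window]
        if len(in_win) >= total and len(set(in_win)) >= min_ips:
            distributed = True
            break
    return {"attempts": len(events), "noisy_ips": noisy, "distributed": distributed}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

Run against a real log with `detect(open("/var/log/apache2/access.log").read().splitlines())`; the noisy IPs are candidates for a firewall block, while a positive distributed result is the signal that per-IP blocking alone will not help and a DNS-level firewall or rate limiting on the login endpoint is needed.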
2. Update WordPress and Plugins
The most common targets of brute force attacks are websites running older versions of WordPress, plugins and/or themes. Hackers have a field day with websites using outdated software because its vulnerabilities are already publicly known.
WordPress core and almost all popular plugins release updates regularly to improve their security by patching known flaws. We recommend you make it a routine to check for available WordPress updates. If you don't, your website stays open to attack through those old, already-fixed holes.
Here's The Complete Guide to Update Your WordPress. It contains everything you will ever need to know about WordPress updates.
3. Secure the WordPress Admin Directory
Most brute force attacks on WordPress websites are directed towards the WordPress admin area. A quick and easy way to combat them is to make the WordPress admin (wp-admin) directory password protected. It prevents unauthorized users from accessing the WordPress admin area.
It is possible to add a password to the wp-admin directory from your control panel. You have to access the wp-admin directory of your WordPress website and enable password protection for it.
After enabling password protection, there is a chance you will encounter a 404 error or a "Too many redirects" error message.
You can resolve it by adding this line to your WordPress .htaccess file:
ErrorDocument 401 default
4. Add/Enable Two-Factor Authentication
Two-factor authentication is an effective deterrent against brute force attacks while adding an extra security layer to your WordPress login. While accessing the WordPress admin area, users have to generate a one-time passcode on their phones to enter along with their login credentials.

Two-factor authentication generates a temporary code in real time. The code is random and practically impossible to guess or decipher. It makes accessing your WordPress account a lot harder for hackers, even if they manage to crack your password.
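To see why the one-time code is so hard to guess, here is the time-based one-time password (TOTP) algorithm that authenticator apps use, written out as an added example; it is not code from the original article or from any WordPress 2FA plugin. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, verifies a submitted code with a one-step clock-drift allowance and a constant-time comparison, and rejects a code that has already been accepted (a replay). The secret is the RFC test secret and the timestamps are the RFC test values; the `last_counter` parameter is an assumption for how a server would store the last accepted step.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1, last_counter=-1):
    """Return the matched time step, or None.

    Accepts codes from `window` steps either side of now (clock drift), compares in
    constant time, and refuses any step <= last_counter so an intercepted code
    cannot be replayed once it has been used (assumed server-side bookkeeping).
    """
    at = time.time() if at is None else at
    base = int(at) // step
    code = code.replace(" ", "")
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(text):
    """Authenticator apps exchange the shared secret as Base32; decode it to bytes."""
    return base64.b32decode(text, casefold=True)


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code at T=59:", totp(TEST_SECRET, 59))           # RFC vector: 287082
    print("accepted:", verify_totp(TEST_SECRET, "287082", 59))
```

The 6-digit space has only a million codes, but each one is valid for a single 30-second step and a login form that also throttles attempts leaves an attacker far too few guesses per step; the constant-time compare and replay check are what keep that margin honest.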
5. Use Strong Random Passwords
Passwords are the keys that open the gates of any secure system. Common sense says to keep that key a closely guarded secret.
Many people do not realize that using personal information such as birth dates, names, contact numbers and so on as passwords is risky.
Who's to say your attackers are not studying your personal life online? If they are, there is a good chance they will use that personal information to crack your passwords.
A unique password that is a random combination of numbers, letters, and special characters, is the best way to protect your WordPress accounts. And not just WordPress admin! It is a good idea to use strong passwords for your FTP, control panel and other vital online systems.
You do not have to worry about remembering or storing these passwords. There are password manager apps to store your passwords secretly and automatically fill them in.
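The difference between a password built from personal facts and a random one can be put in numbers. The script below is an added example, not code from the original article or from any password manager: it generates a random password with the `secrets` module (guaranteeing every character class is present), estimates its entropy in bits, converts that into an expected cracking time at an assumed guess rate, and checks a password against a list of personal facts that an attacker could learn from social media. The guess rate of ten billion per second is an illustrative assumption, and the personal facts are constructed.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from a CSPRNG, retried until every character class appears."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits, guesses_per_second=1e10):
    """Years to hit the password on average (half the key space) at the given rate."""
    seconds = (2 ** (bits - 1)) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def contains_personal_info(password, facts):
    """Return the personal facts that appear inside the password (case-insensitive)."""
    lower = password.lower()
    return [f for f in facts if f and f.lower() in lower]


if __name__ == "__main__":
    # Constructed personal facts, the kind found on a public profile.
    facts = ["rahul", "1990", "mumbai", "9876543210"]
    weak = "Rahul1990!"
    print(weak, "->", contains_personal_info(weak, facts))
    print("8-digit PIN:", round(expected_crack_years(entropy_bits(8, 10)) * 365.25 * 86400, 4), "seconds")
    strong = generate_password()
    print(strong, "->", round(entropy_bits(len(strong), len(ALPHABET))), "bits,",
          f"{expected_crack_years(entropy_bits(len(strong), len(ALPHABET))):.2e} years")
```

A 20-character password over the 94-symbol alphabet carries about 131 bits of entropy, which at ten billion guesses per second works out to an expected cracking time on the order of 10^21 years; an 8-digit date-style PIN carries under 27 bits and falls in a fraction of a second. That gap is why the article's advice to let a password manager generate and store the password beats anything a person can memorize.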
6. Disable Directory Browsing for WordPress
There are times when your web server cannot locate an index file (index.php or index.html). By default, it then shows the visitor an index page listing the contents of that web directory.

Hackers can use directory browsing to look for vulnerable files and use them to launch their brute force attack.
There is a way to fix this. You have to edit your WordPress .htaccess file and add/copy the following line at the bottom:
Options -Indexes
7. Disable PHP File Execution for some WordPress Folders
One of the most notorious ways to initiate brute force attacks is by running PHP scripts on a web server. Hackers often try to upload and execute a PHP script inside the WordPress folders of your website. As WordPress itself is written mostly in PHP, disabling PHP execution for all WordPress folders is ill-advised.
Still, there are exceptions as some folders don’t need PHP scripts at all. The best example is the uploads folder of WordPress that is located at /wp-content/uploads. It also happens to be an ideal place to hide backdoor files serving as an easy target for hackers.
The good news is you can disable PHP execution in the uploads folder without disrupting the functions of your WordPress website.
To Disable PHP Execution
- Open a text editor (e.g. Notepad) on your computer.
- Copy/enter the following code:
<Files *.php>
deny from all
</Files>
- Save it as a .htaccess file.
- Open your FTP client and upload it to the /wp-content/uploads/ folder on your website.
You can also create/edit the .htaccess file in the uploads folder via the File Manager tool. Note that "deny from all" is the Apache 2.2 syntax; on Apache 2.4 it only works if the mod_access_compat module is loaded, and the native equivalent is the "Require all denied" directive.
8. Install a Backup Plugin
In the worst-case scenario, if an attack does manage to mess up your website, you will lose its original data. That is why you must choose a WordPress hosting service that offers regular data backups.
However, if you do not have backup services with your hosting, you can still take backups of your WordPress website with plugins. There are many free and paid backup plugins available on WordPress to schedule automatic backups of your website.
All that you need to do is install and activate the plugin. Here are a few recommendations of some popular backup plugins for WordPress: UpdraftPlus, VaultPress (Jetpack Backup), Backup Buddy, BlogVault and BoldGrid Backup.
To Sum up
There is a constant threat of brute force attacks looming over websites. Because these attacks are crude and indiscriminate, hackers use them to wreak havoc on a website and can also damage its online reputation.
It goes without saying how important it is to take measures against them and safeguard your website. Although WordPress is a modern, secure and highly advanced CMS, it is not flawless. But with a few tweaks to some settings and by adopting the appropriate technologies, you can effectively fend off brute force attacks on your WordPress site.