Protect Your WordPress Website From Brute Force Attacks

In the classic movie WarGames, the main character programs his computer to guess the passwords of other computers randomly through his modem. This rather crude method of guessing passwords is called a brute force attack and is not uncommon for today’s WordPress sites.

While an inelegant and old-fashioned way to attempt to breach other computers, a brute force attack still can be quite successful if a site has an easy-to-guess password or an account name like “admin.”

The first sign of such an attack is a spike in server memory because of all the requests hitting the PHP login file, wp-login.php. To prevent such an occurrence, let’s take a look at some steps to take to stop brute force attacks in their tracks.

5 Steps to Prevent Brute Force Attacks

1. Create a Strong Password

The first step in preventing brute force breaches is a strong password. Be sure there’s no personal data incorporated into your password, such as a company name or birthday. You also don’t want to include any dictionary words, but rather a mix of numbers and letters (upper and lowercase) as well as special characters.

Never use “admin” as a username, as almost all hacking software guess passwords for that name. Using a unique login name is a great step to stop hackers.

2. Use Two-Factor Authentication

Another good preventative technique is 2FA (two-factor authentication) which we covered extensively in a previous blog post.

3. Rename the WordPress Login Page

A popular technique to prevent hackers from hitting the WordPress login page is to rename wp-login.php using one of many such plugins This stops the hackers from even trying to guess the password since they can’t find the login page and also helps prevent the server from spiking due to excessive PHP use.

4. Limit Login Attempts

“Login limiters” are another great security measure to stop brute force attacks. These make it so a user can only guess a password a set amount of times, like 3 or 5 attempts, before getting blocked. There are many plugins that will limit login attempts on any given site.

5. Restrict Access for Other IPs

A powerful but heavily restrictive step is to protect the login page by IP number. For Apache servers, the simplest way to do this is to add this line to your .htaccess file:

# Block access to wp-login.php.
<Files wp-login.php>
  order deny,allow
  allow from 203.0.113.15
  deny from all
</Files>

This security step means you can only log in to WordPress from the IP number you list above. This is not recommended if you use a dynamic (changing) IP. If needed, you can always allow more than one IPs using the following method.

# Block access to wp-login.php.
<Files wp-login.php>
  order deny,allow
  allow from 203.0.113.15
  allow from 203.0.113.16
  allow from 203.0.113.17
  deny from all
</Files>

For Nginx servers, implementing a location block works similar to the Apache example:

error_page 403 http://example.com/forbidden.html;
location /wp-login.php {
allow 203.0.113.15
# or for the entire network:
# allow 203.0.113.0/24;
deny all;
}

If you need additional help hardening your WordPress site against brute force attacks, feel free to contact the experts at Hall.

See how Hall can help increase your demand.