How To Protect WordPress Against Brute-Force Attack

Are you looking to protect your WordPress website against brute-force attacks? WordPress is the most popular content management system in the world, and as a result it is a frequent target of attackers. In this article we look at how to protect WordPress websites against brute-force attacks.

What Is A Brute Force Attack?

A brute-force attack is a method in which the attacker tries to gain access to a site by guessing usernames and passwords. Automated tools try many different combinations of usernames and passwords, usually starting from lists of the most common passwords, and keep going until the correct combination is found.

With such tools it takes only a few minutes to try a few hundred combinations.

Protect WordPress Against Brute Force Attack

Most websites fall victim to brute-force attacks because their owners do not take such attacks seriously or do not know how to defend against them.

The WordPress repository has a plugin, WP Limit Login Attempts, which blocks an IP address after a number of failed login attempts. However, this plugin is sometimes not effective, because attackers spread their attempts across a wide range of IP addresses, and blocking thousands of individual addresses does not scale.
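As an added illustration (not code from this article or from the WP Limit Login Attempts plugin), the following Python script shows why a per-IP counter misses a distributed attack. It parses a few constructed Apache access-log lines and assumes the WordPress convention that a failed POST to wp-login.php is answered with HTTP 200 (the form is shown again) while a successful one is answered with a 302 redirect; the sample addresses, thresholds and 60-second window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-log lines (not real traffic). Assumption used
# below: a failed WordPress login is a POST to wp-login.php answered with 200
# (the form is re-displayed); a successful one is answered with a 302 redirect.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:11:58:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:11:58:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:11:58:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.1 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.2 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.3 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.4 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.6 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.8 - - [10/Mar/2024:12:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
"""

# Client IP, timestamp, request line and status from the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return events


def failed_logins(events):
    """Keep only POSTs to wp-login.php that came back as 200 (login form re-shown)."""
    return [e for e in events
            if e["method"] == "POST"
            and e["path"].endswith("/wp-login.php")
            and e["status"] == 200]


def per_ip_offenders(failed, threshold):
    """What a per-IP limiter sees: addresses with at least `threshold` failures."""
    counts = Counter(e["ip"] for e in failed)
    return {ip for ip, n in counts.items() if n >= threshold}


def busiest_window(failed, window_seconds):
    """Sliding window over all failures regardless of source address."""
    events = sorted(failed, key=lambda e: e["time"])
    best = {"count": 0, "distinct_ips": 0, "start": None}
    j = 0
    for i in range(len(events)):
        while j < len(events) and (events[j]["time"] - events[i]["time"]).total_seconds() <= window_seconds:
            j += 1
        if j - i > best["count"]:
            best = {"count": j - i,
                    "distinct_ips": len({e["ip"] for e in events[i:j]}),
                    "start": events[i]["time"]}
    return best


def analyse(log_text, per_ip_threshold=5, window_seconds=60, burst_threshold=5):
    failed = failed_logins(parse_log(log_text))
    burst = busiest_window(failed, window_seconds)
    return {
        "failed_total": len(failed),
        "per_ip_blocks": per_ip_offenders(failed, per_ip_threshold),
        "burst": burst,
        # Many failures from many distinct addresses inside one window is the
        # signature of a distributed attack that per-IP counting cannot see.
        "distributed_alert": burst["count"] >= burst_threshold
                             and burst["distinct_ips"] >= burst_threshold,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("failed logins:", report["failed_total"])
    print("IPs a per-IP limiter would block:", sorted(report["per_ip_blocks"]) or "none")
    print("busiest 60s window:", report["burst"]["count"], "failures from",
          report["burst"]["distinct_ips"], "addresses")
    print("distributed attack suspected:", report["distributed_alert"])
```

Run against the sample, the per-IP limiter blocks nothing (every attacking address fails only once), while the window view reports eight failures from eight addresses in a few seconds. A site-wide rate limit, a captcha or a temporary lock on the targeted account is the kind of response that catches this pattern; blocking each address individually is not.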

Change WordPress Login URL

Because WordPress is open-source software, every attacker knows that the login page is at wp-admin or wp-login.php. Simply change the default login URL to one that attackers cannot easily guess.

Use the plugin WPS Hide Login, which lets you change the login URL. Set a unique URL such as YOUR_DOMAIN/letmein.

Set Strong Username And Password

Always use a strong username and password for your website. Don’t use the username ‘admin’ or the password ‘123456’; these are the most common choices. When choosing a password, use a combination of letters, numbers and special characters (@#$!). This makes it very hard for attackers to guess your password. You can use the password-strength indicator built into WordPress to help choose one.
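An added example, not from the article: a small Python policy check that turns the advice above into code and also shows why length matters as much as character mix, by computing the size of the search space an attacker faces. The short denylist, the common-username list and the 12-character minimum are assumptions standing in for a real common-password list and your own policy.

```python
import math
import string

# Constructed stand-in for a real "most common passwords" list (assumption).
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "qwerty", "admin", "letmein",
    "welcome", "wordpress", "iloveyou", "abc123",
}
# Usernames attackers try first (assumption; extend for your own site).
COMMON_USERNAMES = {"admin", "administrator", "root", "test", "user"}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def guess_space_bits(password):
    """Upper bound on the search space an attacker faces, in bits.

    Assumes the attacker knows which classes were used; class sizes are
    26 lower, 26 upper, 10 digits and 33 printable ASCII specials."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
    alphabet = sum(sizes[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_username(username):
    """Return a list of problems with the username (empty means acceptable)."""
    problems = []
    if username.lower() in COMMON_USERNAMES:
        problems.append("username is one attackers try first")
    return problems


def check_password(username, password, min_length=12, min_classes=3):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "123456"), ("alice", "Tr0ub4dor&3xyz")]:
        print(f"{user!r} / {pw!r}: {guess_space_bits(pw):.1f} bits,",
              check_username(user) + check_password(user, pw) or "ok")
```

The denylist check comes first on purpose: a password that is on the attacker's list is lost on the first few guesses no matter how many character classes it contains, so the class and length rules only matter once that check passes.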

Limit Access to wp-admin by IP

If only a few users handle your dashboard, you can restrict access to wp-admin to just those users. For this step the users need static IP addresses. We add these IPs to the .htaccess file so that nobody outside that list can reach your login page. Note that wp-admin/admin-ajax.php is also used by the front end of some themes and plugins, so test the site after restricting the whole wp-admin directory.

Place the code below in your .htaccess file after the line # END WordPress.

# END WordPress

# Restrict the login endpoint to trusted static IPs. The directives are scoped
# to wp-login.php: left unscoped in the site-root .htaccess they would block
# the entire site. To restrict the whole wp-admin directory instead, put the
# same four directives in wp-admin/.htaccess. (Apache 2.2 syntax; on Apache 2.4
# this needs mod_access_compat, or use "Require ip x.x.x.x y.y.y.y" instead.)
<Files wp-login.php>
    order deny,allow
    allow from x.x.x.x
    allow from y.y.y.y
    deny from all
</Files>

You need to replace ‘x.x.x.x’ and ‘y.y.y.y’ with your actual IP addresses.

Password Protect wp-login.php File

If you wish, you can add one more layer of protection for the wp-login.php file by password-protecting it with HTTP authentication. For this you create a .htpasswd file and reference its location from the WordPress .htaccess file. You may want to read more on this in Apply HTTP Authentication.

Use The Captcha On Login Form

Using a captcha on the login form is recommended; it slows down brute-force attacks. A pre-login captcha reduces the number of spammers and bots reaching the login and registration pages.

Use Two Factor Authentication

You may also consider adding two-factor authentication. This is an additional layer of security that ensures an account cannot be broken into with a guessed password alone.

That’s it! Apply the above steps on your website and you will be far better protected against brute-force attacks.
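As an added example (not from the article or from any WordPress plugin), here is a minimal time-based one-time password (TOTP, RFC 6238) verifier in Python, the mechanism behind most authenticator-app two-factor setups. It shows the three things a login form has to get right when checking the second factor: tolerate small clock skew, compare in constant time, and never accept the same code twice. The one-step skew window and the replay check are design choices assumed here; where the per-user "last accepted counter" is stored is left to the caller.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded):
    """Decode the base32 secret that authenticator apps receive via QR code."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, submitted, for_time=None, last_used_counter=None,
                step=30, digits=6, window=1):
    """Return the time-step counter the code matched, or None if rejected.

    - accepts codes from `window` steps either side of now (clock skew),
    - compares in constant time,
    - refuses any counter at or before the last one accepted, so a captured
      code cannot be replayed inside its validity window.
    The caller must persist the returned counter per user (assumption: that
    storage is outside this example)."""
    if for_time is None:
        for_time = time.time()
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    now = int(for_time) // step
    for candidate in range(now - window, now + window + 1):
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # The RFC 6238 reference secret, used here as a constructed enrolment.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(secret)
    print("current code:", code)
    counter = verify_totp(secret, code)
    print("accepted at counter:", counter)
    print("same code again:", verify_totp(secret, code, last_used_counter=counter))
```

The second factor only helps if the code is checked this strictly: a verifier that accepts a code for several minutes, or accepts it twice, gives an attacker who has already guessed the password a much larger window to reuse an intercepted code.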

We hope this article helps you protect your WordPress website against brute-force attacks. If you have any questions or suggestions, please leave a comment below.
