Are you looking to protect your WordPress website against brute force attacks? WordPress is the most popular content management system in the world, and as a result it is a constant target for attackers. In this article, we look at how to protect a WordPress website from brute force attacks.
What Is A Brute Force Attack?
A brute force attack is a method where the attacker tries to gain access to a site by guessing usernames and passwords. They use a system that tries many different combinations of usernames and passwords. Attackers typically use a list of the most common passwords and try each one against your site. This process continues until they find the correct username and password combination.
Attackers use software that can try a few hundred combinations in just a few minutes.
Protect WordPress Against Brute Force Attack
The majority of websites fall victim to brute force attacks, either because their owners do not take such attacks seriously or because they do not know how to defend against them.
The WordPress repository has a plugin, WP Limit Login Attempts, which blocks an IP address after a number of failed login attempts. Sometimes, however, this plugin is not effective, because attackers spread their attempts across a wide range of IP addresses, and blocking thousands of individual IP addresses does not scale.
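As an added example (not part of the original article and not code from the WP Limit Login Attempts plugin), the following Python script shows how a defender can spot both patterns in an Apache access log: a single IP hammering wp-login.php, and the distributed pattern the plugin misses, where many IPs each make only a few attempts. The log lines it runs on are constructed samples, and the thresholds are assumptions to tune for your own site.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_failed_logins(lines):
    """Yield (ip, timestamp) for each failed login attempt, skipping unparsable lines.
    wp-login.php answers a failed POST with 200 (form re-rendered) and a successful
    one with a 302 redirect, so only status-200 POSTs are counted as failures."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not m["path"].startswith("/wp-login.php"):
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def detect_bruteforce(lines, per_ip_limit=5, total_limit=20, window_s=300):
    """Report IPs over per_ip_limit, and flag a distributed attack when the failures
    in any window_s-second span exceed total_limit although no single IP is noisy."""
    events = sorted(parse_failed_logins(lines), key=lambda e: e[1])
    per_ip = Counter(ip for ip, _ in events)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    peak, start = 0, 0  # sliding window over the time-sorted failures
    for end in range(len(events)):
        while (events[end][1] - events[start][1]).total_seconds() > window_s:
            start += 1
        peak = max(peak, end - start + 1)
    distributed = peak > total_limit and not noisy_ips
    return {"noisy_ips": noisy_ips, "peak_in_window": peak, "distributed": distributed}

def _line(ip, second, status=200):
    """Build one constructed combined-format log line (sample data, not a real log)."""
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')

# Constructed samples: 25 distinct IPs with one failure each inside one minute
# (distributed), and one IP with 8 failures followed by an unrelated 302 login.
SAMPLE_DISTRIBUTED = [_line(f"203.0.113.{i}", i) for i in range(1, 26)]
SAMPLE_SINGLE_IP = [_line("198.51.100.7", s) for s in range(8)] + [_line("192.0.2.9", 30, 302)]
```

Run `detect_bruteforce` over a real access log one line at a time; the distributed flag is the signal that a per-IP blocker alone would miss.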
Change WordPress Login URL
Because WordPress is open source software, attackers know that the login page is at wp-admin or wp-login.php. Simply changing the default login URL to one that attackers will not guess removes this easy target.
Use the plugin WPS Hide Login, which allows you to change the login URL. Set a unique URL such as YOUR_DOMAIN/letmein.
Set Strong Username And Password
Always use a strong username and password for your website. Do not use the username ‘admin’ or the password ‘123456’; these are among the most common and are the first ones attackers try. When setting a password, use a combination of letters, numbers and special characters (@#$!). This makes it practically impossible for attackers to guess your password. You can use the password-strength indicator that WordPress provides to help choose a password.
Limit Access to wp-admin by IP
If only a limited number of users manage your dashboard, you can restrict access to wp-admin to just those users. For this step, those users must have static IP addresses. We add these IPs to the .htaccess file so that no one apart from these IPs can reach your login page.
Place the code below in your .htaccess file after the line # END WordPress. The <Files> wrapper matters: without it, deny from all in the site's root .htaccess would block the entire site, not just the login page.
# END WordPress
# Restrict wp-login.php to the listed IP addresses (Apache 2.2 syntax).
<Files wp-login.php>
order deny,allow
deny from all
allow from x.x.x.x
allow from y.y.y.y
</Files>
You need to replace ‘x.x.x.x’ and ‘y.y.y.y’ with your actual IP addresses. On Apache 2.4, replace the three order/deny/allow lines with Require ip x.x.x.x y.y.y.y inside the same <Files> block.
Password Protect wp-login.php File
If you wish, you can add one more layer of security to the wp-login.php file by protecting it with an HTTP password. For this, create a .htpasswd file and reference its location from your WordPress .htaccess file. You may want to read more on this in Apply HTTP Authentication.
Use The Captcha On Login Form
Using a captcha is recommended, as it helps slow down brute force attacks. A pre-login captcha reduces the number of spammers and bots that reach the login and registration pages.
Use Two Factor Authentication
You may also consider adding two factor authentication. This is an additional layer of security which ensures that your account cannot easily be broken into.
That’s it! Apply the above steps to your website and you will never have to worry about evil attacks.
We hope you now understand how to protect a WordPress website against brute force attacks. If you have any questions or suggestions, please leave a comment below.
If you liked this article, then please subscribe to our YouTube Channel for video tutorials.