How To Protect WordPress Against Brute-Force Attack

Are you looking to protect your WordPress website against brute-force attacks? WordPress is the most popular content management system in the world, and as a result it is a constant target for attackers. In this article we look at how to protect a WordPress website from brute-force attacks.

What Is A Brute Force Attack?

A brute-force attack is a method in which the attacker tries to gain access to a site by guessing usernames and passwords. The attacker runs a tool that works through many different combinations of usernames and passwords. Attackers commonly use a list of the most common passwords and try each one against your site. The process continues until they find a correct combination of username and password.

Attackers use software for this, so trying a few hundred combinations takes only a few minutes.

Protect WordPress Against Brute Force Attack

The majority of websites fall victim to brute-force attacks, either because their owners do not take such attacks seriously or because they do not know how to defend against them.

The WordPress repository has a plugin, WP Limit Login Attempts, which blocks an IP address after a number of failed login attempts. Sometimes, however, this plugin is not effective, because attackers use a wide range of different IP addresses, and blocking thousands of IP addresses one by one does not work.
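As an added illustration (not code from this article or from the plugin), the script below applies the same failed-attempt rule to Apache access-log lines and also counts failures site-wide, which is what catches the many-IP case the per-IP rule misses. It assumes the site runs Apache with the "combined" log format and that WordPress answers a failed login POST with HTTP 200 and a successful one with a 302 redirect; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def login_posts(log_text):
    """Yield (ip, timestamp, status) for every POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m['method'] == 'POST' and m['path'].startswith('/wp-login.php'):
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            yield m['ip'], ts, int(m['status'])

def has_burst(times, limit, window_s):
    """True if any `limit` consecutive timestamps fall within `window_s` seconds."""
    times = sorted(times)
    return any((times[i] - times[i - limit + 1]).total_seconds() <= window_s
               for i in range(limit - 1, len(times)))

def detect_brute_force(log_text, per_ip_limit=5, total_limit=20, window_s=300):
    """Return (flagged_ips, distributed_alert). WordPress answers a failed login POST
    with 200 (it re-renders the form) and a success with a 302 redirect, so only 200s
    count. The per-IP rule mirrors a limit-login plugin; the site-wide total catches
    attempts spread over many addresses, which per-IP blocking misses."""
    failures = defaultdict(list)
    for ip, ts, status in login_posts(log_text):
        if status == 200:
            failures[ip].append(ts)
    flagged = sorted(ip for ip, t in failures.items() if has_burst(t, per_ip_limit, window_s))
    every = [ts for t in failures.values() for ts in t]
    return flagged, has_burst(every, total_limit, window_s)

# Constructed sample traffic (not from a real server): one IP hammering the login
# form, one user who mistyped once then logged in, and 15 IPs with one failure each.
def log_line(ip, second, status):
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 4300 "-" "Mozilla/5.0"')

SAMPLE_LOG = "\n".join(
    [log_line("203.0.113.5", s, 200) for s in range(0, 30, 5)]
    + [log_line("198.51.100.7", 10, 200), log_line("198.51.100.7", 20, 302)]
    + [log_line(f"192.0.2.{n}", 30 + n, 200) for n in range(1, 16)]
)
```

Calling `detect_brute_force(SAMPLE_LOG)` flags only 203.0.113.5 but still raises the site-wide alert, because the 15 single-failure addresses together exceed the total limit inside the window.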

Change WordPress Login URL

Because WordPress is open-source software, attackers know that the login page URL is wp-admin or wp-login.php. Simply change the default login URL to one that attackers are not likely to guess.

Use the plugin WPS Hide Login, which lets you change the login URL. Set a unique URL such as YOUR_DOMAIN/letmein or something similar.


Set Strong Username And Password

Always use a strong username and password for your website. Don't use the username 'admin' or the password '123456'; these are among the most common. When setting a password, use a combination of letters, numbers and special characters (@#$!). This makes it very hard for attackers to guess your password. You can use the password-strength indicator that WordPress provides to help choose one.

Limit Access to wp-admin by IP

If only a limited number of users work in your dashboard, you can restrict access to wp-admin to just those users. For this step, those users must have static IP addresses. We add these IPs to the .htaccess file so that nobody outside this list can reach your login page.

Place the code below in your .htaccess file after the line # END WordPress.

# END WordPress

# Restrict the WordPress login page to the listed IP addresses.
# The <Files> wrapper matters: in the root .htaccess these directives would
# otherwise apply to every request and lock all visitors out of the whole site.
# To cover the wp-admin directory too, put the same order/deny/allow lines
# (without the <Files> wrapper) in a separate wp-admin/.htaccess file.
# On Apache 2.4 without mod_access_compat use "Require ip x.x.x.x y.y.y.y" instead.
<Files wp-login.php>
    order deny,allow
    deny from all
    allow from x.x.x.x
    allow from y.y.y.y
</Files>

You need to replace ‘x.x.x.x’ and ‘y.y.y.y’ with your actual IP addresses.

Password Protect wp-login.php File

If you wish, you can add one more layer of security to the wp-login.php file by protecting it with a password. For this, create a .htpasswd file and reference its location from your WordPress .htaccess file. You may want to read more on this in Apply HTTP Authentication.

Use The Captcha On Login Form

Using a captcha is recommended; it helps slow down brute-force attacks. A pre-login captcha reduces the number of spammers and bots reaching the login and registration pages.

Use Two Factor Authentication

You may also consider adding two-factor authentication. This is an additional layer of security that ensures your account cannot easily be broken into.

That's it! Apply the steps above on your website and you will have far less to fear from such attacks.

We hope you now understand how to protect a WordPress website against brute-force attacks. If you have any questions or suggestions, please leave a comment below.

If you liked this article, then please subscribe to our YouTube Channel for video tutorials.
