In the past, we have taken a closer look at the security of WordPress websites. With the rapid growth in adoption of WordPress as a CMS, the number of security risks has also increased. For a website administrator, it is important to be aware of the different types of security threats that a WordPress website might face. In this blog article, we will explain brute force attacks and some security measures that can help minimize them.
What Is a Brute Force Attack?
Brute Force Attacks are the simplest method that hackers use to gain access to a website. Instead of looking for any loopholes or vulnerabilities in the software, a brute force attack tries to gain access by entering usernames and passwords repeatedly until a successful combination is reached. While this is not a foolproof method of gaining access to a WordPress website, it can prove to be fatal if the username or password is an easy guess (like ‘12345’ or ‘abcde’ or usernames like ‘admin’). It is not uncommon for WordPress users to set such passwords, especially if they are not aware of the security threats to their website.
Brute force attacks overload the hosting server’s memory by making a large number of repeated HTTP requests. Even if the attacker is not successful in gaining access to the website, the flood of requests often pushes the server to its limit, which can result in a crash. Almost all websites are prone to brute force attacks, but given the popularity of WordPress, it is arguably the most targeted platform.
There has been a sustained increase in brute force attacks since 2016. One of the most common methods of brute force attacks is to repeatedly send HTTP requests to the wp-login.php file until access is gained or the server crashes. Here are a few security measures you can adopt to ensure that your website is protected from brute force attacks.
#1 Strong Usernames and Passwords
A significantly large number of brute force attacks assume that the wp-login username is ‘admin’, which is the default username on WordPress. It is highly recommended that you change this default username to something more complex that will not be easy to guess. You can also create a new WordPress account, migrate all your content into it and delete ‘admin’ altogether. This is a fairly simple and straightforward process that can be carried out manually. However, you can also use a plugin like Admin Renamed Extended.
It goes without saying that your WordPress password should be unique and difficult for brute force attacks to crack. Several automatic password generators are available today which can be used to generate secure passwords for your WordPress account. While changing your password on WordPress, pay attention to the password strength meter on WordPress and ensure that it identifies your password as ‘strong’. Some things that you should definitely avoid in your password are your real name, numbers only or common words that can be easily guessed. The ideal password must be alphanumeric and at least 8 characters long.
#2 Brute Force Attack Prevention Plugins
There are many plugins available on WordPress which are designed specifically to secure the site from brute force attacks. These plugins can perform a variety of security functions such as limiting login attempts and HTTP requests, blocking suspicious IP addresses and sending login alerts to the webmaster. Some of the most widely used plugins are:
- SiteGuard WP Plugin: This plugin protects WordPress websites from unauthorised access. It prevents access to the wp-admin page if the connecting IP address does not match known addresses. SiteGuard also has a Captcha verification feature and provides email alerts of login attempts.
- BulletProof Security: It offers a wide range of tools like .htaccess protection, cookie expiration and error login. This plugin takes automatic backups of the database to make the recovery process easier.
- BruteProtect: A cloud-powered security plugin that is designed to prevent brute force attacks. IP addresses blocked for malicious activity are shared among all sites in the network to prevent further attacks.
These plugins can be installed directly from the Plugins section in WordPress.
#3 Protect Your wp-login.php with a Password
Adding a password to access wp-login.php is a good idea because it adds another layer of security to your WordPress website. Let’s go through this process step by step:
- Create a .htpasswd file manually through your hosting service, using an htpasswd generator. Note that .htpasswd is the complete file name: it consists only of an extension, with no name before the dot.
- Upload this file to your public web or root folder.
- Once the file is uploaded, place the below code in your .htaccess file:
# Protect wp-login
# AuthUserFile must be the absolute filesystem path of the .htpasswd file you uploaded
# (Apache does not expand "~"; the path below is a placeholder to replace with your own).
# Replace "username" with the user you created in .htpasswd.
<Files wp-login.php>
AuthUserFile /absolute/path/to/.htpasswd
AuthName "Private access"
AuthType Basic
require user username
</Files>
#4 Limit Access to wp-admin
If your website is managed by only one person with a fixed IP address, then the wp-admin folder can be protected by an IP filter. Only the administrator’s IP will be able to access the wp-admin folder and make HTTP requests to it. Keep in mind that wp-admin/admin-ajax.php is also called by front-end requests from many themes and plugins, so test the public site after applying the filter.
- Create a plain text file called .htaccess in a text editor
- Add the below code to it
# Block access to wp-admin.
# (On Apache 2.4 without mod_access_compat, the equivalent directive is: Require ip x.x.x.x)
order deny,allow
allow from x.x.x.x
deny from all
(Note that x.x.x.x is your static IP address.)
Using this method, you can allow access to multiple IP addresses by adding one allow from line per address.
- Save the file and upload it to the wp-admin folder
In addition to this, you can also block IP Addresses based on suspicious behaviour and country of origin. You can download a blocklist from the Internet which will give you an idea of malicious IP addresses and their associated regions. Uploading a table of these IP addresses along with block rules into your WordPress directory will greatly reduce the probability of brute force attacks.
Services like Cloudflare and Sucuri CloudProxy can also reduce the probability of brute force attacks by denying access to malicious IP addresses before their requests reach your server.
#5 Implement an Account Lockout Policy
An account lockout policy determines when your WordPress admin panel should be automatically locked. This can be done after a finite number of unsuccessful login attempts – the access to the admin panel gets locked until an administrator manually unlocks it. One of the downsides of this technique is that multiple accounts can be locked out by one malicious user which may cause a temporary lapse in service to users and added workload to the administrator.
An alternative to the above lockout policy is to use progressive delays. In this method, user accounts are temporarily blocked after a number of failed login attempts. With each failed login attempt, the lockout time increases which makes it difficult for automated malicious tools to launch a brute force attack.
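As an added example (not code from the original article or from any plugin named in it), a minimal must-use plugin that implements the progressive delay scheme described above. It assumes the client IP is available in REMOTE_ADDR and uses an assumed delay schedule of 30 s, 1 min, 5 min, 15 min and 1 h after the third and later consecutive failures.

```php
<?php
/*
Plugin Name: Progressive Login Delay (added example)
Drop this file into wp-content/mu-plugins/ to load it automatically.
*/
// Assumed schedule: seconds of lockout after the Nth consecutive failure from one client.
const PLD_DELAYS = array(3 => 30, 4 => 60, 5 => 300, 6 => 900, 7 => 3600);

function pld_client_key() {
    // Transient key derived from the client IP; behind a reverse proxy use the trusted forwarded header instead.
    return 'pld_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

function pld_delay_for($fails) {
    // No lockout before the third failure; beyond the table the longest delay applies.
    if ($fails < 3) {
        return 0;
    }
    return PLD_DELAYS[min($fails, max(array_keys(PLD_DELAYS)))];
}

// Count each failed login for this client and set (or extend) its lockout window.
add_action('wp_login_failed', function ($username) {
    $key   = pld_client_key();
    $state = get_transient($key) ?: array('fails' => 0, 'until' => 0);
    $state['fails']++;
    $delay = pld_delay_for($state['fails']);
    $state['until'] = $delay ? time() + $delay : 0;
    set_transient($key, $state, DAY_IN_SECONDS); // keep the counter across lockouts
});

// Refuse authentication while the client is inside its lockout window. Attempts made
// during the lockout are themselves reported as failures, so the window keeps growing.
add_filter('authenticate', function ($user, $username, $password) {
    if (empty($username) || empty($password)) {
        return $user; // let core report empty fields without touching the counter
    }
    $state = get_transient(pld_client_key());
    if ($state && $state['until'] > time()) {
        $wait = $state['until'] - time();
        return new WP_Error('pld_locked', sprintf('Too many failed logins. Try again in %d seconds.', $wait));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(pld_client_key());
});
```

Because the lockout is keyed by IP, several users behind one shared address are locked out together; keying by username instead limits that side effect but lets an attacker lock out a known account.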
Another way to reduce brute force attacks is to use a CAPTCHA based verification for every login attempt. The user is asked to type the characters shown in an image or solve a simple puzzle to verify that they are a human and not a script. To a small extent, this could hamper the usability and accessibility of the website, but as the popular saying goes: better safe than sorry! MalCare Firewall offers CAPTCHA based protection where hacker bots are locked out after 3 consecutive failed login attempts.
As we have mentioned in the past, WordPress is vulnerable to cyber attacks if its security is not prioritized. Using these security measures you can prevent brute force attacks and ensure that your website remains up and running.