In the past, we have taken a closer look at WordPress security. With the rapid growth in adoption of WordPress as a CMS, the number of website security risks has also increased. For a website administrator, it is important to be aware of the different types of security threats that a WordPress website might face. In this blog article, we will explain WordPress brute force attacks and some security measures that can help to cut them down.
What are WordPress brute force attacks?
Brute Force Attacks are the simplest method that hackers use to gain access to your WordPress website. Instead of looking for any loopholes or vulnerabilities in the software, a brute force attack tries to gain access by entering usernames and passwords until it reaches a successful combination. While this is not a foolproof method of gaining access to a WordPress website, it can prove to be fatal if the username or password is an easy guess (like ‘12345’ or ‘abcde’ or usernames like ‘admin’). It is not uncommon for WordPress users to set such passwords, especially if they are not aware of the security threats to their website.
Brute force logins overload the hosting server's memory by making many repeated HTTP requests. Even if the attacker does not succeed in gaining access to the website, the flood of requests often pushes the web server to its limit and can result in a crash. Almost all websites are prone to brute force attacks, but given the popularity of WordPress, it is the most targeted platform.
There has been a sustained increase in brute force attacks since 2016. One of the most common methods of brute force attacks is to send HTTP requests to the wp-login.php file until they gain access or the server crashes. Here are a few security measures you can adopt to ensure that your website is protected from brute force attacks.
Top 7 Ways to Prevent Brute Force Attacks
- Strong Passwords and usernames
- Change your display name
- Prevent discovery of username
- Brute force attack prevention plugins
- Password protecting your wp-login.php
- Limit access to wp-admin
- Implement an account lockout policy
#1 Strong passwords and usernames
A huge number of brute force attacks assume that the wp-login username is ‘admin’, which is the default username on WordPress. It is highly recommended that you change this default username to something more complex that is not easy to guess. You can also create a new WordPress account, migrate all your content into it and delete ‘admin’ altogether. This is a fairly simple and straightforward process that you can carry out manually. However, you can also use a plugin like Admin Renamed Extended.
It goes without saying that your WordPress password should be unique and difficult for brute force attacks to crack. Several automatic password generators are available today which you can use to generate secure passwords for your WordPress account. When changing a WordPress password, pay attention to the password strength meter on WordPress and ensure that it identifies your password as ‘strong’. Some things that you should definitely avoid in your password are your real name, numbers only or common words that can be easily guessed. The ideal password must be alphanumeric and at least 8 characters long.
#2 Change your display name
Hackers try various ways to discover usernames. One common method is to look for names that appear on the site. These are display names. Suppose, for instance, that ‘Sophia’ is your display name, and ‘Sophia’ also happens to be your username. It is not uncommon to have the same username and display name.
A hacker bot may scan your site, pick up ‘Sophia’, and then attempt to brute-force its way into your website with that name.
To prevent this from happening, you simply have to change your display name from ‘Sophia’ to something else, say ‘Lawrence’. But make sure there is no username called Lawrence.
That said, it is important to note that changing the display name only hides your original username (i.e. Sophia) on the website pages. It will still be visible in the WordPress user profile URL. Unfortunately, WordPress does not allow users to change the profile URL. If they know where to look, a hacker can easily discover the original username.
#3 Prevent discovery of username
Whenever a new WordPress feature is rolled out, hackers try to exploit it. With version 4.7, WordPress unveiled the REST API as a core feature, and hackers found a way to exploit it.
The API exposes various functions of a WordPress site. Listing the site's users is one function the new API provides: anyone can request a ready-made URL (example.com/wp-json/wp/v2/users) and find out the usernames.
We tried running the URL for our site and it immediately revealed user information. In the following image, you can see how the URL reveals the names of the users on our website. Try it on your site: yourwebsite.com/wp-json/wp/v2/users
We, of course, didn't want to knowingly leave a door open for the hackers, so we began searching for a solution to this problem. After considerable effort, we found that Wordfence offers a feature called “Prevent Discovery of Usernames” that tackles this exact problem. We installed the plugin and enabled it, and that effectively targeted the specific functionality in the API that exposes usernames and blocked it.
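If you would rather not rely on a plugin, the same endpoint can be removed from the REST index for anonymous visitors with a few lines in a must-use plugin (a file under wp-content/mu-plugins). This is an added example, not code from the article or from Wordfence; it keeps the routes available to logged-in users because the block editor needs /wp/v2/users for author lookups.

```php
<?php
/**
 * Plugin Name: Hide the REST users endpoint (added example)
 * Description: Example code, not from the original article. Drops /wp/v2/users
 * from the REST API for visitors who are not logged in.
 */

// Remove the user-listing routes for anonymous requests only. Logged-in users
// keep them because the block editor queries /wp/v2/users for author lookups.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    // Route keys exactly as WP_REST_Users_Controller registers them.
    $user_routes = array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' );
    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

After activating it, an anonymous request to /wp-json/wp/v2/users answers with a rest_no_route 404 instead of the user list.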
#4 Brute force attack prevention plugins
There are many WordPress plugins available that are designed specifically to secure a WordPress blog from brute force attacks. These plugins can perform a variety of security functions such as limiting login attempts and HTTP requests, blocking access from suspicious IP addresses and sending login alerts to the webmaster. Some of the most widely used WordPress security plugins are:
- SiteGuard WP Plugin: This plugin protects WordPress websites from unauthorized access. It prevents access to the wp-admin page if the connecting IP address does not match known addresses. SiteGuard also has a Captcha verification feature and provides email alerts of login attempts.
- BulletProof Security: It offers a wide range of tools like .htaccess protection, cookie expiration, and login error logging. It is also a WordPress backup plugin that takes automatic backups of the database to make the recovery process easier.
- BruteProtect: A cloud-powered security plugin that stops brute force attacks. IP addresses blocked for malicious activity are shared among all WordPress sites in the network to prevent further attacks.
These plugins can be installed directly from the Plugins section in WordPress.
#5 Password protecting your wp-login.php
Adding a password to wp-login.php is a good idea. It helps in restricting access to the file and also adds another layer of security to your WordPress website. Let’s go through this process step by step:
Step 1: Create a .htpasswd file manually through your WordPress hosting service, using an htpasswd generator. Note that .htpasswd is a file name consisting only of an extension, with no prefix.
Step 2: Upload this file to your public web or root folder.
Step 3: After uploading the file, place the below code in your .htaccess file:
# Protect wp-login
# Replace the AuthUserFile path with the absolute server path of the .htpasswd
# you uploaded, and "username" with the user you created in it.
<Files wp-login.php>
AuthType Basic
AuthName "Private access"
AuthUserFile /full/path/to/.htpasswd
Require user username
</Files>
Now your wp-login.php is password protected: the browser asks for the htpasswd credentials before the WordPress login form is even served.
#6 Limit access to wp-admin
If only one person with a fixed IP address manages your site, then an IP filter can protect the wp-admin folder. This limits access to wp-admin because only the administrator's IP will be able to reach the wp-admin folder and make HTTP requests to it.
Step 1: Create a plain text file called .htaccess
Step 2: Add the code below to it:
# Block access to wp-admin.
order deny,allow
deny from all
allow from x.x.x.x
# wp-admin/admin-ajax.php also lives in this folder and is used by many themes
# and plugins for logged-out visitors, so check the front end still works.
(Note that x.x.x.x is your static IP address.)
Using this method, you can also allow access to several different IP addresses by adding one allow line per address.
Step 3: Save the file and upload it to the wp-admin folder
In addition to this, you can also block IP Addresses based on suspicious behaviour and country of origin. You can download a blocklist from the Internet which will give you an idea of malicious IP addresses and their associated regions. Uploading a table of these IP addresses along with block rules into your WordPress directory will greatly reduce the probability of brute force attacks.
Services like Cloudflare and Sucuri CloudProxy can also reduce the probability of brute force attacks by denying access to malicious IP addresses before they reach your server.
#7 Implement an account lockout policy
An account lockout policy determines when your WordPress admin panel should be automatically locked. This can be done after a finite number of unsuccessful login attempts – access to the admin panel is then locked until an administrator manually unlocks it. One of the downsides of this technique is that multiple accounts can be locked out by one malicious user, which may cause a temporary lapse in service to users and added workload for the administrator.
An alternative to the above lockout policy is to use progressive delays. In this method, user accounts are temporarily blocked after a number of failed login attempts. With each further failed login attempt, the lockout time increases, which makes it difficult for automated malicious tools to run a brute force attack.
Another way to reduce brute force attacks is to use CAPTCHA based verification for every login attempt. The user must then type the characters shown or solve a simple puzzle to prove they are human. To a small extent, this could hamper the usability and accessibility of the website. But as the popular saying goes: better safe than sorry! MalCare Website Firewall offers CAPTCHA based protection where the system locks out hacker bots after 3 consecutive failed login attempts.
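The progressive-delay policy described above can be implemented without a plugin using WordPress's own login hooks and transients. This is an added example, not code from the article or from MalCare; it keys the lockout by client IP rather than by account, which sidesteps the downside noted above of one attacker locking out many users. The threshold of 3 attempts, the 2-minute starting delay and the one-day cap are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Progressive login lockout (added example)
 * Description: Example code, not from the original article. After a few failed
 * logins from one client IP, the wait doubles with every further failure.
 */

const PLL_MAX_ATTEMPTS = 3;                     // failures allowed before the first lockout
const PLL_BASE_LOCK    = 2 * MINUTE_IN_SECONDS; // first lockout: 2 min, then 4, 8, ...
const PLL_MAX_LOCK     = DAY_IN_SECONDS;        // never lock a client for more than a day

// Transient keys are derived from REMOTE_ADDR only: trusting X-Forwarded-For
// here would let an attacker choose (and rotate) the key at will.
function pll_key( string $prefix ): string {
    return $prefix . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count failures per IP; from the threshold on, each failure sets a longer lockout.
// Attempts made while locked also fire this hook, so hammering the form only
// lengthens the wait.
add_action( 'wp_login_failed', function () {
    $fails = (int) get_transient( pll_key( 'pll_fails_' ) ) + 1;
    set_transient( pll_key( 'pll_fails_' ), $fails, HOUR_IN_SECONDS );

    if ( $fails >= PLL_MAX_ATTEMPTS ) {
        $n    = $fails - PLL_MAX_ATTEMPTS;                        // 0, 1, 2, ...
        $lock = (int) min( PLL_BASE_LOCK * ( 2 ** $n ), PLL_MAX_LOCK );
        set_transient( pll_key( 'pll_lock_' ), time() + $lock, $lock );
    }
} );

// Runs at priority 30, after the core password checks (priority 20), so a locked
// client is refused even if this particular guess happened to be right.
add_filter( 'authenticate', function ( $user ) {
    $until = (int) get_transient( pll_key( 'pll_lock_' ) );
    if ( $until > time() ) {
        return new WP_Error( 'pll_locked', sprintf(
            'Too many failed logins. Try again in %d seconds.', $until - time()
        ) );
    }
    return $user;
}, 30 );

// A successful login clears the counters for that client.
add_action( 'wp_login', function () {
    delete_transient( pll_key( 'pll_fails_' ) );
    delete_transient( pll_key( 'pll_lock_' ) );
} );
```

Because wp_authenticate() is shared by wp-login.php and XML-RPC, the same lockout applies to both login paths.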
WordPress is a frequent target of cyber attacks, so security should be a priority. Using these security measures can help to stop brute force attacks while also ensuring that your website remains up and running.