Defend Your WordPress Website Against Brute-Force Attacks

Whether you’re fairly new to WordPress or an experienced developer, you might be surprised at just how often your websites are under attack. You might also be wondering who, or what, is carrying out this type of activity, not to mention why they’d target you.

The answers are simple. In most cases, the bad actor is an automated bot. And you’re being targeted simply because you happen to be running WordPress. As the most popular Content Management System (CMS) out there, it is directly in the crosshairs of malicious actors.

While there are all sorts of different attacks floating around out there, the brute-force variety is among the most popular. And that happens to be our subject for today.

Let’s take a look at what brute-force attacks are and some ways you can better protect your WordPress website.

What Is a “Brute-Force” Attack?

A brute-force attack, according to Wikipedia:

“…consists of an attacker submitting countless passwords or passphrases with the hope of eventually guessing correctly.”

In the real world, this means that a malicious script runs repeatedly, entering usernames and passwords into the WordPress login page. It’s possible to see hundreds or even thousands of attempts like this per day.

Of course, if this were all completely random, it would be pretty difficult to successfully log into a website using such a technique. But there are two major reasons why these attacks can sometimes work:

The use of poor login credentials, such as an ultra-common username and password.

The use of credentials that have already been leaked elsewhere.

If either of these situations is in place, that increases the odds of a successful attack. And once the attacker has access to your WordPress dashboard, they can wreak all sorts of havoc.

But even if unsuccessful, these attacks can be both an annoyance and a drain on server resources. Therefore, it’s important to put policies in place that can help mitigate their damage.

Ways to Fight Back

Thankfully, there are a number of things you can do to better protect your WordPress website against brute-force attacks. The most basic is instituting common-sense security measures, such as using strong passwords and virtually anything other than “admin” as your username. These steps alone will at least make your site more difficult to crack.

However, there are some even stronger actions you can take, including:

Restrict Access to the Login Page

Depending on your web server’s setup, you might consider blocking access to the WordPress login page to all but a specific group or range of IP addresses. On an Apache server, for example, this could be done via the .htaccess file.

The caveat is that this strategy depends on administrators having a static IP address. In corporate environments, this would likely be the case. However, other scenarios may make this method more difficult. The official WordPress documentation has some further advice that is worth a look.

Another approach is to password-protect the login page at the server level. While this adds a bit of inconvenience, it does help to ensure that only authorized users gain access to the dashboard.
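
As an added illustration (not taken from the original article or the WordPress documentation), here is how the two approaches above might be combined in an Apache 2.4 .htaccess file in the WordPress root. The IP ranges are reserved documentation addresses, and the user name and AuthUserFile path are placeholders; all are assumptions to replace with your own values.

```apache
# .htaccess in the WordPress root directory (Apache 2.4 or later).
# Needs "AllowOverride AuthConfig" (or "All") for this directory in the
# main server configuration.

<Files "wp-login.php">
    # Server-level password prompt (HTTP Basic auth). Create the file with:
    #   htpasswd -c /path/outside/webroot/.htpasswd someuser
    # Keep it outside the document root so it cannot be downloaded, and
    # serve the site over HTTPS: Basic auth resends the password on
    # every request.
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/path/outside/webroot/.htpasswd"

    # RequireAny: a request passes if it meets ANY condition below.
    # Allowlisted office/VPN addresses skip the prompt; everyone else
    # must supply the server-level password before WordPress ever
    # processes the login attempt.
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
        Require valid-user
    </RequireAny>

    # Stricter variants:
    #  - IP allowlist only: delete "Require valid-user" and the Auth* lines.
    #    Requests from any other address then receive 403 Forbidden.
    #  - Allowlist AND password: change the outer block to <RequireAll>
    #    and wrap the two "Require ip" lines in their own <RequireAny>.
</Files>
```

Requests rejected here are answered by Apache itself with a 401 or 403, so PHP and the database are never involved in the bot's login attempt.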

Implement a Plugin

There are a number of WordPress plugins that are dedicated to security, with several offering features designed to protect against brute-force attempts. Some of the most popular options include:

Jetpack’s “Protect” feature, which will block unwanted login attempts.

Wordfence employs various login-specific measures, such as two-factor authentication, reCAPTCHA and brute-force protection. There is also a companion plugin that only focuses on login security.

Login LockDown is a plugin designed to limit brute-force attempts. It automatically locks out offending IP addresses after a set number of failed logins.

iThemes Security offers several login-related protections, including brute-force protection, two-factor authentication and the ability to rename the /wp-admin/ folder in order to thwart bots.

Use a CDN/Firewall

Content Delivery Networks (CDNs) not only improve the performance of your website, they also provide the side benefit of serving as a barrier between malicious bots and your WordPress install.

CDN providers often include methods to block IP addresses or even entire countries from accessing your site (or at least your dashboard). Depending on the service you use, there may also be protections specifically targeted at stopping brute-force attacks.

The beauty of this approach is that you can significantly lighten the load on your web server. How? Attackers are stopped by the CDN’s firewall before they ever reach your site. It’s kind of like having a flyswatter out in front of your house, stopping pests before they make it to your front door.

When It Comes to Security, Be Proactive

Unfortunately, doing nothing to combat brute-force logins is not a viable option. These attacks are both ubiquitous and relentless. And the landscape certainly doesn’t look like it will get better on its own. Therefore, it’s up to us to take preventative measures.

Thankfully, it’s not really that difficult. The options above, while not 100% perfect, are fairly easy to implement. And each one makes things that much tougher on the average bot.

Plus, when you think about it, the relative cost of mitigating these attacks now is much less than having to deal with a hacked website later on. That alone makes being proactive more than worth the effort.
