Earlier this month, I received following email from WordFence about the largest brute force attack on WordPress:
As of 11am eastern time this morning we are monitoring the largest distributed brute force attack on WordPress installations that we’ve seen to date. The real-time attack map on www.wordfence.com became so busy that we’ve had to throttle the amount of traffic we show down to 4% of actual traffic.
What Is A Brute Force Attack?
Not every WordPress or web developers are good. There are some evil folks too. A brute force attack is when a person or some machines try to crack your username password combination by repeatedly sending login attempts. They’ll perform sequential login attempts to your WordPress by using some common and random username and password combinations.
Protect Your WordPress From Brute Force Attacks
Brute force attacks are vicious but you can easily protect your WordPress from brute force attacks by following taking these simple precautions:
Are you using admin as your WordPress username? Drop the ball on that username. It’s the default username and it’s really easy for hackers to guess this username. Make sure to use your name or something different as your WordPress admin username.
Stuck with the admin username, as WordPress doesn’t allow to change the username? Username Changer comes where handy when it comes to change your WordPress username without messing with your MySQL database.
Just like strong username, you need a strong password! A brute force attacker tries to guess some random words, dictionary words, adding numbers to them, and using all common passwords to crack your password. Using password as your password is not a smart move, as brute force will instantly break this password. Use random alphabets, numbers and special characters. Do NOT use strings like 123456 or qwerty.
You can also check your password strength by visiting howsecureismypassword.net.
Limit Login Attempts:
You should also limit the login attempts to your WordPress site. Limit Login Attempts plugin blocks a user or brute force attacker from making after an admin specified limit. It’ll make impossible for brute force attackers to crack your password.
Limit Access To wp-admin And wp-login By IP:
If you are the only one who needs to login to your WordPress and you have a fixed IP address, you can also limit access to your wp-admin and wp-login.php with .htaccess file. You’ll be the only one with the access of admin panel and login of your WordPress. You can follow these two articles – limit access to wp-admin and limit access to wp-login.php.
Deny Access to No Referrer Requests:
Here’s another great step to protect your WordPress’ login and comment form with another .htaccess code. This trick will deny the direct access to your comment and login page. Only users from your site will be able to access these forms. You can do this by following these instructions.
There are tons of plugins in WordPress’ plugin repository to protect your WordPress from these evil brute force attacks. WordFence is my favorite plugin for this job.
All these steps will definitely protect your WordPress website from all these rude and evil brute force attacks. What to you think about these trick?