A brute force attack is one of the most common attacks against WordPress sites, and many site owners do not have a clear picture of what actually happens during one. Attackers try to guess the correct combination of a WordPress username and password, and once they succeed they have access to the site. With that access they can use the site's resources for malicious activity: storing files, stealing data, defacing the website, launching attacks on other websites, and sending spam emails.
The site is then blacklisted by Google and the hosting provider suspends it. WordPress users can prevent this by taking measures against brute force attacks. This article walks through the steps every site owner should follow to secure a site against brute force attacks.
What is a WordPress brute force attack?
WordPress site owners must enter their username and password on the login page to reach the wp-admin dashboard.
Every WordPress site has a default login page shown below.
Hackers can easily find the login page of any WordPress website, and they maintain databases of commonly used usernames and passwords. Many users pick common usernames such as “admin” and common passwords such as “1234” or “12345678”. This is not a smart choice: such users make it very easy for hackers to gain access to the site.
Hackers usually program bots to find WordPress websites, open their login pages and launch brute force attacks. Bots can try millions of combinations of common usernames and passwords within a few seconds, and they can also pick up the names of authors and team members that appear on the website.
So it is essential to use strong, unique credentials for the site. However, this alone is not enough to prevent brute force attacks. WordPress owners need to harden their site so that attackers get no chance to gain access to it. For that, every website owner should have a clear understanding of the security measures that can be applied to prevent brute force attacks.
How to protect the website from brute force attacks
As a WordPress website owner you can apply eight security measures to protect your website from brute force attacks.
- Use a strong username and password
- Prevent the discovery of usernames
- Limit login attempts
- Change the default login page URL
- Implement two-factor authentication
- Implement HTTP authentication
- Use a firewall
- Implement Geoblocking
This article explains each method step by step, so that you gain a good understanding of the security measures you can apply against brute force attacks.
01. Use Strong Usernames and Passwords
A login credential has two parts: the username and the password. Both should be long and unique, so that hackers’ bots have a hard time guessing them.
Unique username
Make sure your username is as strong as your password. In most cases users have strong passwords but weak usernames that hackers can easily guess, leaving only the password to find. That makes the hackers’ job far easier, so you should pay attention to the username too and stop using common usernames.
Currently a weak username is one of the most common security vulnerabilities on WordPress websites. If you work with a team, check each member’s username to see whether they use a common one. If so, advise them to change their username to something long and unique.
Strong passwords
WordPress asks you to set a strong password when you create a new account and warns you if the password is weak. But you can still keep a weak password and continue by selecting the “confirm the use of weak password” option.
So the duty of creating a strong password falls on the user. A strong password generally combines uppercase letters, lowercase letters, numbers and special characters. The reason most users avoid stronger passwords is the difficulty of remembering them, but a password manager solves that problem. You can read more about this in the article on Password Management For WordPress Users.
02. Prevent discovery of username
Change display name
Blog posts usually display the author’s name at the beginning or end of the article. If that displayed name is also the author’s login username, hackers can take it straight from the blog and use it to attempt a login, so your website is in danger of being hacked. Protect the username by changing the name displayed on your blog. To do so, follow the steps below.
- Select Edit your profile in the WordPress dashboard.
- Change the Nickname.
- Select the new nickname from the “Display name publicly as” option.
- Save settings by clicking on “Update profile”.
Block WordPress REST API from displaying the name
Hackers can also discover your username through the WordPress REST API. The REST API was introduced in 2016 and hackers soon identified it as a way to obtain usernames: it returns user information, including the username, to anyone who requests the URL www.example.com/wp-json/wp/v2/users.
You can stop hackers from getting usernames through the REST API either with a plugin or manually.
Use a plugin to prevent Rest API from displaying usernames
You can use the Disable REST API plugin to block Rest API from displaying usernames.
- Install and activate the Disable REST API plugin. It blocks the REST API from displaying usernames.
Manually prevent REST API from displaying usernames
You can do it manually by inserting a code snippet into the functions.php file. Follow the steps below.
- Log into your WordPress hosting account and locate the functions.php file.
- Go for cPanel and then for File Manager and then for public_html.
- Access wp-content in the public_html folder.
- Select the active theme on the site.
- Locate the functions.php file inside the active theme folder, right-click it and select Edit.
Enter the code snippet below inside the functions.php file. Note that this particular snippet removes the WordPress version from the generator meta tag in the page head; on its own it does not change what the REST API returns.
function trendyport_remove_version() {
    // Return an empty string so the <meta name="generator"> tag no longer reveals the WordPress version.
    return '';
}
add_filter( 'the_generator', 'trendyport_remove_version' );
- Save the file.
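The change this section is aiming at, as an added example that is not the article’s own code: a functions.php snippet that uses WordPress’s rest_endpoints filter to remove the user routes for visitors who are not logged in. The example_ prefixed function name is this example’s own; it assumes WordPress 4.7 or later, where the filter exists.

```php
<?php
// Added example (not from the article): hide the /wp/v2/users routes from
// anonymous requests so the REST API no longer lists usernames.
// Place in the active theme's functions.php or a small mu-plugin.
// Assumption: WordPress 4.7+ (rest_endpoints filter available).

add_filter( 'rest_endpoints', 'example_hide_user_routes' );

function example_hide_user_routes( array $endpoints ) {
    // Logged-in users (editors, the block editor's author picker) still need
    // these routes, so only unauthenticated requests are affected. Cookie
    // authentication in the REST API requires a valid nonce; without one
    // WordPress treats the request as anonymous.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
}
```

After adding it, an anonymous request to /wp-json/wp/v2/users receives a rest_no_route error instead of the user list, while logged-in editors keep working normally.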
03. Limit login attempts
Hackers create bots that try combinations of common usernames and passwords to obtain access to the website, and a bot can try many combinations within a few seconds. A brute force attack prevention plugin allows only three attempts: a visitor who enters three wrong credentials is blocked. For genuine WordPress users this is not a problem, because the plugin offers a quick way to be unblocked: the user solves a CAPTCHA presented by the plugin and can then log in with the correct credentials. Bots are not given this chance. So you should activate a brute force attack prevention plugin in WordPress by performing the steps below.
- Create an account and activate the plugin on the website.
- Then the plugin implements CAPTCHA protection measures automatically.
- The plugin dashboard shows you the details of the bots being blocked by it.
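A minimal version of the limiting mechanism described above, as an added example that is neither the article’s code nor any plugin’s: it counts failed logins per source IP in a transient and refuses further attempts after three failures for 15 minutes. It has no CAPTCHA unblock path (the lockout simply expires), and the example_ prefixed names are this example’s own.

```php
<?php
// Added example (not from the article or any plugin): a simple login-attempt
// limiter for functions.php or an mu-plugin.
define( 'EXAMPLE_MAX_ATTEMPTS', 3 );
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function example_attempt_key() {
    // Assumes the site is not behind a reverse proxy; behind one, REMOTE_ADDR
    // is the proxy and a trusted forwarded header would have to be used.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_failed_logins_' . md5( $ip );
}

// Fires after every failed login (wrong password or unknown username).
add_action( 'wp_login_failed', 'example_record_failure' );
function example_record_failure( $username ) {
    $key   = example_attempt_key();
    $count = (int) get_transient( $key ) + 1;
    // Each failure restarts the 15-minute window for this address.
    set_transient( $key, $count, EXAMPLE_LOCKOUT_SECONDS );
}

// Priority 30 runs after the core username/password check (priority 20),
// so a locked-out address is refused even if it now supplies the right password.
add_filter( 'authenticate', 'example_check_lockout', 30, 3 );
function example_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( example_attempt_key() ) >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}

// A successful login clears the counter for that address.
add_action( 'wp_login', 'example_clear_failures' );
function example_clear_failures( $user_login ) {
    delete_transient( example_attempt_key() );
}
```

Because a refused attempt is itself reported through wp_login_failed, every further try during the lockout extends it by another 15 minutes.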
04. Change default login page URL
Hackers know the format of the default login URL well, so they can easily find your login page and launch brute force attacks. If you move your login page to a new URL such as http://www.example.com/newurl, you hide it from them.
You can use plugins such as Easy Hide Login, Change wp-admin login or WPS Hide Login to change the URL. This article explains how to change the default login page URL with the WPS Hide Login plugin; follow the steps below.
- Install and activate WPS Hide Login on the WordPress website.
- Go to the settings in the WordPress dashboard and then select WPS Hide Login.
- Set the new login URL.
- Save settings.
05. Implement Two-Factor authentication
With two-factor authentication you first enter your username and password, and the service then sends a code to your phone which you must enter to access the account. This is the same two-step process used to log into Gmail and Facebook.
It confirms that the real user is logging into the account, since users have to verify themselves in real time. You can apply the same method to a WordPress website by installing a two-factor authentication plugin. The plugin sends a code to your phone when you enter your username and password on the website; you then enter the received code and log into the site.
06. Implement HTTP authentication
HTTP authentication lets you block hackers from reaching the login page at all, adding another layer of protection in front of the WordPress login page.
With HTTP authentication installed on WordPress, a browser sign-in box asking for credentials appears before the login page is shown. These HTTP credentials are separate from your WordPress login credentials. You can implement HTTP authentication with a plugin; when you set it up, the plugin asks you for the HTTP credentials, and those are what you will have to enter to reach the login page from then on.
Without these credentials no one can access the login page. To set this up, install the HTTP Auth plugin on WordPress by following the steps below.
- Install and activate HTTP Auth on the WordPress site.
- Select the HTTP Auth option in the WordPress dashboard and open its Settings.
- Select a Username and Password.
- Choose the option Login and WordPress admin page.
- Then select the Active HTTP Authentication option.
- Save changes.
07. Use Firewall protection
A WordPress firewall separates good traffic from bad: it allows only good traffic to reach your site and blocks traffic it identifies as bad. This way hackers are stopped at their very first attempt to access the site.
How does a firewall identify bad traffic?
IP addresses used by hackers are flagged as malicious. The firewall maintains a database of the malicious IP addresses of known hackers and bots and checks each visitor’s IP address against it. If a visitor’s address is in the database, the firewall blocks it and so stops the hacker’s attempt. The MalCare security plugin includes a WordPress firewall that performs this malicious IP check automatically.
08. Implement Geoblocking
This method bans all IP addresses originating from a specific country, so you can block particular countries to mitigate brute force attacks. The Center for Strategic and International Studies (CSIS) has found that China and Russia are the biggest sources of cyber-attacks around the globe. So if your WordPress site does not serve visitors from those countries, you can simply implement geoblocking. This is easy to do by installing the MalCare security plugin.
If you go through this article carefully and implement the steps above, you can protect your WordPress website from brute force attacks. Brute force attacks have the highest success rate because of the poor credentials WordPress users choose, but there are various other types of attacks that can affect your site. It is therefore essential to equip your site with good security measures, not only to prevent brute force attacks but to withstand all types of cyberattacks. For that you can simply install the MalCare security plugin, which guards against all types of hacking attempts.