Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Blocking brute force login attempts in WordPress

            Created by Aldwin Lim, Modified on Mon, Nov 17 at 10:05 AM by Ryan Sullivan

            WordPress is the world’s most widely used content management system on the planet, but that popularity comes with a heavy price.

            Bad actors often attempt to gain unauthorized access to WordPress sites by sending a relentless bombardment of of login credentials at a login prompt. If successful, these hackers can compromise your security, inject malware, deface your content, erode your customers’ trust, and ruin a perfectly good day.

            The attacks are called Brute Force Login Attempts. And at SiteCare, we’ve seen some incredibly sophisticated brute force attacks on WordPress sites that are not properly protected. Quite honestly, there are some fairly simple steps you can take to help defend your site. This article provides five tips that you can use to fortify your WordPress site from the evildoers.

            Step #1: Use Strong Usernames and Passwords

            The first line of defense is simple: Ensure your usernames and passwords are uncrackable.


            Usernames:

            Ditch the predictable "admin" username. Opt for usernames that are a combination of upper and lowercase letters, numbers, and symbols. These are significantly harder to guess through brute-force methods.


            Password Management:

            Encourage users to create complex passwords with a password manager. At SiteCare, we’re fans of 1Password and the Password Policy Manager Plugin. These tools will help you create strong passwords for each account and remove the temptation to reuse the same password on multiple sites and applications. By mandating a minimum length and variety of characters, you’ll help thwart hackers from entering your WordPress site.


            Notebook:

            This should go without saying, but many of you have a notebook in the top right drawer of your computer desk with every password you’ve ever created. We recommend immediately migrating these passwords to a password manager, like 1Password, and lighting a fire to this notebook.


            Step #2: Limit User Permissions

            The damage caused by a compromised account can be contained by the assigned permissions. We recommend assigning only the level of access required for their role. An editor doesn't need administrator privileges, and a contributor doesn't necessarily need editing capabilities. This minimizes the potential damage if an attacker gains access.

            • CloudFlare's Security Arsenal: Browser Integrity and "I'm Under Attack" Mode
              CloudFlare, the popular Content Delivery Network (CDN), offers robust security features. By enabling browser integrity checks, CloudFlare can identify suspicious browser behavior and block potential automated login attempts.

              Furthermore, CloudFlare's "I'm Under Attack" mode strengthens security measures during times of suspected attacks. This mode implements stricter challenge thresholds, further deterring brute force attempts.

            • Two-Factor Authentication: Adding an Extra Layer
              Two-factor authentication (2FA) adds a critical second step to the login process. Even if an attacker acquires your password, they won't be able to access your site without the additional verification code sent to your phone or generated by an authenticator app. There are various 2FA plugins available for WordPress, making it easy to implement for both administrators and users.

            • Limiting Login Attempts: Thwarting Persistent Attacks
              Limiting the number of consecutive login attempts from a single IP address significantly hinders brute force attacks. Popular security plugins for WordPress allow you to set a threshold for failed login attempts within a specific timeframe. After exceeding this limit, the IP address is automatically locked out for a predetermined period. This discourages persistent attempts and prevents automated scripts from endlessly trying to crack passwords.

            • Obfuscating the Login Gateway: Hiding the Default Login URL
              The default WordPress login URL (typically [invalid URL removed]) is a well-known target for attackers. By changing this URL to something more obscure, you make it more difficult for automated scripts to identify the login page. Several plugins can help you achieve this by masking the login URL with a custom one. Remember, obscurity isn't a replacement for the strategies outlined above, but it adds an extra layer of difficulty for attackers.


            A Multi-Layered Defense is the Best Approach

            Mitigating brute force login attempts requires a multi-pronged approach. By implementing strong user credentials, limiting user permissions, leveraging CloudFlare's security features, utilizing 2FA, and restricting login attempts, you significantly increase your WordPress site's resilience. Remember, security is an ongoing process. Stay updated on the latest threats and update your security measures accordingly. By prioritizing these strategies, you can deter attackers and safeguard your WordPress site from unauthorized access.

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0