
WordPress Security: How to Prevent Brute Force Attacks

WordPress is the most widely used Content Management System on today’s Internet. Due to its popularity, it’s an incredibly attractive target for hackers. WordPress websites face several kinds of attack. Today, I’ll explain a bit about Brute Force, the most widely used attack against password-protected entities.

A Brute Force attack is also referred to as a Dictionary attack. It is the most famous attack on the Internet. In a Brute Force attack, the hacker tries all possible combinations of digits, letters and special characters to guess the password for your account.

Most of the attacks are automated, running from an individual machine or from high-speed servers against your site. How long it takes to find the actual password depends on the attacker’s resources.

How attackers ATTACK:

Usually, when we create a WordPress website, we set our username as “Admin” and our password as “12345” or “admin”. Such common usernames and passwords are the best friends of Brute Force attacks. They can be hacked easily within a few minutes.

Suppose the site owner’s username is “Admin” and the password is “12345”.

The attacker will try all possible combinations of digits, letters and special characters against our account, verifying each guess on every iteration. Once the password matches, you’re HACKED!

How to Prevent Brute Force Attacks:

There are a number of ways to prevent this kind of attack. Below are a few of them.

  1. Pick a Strong Username & Password:

Choose a unique username and a strong password after you’ve set up your WordPress site. From your WordPress Admin Panel, navigate to “Users > Add New”. Create a new user with a unique name (avoid using a dictionary word). Set a strong password. Assign the user the “Administrator” role. Refer to the image below.

Now, log out and log in again with the newly created account. Navigate to Users and delete the WordPress default user account, typically named “Admin”.

  2. Limit Login Attempts:

By default, WordPress does not limit login attempts. That means that when logins to an account fail continuously, nothing stops the user from trying again. There are many plugins in the WordPress directory that can block users from logging in after a particular number of failed login attempts. One of them is WP Limit Login Attempts.

From your WordPress Admin Panel, navigate to “Plugins > Add New”. From the top right corner, search for “WP Limit Login Attempts”. Once you have found it, click “Install” and then “Activate”.

After successful installation, navigate to “Settings > WP Limit Login”. You’ll see settings like those in the image below. In its free version, you cannot change the default settings. If you want to configure it according to your needs, you can use its premium version.

After configuring, go to your WordPress login page. Remember that you have 5 login attempts; a failed login attempt is shown below for further clarification.

After all 5 login attempts have been used, this message will be displayed and that particular user will be restricted for 10 minutes.
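The lockout behaviour described above (5 failed attempts, then a 10-minute block) can be expressed with WordPress core hooks. This is an added example, not the WP Limit Login Attempts plugin's code or code from the original article; the `ex_` names are hypothetical, and it assumes `REMOTE_ADDR` is the real client address (no reverse proxy in front of the site).

```php
<?php
/**
 * Plugin Name: Example login lockout (added illustration, hypothetical)
 */
const EX_MAX_ATTEMPTS    = 5;    // attempts allowed, as in the article
const EX_LOCKOUT_SECONDS = 600;  // 10 minutes, as in the article

// Transient key per client address. Assumption: REMOTE_ADDR is trustworthy.
function ex_lockout_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'ex_login_fail_' . md5($ip);
}

function ex_is_locked(): bool {
    $state = get_transient(ex_lockout_key());
    return is_array($state) && $state['locked_until'] > time();
}

// Count failed logins; start the lockout when the limit is reached.
add_action('wp_login_failed', function ($username) {
    if (ex_is_locked()) {
        return; // attempts made during a lockout do not extend it
    }
    $key   = ex_lockout_key();
    $state = get_transient($key) ?: ['count' => 0, 'locked_until' => 0];
    $state['count']++;
    if ($state['count'] >= EX_MAX_ATTEMPTS) {
        $state['locked_until'] = time() + EX_LOCKOUT_SECONDS;
    }
    // The counter expires 10 minutes after the most recent failure.
    set_transient($key, $state, EX_LOCKOUT_SECONDS);
});

// Priority 100 runs after core's password check (priority 20), so a
// correct guess made during the lockout is still rejected.
add_filter('authenticate', function ($user, $username, $password) {
    if (ex_is_locked()) {
        return new WP_Error(
            'ex_locked_out',
            'Too many failed login attempts. Please try again in 10 minutes.'
        );
    }
    return $user;
}, 100, 3);

// A successful login clears the counter for this client address.
add_action('wp_login', function ($user_login) {
    delete_transient(ex_lockout_key());
});
```

A per-address counter like this slows a single source but not attempts spread across many addresses, which is why the two-factor step below still matters.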

  3. Two Factor Authentication

The best way to prevent a Brute Force attack is to use Two Factor Authentication. That means that, along with your password, a login code sent to your phone is also required for authentication. Internet giants like Gmail, Facebook, Twitter, LinkedIn, Hotmail, Yahoo Mail and others also use Two Factor Authentication for security.

You can use Two Factor Authentication on your WordPress-based website too. Clef and Duo Two-Factor Authentication are the most popular plugins for WordPress Two Factor Authentication.

  4. More Advanced Protection

For complete prevention of different kinds of attacks, there are a number of plugins available in the WordPress directory. Some of the most popular are:

  1. Wordfence
  2. iThemes Security
  3. Sucuri Security
  4. All In One WP Security & Firewall

You can also read more about Brute Force attacks here.

After a successful installation of your WordPress website, security is the most important factor, and one should not ignore it. Last but not least, your hosting plays a crucial role in securing your WordPress website. There are many Managed WordPress Hosting providers, like Cloudways, that provide 1-click installation of WordPress.

Feel free to ask any questions using the comment section below.

arun singh
