Unprotected WordPress websites fall victim to brute force attacks every day. If you own a self-hosted WordPress website (one that is on your own web hosting account, rather than WordPress.com), it could be a target.
How do I know these Brute Force Attacks are real?
I personally found out that brute force attacks were real, because I saw that someone was attempting to do this.
I looked at my statistics (in cPanel > Webalizer) and saw an insane number of hits on wp-login.php! Given that I can estimate the number of real people who visit my site, I can clearly see that this is a hacking attempt made by a robot!
How does a Brute Force Attack happen?
Automated programs scan the internet for addresses such as “yourdomain.com/wp-login.php”. Once they find one, they submit username and password combinations, usually taken from lists of common usernames and leaked passwords rather than picked at random, in the hope that one of the combinations is the right one.
These programs will keep guessing for as long as they like, because WordPress itself puts no limit on the number of failed log-in attempts. Even when no guess succeeds, the flood of requests puts strain on the server hosting your website and can stop real visitors from reaching it.
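The hits described above are visible in the raw access log, not just in Webalizer's totals. The script below is an added example, not code from the original post: it pulls wp-login.php activity out of an Apache (cPanel) access log in the combined log format and flags the client IPs that are hammering the log-in page. The log lines are constructed for illustration, the two addresses come from documentation ranges, and the ~/access-logs/ path is an assumption about a typical cPanel account.

```shell
#!/bin/sh
# Added example, not from the original post: count wp-login.php requests per
# client IP in an Apache access log (combined format) and flag brute forcers.
# SAMPLE_LOG is constructed for illustration; 203.0.113.7 plays the attacker,
# 198.51.100.9 a real visitor who logs in once.

SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:02:14:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:02:15:10 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:02:15:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:02:15:42 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# In the combined format awk sees: $1 client IP, $6 the method with a leading
# quote ("POST), $7 the request path, $9 the HTTP status code.

# login_hits LOGTEXT: every request for wp-login.php as "count ip" lines,
# busiest IP first. This is the number Webalizer reports as hits on the page.
login_hits() {
    printf '%s\n' "$1" |
    awk '$7 ~ /^\/wp-login\.php/ { print $1 }' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# failed_logins LOGTEXT: only POSTs to wp-login.php answered with 200.
# WordPress re-renders the form (200) on a wrong password and redirects (302)
# after a successful one, so a 200 to a POST is a failed guess.
failed_logins() {
    printf '%s\n' "$1" |
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { print $1 }' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# suspicious_ips LOGTEXT THRESHOLD: IPs with more than THRESHOLD failed guesses.
suspicious_ips() {
    failed_logins "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# On a cPanel account the raw log usually sits under ~/access-logs/ (assumed
# path; check "Raw Access" in cPanel for yours):
#   suspicious_ips "$(cat ~/access-logs/yourdomain.com)" 20
```

Counting only failed POSTs separates a bot from a busy but legitimate login page: a real user produces one GET and one 302 POST, while the bot leaves a long run of 200 POSTs from one address.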
Does this mean WordPress is not secure?
Not at all!
WordPress core is as secure as any comparable website platform. The main reason attacks are so common is that WordPress is so widely used: a tool that guesses wp-login.php credentials works against every unprotected site, so it is worth the attacker's while to run it everywhere. Unfortunately, many of those who are hacked or exploited have not taken the time to learn about WordPress website security.
How to prevent Brute Force Attacks
Method 1: A simple, short-term fix
One thing you can do right now is stop using “admin” as your username! Many people keep “admin” (the historical default) and “password123” as their log-in credentials, and that is the first combination the attack tools try. WordPress does not let you rename an account from the dashboard, so create a new administrator account with a different username, log in as that user, and delete the old “admin” account, reassigning its posts to the new user when prompted.
Method 2: Install a brute force prevention plugin
Advanced: A longer-term solution: Use .htaccess to protect your log-in page
If your web hosting provider uses cPanel, you can follow these steps to set up password protection:
- Use this Htpasswd Generator (or the htpasswd command-line tool) to create a .htpasswd file containing a username and a hashed password.
- Upload the .htpasswd file to your home directory, outside the web root (public_html on cPanel), so that it can never be served to visitors.
- Add the code below to your .htaccess file. Replace ‘PathOnWebServer/WhereFileIsLocated’ with the absolute server path to your .htpasswd file.
AuthType Basic
AuthName "User name and Password are required for entry:"
AuthUserFile /PathOnWebServer/WhereFileIsLocated/.htpasswd
<Files "wp-login.php">
Require valid-user
</Files>
Although it means you will have another username and password to remember (learn how to make one that’s tough to crack, but easy to remember), this adds an extra step to the log-in process that the automated programs are not prepared for: Apache answers every request for wp-login.php with a 401 challenge until valid credentials are supplied, so the guesses never reach WordPress at all, which also takes the load off the server. The requests still appear in the raw access log, now with a 401 status, but bots give up on a URL that only ever challenges them, so the wp-login.php hits in your logging software should drop over time.
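The steps above leave two things to a practitioner's judgement: how the .htpasswd entry is generated and how to confirm the gate really works. The script below is an added example and is not part of the original post or the Vandelay Web instructions. It generates the entry with bcrypt when Apache's htpasswd tool is available (falling back to the Apache MD5 scheme via openssl), refuses to write the file inside the document root, and checks the finished gate from outside with curl. The user name wpgate, the /home/example paths, the URL and the assumption that the web server can read a file in your home directory are all illustrative; adjust them to your account.

```shell
#!/bin/sh
# Added example, not from the original post or the Vandelay Web instructions:
# create the .htpasswd entry for the wp-login.php gate, keep the file out of
# the web root, and confirm from outside that the gate challenges requests.
# User name, paths and URL below are assumptions; adjust them to your account.

# htpasswd_entry USER PASSWORD: print one .htpasswd line. Uses bcrypt via
# Apache's own htpasswd tool when present, otherwise the Apache MD5 (apr1)
# scheme via openssl, which every Apache 2.x accepts. Taking the password as
# an argument is for illustration only; on a real server run
# "htpasswd -B -c FILE USER" so the password is prompted for and never lands
# in shell history.
htpasswd_entry() {
    user=$1
    pass=$2
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$user" "$pass"
    else
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")"
    fi
}

# outside_docroot FILE DOCROOT: succeed only if FILE is not under DOCROOT.
# Apache refuses to serve .ht* files by default, but a file that cannot be
# requested over HTTP at all is the safer arrangement.
outside_docroot() {
    case "$1" in
        "$2"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# write_htpasswd FILE DOCROOT USER PASSWORD: write FILE with mode 644 so the
# web server (often a different system user on shared hosts) can read it; the
# home directory's own restrictive permissions keep other accounts out, which
# is an assumption about cPanel-style hosting. Refuses a path inside DOCROOT.
write_htpasswd() {
    file=$1
    if ! outside_docroot "$file" "$2"; then
        echo "refusing to write $file inside document root $2" >&2
        return 1
    fi
    ( umask 022 && htpasswd_entry "$3" "$4" > "$file" )
}

# verify_gate URL USER PASSWORD: the gate works if an anonymous request gets
# 401 and the same request with credentials gets 200. Needs network access to
# the live site, so run it by hand after editing .htaccess.
verify_gate() {
    anon=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    auth=$(curl -s -o /dev/null -w '%{http_code}' -u "$2:$3" "$1")
    echo "anonymous: $anon, with credentials: $auth"
    [ "$anon" = "401" ] && [ "$auth" = "200" ]
}

# Typical cPanel layout (assumed): home /home/example, web root
# /home/example/public_html, so AuthUserFile becomes /home/example/.htpasswd.
#   write_htpasswd /home/example/.htpasswd /home/example/public_html wpgate 'a long passphrase'
#   verify_gate https://yourdomain.com/wp-login.php wpgate 'a long passphrase'
```

Two caveats worth knowing before relying on this. First, the gate only covers wp-login.php; WordPress also accepts a username and password over XML-RPC (xmlrpc.php), so a bot that switches to that endpoint is not stopped by this .htaccess block and xmlrpc.php needs its own protection if you do not use it. Second, Basic auth sends the credentials with every request, so the site must be served over HTTPS for the extra password to be worth anything.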
Credit goes to Vandelay Web for the above instructions.
How did you go? Did you implement any of these steps to protect your website? Let me know in the comments.