How to Defend Against a WordPress Brute Force Attack
There are a lot of unscrupulous individuals out there that have been breaking into people’s WordPress websites and causing havoc on servers in general. One of the ways these individuals are doing this is by using what’s called a WordPress brute force attack. A WordPress brute force attack is when a hacker, or rather slime of the earth hacker, sics a bot (hacker program) on your WordPress login area to gain access to your administrative panel. This bot tries to guess your username and password by using processing power to enter as many combinations as possible until it guesses correctly, hence the name WordPress brute force attack.
#1. The obvious concern is that someone could gain access to your website backend and potentially destroy your website, steal sensitive user information, and even install hidden malware in the background of your website that loads viruses onto your site visitors’ systems. Eek!!! 😯
#2. The less obvious concern is the effect on your server. Distributed denial of service attacks, or DDoS attacks, are caused in a variety of ways. One of those ways is with a WordPress brute force attack. The program that the hacker uses to implement the attack makes thousands of requests to your server and essentially cripples it in the process. Because the server is so busy with the hacker’s program requests, it slows down to a crawl so regular users can’t access it. This has caused a major problem for many hosting companies and website owners alike. The problem is that many hosts choose the wrong solution to this problem and make matters worse.
Now that we know what a WordPress brute force attack is, let’s go over how to properly defend against it. There are some traditional methods that some inexperienced web hosts implement to prevent these attacks. One of those methods was implemented by my former web host (I won’t mention any names) :x. They added a CAPTCHA to all of the WordPress .htaccess files on my server (without notifying me, I might add). It caused all kinds of issues with other WordPress plugins and quite frankly is just an ugly hack. We are going to take a look at the proper way to defend against a WordPress brute force attack with a well-thought-out and properly programmed WordPress plugin.
BruteProtect tracks failed login attempts to your website. If any single IP address has too many failed attempts in a short period of time, it is blocked from logging in to your site. Normally this wouldn’t be a problem for a savvy hacker with access to hundreds or even thousands of IP addresses, but BruteProtect uses the power of the WordPress community: any failed login attempt at a website with the plugin installed is reported to the BruteProtect server. This means the hacker can be blocked from your website before they even make their first attempt to hack in. With the power of thousands of WordPress websites working together the hackers don’t stand a chance. 😛
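To make the two mechanisms concrete, here is an added example (my own illustration, not BruteProtect’s code) of a per-IP failed-login throttle with a sliding window, combined with a shared blocklist that refuses reported IPs before their first local attempt; the thresholds, the IP addresses, and the login events are constructed for the example.

```python
from collections import defaultdict, deque

# Assumed policy values for this example (not BruteProtect's real settings).
MAX_FAILURES = 5       # failed attempts allowed per IP ...
WINDOW_SECONDS = 300   # ... within this sliding window (seconds)
BLOCK_SECONDS = 900    # how long a locally triggered block lasts

class LoginThrottle:
    def __init__(self, shared_blocklist=()):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time the local block expires
        self.shared_blocklist = set(shared_blocklist)  # IPs reported by other sites

    def is_blocked(self, ip, now):
        # IPs reported by the wider network are refused before their first local attempt.
        return ip in self.shared_blocklist or self.blocked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register a failed login; returns True if the IP just got blocked."""
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()             # forget failures outside the sliding window
        if len(window) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)      # a real login clears the IP's failure history

# Constructed sample attempts: (timestamp, client ip, credentials were correct?)
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7", False), (10, "203.0.113.7", False), (20, "203.0.113.7", False),
    (30, "203.0.113.7", False), (40, "203.0.113.7", False),
    (50, "203.0.113.7", True),    # guessed correctly, but already blocked locally
    (60, "198.51.100.2", False), (70, "198.51.100.2", True),   # one typo, then success
    (80, "192.0.2.9", True),      # on the shared blocklist, never gets to try
]

def replay(attempts, shared_blocklist=("192.0.2.9",)):
    """Run attempts through the throttle; returns the (timestamp, ip) pairs allowed in."""
    throttle = LoginThrottle(shared_blocklist)
    allowed = []
    for ts, ip, ok in attempts:
        if throttle.is_blocked(ip, ts):
            continue                     # refused without even checking the password
        if ok:
            throttle.record_success(ip)
            allowed.append((ts, ip))
        else:
            throttle.record_failure(ip, ts)
    return allowed
```

Only the legitimate user at 198.51.100.2 gets in: the guessing bot is locked out on its fifth failure, and the community-reported address is refused on its very first request.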
BruteProtect is very easy to install. Just follow the author’s instructions on the WordPress plugin page (BruteProtect). Once you install the plugin, you will need to get a free BruteProtect API key, which you can do directly from your WordPress dashboard. Just enter your email address and hit the “Get an API Key” button. Go to your email, copy the emailed API key into BruteProtect’s dashboard area, and hit the “Save API Key” button. That’s it!!
BruteProtect allows you to protect yourself against traditional brute force attacks AND distributed brute force attacks that use many servers and many IPs. There are some other great plugins out there that can defend against a WordPress brute force attack besides BruteProtect, but this is my favorite and is really what I recommend. I believe if you are using CloudFlare (which I highly recommend) there is a security feature that is automatically built into the service.
Please feel free to comment or ask any questions you may have.
I hope this helps.