Brute Force Attacks on WordPress Websites have caused a lot of pain to webmasters and web hosting companies in recent weeks. If you’re using WordPress to power your website, you may be vulnerable to a new web-based attack that aims to hack your admin password.
The good news is you can do something about it. You can tighten your WordPress security to counter these attacks. But first, let’s understand these attacks a little better.
What Are Brute Force Attacks?
Brute Force Attacks are aimed at breaking into your WordPress Admin Dashboard. They specifically target your WordPress website’s wp-login.php from a large number of IP addresses spread geographically around the world.
The scale of these attacks is massive. Just imagine a large botnet army of around 90,000 compromised servers continuously attempting to guess your username and password to get into your WordPress Admin Dashboard.
These attacks hammer the wp-login.php file on your website over and over until they get in or the web server dies. If you are using “admin” or “administrator” to log in to your dashboard, you should know that you are at risk!
According to WordPress.org:
Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again until it gets in. Often deemed 'inelegant', they can be very successful when people use passwords like '123456' and usernames like 'admin.'
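An attack like this leaves a very recognizable trail in the web server access log: a flood of POST requests to wp-login.php. The script below is an added example, not code from the original post, that parses a few constructed Apache combined-format log lines (the IP addresses are from the RFC 5737 documentation ranges), counts login guesses per source address and reports the overall volume. It relies on the usual WordPress behaviour of answering a failed login with a 200 (the form is shown again) and a successful one with a 302 redirect.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format); these are
# not from the original post. IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.24 - - [15/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.25 - - [15/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Apr/2013:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Apr/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.10 - - [15/Apr/2013:10:00:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 12000 "http://example.com/wp-login.php" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield (ip, method, path, status) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])


def login_posts_per_ip(text):
    """Count password guesses per source IP.

    A failed WordPress login renders the form again with HTTP 200, while a
    successful one redirects (302), so only 200 responses to a POST on
    wp-login.php are counted as guesses.
    """
    counts = Counter()
    for ip, method, path, status in parse_log(text):
        path_only = path.split("?")[0]
        if method == "POST" and path_only.endswith("/wp-login.php") and status == 200:
            counts[ip] += 1
    return counts


def flag_sources(text, threshold=5):
    """Return (ip, guesses) for sources at or above the threshold, busiest first."""
    counts = login_posts_per_ip(text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def summary(text):
    """Overall volume: total guesses and how many distinct IPs sent them."""
    counts = login_posts_per_ip(text)
    return {"total_guesses": sum(counts.values()), "distinct_ips": len(counts)}


if __name__ == "__main__":
    print("noisy sources:", flag_sources(SAMPLE_LOG))
    print("overall:", summary(SAMPLE_LOG))
```

Run against the sample, only 203.0.113.7 crosses the per-IP threshold, yet three other hosts each made a single guess. That is what a botnet of tens of thousands of servers looks like in a log: each address stays below any per-IP limit, so the total guess count and the number of distinct sources are the numbers worth alerting on, not just the busiest IP.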
Steps To Protect Your WordPress Websites
Your web hosting company is already doing everything it can to protect your websites from these attacks. In addition, there are a few things you can do to ensure your particular website is safe and sound.
Here are steps you can follow to improve your security for your WordPress website:
1. Get Rid Of The Default Accounts
Do not keep the default WordPress Admin user account, usually “admin” or “administrator”, active. Hackers use these default account names to begin their attacks. Create a user ID that is hard to guess.
2. Use Strong Passwords
These botnets have been using common passwords like “123456”, “qwerty123”, etc. to break into your WordPress dashboard. It is important that you create a password that is hard to guess. To create such a password, you may want to follow these guidelines:
- Use at least 8 characters in total. The more, the better.
- Use a mixture of upper- and lower-case letters.
- Mix in numbers, punctuation or other non-alphanumeric characters.
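The following is an added example, not code from the original post, that turns the three guidelines above into a check and pairs it with a generator that produces passwords guaranteed to pass it. The short deny-list is constructed from the passwords named in the post; a real deployment would use a far larger list.

```python
import secrets
import string

# Small deny-list constructed from the passwords the post says the botnet
# tries; illustrative only, a real list would be much longer.
COMMON_PASSWORDS = {"123456", "qwerty123", "password", "admin"}

MIN_LENGTH = 8  # the post's minimum; longer is better


def check_password(pw):
    """Return a list of guideline failures; an empty list means the password
    meets all three guidelines from the post and is not on the deny-list."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    if not (has_lower and has_upper):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("needs a number or punctuation character")
    return problems


def generate_password(length=16):
    """Generate a random password that satisfies check_password.

    Uses the secrets module (OS CSPRNG) rather than random, which is not
    suitable for security-sensitive values. Rejection sampling keeps the
    distribution uniform over all strings that satisfy the policy.
    """
    if length < MIN_LENGTH:
        raise ValueError("use at least %d characters" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("123456", "qwerty123", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "ok")
    print("generated:", generate_password(20))
```

Keep the check on the server side as well as in any signup form: it is the server that must refuse a weak password, since the browser-side form is under the visitor's control.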
3. Lock Down Your WordPress Admin Through .HTACCESS
Caution! Before following this step, make sure you know what you are doing. If you do this step wrong, it can break your website. Now here is what you can do:
Edit your .HTACCESS file to lock down access to your WP-ADMIN screen. The .HTACCESS file is usually located in your website’s home directory on the web server. You can edit the file through cPanel, or use FTP to transfer a copy of the file to your local machine, edit it in a text editor, and then upload the modified file to replace the original. Now add the following lines to the beginning of the .HTACCESS file:
<IfModule mod_rewrite.c>
RewriteEngine on
# Only POST requests (the actual login attempts) are affected
RewriteCond %{REQUEST_METHOD} POST
# ...whose Referer is not your own site (case-insensitive);
# use https?:// here instead of http:// if your site is served over HTTPS
RewriteCond %{HTTP_REFERER} !^http://(.*)?YourDomain\.com [NC]
# ...and that are aimed at the login page or the admin area
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Reject the request with 403 Forbidden
RewriteRule ^(.*)$ - [F]
</IfModule>
Important: Please make sure you replace YourDomain with your actual domain name. If your domain is not a .com, replace .com in the above code with your domain’s extension.
These .HTACCESS rules ensure that only login requests coming from your own domain are entertained. Every other POST request to wp-login.php or wp-admin is rejected with a 403 Forbidden response.
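Before putting these rules on a live site it helps to trace exactly which requests they reject. The script below is an added example, not code from the original post, that re-implements the four RewriteCond tests in Python so you can try requests against them offline. It mirrors mod_rewrite's combination logic: conditions are ANDed unless joined by [OR], so the rule fires when the request is a POST, the Referer does not match your domain, and the URI is either wp-login.php or ends in wp-admin. The domain and sample requests are constructed placeholders.

```python
import re


def is_blocked(method, referer, uri, domain="yourdomain.com"):
    """Evaluate the post's RewriteConds for one request.

    mod_rewrite ANDs consecutive conditions; the [OR] flag joins only the
    two REQUEST_URI tests. So the block fires when:
        POST  and  (Referer not from domain)  and  (wp-login.php or wp-admin)
    """
    cond_post = method == "POST"

    # [NC] makes the Referer test case-insensitive. As written in the post
    # the pattern only accepts http:// referers, so an https:// referer from
    # your own site counts as foreign; change to https?:// for an HTTPS site.
    referer_ok = re.compile(r"^http://(.*)?" + re.escape(domain), re.IGNORECASE)
    # Apache expands %{HTTP_REFERER} to "" when the header is absent.
    cond_foreign_referer = referer_ok.match(referer or "") is None

    cond_login = re.match(r"^(.*)?wp-login\.php(.*)$", uri) is not None
    cond_admin = re.match(r"^(.*)?wp-admin$", uri) is not None

    return cond_post and cond_foreign_referer and (cond_login or cond_admin)


# Constructed sample requests: (method, Referer header or None, request URI)
SAMPLE_REQUESTS = [
    ("POST", None, "/wp-login.php"),                                      # bot, no Referer
    ("POST", "http://www.yourdomain.com/wp-login.php", "/wp-login.php"),  # normal login
    ("GET", None, "/wp-login.php"),                                       # loading the form
    ("POST", "https://www.yourdomain.com/wp-login.php", "/wp-login.php"), # HTTPS site
    ("POST", None, "/wp-admin"),                                          # admin root
    ("POST", None, "/wp-admin/admin-ajax.php"),                           # not matched
]


def decisions(requests=SAMPLE_REQUESTS, domain="yourdomain.com"):
    """Map each sample request to 'blocked' or 'allowed'."""
    return {
        (m, r, u): "blocked" if is_blocked(m, r, u, domain) else "allowed"
        for m, r, u in requests
    }


if __name__ == "__main__":
    for req, verdict in decisions().items():
        print(verdict.ljust(8), req)
```

Two things the trace makes visible: the HTTPS case shows that the rule as printed would reject your own logins once the site moves to HTTPS, and the admin-ajax.php case shows that only a URI ending exactly in wp-admin is covered. Treat the Referer test as a cheap filter that stops unsophisticated bots, not as authentication; the strong-password and non-default-username steps remain the real protection.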
4. Implement CloudFlare To Get DNS Level Protection
Usually CloudFlare offers DNS level filtering only to its paid customers. Due to the large scale of this botnet attack, CloudFlare has rolled out DNS level filtering to all of their free accounts as well. This is an awesome step by CloudFlare and I really appreciate being on CloudFlare for this reason.
CloudFlare is a system that I have highly recommended from the time when nobody was talking about these brute force attacks. It is simply awesome because of the level of security and speed it provides to your websites.
Congratulations if you are on CloudFlare already. If you are not yet using CloudFlare, check out these posts to find out how you can use it and how you will benefit from it:
- CloudFlare Supercharges Your Website Security And Performance
- Blazing Fast And Secure Website Using MaxCDN And CloudFlare Combo
5. Keep WordPress And Your Plug-ins Up-To-Date
This should be an important daily maintenance task whether or not a threat exists. Keeping your website up-to-date with the latest versions of WordPress and all plugins is critical to maintaining the integrity of your website.
I login to my WordPress admin and check to see if there are any available updates every day. As soon as I find a new update, I check the details, take a backup of my website and apply the update.
6. Take Regular Backups Of Your WordPress Website
Speaking of backups, I wrote extensively about the importance of making regular backups of your WordPress websites. If you missed the posts, here are the links for your reference:
- Best Way To Manage Your WordPress Blogs Is To Use ManageWP
- Best Ways To Take Regular Backups Of Your WordPress Websites
If you have not secured your website yet, this should be your opportunity to strengthen your security protection. These steps will significantly reduce opportunities for hackers to be able to take over your WordPress website.
Your Turn To Share
How are you preparing to protect your website from these brute force attacks? Is there any additional measure that you want to suggest? Please share your thoughts in the comments by clicking here. Thank you kindly!
