Attacking a website with brute force is an old technique, and it is still common on the Internet. Brute-force attacks can take your website down and disrupt your online business if the necessary prevention is not in place.
A brute-force attack can be carried out by a human or by bots that continuously try to log in to your WordPress website with guessed credentials.
This gets worse when the login page is not protected; some research has observed thousands of login attempts to wp-login.php per minute.
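A quick way to see whether your own site is getting the kind of traffic described above is to count login POSTs per source address per minute in the web server access log. The script below is an added example (not code from the original post or any of the plugins it mentions); the log lines are constructed samples in the Apache/Nginx "combined" format, and the threshold of 3 per minute is an assumed value you would tune for your site.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:59 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
"""

# client ip, ident, user, [timestamp], "METHOD path proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def login_posts_per_minute(log_text):
    """Count POST requests to wp-login.php per (client IP, minute)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format instead of crashing
        if m.group("method") != "POST" or not m.group("path").startswith("/wp-login.php"):
            continue  # only form submissions count; a GET is just loading the page
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        counts[(m.group("ip"), ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return counts


def flag_bruteforce(log_text, threshold=3):
    """Return [(ip, minute, count)] for sources at or above the threshold, busiest first."""
    hits = [(ip, minute, n)
            for (ip, minute), n in login_posts_per_minute(log_text).items()
            if n >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    for ip, minute, n in flag_bruteforce(SAMPLE_LOG):
        print(f"{ip} sent {n} login POSTs during {minute}")
```

Pipe a real access log through `flag_bruteforce` and the sources it returns are the ones a lockout plugin or firewall would be blocking.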
Let's take a look at a graph by SUCURI.
More than 1 million attacks per hour are blocked by SUCURI.
A few days back, I received 42 email notifications about site lockouts due to brute-force attacks. So this can happen to you.
There are multiple ways to prevent brute-force attacks; here are two of them that you can follow.
Hide WordPress Login
One of the first things you should consider doing after setting up your website is to hide the login area.
By default, the WordPress login page is available as:
Knowing which technologies a site uses is easy these days. So if the bad guys know you are using WordPress and the login area is not hidden, they can easily reach the login page and prepare a brute-force attack.
Let's hide the WordPress login area with the following plugins. You can use any one of them.
WPS Hide Login
WPS Hide Login is a lightweight plugin with over 40,000 active installs. This plugin lets you change the login URL to anything you wish.
After changing the login URL, if someone tries to access wp-admin, wp-login.php, /login or /admin, they will get a 404 error page.
Another very lightweight plugin, with over 100,000 active installs, that serves the same purpose. Change wp-login.php to anything you want, but don't forget the new name you chose.
Don't worry about what happens if you disable or uninstall the plugin: the login page will be restored to the default WordPress one.
iThemes Security (Better WP Security)
Better WP Security is not just for hiding the login area; it is a complete WordPress security suite. If you are already using this plugin, this is how you can use it to hide the login area. If you are not using it yet, you may want to try it. It's one of the most popular plugins, with over 700,000 active installs.
The steps below assume you have already installed the plugin.
- Login to your WordPress
- Go to Security >> Settings
- Select "Hide Login Area" from the Go to drop-down
- Enter the URI you want to use to access the admin page
- Click on “Save All Changes”
Don't forget to test by accessing the admin page with the URI you just set.
The above three plugins should help you hide the WordPress login area. Let's take WordPress security further with 2-factor authentication.
Implement 2-factor Authentication
2-factor authentication adds an extra layer of security to your WordPress website. Along with your credentials, you also need to supply a one-time password (OTP). This is achievable with the following plugins. Pick the one you like.
Google Authenticator for WordPress
Use the Google Authenticator plugin to generate a one-time password that you must enter every time you log in. It adds an additional box to the login form for the OTP generated by the Google Authenticator app.
Note: in order to use Google Authenticator, you must have a phone with the Google Authenticator app installed.
Once you have the app installed, you can set up the account and you're all set!
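To show what the plugin and the phone app are actually agreeing on, here is the time-based OTP algorithm (RFC 6238 TOTP with HMAC-SHA1, 30-second steps, 6 digits, which is Google Authenticator's default) as an added example; it is not code from the plugin or from the original post. `DEMO_SECRET` is the base32 encoding of the RFC 6238 test-vector key, not a real account secret, and the `window` tolerance of one step either side is an assumed setting.

```python
import base64
import hashlib
import hmac
import struct
import time

# Base32 of the RFC 6238 test key "12345678901234567890" (a published test vector, not a real secret).
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated to 6 digits."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))  # restore stripped padding
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte picks the 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, submitted, for_time=None, step=30, window=1):
    """Accept the code for the current step or up to `window` steps either side (clock drift).

    Uses a constant-time comparison so the check does not leak how many digits matched.
    A real plugin must also remember the last accepted counter so a code cannot be replayed.
    """
    now = time.time() if for_time is None else for_time
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + drift * step, step), submitted):
            return True
    return False


if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET))
```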
Clef Two-Factor Authentication
Clef is a very smart way of logging in to your WordPress. It completely removes the concept of entering a password; your phone acts as your identity. It's very popular, with over 700,000 active installs, and I personally use it.
After setting up an account with Clef (it's free), each time you log in you have to wave your phone in front of the login window. It's magical!
No more need to remember a password, and you can forget about brute-force attacks with Clef.
You can apply these techniques to your WordPress website to protect it from brute force. However, you may also use a cloud-based security provider, which protects from brute force and many other vulnerabilities.
You may consider any one of the following.
Incapsula by IMPERVA is a complete website security and performance solution powering thousands of websites, including some of the following popular websites.
Incapsula offers a free plan and has 28 data centers worldwide. So if web security is your concern, go ahead and try Incapsula.
Cloud Flare is one of the most popular CDN and security companies, powering more than 2,000,000 web properties faster and more securely. If you are struggling with a slow-loading website and weak security, go ahead and try Cloud Flare.
SUCURI specializes in website antivirus and firewall. They help you stop hack attempts, stop DDoS attacks, clean hacked sites and provide complete security for your website.
WordPress security by SUCURI is probably the only thing you need to secure your WordPress website from brute force and many other security vulnerabilities.
The above three cloud-based security providers help not only WordPress but also any other platform, like Joomla, Drupal, PHP, etc.
I hope you now have an idea of how to protect your website from brute force and many other security vulnerabilities. Stay secure!