View Categories

Reading Time: 5 min read

Methods to Protect Your WordPress Site from Brute Force Attacks #

Methods to Protect Your WordPress Site, Brute force attacks present a serious threat to websites. They can slow down your site, allow hackers to upload malicious malware, or even render your site inaccessible. This article will guide you on protecting your WordPress site from brute force attacks.

Before we begin, it’s crucial to understand what a brute force attack entails.

Brute Force Attack: Methods to Protect Your WordPress Site #

Hackers use specialized programs or algorithms to generate and enter random passwords or codes to bypass a website’s or network’s security. These programs repeatedly send numerous requests to the system until they eventually crack the authentication information.

Simply put, brute force attacks employ a trial-and-error method to guess your login details and gain access to your computer system. If successful, hackers can log in as administrators and wreak havoc on your website or network. They might create a virtual backdoor, install malware, steal user information, and make changes to your site without your knowledge.

That’s not all! Even unsuccessful brute force attacks can burden your hosting servers, slowing down your website and potentially causing server crashes.

To make matters worse, hackers cleverly disguise these attacks by using different IP addresses and locations, making it much harder for the targeted system to identify and block these malicious activities.

We will review each of these points separately.

1. Add a Firewall Plugin: Methods to Protect Your WordPress Site #

Brute force attacks manifest as requests to your server. It’s more effective to detect and block these requests before they reach the server.

You can achieve this by installing a firewall plugin on your WordPress site. First, you need to install the plugin on your WordPress site.

There are two types of firewall solutions available:

  1. Application-Level Firewall: These plugins scan incoming traffic to your server, but the scan occurs before most WordPress scripts load, reducing their efficiency and effectiveness. They can still allow brute force attacks to strain your server.
  2. DNS-Level Firewall: These plugins route your web traffic through cloud proxy servers to inspect the requests. They filter out unwanted requests on their servers and forward legitimate traffic to your server. This approach avoids the downsides of application-level firewalls and does not affect the speed and performance of your WordPress site.

While both firewall solutions provide website protection, the latter is clearly more effective but also more expensive.

Evaluate your budget and assess the risks before selecting a firewall plugin. However, ensure you have one installed on your WordPress site. If you can’t afford the paid plans, the free version is still a good option.

2. Regularly Update WordPress and Plugins #

Websites running older versions of WordPress, plugins, and themes are the most frequent targets of brute force attacks. Hackers exploit outdated software because they are aware of its vulnerabilities.

WordPress core and nearly all popular plugins consistently release updates to enhance their security by addressing vulnerabilities. We advise you to routinely check for WordPress updates. Failing to do so leaves your website exposed to attacks through those old weaknesses.

3. Protect the WordPress Admin Directory: Methods to Protect Your WordPress Site #

The WordPress admin area is a common target for brute force attacks on WordPress sites. Adding password protection to the WordPress admin (wp-admin) directory is a simple and effective way to prevent this. It blocks unauthorized users from accessing the WordPress admin area.

You can add a password to the wp-admin directory through your control panel. Just access the wp-admin directory of your WordPress site and enable password protection.

If you encounter a 404 error or error Too many redirects message,

you can resolve it by adding this line to your WordPress .htaccess file:

ErrorDocument 401 default

4. Enable or Add Two-Factor Authentication #

Two-factor authentication is a powerful defense against brute force attacks, adding an extra layer of security to your WordPress login. Users must generate a one-time passcode on their phones to access the WordPress admin area, in addition to their login credentials.

With two-factor authentication, you can create temporary codes in real-time. These random codes are nearly impossible to guess or decode, making it significantly harder for hackers to access your WordPress account, even if they crack your password.

5. Utilize Robust Random Passwords #

Passwords unlock the security of any system, so it’s essential to keep them private and confidential.

Using personal information like birth dates, names, or contact numbers as passwords is risky and should be avoided.

Hackers may be monitoring your online activities and could use personal details to guess your passwords.

The best protection for your WordPress accounts is a unique password with a random mix of numbers, letters, and special characters. This applies to WordPress admin, FTP, control panels, and other critical online systems.

You don’t need to remember or store these complex passwords manually. Password manager apps can securely store them and autofill when needed.

6. Turn Off Directory Browsing in WordPress #

Sometimes, your web server can’t find an index file (index.php or index.html). By default, it then displays an index page listing the web directory’s contents.

Hackers may use directory browsing to find vulnerable files and launch a brute force attack.

To prevent this, you need to edit your WordPress .htaccess file and add/copy the following line at the end:

Options -Indexes

7. Prevent PHP File Execution in Specific WordPress Directories #

One of the most common methods to start brute force attacks is by running PHP scripts on a web server. Hackers frequently attempt to install and execute a PHP script within your website’s WordPress folders. Since WordPress is mainly written in PHP, disabling the malicious script for all WordPress folders is not recommended.

However, some folders don’t require PHP scripts at all. For instance, the uploads folder in WordPress, located at /wp-content/uploads, is a common place for hackers to hide backdoor files.

The good news is you can disable PHP execution in the uploads folder without affecting your WordPress website’s functionality.

To Disable PHP Execution #

  1. Open a text editor (e.g. Notepad) on your computer.
  2. Copy or type the following code:
  3. <Files *.php> deny from all </Files>
  4. Save it as a .htaccess file.
  5. Open your FTP client and upload it to the /wp-content/uploads/ folder on your website.

You can also create or edit the .htaccess file in the uploads folder using the File Manager tool.

Methods to Protect Your WordPress Site

8. Set Up a Backup Plugin #

In the worst-case scenario, an attack could disrupt your website and cause data loss. Hence, choosing a WordPress hosting service that offers regular data backups is essential.

If your hosting lacks backup services, you can still back up your WordPress site using plugins. There are many free and paid backup plugins on WordPress that can automate your site backups.

Just install and activate the plugin. Here are some popular backup plugins for WordPress: UpdraftPlus, VaultPress (Jetpack Backup), Backup Buddy, BlogVault, and BoldGrid Backup.

In Summary #

Websites constantly face the threat of brute force attacks. These unconventional attacks allow hackers to cause significant damage to the website and harm its online reputation.

Protecting your website from these threats is crucial. While WordPress is a modern, secure, and advanced CMS, it is not without flaws. However, by adjusting some settings and using the right technologies, you can effectively defend your WordPress site against brute force attacks.