Defend Your WordPress Website Against Brute-Force Attacks

Whether you’re fairly new to WordPress or an experienced developer, you might be surprised at just how often your websites are under attack. You might also be wondering who, or what, is carrying out this type of activity – not to mention why they’d target you.

The answers are simple. In most cases, the bad actor is an automated bot. And you’re being targeted simply because you happen to be running WordPress. As the most popular Content Management System (CMS) out there, it is directly in the crosshairs of malicious actors.

While there are all sorts of different attacks floating around out there, the brute-force variety is among the most popular. And that happens to be our subject for today.

Let’s take a look at what brute-force attacks are and some ways you can better protect your WordPress website.

What Is a “Brute-Force” Attack?

[Image: Binary code on a computer screen.]

A brute-force attack, according to Wikipedia:

“…consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.”

In the real world, this means that a malicious script runs repeatedly, entering usernames and passwords into the WordPress login page. It’s possible to see hundreds or even thousands of attempts like this per day.

Of course, if this were all completely random, it would be pretty difficult to successfully log into a website using such a technique. But there are two major reasons why these attacks can sometimes work:

  1. The use of weak login credentials, such as an all-too-common username and password.
  2. Using credentials that have been previously leaked elsewhere.

If either of these scenarios is in place, that raises the odds of a successful attack. And once the attacker has access to your WordPress dashboard, they can wreak all sorts of havoc.

But even if unsuccessful, these attacks can be both an annoyance and a drain on server resources. Therefore, it’s important to put policies in place that can help mitigate their damage.

Ways to Fight Back

[Image: A hammer smashing glass.]

Thankfully, there are a number of things you can do to better protect your WordPress website against brute-force attacks. The most basic is instituting common-sense security measures, such as using strong passwords and virtually anything other than “admin” as your username. These steps alone will at least make your site more difficult to crack.

However, there are some even stronger actions you can take, including:

Utilize a Plugin

There are a number of WordPress plugins that are dedicated to security, with several offering features designed to protect against brute-force attacks. Some of the more popular options include:

  - iThemes Security offers several login-related protections, including brute-force protection, two-factor authentication and the ability to rename the /wp-admin/ folder in order to thwart bots.
  - Wordfence employs several login-specific measures, such as two-factor authentication, reCAPTCHA and brute-force protection. There is also a companion plugin that solely focuses on login security.
  - Login LockDown is a plugin designed to limit brute-force attempts. It automatically locks out offending IP addresses after a set number of failed logins.
  - Jetpack’s “Protect” feature, which will block unwanted login attempts.

Employ a CDN/Firewall

Content Delivery Networks (CDNs) not only improve the performance of your website, they offer the side benefit of serving as a barrier between malicious bots and your WordPress install.

CDN providers often include methods to block out IP addresses or even entire countries from accessing your site (or, at least, your dashboard). Depending on the service you use, there may also be protections specifically targeted at stopping brute-force attacks.

The beauty of this approach is that you can significantly lighten the load on your web server. How? Attackers are stopped by the CDN’s firewall before they ever reach your site. It’s kind of like having a giant flyswatter out in front of your house, rejecting pests before they make it to your front door.

Limit Access to the Login Page

Depending on your web server’s setup, you might consider blocking access to the WordPress login page for all but a specific group or range of IP addresses. On an Apache server, for example, this could be done via the .htaccess file.

The caveat is that this strategy depends on administrators having a static IP address. In corporate environments, this would likely be the case. However, other scenarios may make this method more difficult. The official WordPress documentation has some further advice that is worth a look.

Another approach is to password-protect the login page at the server level. While this adds a bit of inconvenience, it does help to ensure that only authorized users gain access to the dashboard.

When It Comes to Security, Be Proactive

Unfortunately, doing nothing to combat brute-force logins is not a viable option. These attacks are both ubiquitous and relentless. And the landscape certainly doesn’t look like it will get better on its own. Therefore, it’s up to us to take preventative measures.

Thankfully, it’s not really that difficult. The options above, while not 100% perfect, are fairly easy to implement. And each one makes things that much tougher on the average bot.

Plus, when you think about it, the relative cost of mitigating these attacks now is much less than having to deal with a hacked website later on. That alone makes being proactive more than worth the effort.
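The IP restriction and server-level password on the login page described above, as an added example that is not part of the original article. It assumes Apache 2.4 (mod_authz_core and mod_auth_basic loaded, AllowOverride permitting AuthConfig and Limit in .htaccess) and administrators connecting from a fixed range; the address ranges, realm name and password-file path are placeholders.

```apache
# .htaccess in the WordPress root (added example, not the article's own file).
# Both rules below are evaluated before WordPress sees the request, so a bot
# hammering wp-login.php never reaches PHP or the database.

<Files "wp-login.php">
    # Server-level password prompt, separate from the WordPress account.
    AuthType Basic
    AuthName "Restricted login"
    # Keep the password file outside the web root so it can never be served.
    AuthUserFile "/var/www/private/.htpasswd"

    # RequireAll: the visitor must come from a trusted address AND present a
    # valid basic-auth user. Drop the "Require ip" line if admins have no
    # static address and rely on the password alone.
    <RequireAll>
        # 203.0.113.0/24 and 198.51.100.7 are placeholder (documentation) ranges.
        Require ip 203.0.113.0/24 198.51.100.7
        Require valid-user
    </RequireAll>
</Files>
```

Create the password file with `htpasswd -c /var/www/private/.htpasswd <username>`. If the site sits behind a CDN or reverse proxy, Apache sees the proxy's address unless mod_remoteip is configured, so test the "Require ip" rule from an untrusted address before relying on it.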

Posted by WordPress Guru