WordPress – The most widely used Content Management System in today’s Internet world. Due to its popularity, it’s an incredibly attractive target for hackers. There are some attacks to be faced by WordPress websites. Today, I’ll explain you a bit about Brute Force – Most widely used attack for password protected entities.
Brute Force attack also referred as Dictionary attack. It is the most famous attack on Internet. What happens in Brute Force attack, the hacker tries all possible combinations of digits, letters and special characters to guess the password for your account.
Most of the attacks are automated. Running from an individual machine or high-speed servers against your site. It depends on resources how much time is taken to get the actual password.
How attackers ATTACK:
Usually, when we create a WordPress website. We set our Username as “Admin” and Password as “12345” or “admin”. Such kind of most common username and passwords are the best friends of Brute Force attacks. These usernames and passwords can be hacked easily within few minutes.
As we have the site owner username as “Admin” and Password is “12345”.
The attacker will try all possible combination of digits, letters and special characters against our account. It will continuously start verifying on each iteration. Once password matches. You’re HACKED!
How to Prevent from Brute Force Attacks:
There are a number of ways to prevent such kind of attacks. Below are few of them.
- Pick Strong Username & Password:
Choose a unique username and strong password after you’ve setup your WordPress site. From your WordPress Admin Panel, navigate to “Users > Add New”. Create a new user of a unique name (avoid using a dictionary word). Set an adamant password. Assign him “Administrator” role. Refer the image below.
Now, Logout. And login again from the newly created account. Navigate to Users and delete WordPress default user account. Typically named as “Admin”.
- Limit Login Attempts:
By default, WordPress does not allow to limit the login attempts. That means when login to an account fails continuously. It will not restrict the user to stop. There are many plugins in WordPress directory that can restrict users from login after particular failed login attempts. One of them is WP Limit Login Attempts.
From your WordPress Admin Panel. Navigate to “Plugins > Add New”. From the top right corner, search for “WP Limit Login Attempts”. Once found. Click on “Install” and “Activate” it.
After successful installation. Navigate to “Settings > WP Limit Login”. You’ll see settings like below image. In its free version, you cannot change the default settings. If you want to configure according to your needs, you can use its premium version.
After configuring, go to your WordPress login page. Remember you have 5 login attempts and a failed login attempt is shown below for your further clarification.
After all 5 login attempts. This message will be displayed and restrict that particular user for 10 minutes.
- Two Factor Authentication
The best way to prevent from Brute Force attack is using Two Factor Authentication. That means along with your password, a login code sent to your phone is also required for authentication. Internet giants like Gmail, Facebook, Twitter, LinkedIn, Hotmail, Yahoo mail and others are also using Two Factor Authentication for security.
You can also use Two Factor Authentication on your WordPress based website too. Clef and Duo Two-Factor Authentication are the most popular plugins for WordPress Two Factor Authentication.
- More Advanced Protection
For complete prevention from different kind of attacks, there are a number of Plugins available on WordPress directory. Some of the most popular are:
You can also read more about Brute Force attack from here.
After successful installation of your WordPress website. Security is most important factor. One should not ignore it. Last, but not the least. Your hosting plays a crucial role in securing your WordPress website. There are many Managed WordPress Hosting providers like Cloudways that provides 1-click installation of WordPress.
Feel free to ask any query by using comment section below.
Great post Jitendra . But it’s not only brute force attack that can Couse problem to one’s website. Now a days we face different kind of attacks from hackers. So I think it’s very important to take care of our website or blog in a proper way.
We should Always keep our WordPress installation up to date. We should Update our WordPress as soon as possible if there is any new WordPress update. Most of the times, hacked websites are those which are using an older version of WordPress. Older versions of WordPress always have a few known security issues
We should always keep plugins and themes added in our blog updates to latest version. New versions always come with new features and security fixes. So, updating plugins and themes is necessary
Download themes and plugins only from trusted sources. Nulled themes and themes from untrusted sources generally contain malware in the code. If you install any security plugin, you will be notified, but why to take risk. Avoid any unknown source for download plugins and themes.