This week one of my clients' WordPress sites was the victim of a brute force attack. Luckily the client had a good password, but the sheer number of login attempts caused the web host to suspend his service because of Terms of Service (TOS) violations.
His website was using over 80% of the server's resources, and it took the web host almost 24 hours to restore his site.
Ouch! There are some steps you can take to help prevent brute force attacks.
First of all, what are brute force attacks?
Brute force attacks occur when a hacker tries to access your administration dashboard by guessing your username and password. The hackers use software to continually try combinations until they find success. In the case of my client, this meant so much drain on server resources that the web host was alerted and shut the site down. The good news is the client didn't have a breach in security, but the bad news is his site was down for 24 hours.
Okay, so how do you prevent brute force attacks on your WordPress site?
Make sure you are not using admin as your website login.
Many WordPress installations use admin as the default login, and hackers know this. Change your login to something more difficult to guess. (Learn how to change your username here)
Use a strong password.
Make it difficult for hackers to guess your password. Here are some ideas on how to create a strong password. You should also change your password every 60-90 days.
Install a plugin that helps secure your login.
There are several plugins that you can choose from. Here are some of the more popular ones.
More Secure Login – adds an additional field to your login. You print an access card with a code key. When you are logging in you will be prompted for a key. Look it up on your access card and enter the correct code. You and anyone else who logs in to WordPress will always need the access card when you want to log in.
Login Security Solution – increases your password security and blocks brute force and dictionary attacks. This plugin enforces strong password selection and monitors and blocks abnormal login attempts.
Limit Login Attempts – limits the number of login attempts and locks out users after too many failed attempts.
Limit your wp-admin access by IP address.
One great way to prevent attacks is to limit access to the login page to your own IP address. Unfortunately, this is difficult for many WordPress owners to do. It won't work well if multiple users need to access WordPress or if you do not have a static IP address.
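Here is what the IP restriction looks like in practice. This is an added example and not part of the original post or of any plugin mentioned in it. It assumes the site runs on Apache 2.4 with mod_authz_core (the `Require` syntax; Apache 2.2 used `Order`/`Deny`/`Allow` instead), that `.htaccess` overrides are enabled for the site, and that you have a static address to allow; 203.0.113.25 is a placeholder documentation address, not a real one.

```apache
# Added example, not from the original post.
# File 1: .htaccess in the WordPress root directory.
# Only the listed address may even request the login page; everyone else
# gets a 403 from Apache before PHP or the database is touched, so repeated
# guesses no longer burn the server resources described above.
<Files wp-login.php>
    Require ip 203.0.113.25
</Files>

# File 2: .htaccess inside the wp-admin/ directory.
# Same restriction for the dashboard, with one exception: admin-ajax.php is
# used by many themes and plugins for logged-out visitors on the public site,
# so it must stay reachable or front-end features will break.
Require ip 203.0.113.25
<Files admin-ajax.php>
    Require all granted
</Files>
```

To verify the rule, load `/wp-login.php` from the allowed address (the normal login form appears) and from any other connection, such as a phone on mobile data (Apache returns 403 Forbidden). If you need to allow more than one office or person, add each address on its own `Require ip` line; if your address changes regularly, this approach is the wrong fit and one of the login-limiting plugins above is the better choice.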
It is really important to take these extra security precautions, not only to prevent hackers from gaining access to your website, but also to help prevent downtime for your website.
If you have other ideas on how to secure your WordPress website, share them with me.