Do you want to stop and prevent brute force attacks on your site?
In a brute force attack, hackers simply try thousands of username and password combinations until they hit on the correct one.
Once they get into your website, they can do all sorts of things, such as adding malicious ads, scamming your users, and even taking down your website.
This tutorial will show you how to stop and prevent brute force attacks so that hackers have no chance of breaking into your site.
But before we get started with the steps, let’s clarify what a brute force attack is so you can understand it better during the tutorial.
What is a brute force attack?
When we say that hackers try different password combinations on your site to log in, you might be imagining a real person sitting in front of a computer and typing in passwords, right?
Hackers are much more advanced than that. They program bots to scan the Internet and find websites that run WordPress. They then target the login page, which is usually www.example.com/wp-admin.
Once on the login page, these bots work through a huge database of commonly used usernames and passwords.
- Common usernames include “admin” or the name of the person who owns the site.
- The most common passwords are password1234, 12345678 and qwerty1.
These hacker bots are capable of making thousands of login attempts per minute. And they keep trying again and again until they get it right or exhaust their database. Hence the name “brute force” attack.
You may now think that all you have to do is set a very strong password and problem solved. But that is not enough.
Thousands of login attempts can slow down your website and even cause it to crash. It can disrupt the user experience, meaning visitors will leave your site because it doesn’t load fast enough.
A better way to protect your site is to prevent the hacker from making these attempts in the first place. That’s what we’ll show you how to do next. Let’s dive right in.
How to stop brute force attacks on WordPress
Below we’ll outline 6 important steps you should take to protect your site from hackers. We’ll focus on preventing brute force attacks, but keep in mind that these steps will also help you stop other malware attacks.
You’ll be building a robust security system that ensures hackers have no way to harm your site from inside or outside.
Here is a list of the 6 steps we will cover:
- Install a Firewall Plugin
- Limit login attempts
- Restrict access to the login page
- Expire Passwords Regularly
- Add 2-factor authentication
- Add HTTP authentication
Step 1: Install a firewall plugin
A firewall serves as your first line of defense. It will scan every visitor that comes to your site and block malicious bots. This means that only good traffic is allowed to view your site.
There are two types of website firewalls you can use.
- Web Application Firewall: These firewalls sit in front of your WordPress site to scan incoming traffic. They are quite effective, but they do not offer server-level protection. This means that hackers can attack your server and damage your site.
- DNS Level Firewall: This firewall gives you better protection against hackers as it sits in front of your server. So it will scan all traffic before it reaches your website’s main server.
We highly recommend investing in a DNS firewall to protect your site. Sucuri has one of the best DNS firewalls in the industry.
Sucuri comes with built-in features to block brute force attacks without affecting your website users.
It also blocks automated tools used to scan your website. This helps keep your website off the radar of any attacker.
Additionally, it constantly monitors your website, so if any malicious bot reaches your website, it will be automatically blocked.
If you want to know more details, read our Sucuri review.
Step 2: Limit login attempts
If you want to specifically block brute force attacks, one of the best ways to do so is by limiting the number of attempts a user has to log in.
For example, you can give them a maximum of 3 attempts to enter the correct username and password. If they fail, they can use the “Forgot your password” option and recover their credentials.
Any user or bot attempting to brute force your site will give up after 3 attempts and move on to the next target.
You can add this feature with a plugin that limits login attempts on your WordPress site. If you are using a security plugin like Sucuri, then you should already have the login attempt limit automatically added to your site.
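To show what such a plugin does under the hood, here is an added example (not code from the original article or from Sucuri) of a small WordPress plugin that enforces the 3-attempt limit described above. The 15-minute lockout window and the `lal_` function names are assumptions; it uses WordPress’s own `wp_login_failed`, `authenticate` and `wp_login` hooks and stores the counter in a transient, so no extra tables are needed.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example, not from the original article)
 * Description: After 3 failed logins from one IP address, refuse further logins from it for 15 minutes.
 */

// Assumed policy values; adjust for your site.
define( 'LAL_MAX_ATTEMPTS', 3 );
define( 'LAL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function lal_client_ip() {
    // REMOTE_ADDR is set by the web server itself. Do not read X-Forwarded-For here
    // unless a proxy or CDN you control overwrites it, because a bot can forge that header.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lal_key( $ip ) {
    return 'lal_failures_' . md5( $ip );
}

// Count each failed login against the source IP. The transient expires on its own,
// so the counter resets after the lockout window without any cleanup job.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    // Our own lockout error also fires this hook; do not count it as a new guess.
    if ( $error instanceof WP_Error && 'too_many_attempts' === $error->get_error_code() ) {
        return;
    }
    $key      = lal_key( lal_client_ip() );
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, LAL_LOCKOUT_SECONDS );
}, 10, 2 );

// Runs after WordPress's own username/password handlers (priority 20), so a
// locked-out IP gets an error even if it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $failures = (int) get_transient( lal_key( lal_client_ip() ) );
    if ( $failures >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', LAL_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lal_key( lal_client_ip() ) );
}, 10, 2 );
```

Because the counter is keyed by IP address, a bot that spreads its guesses across many addresses is only slowed down per address, which is why this step is combined with the firewall and allowlisting steps rather than used alone.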
Step 3: Restrict access to the login page
Another good way to protect your site from brute force attacks is to grant access to the login page URL only to people you trust.
Every device that uses the Internet has a unique IP address. You can use a security plugin to universally block all IP addresses from accessing the login page and whitelist only the ones you want.
This way, only authorized users can open the login page. This method is called allowlisting and is very effective in keeping hackers away.
If you use Sucuri, in the Access Control tab of your control panel, you can add whitelisted IP addresses.
Next, switch to the Security tab.
You will see an option to enable “Admin panel restricted to whitelisted IP addresses only.”
By checking this box, Sucuri will automatically allow only your trusted users to access the login page.
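If you prefer to enforce the same allowlist on the site itself rather than through Sucuri’s control panel, here is an added example (not code from the original article or from Sucuri) of a must-use plugin that only lets listed IP addresses reach wp-login.php and the admin area. The two addresses are constructed RFC 5737 documentation values and the `lpa_` names are assumptions.

```php
<?php
/**
 * Plugin Name: Login Page IP Allowlist (added example, not from the original article)
 * Description: Only the listed IP addresses may open wp-login.php or the admin area.
 * Save this file in wp-content/mu-plugins/ so it loads on every request and cannot be
 * deactivated from the dashboard.
 */

// Assumed trusted addresses (constructed RFC 5737 documentation values); replace with your own.
function lpa_allowed_ips() {
    return array( '203.0.113.10', '198.51.100.25' );
}

function lpa_is_allowed( $ip ) {
    // Strict comparison: '203.0.113.10 ' or '203.0.113.010' must not match.
    return in_array( $ip, lpa_allowed_ips(), true );
}

function lpa_guard_login() {
    // Guard only the login page and wp-admin; leave the public site and AJAX endpoints alone.
    $is_login = isset( $GLOBALS['pagenow'] ) && 'wp-login.php' === $GLOBALS['pagenow'];
    if ( ! $is_login && ( ! is_admin() || wp_doing_ajax() ) ) {
        return;
    }
    // Behind a proxy or CDN, REMOTE_ADDR is the proxy's address; configure the server's
    // real-IP handling first, otherwise every visitor looks like the proxy.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! lpa_is_allowed( $ip ) ) {
        nocache_headers();
        wp_die( 'Access to the login page is restricted.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'lpa_guard_login' );
```

Most home and mobile connections change their IP address from time to time, so keep SFTP or hosting-panel access at hand: if your own address stops matching, removing the file from mu-plugins restores access.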
Step 4: Expire passwords regularly
It goes without saying that the best way to protect any account or website on the Internet is to use strong usernames and passwords.
Apart from that, it is also necessary to change your password regularly. If you suspect an attack, you should change it immediately.
Now, if you have multiple users who have access to wp-admin, they may not remember to change their passwords regularly.
To overcome this, you can set reminders and force them to reset their password at intervals. You can use a plugin like Expire User Passwords to help you expire passwords periodically by forcing the user to change their password before being able to log in again.
Step 5: Add 2-factor authentication
Chances are you’ve already seen or have 2-factor authentication in your applications, especially email.
In addition to entering your password, you must provide a one-time code that is sent to your mobile phone or email.
This means that the user will have to be verified in real time, making it much more difficult for hackers to gain access.
Even if they manage to crack your password, they will also need the code in real time.
All popular security plugins, such as Sucuri and MalCare, allow you to enable 2-factor authentication within the control panel.
So you won’t have to touch any code to add this feature to your site.