Unprotected WordPress websites fall victim to a brute force attacks every day. If you own a self-hosted WordPress website (one that is on your own web hosting account, rather than WordPress.com), it could be target.

How do I know these Brute Force Attacks real?

I personally found out that brute force attacks were real, because I saw that someone was attempting to do this.

brute force attacks on wp-login.php

How I found out robots were attempting to hack my WordPress website.

I looked at my statistics (in cPanel > Webalizer) and saw an insane number of hits on wp-login.php! Given I can estimate the number of real people who can visit my site, I can clearly see that this is a hacking attempt made by a robot!

How does a Brute Force Attack happen?

Automated programs search the internet for addresses such as “yourdomain.com/wp-login.php”; These automated programs will enter random username and password combinations, in the hope that one of these combinations will be the right one.

These programs will run as many times as they like, because WordPress has no limit on how many times you can guess a password. However, this can also cause strain on the server hosting your website, preventing real humans from accessing it.

Does this mean WordPress is not secure?

Not at all!

WordPress should be considered just as secure as any other website platform. The only reason why attacks are so common is that WordPress is so commonly used. Unfortunately, those who are hacked or exploited haven’t taken the time to learn about WordPress website security.

How to prevent Brute Force Attacks

Method 1: A simple, short-term fix

One thing you can do right now is stop using “admin” as your default username! Many people will use “admin” and “password123″ as their default log-in credentials, and this is the first thing that hackers will try to guess.

Method 2: Install a brute force prevention plugin

Some good choices include WP Bruiser or WordFence. Or for a more complete security solution, you could look into VaultPress or a monthly maintenance plan with me.

Advanced: A longer-term solution: Use .htaccess to protect your log-in page

If your web hosting provider uses cPanel, you can follow these steps to set up password protection:

  1. Use this Htpasswd Generator to create a .htpasswd file.
  2. Upload the .htpasswd file to the root of your file directory.
  3. Add the code below to your .htaccess file. Replace ‘PathOnWebServer/WhereFileIsLocated’ with the path to your .htpassword file.
AuthType Basic
AuthName "User name and Password are required for entry:"
AuthUserFile /PathOnWebServer/WhereFileIsLocated/.htpasswd
<Files "wp-login.php">
 Require valid-user
cautionImportant! Do not try to edit your .htaccess file unless you are comfortable editing this important server file. A simple mistake could make your website inaccessible. Please get in touch with an expert for help if you need one!

Although it means you will have another username and password to remember, this will create an extra step in the log-in process that the automated program won’t be prepared for. Hopefully this will also reduce the log-in URL requests turning up in your logging software.

Credit goes to Vandelay Web for the above instructions.

Related Articles