Security in WordPress is a primary concern. As open source script is vulnerable to all sorts of attacks, WordPress is no different. But it’s not entirely correct. The reason behind your WordPress site being hacked isn’t its fault; instead, it’s your fault.
The most natural and most common way to hack a website is using brute force attack. Hackers use brute force attack to gain access to a website. A ‘brute force’ attack is a sort of attack against a site to access the site by speculating the username and password, again and again.
Brute force attack can be made using either human or bot. But most of the time hackers use bots because bots are capable of trying thousands of combinations every minute.
To become satisfied with a brute force attack hackers need:
- Your username
- Your login page
- Freedom to try thousands of different username/password combinations without restriction
So, if a hacker doesn’t have anyone of this information they can’t reach your website. And by taking few steps, you can stop this kind of attacks.
Today, we will go through on how you can prevent your WordPress site from brute force attacks. Let’s dive into the article….
Step 1: Secure Your Login Credentials
A) Change User Name
The first line of defense and most important step to prevent an attacker for succeeding is to secure your login credentials. If you use weak username or password, it’s effortless for a bot to guess your login credential and gain access.
For example, if you ‘admin’ as your username and ‘protectpass’ as your password how long it will take to breach the security? It will take few minutes to gain access.
So, don’t use admin as your username. Try to use something else as username and every time use your email address for login, this will give you better security hold. As emails aren’t easy to predict, hackers will have a tough time with it. You can use plugins like WP Email Login for this purpose.
B) Set Strong Password
After changing the username, you should set a secure password. The more your password is protected, the more it is hard for hackers to crack your website. To arrange a secure password, you can follow this rules:
- Use a mix of upper and lowercase letters
- At least one number
- Use at least one symbol
- Specific length, i.e., 12-15 characters
If you follow this rules, you can create a secure password. But you can’t honestly make a random password as you are human. So instead, you can use password generators like Strong Password Generator. ApplyAnd to remember passwords use password manager services. For example, LastPass, or 1Password.
Step 2: Use reCAPTCHA
Using reCAPTCHA in your WP login form will ensure an extra layer of security. reCAPTCHA is a free service from Google. It helps protect websites from spam and abuse. This is a test to tell humans and bots apart.
After all, most of the brute force attacks are made by bots so it can be prevented merely by using reCAPTCHA in WP login form.
If you want to integrate reCAPTCHA your own follow this steps:
- Go to google reCATPCHA, add your website and get the secret key
- Add following code in the header section of your website: <script src=“https://www.google.com/recaptcha/api.js” async defer></script>
- After that include the following line wherever you want to show the CAPTCHA: <div class=“g-recaptcha” data-sitekey=“your_site_key”></div>
However, remember that this trick can only prevent bots, not humans.
Step 3: Change Login Page URL
Did you wonder, if hackers can’t find your WP login page then how will they attack you? Without having access to your login page, a brute force attack can’t become successful.
You should change these permalinks:
Step 4: Use Password to Access Login Page
You can also prevent anyone to load your login page even if they know your login page URL by securing access to your wp-login.php file using a .htpassword file. Unless they know the username and password, they can’t load the login page.
Use the following steps:
- Using htpasswd generator create content and save it as a file named .htpasswd (with no extension).
- Upload the .htpasswd file in same location as .htaccess file
- Now put the code below in your .htaccess file:## Stop Apache from serving .htpasswd files
<Files ~ “^\.ht”> Order allow,deny Deny from all </Files>
AuthName “Private access”
require user coderex
Change “~/.htpasswd” as the location of your .htpasswd file and change “coderex” to the username you gave when creating the htpasswd file.
Step 5: Limit Login Attempt
With limiting the login attempts, you can secure your WordPress website from brute force attack. If bots had only 3 to 4 try to re-enter username and password, it wouldn’t become successful.
Though WordPress by default doesn’t prevent anyone from attempting to login in your website, it gives the option to limit login attempt while you first install WordPress.
Step 6: Limit Access to The Login Page by IP Address
You can also block access to the WordPress admin area if you have a static IP address. This is a great way to secure WordPress login by permitting access to specific IP addresses. Add the following code to your .htaccess file:
AuthName “WordPress Admin Access Control”
order deny, allow
deny from all
# whitelist IP address
allow from xx.xx.xx.xxx.xxxx
Change the “xx.xx.xx.xxx.xxxx” to your original IP address and if you need more than one IP address also add them in the code.
Step 7: Use Two Factor (2F) Authentication
2F authentication is the final line of defense against brute force attack. In this process, you have to enter a unique verification code created each time you want to login by the Google Authenticator mobile app. To able this feature, you also have to install Google Authenticator plugin, or 2FAS Light – Google Authenticator in your WordPress website.