WP Rocket - WordPress Caching Plugin

How to Prevent Brute Force Attacks in WordPress


No website is free from hacking attempts. According to studies, dozens of cyber attacks occur each month, affecting the personal and user information of literally billions of internet users worldwide.

Criminals use different methods to hack a website, including brute force attacks, password cracking, viruses, keyloggers, spoofing attacks and others. Brute force attacks are the most common among them.

What is a brute force attack?

In a brute force attack, hackers try different password combinations until they are able to log in to your site. Once they have control, they will alter your website and use it for personal gain. It’s a terrible situation no one wants to face.

How can you prevent brute force attacks?

In WordPress, you can secure your content with the help of security plugins. They safeguard your business in several ways and protect the website from unauthorized hacking attempts, vulnerabilities, infections etc.

These are the best practices to prevent brute force attacks in WordPress.

1. Change Login page URL


www.example.com/wp-login.php and www.example.com/wp-admin are the default login pages for WordPress sites. Once an attacker has identified your platform as WordPress, they will immediately open these default pages to try possible passwords. Several security plugins allow you to rename the login page and thereby keep others from reaching your backend.

Read How to Quickly Change WordPress Login URL to Improve Security.

2. Limit Login Attempts


Set a maximum number of login attempts on your blog. It can be 3 to 5. If anyone exceeds the limit, block them for some time from making further brute force attempts. Those users can’t sign in to your site until the specified lockout period elapses. You can also configure security plugins to instantly block invalid usernames like Admin, which is very common on WordPress websites. It’s better to avoid such default usernames, as hackers can guess them easily.

3. Login CAPTCHA


Login CAPTCHA is a powerful option to keep malicious bots away from your site. Most hacking attempts are carried out by bots, and they cannot enter CAPTCHA codes the way humans can. Enable the option for your login page as well as the lost password page to reduce the risk of brute force attacks.

4. Login Whitelist

This is another option to prevent unauthorized intrusions into your dashboard. The Login Whitelist feature allows only certain IP addresses or ranges to access your login page and denies access to any IP address not on the list. The feature works best for users with static IP addresses, and they can enable the option through WordPress security plugins to safeguard the contents against

5. Two-factor authentication

Secure your blog with a second-level password. After entering your normal credentials, a text code will be sent to your phone to confirm your identity. No one can access your WordPress dashboard without successfully completing the two-level verification process. A number of plugins are designed for this purpose and for preventing brute force attacks in WordPress. There are two ways of generating the code: a smartphone app or SMS. Learn how to activate two-factor authentication in WordPress for free.

6. Honeypot

A honeypot is a hidden field on the WordPress login page that only robots can see. Robots are programmed to fill in every field of the form they find, so they will submit the honeypot field too. If the plugin finds that this field has a value, it detects the presence of a robot and locks it out of the website.
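As an added example tying together items 2 and 6 (this is not code from this article or from WP Rocket), the following must-use plugin counts failed logins per client address, locks that client out once the limit is reached, and adds a honeypot field to the login form. The constants, function name, honeypot field name and the mu-plugins path are assumptions; the WordPress hooks and functions used are standard ones.

```php
<?php
// Constructed example for illustration (not WP Rocket's or any plugin's code).
// Assumed deployment: save as wp-content/mu-plugins/example-login-guard.php.
const EXAMPLE_MAX_ATTEMPTS    = 5;                 // the "3 to 5" limit from the article
const EXAMPLE_LOCKOUT_SECONDS = 15 * 60;           // lockout period once the limit is hit
const EXAMPLE_HONEYPOT_FIELD  = 'example_website'; // assumed honeypot field name

// Key the failure counter on the client address. REMOTE_ADDR is assumed to be
// the real client; behind a proxy or CDN use the trusted forwarded address.
function example_fail_counter_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_login_fail_' . md5( $ip );
}

// Count each failed login; the transient expires after the lockout period.
add_action( 'wp_login_failed', function () {
    $key      = example_fail_counter_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, EXAMPLE_LOCKOUT_SECONDS );
} );

// A successful login resets the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( example_fail_counter_key() );
} );

// Render the honeypot inside the login form: hidden from humans, visible to bots.
add_action( 'login_form', function () {
    echo '<p style="display:none" aria-hidden="true"><label>Website ';
    echo '<input type="text" name="' . esc_attr( EXAMPLE_HONEYPOT_FIELD ) . '" ';
    echo 'value="" autocomplete="off" tabindex="-1"></label></p>';
} );

// Priority 30 runs after WordPress's own password check (priority 20), so a
// WP_Error returned here is not replaced by a later successful user lookup.
add_filter( 'authenticate', function ( $user ) {
    if ( ! empty( $_POST[ EXAMPLE_HONEYPOT_FIELD ] ) ) {
        // A filled honeypot means a bot; WordPress also fires wp_login_failed
        // for this error, so the attempt is counted toward the lockout.
        return new WP_Error( 'example_honeypot', 'Login rejected.' );
    }
    if ( (int) get_transient( example_fail_counter_key() ) >= EXAMPLE_MAX_ATTEMPTS ) {
        // Rejections here fire wp_login_failed too, so the lockout window slides.
        return new WP_Error( 'example_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30 );
```

Files in wp-content/mu-plugins/ load automatically, so no activation step is needed; the counter is per client address, so a shared office IP will share a lockout.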

Are you interested in WordPress security related topics? Read these posts: