With WordPress running almost one third of the world’s websites, hackers have found an amazing pool to work through.
What makes WordPress vulnerable?
Well, security breaches in WP themes and plugins could be one reason. Even a very small vulnerability found in a WordPress install can expose millions of websites.
If you check Sucuri Website, you can see only a small amount of the security problems reported daily.
43 percent of cyber attacks are aimed at small businesses - Symantec ReportSymantec Report
Are you using WordPress?
Then, you definitely need to pay extra care on your business.
You don’t have to stop using your WP website. You only have to take a few steps ahead and start solving problems before they occur.
What is a Brute Force Attack?
A Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in.Source
There are many ways to perform a brute force attack. The most common method is dictionary-based attacks.
In a brute force attack, automated software is used to generate a large number of consecutive guesses.
Or, it can use stolen databases with IDs and passwords.
Brute Force attack still happening?
Yes, it still happens.
This was the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hourMark Maunder, Wordfence CEO
Also, in December, the largest aggregate database to date was discovered (found on the dark web) with 1.4 billion clear text credentials. It seems that this discovery is related to the December 18th brute force attacks.
It is an aggregated, interactive database that allows for fast (one-second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover. This database makes finding passwords faster and easier than ever before.Source
We all know that prevention is better than cure.
So, start preventing any attacks on your business today!
Basic Brute Force Attack Prevention Process
- Avoid using username “admin”
- Change the wp-login URL of your WordPress site
- Hide the fact that you are using WordPress. You can use Hide my wp plugin for that. Also, this plugin helps you change the login URL, username “admin”.
- Use a stronger password. Things to avoid when choosing a password:
- Any permutation of your own real name, username, company name, or name of your website.
- A word from a dictionary, in any language.
- A short password.
- Any numeric-only or alphabetic-only password (a mixture of both is best).
- Limit the number of login attempts made on your site.
- For example, after three failed login attempts, the account is locked out until an administrator unlocks it. Or, another alternative is that user accounts are locked out for a set period of time after a few failed login attempts.
- Use Captchas
- Pre-login captchas are a powerful way to slow down brute force. They are especially useful on open-registration sites to reduce the amount of spammers and bots from registering. This method can be used to require the user to enter a word or solve a simple math problem to ensure the user is, in fact, a person.
- Two Factor Authentication (2FA). This helps reduce risk in the event that your password is compromised.
- Password protect your wp-login.php file (and wp-admin folder)
- Use themes only from reliable sources. Use a well-coded WordPress theme
- Limit the number of plugins you install on your WordPress site. Use plugins only from well-known sources. Always verify comments or reviews, if support exists; if the author is quick to react.
- Make sure that any plugins you do have installed are kept up to date
- Install Wordfence. This includes an endpoint firewall and malware scanner that were built from the ground up to protect WordPress. You can use the free version.
- Backup your website (just in case the worst should ever happen)
- Always update to the latest version of WordPress, when possible
- Use a web host that has a track record for being reliable, safe, and secure
More difficult techniques to make brute force attack preventions
- Limit Access to wp-admin by IP. You need to create .htaccess file and edit it. You can learn how to do that by accessing this link. The instructions are different, depending of what kind a server you have.
- Blacklist an IP address. Only whitelisted IPs will be able to login. You can do this manually but it’s easy to use a plugin.
- Bot and Scan Blocking. When their system detects a specific bot trying to attack your site using a brute force technique, it is blocked automatically by Sucuri Plugin.
- Country Blocking. Most brute-force attempts come from a handful of countries. If you aren’t doing business there, you can completely block all visitors from those IP ranges.
- Avoid installing too many scripts or codes on your site (or on your web server). Always ensure they’re from a credible source.
Thousands of websites get hacked into every single day, so don’t wait for the day to come when yours could potentially get hacked too.
Take action now.
“Every day, Safe Browsing from Google discovers thousands of new unsafe sites. Many of these are legitimate websites that have been compromised by hackers.”
What are you doing to keep your WordPress website safe?
Are you using some techniques that I haven’t mentioned in this post?
I have over 10 years experience in building plugins and themes for WordPress and other platforms.
Contact me if you have plugins that you want me to check before you insert them in your website. I will be happy to check them for security and speed.