How to Protect Your WordPress Site from Brute Force Attacks (Step by Step)

One of the problems you can run into when operating a CMS, and WordPress in particular, is a so-called brute force attack: a bot tries to log into the backend of a website. The brute force technique is characterized by trying a very large number of different password combinations within a very short time in order to find the right one, often distributed across many different IP addresses of a so-called botnet. Since we monitor the servers partly by hand, we can notice an increased load on a server and then check where it comes from. We cannot guarantee that, however; ultimately you are responsible for securing your CMS. When we detect a brute force attack, we block the IP address causing it. If it is a botnet, we can only lock the entire account temporarily.

What is a brute force attack anyway?

The aim of such an attack is usually to guess a password, and as the name brute force suggests, the attackers do not go about it with any subtlety.

Typically, attackers exploit vulnerabilities in the software to gain access to the desired system. In a brute force attack, however, all possible combinations of username and password are tried systematically until one works. For this purpose, huge lists of frequently used passwords are compiled, or random combinations are generated. The more complex the password, the longer the attack takes, and that ultimately decides its success or failure. In order to try the passwords at all, however, the attackers must be able to submit their attempts in the right place: the login page.

Here is how you make it harder for attackers to crack your password:

Tip 1: Use a strong password

Incredible but unfortunately true: in 2017, the password 123456 once again tops the list of the most widely used passwords. The name of a pet or partner, a date of birth, a wedding date and other personal data are also popular choices. Not strong, not good, not secure! Here are three simple rules for a good, secure password:

• Do not use personal information, even if it is easy to remember
• Not too short: a good password should have at least 8 characters (that is almost too short already), better 10 or more
• Combine digits and upper and lower case letters PLUS special characters

A strong password could look like this: IbiMg, was7iB!

That is of course a pain to remember. If you do not want to use a password manager such as LastPass, think of a sentence that you can remember well and use the initial letters of its words, for example.

My example above comes from the German sentence "Ich bin in München geboren, wohne aber seit 2007 in Berlin!" (I was born in Munich but have lived in Berlin since 2007!): the initial letter of each word, the last digit of the year and the punctuation give IbiMg, was7iB! If necessary, you can also write the sentence down somewhere without an outsider being able to do anything with it (I would not recommend it anyway).
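The following is an added example and not code from the article: it builds a password from a memorable sentence the way Tip 1 describes, checks it against the three rules above, and estimates the brute-force effort a password of a given length and alphabet costs. The guess rate of ten billion per second is an assumption chosen for illustration (a fast offline attack against a weak hash), not a figure from the article.

```python
import string

# Added example, not code from the article. GUESSES_PER_SECOND is an
# assumed offline cracking rate used only to make the comparison concrete.
GUESSES_PER_SECOND = 10_000_000_000


def acronym_password(sentence):
    """Initial letter of each word; a number contributes its last digit;
    trailing punctuation is kept and a comma is followed by a space."""
    out = []
    for token in sentence.split():
        core = token.rstrip(string.punctuation)
        punct = token[len(core):]
        if not core:
            continue  # token was punctuation only
        out.append(core[-1] if core.isdigit() else core[0])
        out.append(punct)
        if punct.endswith(","):
            out.append(" ")
    return "".join(out)


def charset_size(password):
    """Size of the alphabet an attacker must assume for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def keyspace(password):
    """Number of candidates an exhaustive search must cover (worst case)."""
    return charset_size(password) ** len(password)


def crack_time_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace at the assumed rate."""
    return keyspace(password) / rate


def meets_rules(password, personal_info=()):
    """The article's rules: no personal info, at least 10 characters,
    upper and lower case plus digits plus special characters."""
    low = password.lower()
    if any(item.lower() in low for item in personal_info if item):
        return False
    if len(password) < 10:
        return False
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


if __name__ == "__main__":
    sentence = "Ich bin in München geboren, wohne aber seit 2007 in Berlin!"
    pw = acronym_password(sentence)
    print(pw, meets_rules(pw, ["Munich", "Berlin", "2007"]))
    # Constructed candidates: the list favourite, a pet name plus year, and
    # the article's passphrase-derived password.
    for candidate in ["123456", "Rex2010", "Tr0ub4d!", pw]:
        days = crack_time_seconds(candidate) / 86400
        print(f"{candidate!r:20} alphabet={charset_size(candidate):3} "
              f"keyspace=2^{keyspace(candidate).bit_length() - 1} "
              f"worst case={days:.3g} days")
```

The keyspace figures show why the length rule matters more than it looks: every extra character multiplies the attacker's work by the alphabet size, so two more characters from a 95-symbol alphabet cost the attacker roughly nine thousand times more guesses, while a six-digit number is exhausted in a fraction of a second at any realistic rate.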

Tip 2: Change your username

Change the WordPress default username "admin". Otherwise you have already done half of the attacker's work for them: they know the username and only have to guess the password.

It takes a small detour, and it works like this:

1. As a precaution, make a backup in case something goes wrong. You should always do that before making significant changes to your site.
2. Then create a new user with administrator rights. Ideally, choose a username that is not too common. Opinions differ on whether it is enough that the username is simply not admin or administrator, or whether it should be something more elaborate; what is undisputed is that it must by no means remain admin. Keep in mind that WordPress shows usernames in places such as author archive URLs and the REST API user listing, so the new name is not a secret in itself; the strong password still does the real work.
3. Now log out and immediately log back in with the new user.
4. Finally, delete your old user. But beware! Make sure that you transfer the posts and other content you created under the old name to the new username. WordPress asks about this during deletion; tick the option to attribute all content to the new user. Otherwise everything is gone in the end, and you do not want that.

Tip 3: Lock the login attempts

You can make life difficult for attackers by limiting the number of login attempts. There are various plugins that take over this work for you and block access (temporarily) after, for example, 3 or 5 failed attempts. Keep in mind that a botnet spreads its attempts across many IP addresses, so a limit that only counts per IP address does not help much against it; prefer a plugin that also counts failed attempts per username, and check that it covers every login path the site exposes, not just the login form.
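The following is an added example, not code from the article or from any plugin: the logic that a "limit login attempts" plugin implements, with both the per-IP lockout the tip describes and a per-username lockout that catches a botnet spreading its attempts over many addresses. The limits (5 failures per IP and 20 per username within 10 minutes, 20-minute lockout) and the class and method names are assumptions chosen for the example.

```python
import time
from collections import defaultdict, deque

# Added example, not plugin code. Thresholds are assumptions for illustration.


class LoginThrottle:
    """Tracks failed logins per IP address and per username and locks
    either key once it exceeds its limit within the sliding window."""

    def __init__(self, max_per_ip=5, max_per_user=20, window=600,
                 lockout=1200, clock=time.time):
        self.max_per_ip = max_per_ip
        self.max_per_user = max_per_user
        self.window = window      # seconds in which failures are counted
        self.lockout = lockout    # seconds a key stays locked
        self.clock = clock        # injectable for testing
        self.failures = defaultdict(deque)  # key -> timestamps of failures
        self.locked_until = {}              # key -> time the lock expires

    def _recent(self, key, now):
        """Drop failures older than the window and return the queue."""
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, key, now=None):
        now = self.clock() if now is None else now
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:  # lock expired: forget the key entirely
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def allowed(self, ip, username):
        """Call before checking the password; a locked key refuses early."""
        now = self.clock()
        return not (self.is_locked(("ip", ip), now)
                    or self.is_locked(("user", username.lower()), now))

    def record_failure(self, ip, username):
        now = self.clock()
        keys = ((("ip", ip), self.max_per_ip),
                (("user", username.lower()), self.max_per_user))
        for key, limit in keys:
            q = self._recent(key, now)
            q.append(now)
            if len(q) >= limit:
                self.locked_until[key] = now + self.lockout

    def record_success(self, ip, username):
        """A correct login clears the counters for that IP and user."""
        self.failures.pop(("ip", ip), None)
        self.failures.pop(("user", username.lower()), None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    # Constructed traffic: one host hammering "admin" from RFC 5737 test space.
    for _ in range(5):
        throttle.record_failure("203.0.113.5", "admin")
    print("same host allowed:", throttle.allowed("203.0.113.5", "admin"))
    # A botnet: fifteen different hosts, one guess each, all against "admin".
    for i in range(15):
        throttle.record_failure(f"198.51.100.{i}", "admin")
    print("new host, same user allowed:", throttle.allowed("192.0.2.99", "admin"))
    print("new host, other user allowed:", throttle.allowed("192.0.2.99", "editor"))
```

The per-username counter is what turns the botnet case into a lockout: each of the fifteen hosts stays under the per-IP limit, but the target account crosses its own limit and is refused for every source until the lockout expires. Locking the username does let an attacker keep the real owner out for the lockout period, which is why the lockout is short and why an allowlist for your own address is worth combining with it.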

Tip 4: Keep an IP blacklist

Many attack attempts come from Asia or Russia. It can therefore be worthwhile to block IP addresses from these countries from the outset (unless some of your clients are located there). Visitors from a blocked address can no longer reach your login page and receive an error message (a 404, for example) instead. A blacklist can be extended, so in theory you can block as many IP address ranges as you like. However, this can cause problems. For example, be careful not to shut yourself out, which can easily happen if you travel a lot. If you are planning a change of location, check whether the IP address range you will be using at the destination is blocked and lift that block BEFORE your departure, or narrow it down to a smaller range. Also keep in mind that botnets and proxies exist in every country, so geo-blocking reduces the noise but is no substitute for a strong password and a limit on login attempts.
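The following is an added example, not code from the article or from any blacklist plugin: a range-based blacklist for the login page, the allowlist that protects your own address, and the check you run BEFORE travelling so that you do not lock yourself out, including the option of narrowing a blocked range instead of dropping it. The ranges are the documentation networks from RFC 5737 and RFC 3849, constructed for the example; they are not real attacker ranges, and the function names are assumptions.

```python
import ipaddress

# Added example, not plugin code. Ranges are documentation networks chosen
# for illustration, not real attacker ranges.
BLOCKED = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]
ALLOWED = ["192.0.2.10"]  # your own fixed address(es); allow wins over block


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_blocked(ip, blocked=BLOCKED, allowed=ALLOWED):
    """Decide whether a visitor address may reach the login page.
    Mixed IPv4/IPv6 comparisons are simply False, so both families coexist."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in _networks(allowed)):
        return False
    return any(addr in net for net in _networks(blocked))


def lockout_risk(my_addresses, blocked=BLOCKED, allowed=ALLOWED):
    """Addresses you plan to log in from that the current list would block.
    Run this before a trip; an empty result means you are safe to travel."""
    return [ip for ip in my_addresses if is_blocked(ip, blocked, allowed)]


def exclude_range(blocked, cidr):
    """Carve `cidr` out of the blacklist instead of dropping a whole range:
    the 'narrow the block' option for a trip. Returns a new list of CIDRs."""
    hole = ipaddress.ip_network(cidr, strict=False)
    result = []
    for net in _networks(blocked):
        if net.version != hole.version:
            result.append(str(net))
        elif hole.subnet_of(net):
            # address_exclude yields the pieces of net that lie outside hole
            result.extend(str(n) for n in net.address_exclude(hole))
        elif net.subnet_of(hole):
            continue  # the whole range lies inside the hole
        else:
            result.append(str(net))
    return result


if __name__ == "__main__":
    # Constructed: the hotel's address at the destination and the home address.
    trip = ["203.0.113.42", "192.0.2.10"]
    print("would lock me out:", lockout_risk(trip))
    narrowed = exclude_range(BLOCKED, "203.0.113.0/25")
    print("narrowed list:", narrowed)
    print("still locked out:", lockout_risk(trip, narrowed))
```

The allowlist is checked first so that your own fixed address keeps working however large the blacklist grows; the narrowing step keeps the rest of a blocked range in force rather than opening the whole country for the duration of one trip.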

Tip 5: Change your default login URL

The default login URL for WordPress is www.domain.de/wp-login.php, in my case www.online-assistentin.net/wp-login.php.
Attackers know this, and it makes it much easier for them to find the right place to aim their attempts at.
To change the login URL, there are various plugins that let you replace the "wp-login" part of the URL. What you choose is entirely up to you, e.g. "input", "access" or a completely outlandish term. It does not matter, but you should be able to remember the URL easily. Note that this only hides the form; it is obscurity rather than a lock, so combine it with the limit on login attempts.

Short conclusion & a little tip

If you keep these tips in mind, you are still not 100% safe (you almost never are), but the chances of becoming the victim of a brute force attack are many times lower, because the effort for the attackers becomes too high and they prefer to turn to easier targets. There are other measures that I will introduce to you in another article when the opportunity arises.

Which plugin should you take?

Finally, a few words about the plugins. As already mentioned, there are different plugins for the individual measures, but also some that take care of several of the above at the same time.

Which plugin you use is a matter of taste. When choosing, pay attention to the reviews and to whether it is compatible with your WordPress version. Furthermore, the plugin's last update should not be more than a month ago. An abandoned plugin can have fatal consequences, especially for security-related matters.
