How to Defend Against Brute Force WordPress Login Attacks

What is your administrative username for your blog?
If it’s admin, you need to change it.
If you don’t know, go to your site’s wp-admin, click on Users and then Your Profile. Your Username is under Name.
For about three weeks in August, Microblogger was getting pounded by brute force login attempts on the username ADMIN and I was being notified by a plugin every single time a login failed.
It was getting annoying.
If you don’t have a plugin installed that notifies you, you’re probably under attack too but you just don’t know it. Bots are trying to break into your site.
I recently installed the Sucuri Security WordPress plugin because I wanted to do a quick scan of the blog for vulnerabilities. I usually turn off a plugin after it has done its primary job but I left this one on by accident and it’s been reporting these frequent brute force attempts.
One of the events the Sucuri plugin reports is a failed login attempt, and I was getting a lot of these notifications.
I changed my username to something different long ago, so the admin user doesn’t even exist. This is one of the suggestions WordPress gives for preventing a brute force attempt from succeeding. It won’t, however, stop brute force attacks from happening in the first place.
In this article, I’ll explain what you can do to reduce brute force attacks as well as limit their effectiveness.
How to Stop/Limit Brute Force Attacks
The best way is to use a service like Cloudflare as a firewall to prevent attacks from known IP addresses. Savvy attackers are cycling through IPs and likely using a botnet of some kind, so there isn’t anything you can do short of deflecting the attacks with a firewall.
CloudFlare is free so I recommend signing up for it. Once you have it set up, you’ll want to go to the CloudFlare settings and set your Security profile to High. If you are under attack, the High setting will cut the number of attempts by 95%. I had it on Medium and was getting bombarded. They offer Advanced DDoS protection but only for Business and Enterprise customers, which I am not. That might be a good option if you’re getting more than a few nefarious login attempts.
How to Limit Attack Effectiveness
First, make sure you aren’t using “admin” as your username. If you need to change it, WordPress recommends using Admin renamer extended to change your username.
Next, slow down brute force attacks by installing Limit Login Attempts (don’t be scared by the warning that it hasn’t been updated in 2 years, it works great) and turn it on. Once a specified number of failed attempts from one IP has been reached, the plugin blocks further login attempts from that IP for a cool-off period. This slows brute force attackers considerably and is really the only thing you can do to slow them down.
Here are some of the defense recommendations from WordPress, but most of them will not stop the attacker from hitting your site in the first place, which might be what is leading to higher hosting bills.