WordPress has gained recognition for a long time. People are creating WP sites on a reliable host like 000webhost.com that allows them to enjoy a number of features.
With most people using WordPress to build a website, the security has become a major concern. Just like open source script, WordPress is also prone to all types of attacks, and those brute force attacks were caused due to the negligence of the users.
But, how these brute force attacks happened? Well, the answer is – when an attacker uses thousands of IP addresses and try to steal credentials of WP admin.
These attacks are usually carried out either by a bot or human that tries different usernames and passwords combinations more than thousand times every minute.
What do you need to become gratified with brute force attack hackers?
- Login page
- Freedom to try different usernames and passwords combination without any limitation
Remember, if a hacker doesn’t have such information they can’t harm your site.
In this post, we will go through the effective ways on how to site from brute force attacks.
Step 1 – Protect your Site’s login credentials
WordPress login page is the first target of attackers, so the first step is to secure it with your username and attackers. Most people just create a username and password, without taking care of the security and here attackers step in. So, here are the small steps you need to take in order to protect the login credentials of your site.
Change your username
The first step you need to take is change your username. It prevents an attacker to get your login credentials. If you use a weak username or common password, the bot will easily get access. Also, ensure not to use admin as your username.
Use something else and by using your email address for login you are getting a better security. Because emails are not easy to guess and hackers will have a difficult time guessing the email address.
Set a strong password
After changing your username, it’s time to set a strong password. If your password is strong and protected, hackers would have a tough time to crack it. For arranging a secure password, use below rule-
- Blend of upper and lowercase letters
- Have one number at least
- Use one symbol at least
- Use characters of specific length like 12-15
By following these rules, you can easily create a strong password.
Step 2 – Use reCAPTCHA
Another step is to use reCAPTCHA on your WordPress login form. This is a type of test that sets apart humans from bots. It will give an extra layer of security and as it is a free service and also helps sites to get protected against abuse and spam.
The reason to use reCAPTCHA is – most of the brute force attacks are done by bots, so it ensures that the one entering the site is not a bot.
In order to integrate reCAPTCHA, follow these steps-
- Search for reCAPTCHA on Google and add your site and receive a secret key.
- Use this code in your site’s header section- <script src=“https://www.google.com/recaptcha/api.js” async defer></script>
- Now you will see the line- CAPTCHA:<div class=“g-recaptcha” data-sitekey=“your_site_key”></div>
If these steps seem an overwhelming task, you have great options of using plugins like Invisible reCaptcha, ALL in one security & Farewell.
Step 2 – Change URL of WP Login Page
Obviously, if hackers are unable to find your WP login page, they can’t attack your site. By changing your existing URL with a new one, you are preventing hackers to attack your sire.
For that, you can make changes in the following permalinks
However, changing URL and code is a little complex. But for changing the only URL to a custom one, you can install WPS Hide Login plugin or iThemes Security plugin.\
Step 3 – Access login page with Password
In order to prevent any type of access to your login page URL, you can secure access to your wp-login.php file using a .htpassword file. It unable them to get access to the login page unless they know the username and password.
Follow the below steps
In order to create content use htpasswd generator and save it with a file name .htpasswd
Now change “~/.htpasswd” as your .htpasswd file location and then change “coderex” to your username.
Step 4 – Limit your login attempt
Lets’ face it- WordPress by default can’t prevent anyone to attempt login to your site. In fact it provides an option to restrict the login attempt while you install the WP site at first.
You don’t need to stress out if you didn’t check the installation box as you are using safe plugins like Limit Login Attempts, Loginizer, or Login Lockdown.
If you have a strict IP address, you can block the login page access to the WP admin easily. You can follow the below code to your .htaccess file.
Now you can change “xx.xx.xxx.xxxx” to your actual IP address. Even if you are seeking more than one IP address then add them to your code.
Step 5 – Using 2F authentication
If you are looking for an effective way of defense against brute force attack, then 2F authentication is the right way to go with. If you are unaware what is 2F authentication is all about, then let me tell you-
This is a process that provides you an access to a unique verification code every time you want to get access to Google Authenticator mobile app.
This also helps in reducing the risk if your password is compromised. It adds an extra layer of protection and also considered as one of the best ways to make sure that your account is strongly protected.
If you are seeking to get this feature, install it by using 2F authentication Light Google Authenticator or Google Authenticator plugin on your site.
Undoubtedly, site security is one of the essential factors you need to worry about. If your username and password are not unique and strong, be ready for brute force attacks.
If you don’t follow the above steps to keep your site secured and protected, there will be utmost chances that you will never know when your site will be attacked and hacked by the random users.