Protecting your WordPress site from brute force attacks

If you run a WordPress site (by which I mean a self-hosted WordPress site), you will probably have heard that a lot of brute force attacks have been launched against WordPress sites of late, and that many sites have been affected. For those who don't know, a brute force attack is one in which an attacker tries to get into a protected area of a website, in this case the WordPress admin area, by trying username and password combinations over and over until one works.

This isn't performed by one person sitting at a PC and manually typing usernames and passwords into your login page. No, the perpetrators use a botnet, a group of compromised computers controlled remotely and working automatically to attempt logins, so the attempts arrive from many addresses at once and never get tired. It is essential that we protect our sites properly and ensure that these attacks do not cause any damage to us, our customers or our brands. That is our topic today.

There are some simple steps you can take to protect your WordPress website:

1. Change your username

Make sure your username is not the default, admin. Attackers try that name first, which means half of the username/password combination is already known to them. You can't change a username from the WordPress dashboard, but there are a couple of solutions.

The first is to create a new administrator account, log in as it, and delete the old admin user, reassigning its posts to the new account when WordPress asks. My preference though is to alter as little as possible and use a plugin called Admin renamer, which changes the admin username directly in the database through a user-friendly interface. Whichever route you take, check afterwards that the account's nicename (the slug WordPress uses in author archive URLs such as /author/admin/) has changed as well: if it still reads admin, the login name is hidden but the username is still discoverable from the author archive.

2. Change your password

It still amazes me how many people use ordinary words or dates of birth in their passwords. If your website is your business, then please treat it the same as you would your house or car. Protect it adequately.

A strong password is long (treat 8 characters as the absolute minimum; 12 or more is better) and ideally random: a mix of upper- and lowercase letters, numbers and symbols. Passwords like this are vastly more difficult to crack than a dictionary word, because the attacker has to try every combination rather than a list of common words. Read this article if you want to see just how easy it is to crack even the hashed form of a short password that is a common word.

I use an application called 1Password to create and store my passwords. It is cross-platform and works on mobile too, so I always have access to my randomly generated passwords wherever I go.

3. Keep it updated

Probably the easiest of all is to keep your website updated. WordPress releases around 4-6 major security updates in a year, and your plugins and themes will have updates of their own. Back up your website before updating, for example with a plugin like BackupBuddy, and apply updates promptly rather than letting them pile up.

I had an old, unused WordPress installation that had sat on a server I owned since 2007, and through that install the whole server was infected.

So make sure you delete any plugins, themes or WordPress instances you no longer require, and keep the rest up to date. Deactivating a plugin is not enough: its PHP files stay on disk and can still be requested directly, so an unused plugin is only safe once it has actually been deleted.

4. Install some protection

During my update process I came across 2 plugins that can help protect your WordPress site from attack.

The first is Wordfence Security, a free security plugin that includes a firewall, malware scanning, real-time traffic monitoring with geolocation and more. It is a substantial yet easy-to-use plugin that scans your website for infection and then locks it down against attack, including limiting repeated failed logins.

Then install BulletProof Security, recommended by a friend, Simon at SoCreative, which provides protection against XSS, RFI, CRLF, CSRF, Base64, code injection, SQL injection and many more. Neither plugin replaces the first three steps; they add a layer on top of a non-default username, a strong password and an up-to-date install.
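To show what the login lockdown in such a plugin actually does under the hood, here is a small must-use plugin written for this post as an added example; it is not code from Wordfence, BulletProof Security or the original article. It counts failed logins per client IP address in a WordPress transient and refuses further attempts from that address once a threshold is reached. The threshold (5 failures), the window (15 minutes) and the `lal_` function prefix are my own choices, and the code assumes the web server talks to PHP directly, so that `REMOTE_ADDR` is the real client address.

```php
<?php
/*
Plugin Name: Login Attempt Limiter (example)
Description: Locks out a client IP after repeated failed logins.
             Save as wp-content/mu-plugins/login-limiter.php so it loads
             before normal plugins and cannot be deactivated from the dashboard.
*/

// Limits are assumptions chosen for this example, not WordPress defaults.
define( 'LAL_MAX_FAILURES', 5 );                  // failures allowed per window
define( 'LAL_WINDOW', 15 * MINUTE_IN_SECONDS );   // counting window and lockout length

// The client address. Only REMOTE_ADDR is used: X-Forwarded-For is supplied by
// the client and can be faked to reset the counter. Behind a reverse proxy, have
// the proxy (or a module such as mod_remoteip) rewrite REMOTE_ADDR instead.
function lal_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient name for one address. Transient names are length-limited, so the
// address is hashed rather than embedded verbatim.
function lal_key( $ip ) {
    return 'lal_fail_' . md5( $ip );
}

// Runs on every login attempt. Both wp-login.php and xmlrpc.php authenticate
// through wp_authenticate(), which applies this filter, so XML-RPC is covered
// too. Priority 100 is above WordPress's own password check (priority 20),
// so that check has already run and cannot overwrite the error returned here.
function lal_check_lockout( $user, $username, $password ) {
    $failures = (int) get_transient( lal_key( lal_client_ip() ) );
    if ( $failures >= LAL_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts from your address. Try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lal_check_lockout', 100, 3 );

// Fires after any failed attempt, including the ones refused above, so every
// attempt made during a lockout restarts the window.
function lal_record_failure( $username ) {
    $key      = lal_key( lal_client_ip() );
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, LAL_WINDOW );
}
add_action( 'wp_login_failed', 'lal_record_failure' );

// A successful login clears the counter for that address.
function lal_clear_failures( $user_login, $user ) {
    delete_transient( lal_key( lal_client_ip() ) );
}
add_action( 'wp_login', 'lal_clear_failures', 10, 2 );
```

Two caveats before relying on something like this. First, if your site sits behind a CDN or reverse proxy and `REMOTE_ADDR` is the proxy's address, every visitor shares one counter and the fifth failed login anywhere locks everyone out; fix the address handling at the web server before enabling the limiter. Second, a per-IP lockout slows a single source down but does little against a botnet that spreads its guesses across many addresses, which is exactly the situation described above. It buys time; the non-default username and the strong password are what actually stop the guessing.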

Remember that if someone does succeed in attacking your site, it is not personal: it is probably an infected PC running somewhere, and all the attacker wants to do with your site is to make it part of a bigger botnet.

Better safe than sorry.


2 comments on “Protecting your WordPress site from brute force attacks”

  1. Glad you kept changing the user name at the top of the list. This is the #1 security mistake 99% of WordPress users commit. Everyone is just happy with the default user name WP provides, and so are the hackers 🙂
