How to Protect Your WordPress Site from Brute Force Attacks
The ultimate guide to Brute Force attacks in WordPress
by Remco Nieuwenhuizen
Owner of WPsupporters
Brute Force attacks target your site’s login pages, encryption keys, and SQL statements.
For example, brute force attacks involve trying password combinations on a login page. The whole process systematically alerts an attacker once a valid combination is found.
In this article – you’ll learn how to protect your WordPress site from brute-force attacks. Here is a list of what you’ll cover in this resource.
Table of Content
Introduction to Brute Force Attacks
What’s the meaning of Brute Force attacks?
A brute force attack is a form of a system’s login hacking with trial and error.
As its name suggests – brute force attacks involve aggressively checking password combinations on a login page. The intention of brute force attacks in WordPress is – to find and exploit a system with a valid combination of passwords, security keys, or sensitive data.
Attackers perform brute force attacks with a tool for dictionary procedures. In this case, a dictionary contains millions of password combinations – thus called a Dictionary attack. A script tries dictionary passwords, one by one – and alerts attackers if a valid combination is found – Aircrack-ng, John the Ripper, and Hashcat are examples of tools for dictionary attacks.
Brute Force attacks in WordPress can cause catastrophic damage. Once an attacker finds and exploits your system with a valid password, you can expect everything – from page defacements to making your site go offline.
If you have a WordPress website, the WPsupporters team has you covered 24/7.
With an expert WordPress technical support team, your site will be monitored, maintained and kept up-to-date all year round.
Types of Brute Force attacks
Before diving deep into detail, here is a table-overview of brute force attacks with risk levels.
Simple or Traditional Brute Force attacks
As its name suggests, simple brute-force attacks involve guessing password combinations for a single username.
For example – attackers can brute force admin accounts with password combinations until a good match is found. In this case, manual routines can help attackers guess common passwords, such as 12345. However, attackers can also automate simple brute force attacks with scripts, such as Aircrack-ng.
Tip: What is a Brute Forcer? The tool, bruteforce script, or automation used to carry out brute force attacks is called a Brute Forcer. Learning how to automate attacks with a brute forcer is the answer to – how to use a brute forcer for attacks?
The name says all – dictionary attacks consist of a pre-defined list of passwords, famous phrases, or words to check against a specific system or username.
For example, the tool that runs a dictionary attack – picks passwords one by one from the dictionary, checks against a username, and repeats the process until a valid combination of credential is found. As its name suggests, the purpose of dictionary attacks is – to make password guessing possible with leaked, common, and popular passwords stored in a dictionary – thousands or millions.
Hybrid Brute Force attacks
Hybrid attacks are composed of two procedures – simple and dictionary.
As its name suggests, hybrid attacks approach system hacking with simple password guessing and automating brute forcing with dictionary procedures.
Hybrid brute force attacks help attackers crack complex password combinations, such as ones composed of numbers, letters, and special characters.
Reverse Brute Force attacks
Instead of guessing passwords for usernames, Reverse attacks involve thinking of possible usernames for a known password.
When data breaches happen, passwords are usually released at scale. In this case, attackers check possible usernames for exposed passwords until a valid match is found.
The type of brute force attacks that targets people who neglect strong measures for credentials.
For example, if a username-password combination works on a site, attackers automate checking the same combination on other sites. The fact that users use the same credentials on other sites, helps attackers easily sniff accounts with the same credentials.
Why is protection from Brute Force attacks necessary?
Effects of Brute Force attacks
- Attackers gain full access to a WordPress site if an admin account is cracked with brute force attacks – also called full-site takeovers.
- WordPress sites under brute force attacks may fall victim to Distributed Denial of Service (DoS) scenarios – which occurs when multiple systems target a single node with traffic floods.
- If a link accepts user inputs, attackers can also turn simple brute force attacks into SQL Injections – a type of attacks that exploits loopholes in SQL statements. In this case, sensitive data is fetched from the database by brute forcing and injecting specially crafted statements into URLs.
- Brute Force attacks in WordPress help attackers expose sensitive files – if a folder is publicly available online. For example – by brute forcing suspicious URLs, attackers can view sensitive files, directories, and scripts on a WordPress website.
Protection from Brute Force attacks is necessary: What’s next?
Although technical infrastructure matters to protect your site from attacks, doing manual assessments of WordPress weighs equal importance.
For example, if you’re not checking WordFence Live Traffic, you’re missing out on traffic driving brute force attacks.
Let’s proceed to learn – how you can protect your WordPress site from brute force attacks.
The following lines include ways to protect your site from BF attacks. However, to make your life easier – you can proceed with WordFence installation, 2FA configuration, and hiding your login page to protect your WordPress site from BF attacks.
How to protect your WordPress site from Brute Force Attacks?
Let’s learn how to protect your WordPress site from brute force attacks.
Basic security measures
Don’t overlook creating strong passwords for WordPress dashboard. For example – (jgweyY7wJ5j7QeL7bR!n$NX2) is an example of a strong password. Similarly, avoid using common usernames for WordPress users, such as admin, editor, and user. Here, a password’s length also matters; long passwords with specialist characters are hard to crack with brute force attacks.
Here is a list of suggestions for beginners – helping those clear grounds for brute force protection.
- Passwords should never contain publicly found information – such as family members, lucky numbers, or hobbies.
- Don’t use single passwords on multiple accounts. Brute Force attacks can reversely check if a user has multiple accounts with the same credentials.
- Implement routines that help lock out culprit agents, such as lockout policy, Captcha, limiting login attempts, and two-factor authentication. You can continue reading more about setting up such measures on a WordPress website.
- If your site allows user registration, you should have implemented strong password rules for new users. In this regard, a WordPress plugin helps you enforce password policies for random users.
- WordPress sites that allow user-generated content need proper security precautions against brute force attacks. For example, if your site enables users to leave comments, create new posts, or handle URLs – you need firewall protection – such as CloudFlare or a plugin, WordFence.
- Remove unused accounts – In WordPress, users with weak passwords pose security risks against brute force attacks. You can let them change their passwords or remove them all.
Two Factor Authentication (2FA)
Specific options help you protect your site from brute force attacks in WordPress – including Two Factor Authentication (2FA), WordPress installation, and hiding login pages.
So, how to block brute force attacks in WordPress?
Two Factor Authenticator (2FA) helps users configure a 2-bridge login system on WordPress. Once a user enters a valid password, WordPress also asks to enter a code from an email. Although an attacker enters a valid password, login is impossible with 2FA enabled.
In WordPress – security plugins, such as WordFence, help you configure 2FA. The process is simple for beginners.
Avoid WordPress installation with cPanel’s automated scripts
Similarly, we don’t prefer WordPress installation with cPanel’s automated scripts. Instead, install WordPress manually and ensure you’ve changed the default options, such as database table prefixes, credentials, and login passwords.
Hide WordPress’ Login page
In the same manner, hiding WordPress’ login page helps – too. Keep reading for more information on hiding WordPress’s login page with a plugin.
Traffic log details in WordPress dashboard
In WordPress, you can explore log details manually – and find if a specific site, IP address, or computer is brute forcing your site.
Manual exploration of logs is easy with WordFence plugin. In the dashboard, the WordFence -> Tools page helps you see a list of attacking IPs recorded by WordFence logs.
Here – by clicking Block IP, you can block the attacking IP or click See Recent Traffic for hits from the IP in question.
Traffic log checks in Hosting cPanel
Like WordFence log details, you can also check traffic logs in Hosting cPanel. For example, Namecheap’s cPanel includes traffic logs under Visitors.
The purpose of checking traffic logs is to see if a culprit IP is attacking WordPress login. You can also check traffic logs in Google Analytics – Google’s free tool for site analytics.
Two Factor Authentication (2FA) setup in WordPress
Without 2FA set up, WordPress sites fall victim of brute force attacks. WordPress plugins help users extend WordPress functionality without source coding.
In this case, WordFence – one of the best plugins for WordPress security, includes the option of Two Factor Authentication (2FA).
Let’s learn how to use WordFence for 2FA configuration in WordPress.
The first step is installing and activating WordFence in the WordPress dashboard using the Plugins -> Add New page.
Once installed, the WordFence -> Login Security page helps you configure 2FA on WordPress login.
Proceed and scan the QR code on the screen with the Google Authenticator app – install the app if you haven’t already.
Google Authenticator shows a code once the QR code has been scanned successfully. Next, enter the code on the PC screen and click Activate.
To this line – you’ve successfully configured 2FA on WordPress login. You can also download login code backups from WordFence, in case you need them.
In WordFence settings for 2FA, you can turn 2FA on for various users – such as editors, authors, and contributors.
The next time you log into WordPress dashboard, you can see WordFence asking for a 2FA code from Google Authenticator. You can also enter a backup code if you can’t access Google Authenticator.
Note: Two Factor Authenticator (2FA) helps WordPress users protect login systems from brute force attacks. In WordFence, you can also block specific usernames, IP addresses, or computers from using your site’s login page.
Related Reading: Learn how to maintain a WordPress website
Hiding WordPress login page with plugins
If a login page is not visible, chances of launching brute force attacks in WordPress become slim.
Fortunately, WordPress plugins help users hide login pages – no coding is required.
Proceed and install WPS Hide Login on Plugins -> Add New page in WordPress dashboard. Once installed and activated, the Settings -> WPS Hide Login page helps you rename your site’s login URL.
Here, you can enter a custom login URL and a redirection path. Once configured, the address you entered in the custom login URL field is the WordPress login page, while – the Redirection URL is the page non-logged-in users see when they try to access WordPress’ default login page – wp-login.php or wp-admin directory.
Note: Changing the custom login URL keeps attackers stay away from brute force attacks. In this case, WordFence sends periodic emails of failed login attempts on WordPress login portals – pay attention.
Limit Login attempts
Once you’ve installed WordFence, you can also limit login attempts on WordPress login.
Once a user enters the wrong credentials in a row, WordFence blocks the user for a specific duration of time. In WordFence settings, you can set measures to limit login attempts, along with how long WordFence should keep culprit users locked out of WordPress.
Using Captcha with a WordPress plugin helps you prevent attacking Bots on WordPress forms – where hackers may find exploitatable loopholes with brute force attacks.
To get started – install and activate the Invisible reCAPTCHA plugin in WordPress dashboard.
After you’ve installed the plugin, you need to set additional measures – too. Proceed and log into your Google account.
The Invisible reCAPTCHA plugin requires site registration with Google. Make sure – you’ve filled in this form for registration.
Next – collect Site and Secret Keys after entering the required information. Now, you need to enter secret keys in the plugin’s settings.
Once finished, you can set where WordPress should display invisible Captcha on your website.
WordPress Dashboard Tweaks
Install Updates on Time
In WordPress, user management and updates help protect from Brute Force attacks.
If WordPress core, Themes, and Plugins are not updated, outdated assets may open doors for brute force attacks. For example, outdated versions of PFsense carry loopholes that cause attackers to bypass protection from brute force attacks on a WordPress site.
This is why – updating WordPress assets on time is priority for WordPress security. You can also turn the Automated Updates feature on for WordPress plugins – as shown in the screenshot below.
WordPress has various user roles. In this case, improper user roles open doors for brute force attacks in WordPress.
For example, if you allow random people – weak passwords might help attackers gain control, as people don’t implement measures for strong passwords.
In this case, when creating new users on WordPress – don’t allow users create common passwords. Instead, leave WordPress default passwords for new users.
Also – if possible, set WordFence’s 2FA for new users on WordPress, such as authors, editors, and contributors.
WordPress support services
Introduction to WordPress Support Services
WordPress support services help users maintain, fix, and improve WordPress performance. Of course, WordPress support plans include the one-time fix, live sessions, or monthly plans for WordPress site owners.
How do WordPress support services help?
Here is a list of services, support services offer for WordPress sites.
Security – WordPress security services are helpful if you lack manual expertise in WordPress backend, security precautions, and best practices. You can protect your site for a small fee from brute force attacks in WordPress, spam comments, DDoS attacks, and random vulnerability exploitation. In this case, don’t forget to check our services for WordPress security.
Automated Backups – helping users restore WordPress sites if something goes wrong.
Dedicated Support – includes live sessions, support on call, or on-site services for locals; dedicated plans help users with WordPress emergencies.
Performance Improvements – With performance-based support plans, users can improve site speed, conversions, and uptime monitoring.
Search Engine Optimization (SEO) – one of the best support services, SEO plans help clients secure rankings on search engines – helping them drive traffic with organic reach.
Examples of Support Services for WordPress
WP Supporters – WP Supporters has been serving clients for four years now, helping them achieve more with automated backups, WordPress updates, Support services, and SEO rankings. See how WP Supporters help clients improve WordPress performance. WP Supporters is explicitly focusing on brute force protection for WordPress users.
WP Tech Support – another candidate for WordPress support services, helping you perform WordPress maintenance, improve performance, and secure rankings on search pages.
WP Helper – pioneered WordPress support services, providing backups, performance improvements, and dedicated support for those lacking WordPress expertise.
Maintenancer – provides a suite of WordPress tools and services, including web hosting, support services, backups, and maintenance plans.
Web guy – helps clients perform daily malware scans for WordPress, backups, and uptime monitoring with personalized support.
Web Server protection
Disable Directory Browsing
By default, web servers may list a directory’s content to random users. While such scenarios don’t affect brute force protection, exposure of sensitive files may pose security concerns.
For example, the web server’s version information is displayed on directory pages. In this case – an attacker can confirm and exploit if a vector is available for loopholes in the web server’s version.
Disabling directory browsing is simple and doesn’t ask for technical expertise. However, you must log in to Hosting -> cPanel -> File Manager. Inside the Root directory in File Manager, you can look for the directory where you want to limit showing directory content.
To get started – create an empty index.php or index.html file inside the directory. That’s all.
From now on, when browsing the directory, no content is shown to public viewers.
Disable PHP File Execution
Certain PHP files can cause brute force attacks in WordPress sites – mainly if a file deals with user inputs.
For example, XML-RPC in WordPress helps users communicate data remotely with a WordPress site, such as posting content. If such routines are not correctly maintained, attackers can exploit XML-RPC for malicious intents, using brute force login attempts.
Similarly – poorly designed scripts can make WordPress vulnerable to upload loopholes. When this happens, attackers can upload random PHP files to a site. If, for example, PHP file execution hasn’t been stopped, arbitrary files may grant attackers WordPress access.
XML-RPC in WordPress
As described earlier, XML-RPC provides remote authentication to WordPress users. In this case, XML-RPC handles data transmission on a WordPress site.
XML-RPC opens doors for brute force attacks in WordPress. If your schedules don’t include using XML-RPC, you can disable XML-RPC remote access with a WordPress plugin, such as Disable XML-RPC.
Access Rules in Htaccess File
In Apache Web Server, the htaccess file handles access levels for directories. For example – if you want to block users from accessing specific directories, the htaccess file helps you configure proper access levels.
You can also use the htaccess file for protection when hardening a site from Brute Force attacks.
In this case, you can allow specific IPs to access your site’s login page. A system with an htaccess file will deny users not listed in the safe list IPs of the htaccess file.
Here is the code to set access levels for specific IPs.
order deny, allow
allow from IP1
allow from IP2
deny from all
Web hosting plans provide background Firewall protection for users and help you protect your WordPress site from Brute Force attacks.
For example, CloudFlare is a CDN service – that usually helps users deliver content fast across the globe. Its premium and free plans include Firewall protection against brute force attacks in WordPress.
For more information on how to use CloudFlare to protect your site from brute force attacks – read this detailed tutorial.
Web-based security services like Imperva Firewall help users protect systems against brute force attacks. Such services fall under Web Application Firewalls.
WordPress users can monitor their sites’ traffic with web application firewalls. The traffic is monitored, checked, and challenged against the firewall rules – helping users understand and block – if traffic is coming from suspicious IPs.
Of course, Imperva and other web application firewalls cost on a monthly basis – and are recommended only if acquiring a Firewall is undeniable for your business.
Plan a Restoration
Although backups don’t help users avoid brute force attacks in WordPress, site restoration from backups helps you stay on track when something goes wrong.
For example – you can restore your site from a valid, recent backup – if attackers gain access and cause corruption in the site’s content.
In WordPress, use the Up Draft Plus plugin for backups, restoration, and management of ZIP packages.
Before an attack strikes, you can scan your site for potential loopholes. To get started, Google Dorks, Sucuri, and WordPress Scanners help you scan your site for loopholes, mis-configurations, and sensitive files.
In this regard – premium plans of web-based scanners help you even more, protect your site from dictionary attacks, provide signature-based protection, and keep your system with updated packages against brute force attacks.
So – how to prevent brute force attacks?
In this article – you’ve learned about WordPress brute force attacks. For WordPress users, protection from brute force attacks is not rocket science.
Installing WordFence for configuring 2FA helps users block brute force attacks on WordPress login pages. In the same manner, you can also hide WordPress logins with the WPS Hide Login plugin.
Hiding the login page and 2FA together – help most users play well regarding brute force attacks in WordPress. However, if looking into server log details makes sense, go for more information on attacking IPs.
Last, we recommend WordPress security services – if you don’t prefer dealing with brute force attacks manually. Head over to contact us for more information on how we can help.
Frequently Asked Questions (FAQs)
What are brute force attacks in WordPress?
As its name suggests – Brute Force attacks are backed by aggressive repetition of trying login combinations – in order to find and gain access with a valid credential.
Brute Force attacks target WordPress’ login page with possible combinations of credentials. Automation tools perform the whole process. When a valid combination of credentials is found, attackers can log into a victim site’s WordPress dashboard.
Do brute force attacks in WordPress still work?
To find whether or not a brute force attack will work – see if the target infrastructure is equipped with proper precautions, such as 2FA, hidden login page, and firewall implementation.
Brute Force attacks are effective on sites with weak credentials. For example, if a WordPress site is running with common passwords, attackers can guess password combinations with brute force attacks – dictionary procedures.
Can WordPress be brute-forced?
Yes. Brute Force attacks target WordPress’ login page – referring to force login WordPress. The WordPress login page is tested with password combinations using dictionary procedures for Brute Force attacks. If found a valid combination, an attacker can log into WordPress dashboard.
WordPress sites with public login pages are more vulnerable to brute force attacks. For example – if a WordPress login page is accessible at /wp-login.php, the site is vulnerable to brute force attacks.
How common are brute force attacks on WordPress?
Brute Force attacks on WordPress are common. Hence, launching brute force attacks on WordPress needs no expertise but a script for automation – attackers with little knowledge, also called script kiddies, can launch brute force attacks on WordPress. According to WordPress hacking stats on Cminds, weak passwords cause more than 8% of WordPress sites to be hacked.
If you’ve installed WordFence, you can see if your site is getting brute force traffic. In this case, WordFence lists attacking agents on WordFence -> Tools page in WordPress dashboard.
Can you brute force WordPress login?
Attackers brute-force WordPress login with brute force tools applicable for WordPress login. Such tools help intruders automate launching brute force attacks on WordPress logins.
First, attackers find WordPress login URL, followed by setting up brute forcing infrastructure to launch an attack.
Why is my WordPress site being attacked?
If you’re getting too many Brute Force attacks on WordPress, chances are – your WordPress login page is accessible at the default URL. As described above, you can hide WordPress login page with WordPress plugins, such as WPS Hide Login.
There are lots of attack vectors against WordPress sites. To find if a site is being attacked with brute force vectors, you’ll need to see various aspects, such as server log details, WordFence logs, and assistance from Hosting representatives.
How do I protect my WordPress site from Brute Force attacks?
You can protect your site with Two Factor Authentication (2FA) and by hiding your WordPress login page. To get started, install and activate WordFence plugin for WordPress 2FA configuration. In the same manner, use the WPS Hide Login to hide the WordPress login page from attackers.
Once you’ve secured your site with proper infrastructure, ensure you periodically assess the site’s traffic – helping you stop brute force attacks on time.
Why are WordPress sites not secure?
The WordPress core is secured with periodic updates. However, if a WordPress site is not maintained correctly – outdated themes, plugins, and 3rd party integrations may pose security risks.
The more a site’s owner knows security precautions, the more a WordPress site can beat attacking agents, such as Brute Forcing Bots.
How safe is a website on WordPress?
WordPress as a CMS is a safe platform for content publishers. In this case, WordPress contributors are improving core files – making WordPress more secure, robust, and supportive with 3rd party integrations.
However, WordPress security is more about users, awareness, and technical expertise of safe procedures. As described above, a site owner overlooking security precautions could lead to catastrophic disasters for a WordPress-based site. By experience, we can say – un-attended sites are more vulnerable to brute force attacks, security loopholes, and DDoS attacks.
Is WordPress the most hacked CMS?
WordPress is a wildly used CMS on the Internet. Its sheer popularity makes it a target for attackers.
WordPress core, by default, has no loopholes. As defined earlier, the way site owners manage WordPress security weighs importance. Simply put, the more you take WordPress security seriously, the more you make it more secure.