Blocking brute force attacks against WordPress closes off one of the most common ways an unauthorized user gets in, which makes it very important for security. The objective of this article is to learn how to avoid brute force attacks on WordPress. So let's get to it.
When we talk about security in WordPress, the first thing that comes to mind is access to the WordPress administration panel (wp-admin). If this access is not properly protected, it can be a gateway for malicious users. One way in is simply to make login attempts over and over until the username and password are guessed: this is what is called a brute force attack on WordPress. To defend against it, we can use a plugin that limits and blocks these attempts.
Avoiding brute force attacks using plugins
The plugin we are going to talk about is iThemes Security (formerly called Better WP Security; the name has since changed). Among other things, this plugin can move the wp-admin login URL to a path that only we know. Keep in mind that hiding the login URL only stops attackers who do not know the new path; it is a layer of obscurity, not a substitute for limiting login attempts.
To deal with these attacks more directly there are also other plugins, such as Brute Force Login Protection, which offers the following features that together form a defense against a brute force attack:
- Limit the number of login attempts allowed using the normal login form
- Limit the number of login attempts allowed through auth cookies
- Manually block/unblock IP addresses
- Manually whitelist trusted IP addresses
- Delay execution after a failed login attempt (to slow down the brute force attack)
- Option to show the user the remaining attempts on the login page
- Option to email the administrator when an IP has been blocked
- Custom message to show blocked users
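As an added, illustrative example (not the article's own code and not the code of any of the plugins named above), the following must-use plugin implements the core of that feature list with standard WordPress hooks: it counts failures per IP in a transient, delays after each failure, refuses logins once the limit is hit, shows the remaining attempts, whitelists trusted IPs and emails the administrator on lockout. The limits, the trusted address 203.0.113.10 and the `bfx_` prefix are assumptions chosen for the example, not settings from any real plugin.

```php
<?php
/*
 * Plugin Name: Example login throttle
 * Illustrative mu-plugin, not the code of iThemes Security or Brute Force Login Protection.
 * Assumptions (chosen for the example): the limits below are hard-coded constants;
 * the real plugins expose them as settings in the admin panel.
 */

const BFX_MAX_ATTEMPTS   = 5;                       // failed logins allowed per IP before lockout
const BFX_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;  // lifetime of the counter and the lockout
const BFX_DELAY_SECONDS  = 2;                       // pause after each failure to slow automated guessing
const BFX_TRUSTED_IPS    = ['203.0.113.10'];        // documentation-range address, never locked out (assumption)

function bfx_client_ip() {
    // REMOTE_ADDR is the only address the web server itself vouches for.
    // Do not trust X-Forwarded-For unless a reverse proxy you control sets it;
    // otherwise an attacker can spoof it and rotate out of every lockout.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function bfx_key($ip) {
    // Transient names have a length limit; hashing keeps the key short and safe for any IP format.
    return 'bfx_' . md5($ip);
}

// Count failures. wp_login_failed fires for every rejected attempt (unknown user or wrong password).
add_action('wp_login_failed', function ($username) {
    $ip = bfx_client_ip();
    if (in_array($ip, BFX_TRUSTED_IPS, true)) {
        return;
    }
    $fails = (int) get_transient(bfx_key($ip)) + 1;
    set_transient(bfx_key($ip), $fails, BFX_WINDOW_SECONDS);
    sleep(BFX_DELAY_SECONDS); // tarpit: each guess now costs the attacker wall-clock time

    if ($fails === BFX_MAX_ATTEMPTS) {
        // Notify the administrator the first time the threshold is reached.
        wp_mail(
            get_option('admin_email'),
            'WordPress login lockout',
            sprintf('IP %s locked out after %d failed logins (last username tried: %s)',
                    $ip, $fails, $username)
        );
    }
});

// Refuse authentication while the IP is locked out, even if the password is correct.
// Priority 100 runs after the core password check (priority 20), so the WP_Error
// returned here overrides a successful result instead of being overwritten by it.
add_filter('authenticate', function ($user, $username, $password) {
    $ip = bfx_client_ip();
    if (in_array($ip, BFX_TRUSTED_IPS, true)) {
        return $user;
    }
    $fails = (int) get_transient(bfx_key($ip));
    if ($fails >= BFX_MAX_ATTEMPTS) {
        // Custom message shown to blocked users.
        return new WP_Error('bfx_locked',
            __('Too many failed login attempts from your address. Try again later.'));
    }
    return $user;
}, 100, 3);

// Tell the user how many attempts remain on the login page.
add_filter('login_errors', function ($message) {
    $fails = (int) get_transient(bfx_key(bfx_client_ip()));
    if ($fails > 0 && $fails < BFX_MAX_ATTEMPTS) {
        $message .= sprintf(' %d attempt(s) remaining before lockout.', BFX_MAX_ATTEMPTS - $fails);
    }
    return $message;
});

// A successful login clears the counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(bfx_key(bfx_client_ip()));
}, 10, 2);
```

Save it as wp-content/mu-plugins/bfx-login-throttle.php so it loads without activation. Two caveats a practitioner should keep in mind: the counter keys on REMOTE_ADDR, so behind Cloudflare or another reverse proxy the web server must restore the real client IP first, or every visitor shares the proxy's address and one lockout blocks everyone; and because attackers rotate through many IPs, per-IP limits slow an attack rather than stop it, which is why a strong password and no "admin" user remain necessary.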
There are other plugins that offer this and related functions, such as:
- Brute Force Login Security, Spam Protection & Limit Login Attempts
- WP Limit Login Attempts
So there is no longer any excuse for being hacked by brute force.
Other measures to keep avoiding brute force attacks in WordPress
- Remove the administrator user named admin. Choose any other name, but never use the admin username, and much less the password admin: the default name hands an attacker half of the credential for free, leaving only the password to guess.
- Our login password must be a strong password, or we can use a plugin that enforces this, for instance by requiring the email address as the username.
- Follow the recommendations we give in our article on WordPress security.
Some people still think that WordPress is not vulnerable, or that their site is of no interest to anyone who might try to hack it. Nothing could be further from the truth: just look at the WordPress vulnerability report, which currently lists 271 registered vulnerabilities.
Currently the attack that has become fashionable is to use compromised websites to mine cryptocurrency (cryptojacking), so if you could not think of a reason in 2018 why anyone would target your site, there you have the first one.
If we want to avoid the consequences of brute force attacks in WordPress, one very responsible practice, which goes beyond what was mentioned above, is to have the means to restore the website to its normal state. The first question to ask is whether we have a backup system, that is, whether we are making copies of our website files, database and so on. This is essential when we have not been able to prevent a security incident and have to return to a known-good state from before the attack; if no such backup exists, we have an added problem.
So we recommend using a plugin that makes backup copies of the website and, of course, of the database. Keep those copies somewhere other than the web server itself, since an attacker who gets in can delete backups stored alongside the site, and test that a restore actually works before you need it. Essential!