If you have looked into website security or had a website for a while, you may have heard of, or even been the victim of, a brute force attack. Simply put, a brute force attack is when a human or, more commonly, a bot attempts to gain access to the WordPress admin area by guessing your username and password. Usually the attacker already knows (or thinks they know) the username and then repeatedly attempts to log in to that user's account through the wp-login.php page by guessing the password.
Why Should I Worry About This?
There are two main reasons you should worry about this. The first is the obvious one: if they guess your password and gain access to your site's admin area they can do all sorts of things, and you can end up with a site full of malware and viruses, which is not only extremely difficult to resolve but will also affect your business while the problem is being dealt with.
The second problem is a bit more technical: repeated login requests mean your server takes a bit of a hammering, and depending on the size of the attack they can potentially take your site down completely!
What You Can Do
If you are worried about a brute force attack happening on your website there are a few things you can do.
- The easiest thing you can do is make sure your username and password cannot be easily guessed. Avoid the default admin username and try to use something that is not too obvious, and also change your password so it is secure and includes upper and lower case letters as well as special characters.
- Change the default login page from wp-login.php to something else. This adds another layer of security against the attack, as in addition to guessing your username and password they also need to guess your login URL. A simple plugin that you can install to do this is WPS Hide Login.
- Limit access to the login page to specific IP addresses. This works well if you are the only user and primarily login to your website from one or two locations where the IP address is fixed.
- Password protecting your login page also adds another layer of security.
The options you implement will depend on how your site is used. For example, limiting the login page to specific IP addresses can work well if you are the only one who logs in to the site, but it will not be a good option if you have various team members or subscribers who will need to log in. WordPress have gone into more detail about points three and four, which you can read about here, but implementing either the IP address restriction or the password protection requires some technical knowledge and should not be attempted if you are unsure what you are doing, or you may cause damage to your website.
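As an added illustration of points three and four (not a snippet from the WordPress documentation or from this site), here is what the two restrictions look like in an Apache 2.4 .htaccess file at the root of a WordPress install. The IP addresses are placeholders from the documentation ranges, and the .htpasswd path is an assumed location outside the web root.

```apache
# Added example: restrict wp-login.php to known addresses AND require a
# second password before WordPress even sees the login form.
# Only wp-login.php is matched, so front-end visitors are unaffected.
<Files "wp-login.php">
    # Placeholder addresses (RFC 5737 documentation ranges):
    # one fixed home/office IP and one small office range.
    # Apache 2.4 syntax; on Apache 2.2 use Order/Deny/Allow instead.
    <RequireAll>
        <RequireAny>
            Require ip 203.0.113.10
            Require ip 198.51.100.0/24
        </RequireAny>

        # HTTP Basic auth in front of the WordPress login (point four).
        # Create the file with: htpasswd -c /etc/apache2/.htpasswd-wp-login <user>
        # (assumed path; keep it outside the document root so it cannot be downloaded)
        AuthType Basic
        AuthName "Restricted login"
        AuthUserFile /etc/apache2/.htpasswd-wp-login
        Require valid-user
    </RequireAll>
</Files>
```

Test the file from one of the allowed addresses before logging out of WordPress, because a syntax error in .htaccess returns a 500 error for the whole site, and a wrong IP list locks you out of the login page entirely.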
The Best Solution
Although the solutions above will help prevent the brute force attack from succeeding, they still don't prevent unwanted usage of CPU and memory on your server, because every guess still reaches it. There is, however, another option that would alleviate this problem, and that is CloudFlare. By routing your website through CloudFlare, brute force attacks can potentially be stopped before they even reach your server. This article goes into the specifics of how you can prevent a brute force attack on your WordPress website using CloudFlare's page rules, but again you will need some technical knowledge to do this, so you may want to contact a professional to set it up for you.