How to Protect WordPress from Brute Force Attacks

Today I want to help you bolster your website’s security against the most common type of security breach: brute force attacks.

The logic behind brute force attacks is simple: if I guess your username and password enough times, eventually I’ll get them right.

Of course, brute force attacks aren’t performed by individuals; they’re performed by bots — bots capable of trying thousands of combinations every minute.

Now, there are four things needed for a brute force attack to succeed:

  • Your username
  • Your password
  • Your login page
  • The freedom to try thousands of different username/password combinations without restriction

Even securing just one of these four areas will make your website far more secure. However, if you can shore up all four areas, there’s very little chance a brute force attack will be successful.

Here are three tips for protecting WordPress against brute force attacks.

1. Secure Login Credentials

Are you familiar with the infinite monkey theorem? It theorizes that monkeys hitting a typewriter randomly could reproduce the complete works of Shakespeare, if given enough time.

There are actually many similarities between this hypothetical theorem and brute force attacks.

The problem? Bots are far more sophisticated than monkeys, and it’s far easier to guess two words at random than it is an entire Shakespearean play.

If given enough time, every username and password can be cracked. Of course, some username and password combos are more vulnerable than others.

Take the most common username, admin, and the most common password, password. How long do you think it will take even the most basic of bots to crack that combination?

The more complex your login credentials are, the more difficult it is for them to be “cracked.”

Two tips:

  • Never, ever, ever use Admin as your username
  • Use a long combination of uppercase, lowercase, numbers, and special symbols when choosing your password — the free Strong Password Generator service can help with this. More details on setting up a strong password here.

2. Move the Login Page

Let me ask you something: how difficult is it for someone to find your login page?

When you use the default login extension — — you make it far easier for the bots to find the login page they want to attack.

Without access to your login page, brute force attacks can’t succeed.

Protect your login page from brute force attacks by moving your wp-admin page to a more secure URL — you can do this using the free HC Custom WP-Admin URL plugin.

3. Limit Login Attempts

If a bot had only two or three attempts at your username and password, how likely is it to succeed?

Just working on the basis of there being 26 letters and 10 numbers (36 characters), there are 2.8 trillion potential combinations in an 8-character password. Include an extra 26 uppercase characters (62 characters total) and there are 218 trillion 8-character combinations. And that’s before we even consider the likelihood of getting your username right, too.

With odds like that, a brute force attack can only succeed if given a lot of time.

By installing the free Login Lockdown plugin on your website, you can restrict the number of login attempts from a single IP address. With a seriously restricted number of attempts, bots will need a lot of luck to guess your login credentials correctly.
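To put numbers on that, here is a small per-IP lockout written for this article as an added example. It is not Login Lockdown's code, and the thresholds (3 failures in 5 minutes, 1-hour lockout), the class and function names, and the sample IP address are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Lock an IP for lockout_s after max_failures failed logins within window_s."""

    def __init__(self, max_failures=3, window_s=300, lockout_s=3600):  # assumed values
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time the lock expires

    def attempt(self, ip, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time `now` (seconds)."""
        if self._locked_until.get(ip, 0) > now:
            return "locked"                   # rejected before the password is even checked
        if password_ok:
            self._failures.pop(ip, None)
            return "ok"
        recent = self._failures[ip]
        recent.append(now)
        while recent[0] <= now - self.window_s:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_s
            recent.clear()
        return "failed"

def guesses_checked(throttle, ip, guesses, interval_s=1.0):
    """Replay `guesses` wrong passwords, one every interval_s; count those actually checked."""
    return sum(throttle.attempt(ip, False, i * interval_s) == "failed" for i in range(guesses))

def keyspace(alphabet_size, length):
    return alphabet_size ** length

def years_to_exhaust(space, guesses_per_hour):
    return space / guesses_per_hour / (24 * 365)

if __name__ == "__main__":
    ip = "203.0.113.7"                        # constructed address (documentation range)
    checked = guesses_checked(LoginThrottle(), ip, guesses=7200)   # two hours at 1 guess/s
    print(f"guesses that reached the password check: {checked} of 7200")
    for size in (36, 62):
        space = keyspace(size, 8)
        print(f"{size}^8 = {space:,}; at {checked / 2:.0f} guesses/hour: "
              f"{years_to_exhaust(space, checked / 2):,.0f} years to try them all")
```

The counter is keyed on the source address alone, so it limits each address separately; the strong credentials from tip 1 still matter when guesses arrive from many addresses.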

Final Thoughts

Brute force attacks are the most dangerous security threat to WordPress users.

Fortunately, just a few simple steps can protect a WordPress website from the vast majority of brute force attacks. The three tips outlined in today’s article are all free to implement, and should take no more than a few minutes each — so there are no excuses!

Do you have any tips for protecting a website from brute force attacks? Share them in the comments below!

Featured image courtesy of Charles Dyer.


  1. Thanks for your article. I think there’re some other solutions to prevent brute force attacks that can be added to the post such as protecting the admin directory or installing a firewall plugin.