How to Protect Your WordPress Blog from Brute Force Attacks

Preventing WordPress Brute Force Attacks

A brute force attack is a strategy used to break an authentication system by trying all possibilities. For instance, breaking into a WordPress blog involves multiple authentication attempts with various passwords. In order to try as many passwords as possible, the brute force attack is issued by a remote server running a brute force script.

Fortunately there are multiple ways to protect your WordPress blog from brute force attacks.

Use a Strong Password

You’ve probably heard this a thousand times: use a strong password! Do not use your kid’s name, your dog’s name or anything that’s easily guessable. When choosing a password, make use of lowercase and uppercase letters. Insert some numbers and symbols and use at least 8 characters (12 is even better).

WordPress has a built-in function that evaluates a password’s strength. Make sure the password you chose is considered strong enough by WordPress. There are some free, good random password generators out there. Use them if you can’t think of a good password. Here are some of them:

Changing the Default Administrator Account

One of WordPress’ weaknesses when it comes to brute force attacks is the administrator account. By default, the administrator username is always “admin” and can’t be changed from within WordPress (at least not without the help of special plugins). This makes it easier for brute force scripts to break in, since they only have to guess the password.

In order to change the administrator username, you can simply use phpMyAdmin to connect to your blog’s database and edit this value manually:

  1. Open phpMyAdmin using your web browser. Most of the time, you can find a link to phpMyAdmin from your web hosting control panel (cPanel, Plesk, vDeck, etc.)
  2. Select your blog’s database from the left column.
  3. Select the wp_users table on the left.
  4. Click the Browse tab at the top of the page.
  5. The admin user account is usually the first record from wp_users table. Click the pencil icon next to it to edit this entry.
  6. Change the user_login value to something else. Again, make this harder to guess by using numbers and special characters.
Changing WordPress Admin Account Username

Of course, sensitive information has been blurred out from the screenshot above for obvious reasons.

Restrict the Rate at which Failed Logins can be Re-Attempted

One of my favorite WordPress security plugins is Login LockDown. This plugin detects failed login attempts and blocks access from the attacker’s IP address for a given time period.

I won’t go into details on how to install WordPress plugins, but basically here’s how it goes:

  1. Download the Login LockDown plugin to your PC.
  2. Extract the content from the archive to a temporary folder.
  3. Using your favorite FTP client, upload the content from the archive to /your-website/wp-content/plugins
  4. From the WordPress Dashboard, go to Plugins and enable Login LockDown.

There are a handful of configuration parameters that can be set such as the maximum number of attempts before locking the remote IP address, the lockout length, etc.
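To make the lockout behaviour concrete, here is an added example (not code from the Login LockDown plugin) of the logic such a plugin applies: count failed logins per IP address inside a time window and refuse further attempts from that address for a lockout period. The settings (3 attempts, 5-minute window, 1-hour lockout), the IP addresses and the event list are constructed for illustration.

```python
from collections import defaultdict, deque

class LoginRateLimiter:
    """Locks out an IP after too many failed logins inside a time window."""
    def __init__(self, max_attempts=3, window_seconds=300, lockout_seconds=3600):
        # Assumed settings: 3 failures within 5 minutes -> 1 hour lockout.
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def attempt(self, ip, credentials_ok, now):
        """Process one login attempt; returns 'locked', 'success' or 'failed'."""
        until = self.locked_until.get(ip)
        if until is not None:
            if now < until:
                return "locked"          # still locked out: credentials are not even checked
            del self.locked_until[ip]    # lockout has expired
        if credentials_ok:
            self.failures.pop(ip, None)  # a real login clears the failure history
            return "success"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()             # forget failures outside the window
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"

# Constructed sample events: (seconds since start, client IP, password correct?)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False),      # attacker: three quick wrong passwords
    (5, "198.51.100.5", False),     # legitimate user: a typo
    (10, "203.0.113.7", False),
    (20, "203.0.113.7", False),     # third failure triggers the lockout
    (30, "203.0.113.7", True),      # even a correct password is refused while locked
    (400, "198.51.100.5", False),   # second typo, but the first one fell out of the window
    (410, "198.51.100.5", True),    # legitimate user logs in normally
    (3700, "203.0.113.7", True),    # lockout expired (20 + 3600 s), login allowed again
]

def replay(events, limiter=None):
    """Feed events through the limiter and return the decision for each one."""
    limiter = limiter or LoginRateLimiter()
    return [limiter.attempt(ip, ok, t) for t, ip, ok in events]
```

Calling `replay(SAMPLE_EVENTS)` shows the attacker locked out after the third failure while the legitimate user, whose failures are spread out, is never blocked.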

External Links
