Wondering how to secure and protect your WordPress website from brute force attacks, malware, and hacks?
In this article, I will show you what I do in real life to protect my websites and our client websites from brute force attacks.
Through the years I have been hired to help get several websites back online after attacks, I have also had the privilege of working with a diverse number of clients using WordPress, from Universities to government institutions, and in that time, none of the websites in our custody have had successful hacks.
WordPress is a popular content management system, and that popularity attracts the interest of hackers.
In 2018 alone, according to Sucuri, one of the leading security companies in the world, WordPress websites accounted for over 90% of the hacked sites, compared with other content management systems.
One could easily say WordPress is the issue, but far from it: the reality is that WordPress is a very powerful content management system, powering over 32% of websites on the internet today.
What makes most websites victims of hackers is the lax security practices of their owners.
Before we get deeper into this, it is good to understand what brute-force attacks are; then we can consider how to protect any WordPress site from them.
What Are Brute Force Attacks?
A brute force attack is an attempt by a hacker to guess passwords of protected areas of a website.
Hackers deploy sophisticated tools with a lot of processing power to try to crack thousands of possible passwords in a single go.
When successful, a hacker can cause all sorts of damage, from totally wiping out or defacing a website, to stealing sensitive information like credit card and personal details, to installing malware on the website.
How to Protect a WordPress Website from a Brute Force Attack?
I believe the first and most important thing any website admin should do to protect their website is to face the reality that their website is of interest to hackers.
When you are aware of that, you will do whatever is required to protect your websites.
1. Employ a regular backup for your website
The reality is that if a hacker is motivated enough, they will never give your website a break.
In the unfortunate event that a hack is successful, you will want to get your website back up fast.
The only way you can do that is if you have a clean backup from which you can restore your website.
There are several backup solutions out there, but I recommend you try out the WPvivid cloud backup solution.
With it you can back up or restore your entire website, both the files and the database, to all the major cloud storage platforms, including Microsoft OneDrive, DigitalOcean Spaces, Dropbox, Google Drive, SFTP and FTP.
2. Update your WordPress core files and plugins
WordPress and all plugin developers often release security updates for their software.
I do not think of these updates as suggestions to be considered; they are required.
Most of these releases cover the latest threats and provide patches for weaknesses and bugs identified in the software.
If you want to protect your WordPress website from brute force attacks, make sure your website and all of its plugins are updated.
If you are not using some plugins or themes, then disable them altogether.
3. Use strong and hard to guess passwords
Brute force attacks are all about guessing passwords.
For that reason, use strong passwords.
Create a strong password policy for all users on your website that uses a combination of characters, numbers, and symbols that would be hard to guess.
In the same vein, frequently change passwords.
4. Rename or change all the default WordPress settings
Change the settings that hackers are interested in, or that let them easily identify your website as a WordPress site.
Here are some default items you should consider changing:
- The default admin name: do not use admin, administrator, or your domain name as the username of your account.
- Hide the backend of your WordPress website.
By default, every WordPress website uses wp-admin as its admin slug; change this.
While at it, change all the other important file names that hackers will often target.
- If you do not need 24-hour access to your admin area, you could also consider enabling it at only the times you know you will need access to it.
You are probably wondering how you can do all this manually. It is possible, but several WordPress plugins can help you achieve all of it.
From the days it was called Better WordPress Security – I have installed and used iThemes security on every new WordPress installation.
With it, you can perform all the tasks I mention here and more.
I also use Defender Pro by WPMU DEV, on many client websites.
Either of these plugins will deploy a firewall that is powerful and robust enough to protect against brute force attacks.
5. Limit the login attempts on a website
In principle, if a hacker had all the time they needed, they could try every key combination on a keyboard and eventually they would get in.
To protect your website from this, you can configure it to ban or lock out IP addresses that try to access your website after a certain number of failed login attempts.
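As an added example (not code from this article or from the plugins it names), here is a minimal must-use plugin that implements this lockout with WordPress's own hooks and transients. The threshold, the lockout window, and the elal_ names are my assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example (not from the article): locks out an IP after
 *              too many failed logins, using WordPress transients.
 */

// Assumed policy: 5 failures within 15 minutes triggers a 15-minute lockout.
const ELAL_MAX_ATTEMPTS = 5;
const ELAL_WINDOW_SECS  = 15 * MINUTE_IN_SECONDS;

// One transient key per client IP. REMOTE_ADDR is only the real client when
// WordPress is not behind a proxy/CDN; otherwise map the trusted header here.
function elal_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'elal_fail_' . md5( $ip );
}

// Count each failed login; the counter expires on its own after the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = elal_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, ELAL_WINDOW_SECS );
    if ( $count >= ELAL_MAX_ATTEMPTS ) {
        // Leave a trail for the server logs: repeated lockouts are worth alerting on.
        error_log( sprintf( 'elal: lockout for %s after %d failures (user "%s")',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count, sanitize_user( $username ) ) );
    }
} );

// Refuse authentication while locked out. Priority 30 runs after WordPress's own
// username/password and email/password checks (priority 20); an error returned
// earlier than that would be overwritten by those checks.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( elal_key() ) >= ELAL_MAX_ATTEMPTS ) {
        return new WP_Error( 'elal_locked_out',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( elal_key() );
} );
```

Because both wp-login.php and XML-RPC go through wp_authenticate(), the counter covers both entry points. A per-IP lockout does not stop guessing spread across many addresses, which is why strong passwords and a firewall plugin remain necessary alongside it.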
Do not let your website be the low-hanging fruit that attracts hackers.
Good practice with the help of security plugins is all you need to protect your WordPress website from brute force hacks.
It takes less than 2 minutes to install and deploy a firewall or security plugin, but trust me, it will save you from untold nightmares.
Talking of nightmares, develop a discipline of regularly backing up your website.
A secure backup is like an insurance policy against any eventualities that may happen.
You never intend to use it, but you get it anyway because life is full of surprises. You would rather have a backup and never use it, than be sorry later when you need it and don’t have one.