6 Practices To Harden WordPress Security Against Brute Force Attacks
As we know, WordPress is one of the most popular platforms especially for blogging business and website. Just like any other content management system, WordPress is not that reputable when it comes to harnessing security. The reason is simple: Either the WordPress website owners lack technical specification to manage and control the security aspects of the website or the people don't care enough to harden the security. Currently, WordPress is under the brute force attack through a large botnet. The brute force attack is targeted on the front-end part of WordPress website via default WordPress login. But, before you deep dive into its prevention and security aspects, let me explain to you what actually botnet is and how it operates.
All of the D5 Creation Themes are WordPress Standard and Approved. So, you can use those themes for a Secure WP Site.
What Actually Is Botnet Attack?
Generally, a hacker first hacks a large number of a computer system located in various geographical location and then makes use of this compromised system to perform illegal activities like spamming, email spam, service attack, Brute-force attack and much more. One of the biggest problems with a botnet or brute force attack is, it's quite harsh to block the spammers access through IP blocking as hackers do have access to different IP range.
How To Prevent WordPress Brute Force Attack?
As per the latest information, the recent botnet has access over 90,000+ I.P and they use this system to run brute force attack. Brute force attacks try all different password combination from the dictionary and non-dictionary words to attempt login into the system. This article mainly focuses on how WordPress owners can prevent their websites against such attacks. Here, I am showcasing some ways through which website owners can safeguard their business from such vulnerable attacks.
Change WordPress Login URL
One of the best ways to obstruct hackers injecting brute force in your website is to hide WordPress Login URL. You can even make use of WPS hide login plugin to rename your admin URL to something like abcdomain.com. It will leave very rare chances for hackers to guess. After installation of WordPress, you can go to Settings -> General to configure your WordPress login page.
Change WordPress Default Username
Whenever you install WordPress, you are given an option to select a username. Generally, majority site owners use below username:
- SuperAdmin and much more.
Remember, Brute Force attackers often make use of common username and password before they work hard to try out the different combination for an attack. So, for best security, use a username with a combination of lowercase, uppercase and mixed numbers and characters. Understand that your username is equally important like that of your password.
Use Complex Password
This rule is for the every web property that you have. Use a complex password with a combination of alphabet, special character, and numbers. It will make it difficult for a brute force attackers to decode your password. If you are among the one that has a habit of using same password on multiple places, you should stop following this practice right now.
Tip: You should develop strong password like \”5jD]&rtt, nm4#6^&ttsd etc.
Deny Access To No Referrer Request
You can also practice this method to prevent your website being attacked by Brute Force. Using a referrer method will instruct bot to submit its username and password from the hosting page. You can make use of such method by adding the respective code in your .htaccess file.
You can even make use of IP blacklist to pre-ban IP addresses that are not relevant to your site. However, implementation of this method depends on the fact that particular IP needs to be registered in the database. But still, hackers that make use of rotating IP address are issued new IP addresses quite frequently. So, those IP won't be stored in your database. So, think wisely before its implementation.
Cloud service acts as a transparent proxy that blocks all the vulnerable IP and prevents sites from being attacked. One such service is of Cloudfare. It is a free CDN service that has added a rule to detect such unwanted signal and prevents the site from being hacked. It will identify the portion of the web request and if found vulnerable, will block that IP. It will not allow hackers to easily damage the site. Highly recommended for new users.
Protect Using htpasswd/ wp-admin/
Generally, blocking wp-login.php is more than enough. But, if you are more concerned about your website security, you can use this alternative. If your site is not SSL enabled then people can access your username and password. To avoid, just create a .htaccess file in the root of /wp-admin/ with below content:
AuthUserFile ~/.htpasswd AuthName "Private access" AuthType Basic require user mysecretuser
Except this, also ensure that you take timely backup of your website. Thanks!