Brute force attacks can be defined as multiple attempts, usually from automated software, to get into your WordPress dashboard and system using consecutive login guesses.
A very common way of deploying a brute force attack is to focus on the wp-login.php file, with admin as the username. The program then starts generating common weak passwords (for example 1234, 0000, etc.) until, sooner or later, it gets the right password.
What if my password is strong? Do I still need to be protected?
Even if you have a strong password in place, a brute force attack is still something you don't want hitting your website, for several reasons, such as saving server memory and bandwidth, especially if you have a monthly bandwidth allowance. The attacking program generates consecutive URL calls to your website, which will respond to each one. Every time your website replies, part of the bandwidth and memory is used. Hence the need to fix or avoid this issue from the beginning.
What does WordPress.org advise about brute force attacks?
They have a page in their Codex section where they provide official guidelines. Some of the advice is pretty straightforward and I am happy to share it:
- Implement a strong password: You can use the random password generator in the User section of your WordPress Admin panel.
- Avoid using Admin as username: Actually, remove the username admin from your website.
The rest is too technical and takes too long to implement unless you work in I.T., for example as a programmer, so I strongly advise avoiding it. Instead, you can use the two free plugins I am going to explain below.
Two very useful free plugins to protect your website against brute force attacks on wp-login
A way to avoid being a target of a brute force attack is to limit the number of login failures and hide the wp-login area. As I wrote at the beginning of this post, the attack comes from an automated program and not from manual hacking. These programs are looking for the wp-admin login area.
WPS Hide Login | Official WordPress Plugin Page
This light and free plugin is made to hide the classic URL /wp-admin by changing the login area to any custom-defined URL. Example: /access-area
iThemes Security (Formerly WP Better Security) | Official WordPress Plugin Page
In the past, this plugin included the option of hiding or changing the URL path of the admin area among its free features. This is no longer possible with the freemium version, which is why you need to install WPS Hide Login too.
iThemes Security works well and there are lots of options to secure your website, so I advise you to familiarise yourself with the settings interface. What I found really interesting and useful is:
- Reducing the number of login attempts;
- Locking out users who fail to log in (example: wrong username or password);
- Blocking a specific IP address from accessing your website;
- Having an event database where you can see which users and IPs tried to log in or have logged in.
Once you have installed and activated these two plugins, you will see from your traffic data that common brute force attacks are no longer a threat.