How to Protect WordPress from Brute Force Attacks
Do you want to protect your WordPress website from brute force attacks? A brute force attack can make your website slower or even unreachable. In a bad case, a brute force attack can even install malware on your website.
To protect your WordPress website from a brute force attack you can do several things. We advise you to download our free WordPress secure checklist.
What is a brute force attack?
A brute force attack is a well-known method for hacking websites. With such an attack, a lot of computing power is used to try to hack a website until it succeeds. For example, if there is no algorithm to hack a website, brute force can try to try out all options until one is found. In the case of WordPress, this can happen with the password of your WordPress admin environment.
Because a lot of different IP addresses are used during a (good) brute force attack, it is difficult to block such an attack. There are plugins that (based on IP address) block access to the admin environment if too many attempts have been made to log in. This security method is not always effective in a brute force attack, because it uses multiple IP addresses.
Prevent a brute force attack
There are a number of important issues that you should take care of to prevent your WordPress website from becoming a victim of a brute force attack.
1: Move your website to a good hosting party
The most important thing for the security of your WordPress website is that you use a good hosting party. Our hosting party Savvii scans the platform daily for backdoors and other security risks. If your website is hacked, then Savvii will make sure that your website is cleaned again.
2: Keep WordPress up-to-date
By ensuring that you always install your WordPress updates in time, you ensure that known problems in plugins, themes or WordPress itself cannot be used to hack your website. In older versions of plugins and themes are often known backdoors. Hackers know this too. It is therefore important to regularly update plugins and themes so that known problems can be solved immediately.
3: Install a firewall
In addition to keeping your WordPress installation up-to-date, it can help to install a firewall plugin such as Sucuri. This is a DNS firewall, so all traffic to your website first passes through the Sucuri proxy. This way hackers are often filtered out before they can reach your website. Also, CloudFlare is an effective tool to protect your website.
4: Protect your wp-admin
Many brute force attacks trying to gain access to the WordPress admin environment. If you have access to your server via DirectAdmin, for example, you can add an extra password to the / wp-admin / folder. Open the “file manager” in DirectAdmin and search for your wp-admin folder. Then click on “Protect”:
You will then enter a screen where you can enter a username and password:
Note: This is not the password of your admin account! This is an extra layer of security, so you have to log in twice. You can safely store this password in your browser.
5: Turn off “directory browsing”
Many servers automatically display a list of folders and files if a particular directory does not have an “index.html” or “index.php” file. A hacker can see in this way which files you all have on your website and thus find out which files are vulnerable.
You can turn this off by adding the following code at the bottom of your .htaccess file :
6: Provide regular and automatic backups
Make sure that your WordPress installation is regularly backed up. And also ensure that this happens automatically so that backups are still made if you forget it. Hosting parties such as Savvii automatically make backups every day. Make sure that you also download backups and save them somewhere else (for example in iCloud or Google Drive).
7: Turn off PHP for certain folders
A hacker can place a PHP script in one of your WordPress folders. Because WordPress itself also runs on PHP, you can not disable PHP in all folders. Logical, because WordPress needs PHP to work. But there are also folders in which you can turn off PHP without affecting the operation of your website.
The folder / wp-content / uploads do not need PHP, because it only contains media files. You can put a .htaccess file in this folder that prevents the execution of PHP code. The following code must appear in that file:
deny from all
The prevention of a brute force attack can be done as much as possible by following the advice above. The most important thing is that you are with a hosting party that actively monitors this, such as Savvii. In addition, it is important to have a good backup solution so that you have something to fall back on if your website is hacked once.