It is often seen that most WordPress sites are hacked or damaged by brute force attacks. Unlike traditional hacking, a brute force attack is a new phenomenon in which attackers repeatedly try random usernames and passwords to gain access to your website. This hit-and-trial method works most of the time because the majority of site owners don't have strong login credentials. In most cases the site owner uses the default username 'admin' with an easy password such as the website name, a phone number or something else that is very easy to guess.
By default, WordPress does not limit login attempts. It allows unlimited attempts, either through the login page or by sending specially crafted authentication cookies, so attackers can try as many times as they want and are not halted after a failed attempt. These attempts can also take an overwhelming toll on your server's memory and cause performance problems. That is why WordPress is not considered one of the more reliable PHP CMSs.
The following steps help protect your website from brute force attacks:
1) Always avoid using the default username 'admin' when installing WordPress. If you already have a user named 'admin', create a new user with Administrator rights, log out, log back into WordPress as the new administrator, and delete the default 'admin' user.
2) When creating your password, always use a strong combination of upper- and lower-case letters, numbers and special symbols. Unfortunately, we quite often see site owners with very weak passwords like abc123, 123456 or something related to their domain.
3) Protect your site with plugins. There are three plugins that I highly recommend; use the one (or two) that meet your needs:
- Limit Login Attempts: limits the number of login attempts possible, both through the normal login form and through auth cookies.
- Google Authenticator: adds two-factor authentication using the Google Authenticator app for Android, iPhone and BlackBerry. The two-factor requirement can be enabled on a per-user basis.
- WordFence: checks whether your site is already infected by doing a deep server-side scan of your source code, comparing it against the official WordPress repository for core, themes and plugins. It secures your site and can make it up to 50 times faster.
4) Always keep your WordPress site updated to the latest versions of WordPress and its plugins. Often we skip WordPress updates because of the risk of losing custom code placed in WordPress files. To avoid losing your customizations, always put your custom code in a separate file so that it survives a WordPress update.
5) Always download WordPress plugins and themes from trusted, reliable sources.
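As an added example (not code from the original post, nor from Limit Login Attempts or any other plugin named above), the must-use plugin below shows how steps 1 to 4 fit together in code: it refuses the 'admin' username, enforces a password policy, counts failed logins and forged auth cookies per client, and locks that client out after repeated failures. It lives in its own file under wp-content/mu-plugins, so it survives core and plugin updates. The five-attempt and fifteen-minute thresholds, the reliance on REMOTE_ADDR and the file name are assumptions to tune for your site.

```php
<?php
/**
 * Plugin Name: Brute-Force Hardening (illustrative)
 * Description: Blocks the default "admin" login name, enforces a password
 * policy, and throttles failed logins per client address.
 *
 * Added example, not code from the original post or from the plugins it
 * recommends. Save as wp-content/mu-plugins/brute-force-hardening.php so it
 * survives WordPress updates. Thresholds and REMOTE_ADDR use are assumptions.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

define( 'BFH_MAX_ATTEMPTS', 5 );   // Assumption: lock out after 5 failures ...
define( 'BFH_LOCKOUT_SECS', 900 ); // ... for 15 minutes.

/* Step 1: refuse to create the default "admin" account. WordPress consults
 * this filter in wp_insert_user() and validate_username(); an existing
 * "admin" user must still be replaced by hand as described in step 1. */
add_filter( 'illegal_user_logins', function ( array $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator' ) );
} );

/* Step 2: reject weak passwords when a user is created or edited in the
 * dashboard. $user->user_pass is only set when a new password was submitted. */
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $pass  = $user->user_pass;
    $host  = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    $login = isset( $user->user_login ) ? (string) $user->user_login : '';
    $weak  = strlen( $pass ) < 12
        || ! preg_match( '/[a-z]/', $pass )
        || ! preg_match( '/[A-Z]/', $pass )
        || ! preg_match( '/[0-9]/', $pass )
        || ! preg_match( '/[^a-zA-Z0-9]/', $pass )
        || ( $login !== '' && stripos( $pass, $login ) !== false )   // contains the username
        || ( $host !== '' && stripos( $pass, $host ) !== false );    // contains the site name
    if ( $weak ) {
        $errors->add( 'weak_password', 'Password must be at least 12 characters, mix upper and lower case letters, digits and symbols, and must not contain the username or site name.' );
    }
}, 10, 3 );

/* Step 3: per-client lockout after repeated failures, the core of what the
 * Limit Login Attempts plugin does. Counters are transients, so they are
 * shared across PHP workers and expire on their own. */
function bfh_client_key() {
    // Assumption: REMOTE_ADDR is the real client. Behind a proxy or CDN, have
    // the web server restore the client address first; never trust a raw
    // X-Forwarded-For header, since the client controls it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'bfh_fail_' . md5( $ip );
}

function bfh_record_failure() {
    $key   = bfh_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, BFH_LOCKOUT_SECS );
    return $count;
}

add_action( 'wp_login_failed', function ( $username, $error = null ) {
    // Our own lockout error fires this hook too; don't count it twice.
    if ( is_wp_error( $error ) && 'too_many_attempts' === $error->get_error_code() ) {
        return;
    }
    $count = bfh_record_failure();
    if ( $count >= BFH_MAX_ATTEMPTS ) {
        // Audit line an operator can alert on; the password is never logged.
        error_log( sprintf( 'bfh: lockout after %d failed logins, last username "%s"', $count, sanitize_user( $username ) ) );
    }
}, 10, 2 );

// Forged auth cookies (the "special cookies" route) count as failures as well.
add_action( 'auth_cookie_bad_hash', 'bfh_record_failure' );

// Priority 50 runs after core's username/password check (priority 20), which
// would otherwise overwrite an early WP_Error and verify the password anyway.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( bfh_client_key() ) >= BFH_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 50, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( bfh_client_key() );
} );
```

The lockout is keyed on the client address, so an attacker rotating through many addresses still gets BFH_MAX_ATTEMPTS per address; that is why it is combined with the username and password rules above and, ideally, with the two-factor plugin from step 3. The error_log lines give you something to watch in your SIEM or log monitor when a lockout fires.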
Disclaimer: Developer’s Corner Section of ISHIR blog is contributed and maintained by independent developers. The content herein is not necessarily validated by ISHIR.