What’s up with all the chatter about WordPress brute force attacks? If you haven’t heard or noticed, those bots are at it again, and they’re gunning for your WordPress site. So lock the doors, throw away the key, and hide under your desk. Or rather, just read the rest of this article.
What is a brute force attack?
Our good friends over at Wikipedia define it nicely as:
In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data
So maybe that’s all gibberish to you. To clarify for our purposes, it means bots / scripts that try to get into your WordPress site by submitting username and password combinations to the login form, one after another, until one works. Imagine a script that doesn’t get tired, doesn’t stop, and works from ever-growing lists of common usernames and leaked passwords, hammering away at your site’s login screen. That’s a brute force attack!
Why should you care?
You need to care about these brute force attacks because your site most likely runs on WordPress (or Joomla, yes they’re a target as well). Given the recent burst in such attacks mentioned by various reputable sources such as TNW, our good friends at CloudFlare, and PC Magazine, it’s ‘safe’ to say there’s good reason for concern. Besides, like me, you prefer to have your site seen by visitors, not bots.
How to protect WordPress from brute force attacks?
There are several steps you can take to prevent or halt brute force attacks on your WordPress site. Here are a few from my own arsenal:
1) Get rid of the admin
If your username is ‘admin’, then you’ve already given up half your credentials to such bots, since ‘admin’ is the first name every one of them tries. Create a new administrator account under a new name, log in as that user, and then delete the ‘admin’ user permanently (reassigning its posts to the new account). Keep in mind that WordPress still reveals usernames through author archive links, so a fresh name makes the bots’ job harder rather than impossible; the password is what really has to hold.
2) Set up a strong password
While you’re at it, change your password to something that is genuinely hard to guess. Remember, these are bots and they can play the guessing game all night long, and they start with the passwords that show up in leaked password lists. So go long (length matters more than anything else), mix in numbers, upper and lower case letters, and special characters, and don’t reuse a password from another site. A password manager makes a long random password painless.
3) Install a plugin to limit the number of login attempts.
I recommend the WordPress plugin – Limit Login Attempts – which will do exactly what it says: after a set number of failed logins from one IP address it locks that address out for a period of time, so a bot’s guesses stop reaching the login form. Keep in mind this only slows a bot that sticks to one IP address; a distributed attack spread across many addresses gets fewer tries per address, which is one more reason steps 1 and 2 matter.
4) Use CloudFlare
CloudFlare sits in front of your site as a proxy, so it can filter known bad bots before their requests ever reach your server and your login page.
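As an added example (not code from the original post, from Limit Login Attempts, or from WordPress itself), here is what step 3 looks like in practice, and how to tell from your access log whether you were hit: a small Python script that replays login POSTs from an Apache-style log through a per-IP lockout and reports, per address, how many guesses failed, succeeded, or would have been dropped. The log lines, the IP addresses, and the 4-retry / 20-minute lockout numbers are constructed for the example; the success/failure signal relies on WordPress answering a failed login with a 200 (the form again) and a successful one with a 302 redirect, which is a heuristic rather than a guarantee.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"

# Constructed sample, not a real log. 203.0.113.7 is a bot working through a
# password list; 198.51.100.20 is a person who mistypes once and then gets in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:02:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:02:15:03 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:15:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:02:15:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:02:15:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we need from one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?action=... etc.
        "status": int(m["status"]),
    }


class LoginLimiter:
    """Per-IP lockout: after max_retries failures, drop requests for `lockout`.
    The 4 / 20 min defaults are assumptions for this example, not a plugin's."""

    def __init__(self, max_retries=4, lockout=timedelta(minutes=20)):
        self.max_retries = max_retries
        self.lockout = lockout
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:            # lockout expired: start counting afresh
            del self.locked_until[ip]
            self.failures[ip] = 0
            return False
        return True

    def attempt(self, ip, now, failed):
        """True if the login attempt may reach WordPress, False if dropped."""
        if self.is_locked(ip, now):
            return False
        if failed:
            self.failures[ip] += 1
            if self.failures[ip] >= self.max_retries:
                self.locked_until[ip] = now + self.lockout
        else:
            self.failures[ip] = 0   # a real user got in; forget the typos
        return True


def scan(log_text, max_retries=4, lockout=timedelta(minutes=20)):
    """Replay login POSTs through the limiter and tally per IP.
    Heuristic: 200 = form re-rendered (failed login), 302 = redirect (success)."""
    limiter = LoginLimiter(max_retries, lockout)
    report = defaultdict(lambda: {"failed": 0, "succeeded": 0, "blocked": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        if rec["status"] not in (200, 302):
            continue
        failed = rec["status"] == 200
        if not limiter.attempt(rec["ip"], rec["ts"], failed):
            report[rec["ip"]]["blocked"] += 1
            continue
        report[rec["ip"]]["failed" if failed else "succeeded"] += 1
    return dict(report)


def brute_forcers(report, min_attempts=4):
    """IPs whose failed + blocked login POSTs reach the threshold."""
    return sorted(ip for ip, r in report.items()
                  if r["failed"] + r["blocked"] >= min_attempts)


if __name__ == "__main__":
    print(scan(SAMPLE_LOG, max_retries=10**6))   # what actually happened
    print(scan(SAMPLE_LOG))                      # with a 4-retry lockout
    print(brute_forcers(scan(SAMPLE_LOG)))
```

Run it once with an effectively unlimited retry count to see what the log records as-is (the bot’s sixth guess came back with a 302, i.e. it got in), then with the default lockout to see that guesses five and six would never have reached WordPress. Point `scan()` at your own access log with `open(path).read()` and look at the `brute_forcers()` list to answer the “were you affected?” question below; an address with many failures and then a success is the one to investigate.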
Were you affected?
Hopefully, you weren’t affected by such attacks, but if so, sound off in the comments and let me know how you handled it. If you have any other recommendations, feel free to share.