WordPress users have been facing brute force attacks for quite some time, and it has been said that more than 90,000 blogs have been compromised so far. For those who don’t know, brute force attacks are the least sophisticated attacks out there: the hacker rapidly cycles through common directory names, usernames, passwords and IP addresses in order to access private files. The hacker only succeeds if one of those combinations is correct, the chances of which are very slight, but for some reason they won’t stop trying.
Sucuri, a security firm, went into details on the issue bothering WordPress users and found some astonishing details.
A large number of servers are attempting to log in by cycling through different usernames and passwords at wp-login.php and wp-admin. Sucuri examined the logs from its own blog and discovered that between December 2012 and April 2013, hackers had attempted almost 5 million brute-force attacks. The attempts followed very predictable patterns. To log in, they tried five usernames: “admin,” “test,” “administrator,” “Admin” and “root.” Apart from that, they also tried common passwords.
But wait, let’s stop talking about what happened and start talking about what you, as a WordPress admin, would need to do to protect your precious blog from such attacks.
Limit login attempts on your WordPress site
This should be the first step. Use a WordPress security plugin like Limit Login Attempts or Better WP Security to limit login attempts by any user. If a user enters the wrong details more than once or twice, the plugin blocks that user. To strengthen the security further, you can also password protect your wp-admin directory from cPanel.
Use a strong password for your WordPress site
Always make sure that you’re using a strong, really strong password. Avoid common names, places or combinations like xyz, abcd, qwerty, 123456, etc. A strong password is one that is a combination of uppercase and lowercase letters, numbers and special characters like #@*^. Also make sure that you don’t use the same password anywhere else.
Avoid common usernames
You’re not using the “admin” username, are you? The most common usernames like admin, administrator, root, etc. are targeted first, and that’s why you should never have any such username on your WordPress installation. If you do, first create a new user, then delete the old one, assigning all of its existing posts to the new user. You can always choose a publicly displayed name for the front end that differs from your real username. In fact, it makes sense to have a hard-to-guess username.
Use two-factor authentication
WordPress.com users can enable two-factor authentication from the “Security” tab of their account settings. Once you’re done with the wizard, you’re good to go.
Those who are on self-hosted WordPress installations can use the Google Authenticator plugin. This plugin offers two-factor authentication using the Google Authenticator app for Android, iPhone and Blackberry.
Monitor your server logs and keep backups
View your server logs regularly, and if you find anything suspicious, simply block that IP’s access to your site from cPanel or report it to your web host. It also makes sense to back up your WordPress site so that if something fishy happens, you can revert to your previous state.
Go ahead, follow these tips to avoid being hit by WordPress brute force attacks. Stay alert, stay safe!