Our Blog

Securing WordPress against Brute Force Attacks

August 15th, 2014

closeThis post was published 5 years 7 days ago which means the content may no longer be applicable or relevant to the service we offer today. If in doubt, please contact us.

Over the last couple of months you may have been aware of a change we made to our servers in order to globally protect all WordPress installations against brute force attacks. This change meant that just before accessing your WordPress login page, you were greeted with a popup asking you for a username and password. On a technical level this change worked brilliantly and we saw on average 1 million brute force attacks being prevented every day on each server. This is a huge number and was more than we expected. Unfortunately, and perhaps understandably, some of you expressed your disappointment with this change. We have now decided to revoke this implementation and it has now been removed from our shared servers. We shall instead be trying to inform users to secure their WordPress installations using plugins or other methods that they can manage on their own terms.

How do I secure my WordPress site against brute force attacks?
Wordpress have actually done a fantastic job of creating an article that details just this, but for convenience we shall go over a few of our favourite options that work on our servers in this blog post.

Because of shared hosting, some of the options on the WordPress page will not be available to you. Things like mod_security or securing the server itself are things that only we can control. Unfortunately, it’s not simply a case of making a few changes to the server and these attacks will go away. mod_security only works in specific situations where attacks are coming from a single IP address. In most cases, attacks do not, so these preventative measures do not work at all. Here are some essential tips we recommend for securing your WordPress installation on our servers that are sure to work.

Step 1. Change your administrator username.
Using the default username of  “admin” may be convenient and easy to remember, but it’s also the most obvious one for attackers to guess. We strongly recommend that you change your username to something else, such as your first name. An easy way to change the username from ‘admin’ to something else is to use the following plugin.

Step 2. Use a strong and unique password.
This one is perhaps common sense, but you’d be surprised at how many users sacrifice security for convenience. Using the same password you use everywhere else may be convenient for you, but if one of these other sites is compromised, it makes it even easier to compromise your blog. We recommend using a new, random and unique password. If you only access your blog from a single device, we recommend looking at solutions such as LastPass which make it easy to generate random and unique passwords, but save them in a vault. There are even browser plugins available that will automatically enter your login details for you when you visit your site – saving you from having to remember such potentially complex passwords!

We are not affiliated with LastPass, but their premium version(s) also offers support for your mobile devices too.

Step 3. Rename your wp-login.php file and wp-admin folder.
This is a solution we recommend over Step 4 below, because it addresses the very source of the problem by preventing the attack from getting through to WordPress to begin with.

Brute force attacks are made against the wp-login.php file directly. If this file does not exist or has been renamed, and the attacker does not know the name of the file, then the attack will simply fail without being processed. Fortunately there’s a plugin available to make it very easy to rename this file and folder: http://wordpress.org/plugins/rename-wp-login/

Step 4. Install plugins to prevent brute force attacks.
There are many plugins available that can be used to protect your blog against brute force attacks. Our favourite of these is BruteProtect as it uses a centralised database to share IP addresses from detected attackers worldwide. This means that when a new attacker is detected, the IP address is shared with all other users of BruteProtect, preventing other blogs from being hit by the same attacker.

There are other plugins available (listed in the WordPress article at the start of this post) that can also provide quick and easy methods of blocking repeated attackers.

Important note: If you use a plugin that alerts you via e-mail when it blocks an attack, please be sure to disable these e-mails. The plugin may generate too many e-mails and cause our systems to block your website from sending out any further e-mails, which could cause problems for you.

Step 5. Enable WordPress automatic updates.
Wordpress is constantly being updated. New bugs and issues are being found and fixed all of the time. Some of these bugs are security vulnerabilities which could lead to your blog being compromised or hacked. It’s therefore critically important to keep your blog up to date and running the latest version at all times. Fortunately, with the later versions of WordPress, there is now an automatic background updater which will apply these fixes for you. To check and ensure this option is enabled, please see the following WordPress article.

If you have installed WordPress via Softaculous on our servers, you can also update it from within cPanel. You can find out how to upgrade your scripts in Softaculous by reading the following article.

If you are upgrading from a very old version of WordPress to the latest version, please be sure to check with your theme or theme developer that it will continue to work fine. Your theme may need to be updated to work correctly on the latest version.

Securing WordPress has become much easier over the last few years. Many plugins are now available to make the process as quick and as simple as possible, even for those with less technical knowledge than advanced WordPress users. This is, unfortunately, partly in response to the huge number of increased attacks being made against users of the software. Over time these plugins and systems will improve and this will likely become less of a problem.

It’s important to note that these attacks are, in almost every case, not directed at you and your blog personally. Your blog has simply been found in an automated search, and bots or other automated tools will indiscriminately attempt to guess your username and password. This is why the steps above will make this virtually impossible for them and significantly improve the security of your blog.

Performing the steps above are, of course, completely optional. That said, we very strongly recommend that you follow them, as increasing numbers of blogs are being compromised on a daily basis. It can take significantly longer to clean up and restore a compromised WordPress blog than it does to perform all of the steps above, so the time investment is certainly worth it.


What do you think?