(Last Updated On: April 15, 2019)

Brute Force Attacks are one of the common methods to gain access to your website by matching the username and password.

It is the easiest sort of method to attain access to a site: it tries usernames and passwords, over and over again, until it gets in. Often believed it can be very successful when people use passwords like ‘123456’ and usernames like ‘admin.’

Due to the nature of these attacks, your website may suffer from frequent downtime or downgrade in performance because a lot of HTTP request is made by the server.

It’s not only with WordPress, but this attack can also possible with other CMS or custom script.

So to prevent these attacks, we use some tactics which help in stopping these types of dictionary attacks on our WordPress website.

Brute Force Attack, Brute Force Attack WP

Prevent Website from Brute Force Attack

How to Protect Yourself from These Attacks in WordPress

In brute force attacks, the attack is done on the wp-login.php file to gain unauthorized access to your website. You can do some things to protect yourself.

#1: Don’t Use the “admin” Username.

If you use the “admin” username on your website, then the hacker can easily get the username and now he just needs a password to gain access to your website.

The “admin” username is a lot easier to crack. If you leave your WordPress website on weak password and “admin” username, then it is much easier to crack the password within minutes by the attackers.

If you are still using this username, create a new account on your website and transfer all the posts to that account, and then delete the “admin” account from your website.

#2: Use Strong Password

If you’re using a weak password like “[email protected]” or anything similar on your website, then the risk are even higher. These types of the passwords can easily get cracked within minutes by using brute force attacks.

So in this case, you should have to use a strong password with special symbols (*&%$#@!). You can also check the strength of your password here.

You can use the Force Strong Password plugin to force users to set strong passwords.

Things to avoid when choosing a password:

  • Any alteration of your own real name, username, company name, or the name of your website.
  • A word from a dictionary, in any language.
  • A short password.
  • Any numeric-only or alphabetic-only password (a mixture of both is best).

#3: Limit Access to WP-Login Page

If you’re the single person who accesses the admin panel of your website, then you can disable the wp-admin dashboard from all other IP’s except your IP address.

This can be done using a file called “.htaccess” in your website folder.

Note: Beware your ISP or computer may be changing your IP address frequently, this is called dynamic IP addressing, rather than fixed IP addressing.

Steps:

Open the .htaccess file using any editor and add the below lines:

# Block access to wp-admin.
order deny,allow
allow from x.x.x.x
deny from all

In the line “allow from x.x.x.x” replace x.x.x.x with your IP address.  You can use an online service such as What Is My IP to detect your global IP address.

For Nginx, you can add a location block inside your server block that works the same as the Apache example above.
error_page 403 http://example.com/forbidden.html;
location /wp-admin {
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
deny all;
}

The above code is used to deny the 403 error page on 192.168.1.1 IP address to add extra security to your website.

#4: Use “Limit Login Attempts” Plugin

Limit login attempts plugin are really helpful in preventing your website from brute force attacks. You can use any “limit login attempts” plugin on your website to safeguard it from the hackers.

I personally prefer using the “Limit Login Attempts Reloaded” Plugin on my website to safeguard it from the malicious attacks to wp-login.php files.

Alternatively, there are also many plugins you can use to block people from accessing wp-admin altogether.

Conclusion

I have only listed several methods to safeguard your website from malicious login attempts of brute force attacks. There are various other methods available to prevent your website like using HTTPS, HSTS, Using MOD Security and More.

You can follow this tutorial to prevent your website from malicious attempts of dictionary attacks.