April 17

How to Protect Your Site From WordPress Brute Force Attacks?

Tutorials, WordPress Hacking, WordPress Security



Are you concerned that hackers are launching brute force attacks on your website?

We wish we could tell you that your website is secure, but the reality is that it is quite possible your site is under a brute force attack right now.

A brute force attack is one of the most common attacks on WordPress sites. In this kind of attack, hackers try to guess the right combination of username and password to gain access to your site.

Once they have access to your site, they can use it to carry out malicious activities. Once a hacker is inside your website, they can cause all sorts of trouble: using your site's resources to store files, stealing your data, defacing your website, launching attacks on other websites, sending spam emails, and so on.

Apart from this, things can snowball much further. When Google notices that your site is hacked, it can blacklist your site, and your hosting provider can suspend your account.

But don't worry. You can prevent this catastrophe by protecting your website from brute force attacks. In this post, we'll show you the exact steps you need to take to secure your site against this kind of attack.


To protect your site against brute force attacks, install our WordPress security plugin, MalCare. Its Login Protection feature blocks hackers when they attempt brute force attacks on your login page.

What Is a WordPress Brute Force Attack?

Every WordPress website has a login page where the site owner must enter a username and a password in order to access the wp-admin dashboard.




Every WordPress website has a default login page whose URL looks like this: www.example.com/wp-admin




Hackers know this, so it is easy for them to find the login page of any WordPress site.

Many site owners tend to use usernames and passwords that are easy to remember. Common ones include admin as the username and password1234 or 12345678 as the password.

Hackers have huge databases of such popular usernames and passwords.

They program bots to find WordPress websites, open their login pages and launch brute force attacks against them. The bots try various combinations of common usernames and passwords to gain access to the website.

They also harvest names displayed on the site, such as author names or the names of founders and team members.

These bots are capable of making thousands of login attempts every minute.

This is what is called a brute force attack.

Now, even if they are not successful at guessing your credentials, this type of attack can still damage your website.

Thousands of login attempts made within a few minutes overload your web server, causing it to slow down or even crash.

Hence, using strong credentials is essential to ensure that hackers can't break in, but it isn't sufficient. To protect your website against the damage that brute force attacks can cause, you need to take measures to stop the hacker from accessing your website altogether.

In the next section, we'll show you the security measures you need to take to protect your WordPress site against brute force attacks and hackers altogether.

How To Protect Your Site From Brute Force Attacks?

To keep hackers out and stop brute force attacks, there are 8 security measures you should implement on your site.

    1. Use Strong Usernames & Passwords
    2. Prevent Discovery of Username
    3. Limit Login Attempts
    4. Change Default Login Page URL
    5. Implement Two-Factor Authentication
    6. Implement HTTP Authentication
    7. Use a Firewall
    8. Implement Geoblocking

We'll take you through each measure step by step.

1. Use Strong Usernames & Passwords

A login credential has two elements: a username and a password.

If you use a username and password that are long and unique, it will be difficult for hackers' bots to guess your credentials.

i. Unique Usernames

It's not unusual to have a strong password but not a strong username. If your username is easy to guess, the hacker only needs to figure out the password, which makes their job easier.

This is exactly why it's important to avoid common usernames.

Instead, use something unique that can't be found on your site.

Weak usernames are one of the most common security vulnerabilities found on WordPress websites. If you have multiple users on your website, it's best to check whether anyone is using a common username. If they are, make sure they switch to a unique username.

You can share this guide with your users: How to Change Your WordPress Username?

ii. Strong Passwords

When you create a new user account, WordPress encourages you to use a strong password by generating one for you. However, you can still choose to set a weak password. WordPress will warn you about the weak password, but you can get away with it by selecting the option Confirm use of weak password.




Thus the onus of creating a strong password falls on the users. A general rule of thumb is to use a mix of uppercase, lowercase, and special characters. For example, this is considered a strong password: p$d&xG56ZhLNrJl49&)NJ4#h

Most WordPress users are averse to using a strong password because it's hard to remember. But you can learn password management techniques that let you use strong passwords without having to remember them. Here's a guide on Password Management For WordPress Users.

2. Prevent Discovery of Username

During brute force attacks, hackers scan your site looking for names they can use to break into it. You can prevent hackers from finding them with the following measures:

i. Change Display Name

Many websites have blogs with the author's name displayed at the start or end of the article. If this display name is the same as your username, hackers can pick it up and use it to log into your site.

To protect your username, you can change your display name. Here's how:

Step 1: From your WordPress dashboard, select Edit your profile.




Step 2: Then go to Nickname and change it. We changed our nickname from Sophia to Phoebe.

Step 3: Next, under the option Display name publicly as, select the new nickname. Save this setting by scrolling down and clicking Update Profile.




And that's how you change your display name.

ii. Block the WordPress REST API From Displaying Usernames

Besides the display name, another way hackers find usernames on a WordPress website is through the REST API. WordPress introduced it back in 2016 for the benefit of users, but hackers have found a weak spot in it.

Using the API, anyone can fetch user information from your website, including the username. All they need to do is open this simple URL: www.example.com/wp-json/wp/v2/users




There are two ways to prevent the REST API from displaying the usernames. You can use a plugin or do it manually.

→ Using a Plugin to Prevent the REST API From Displaying Usernames (Recommended)

At the time of writing, Disable REST API is the only plugin that can block the REST API from displaying usernames.

So install and activate Disable REST API on your website and the plugin will automatically disable the API.

→ Manually Preventing the REST API From Displaying Usernames

You can insert a code snippet into your functions.php file.

Note: The manual method involves making changes to WordPress files, which is risky. One small misstep can break your site. Go ahead with this method only if you understand the inner workings of WordPress. Moreover, we strongly recommend taking a backup of your website with a WordPress backup plugin so that if something goes wrong, you can quickly restore your site to normal.

Step 1: To find the functions.php file, log into your WordPress hosting account. Go to cPanel > File Manager > public_html.

Step 2: In the public_html folder, open wp-content/themes and select the theme that's active on your site.

We have 'personalblogily' activated on our site, so we choose that folder.

Step 3: Inside your active theme folder is the functions.php file. Right-click it and select Edit.




Step 4: Place the following code snippet in the functions.php file. That's it.

function wpbeginner_remove_version() {
    // Return an empty string so the <meta name="generator"> tag no longer
    // reveals the WordPress version. Note that this particular filter only
    // hides the version string; it does not change what the REST API
    // users endpoint returns.
    return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');

Remember to save the file.
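The snippet above hides the WordPress version string rather than the user list. The following is an added example, not the post's or MalCare's code, of a functions.php filter that actually removes the public user routes for anonymous requests, so the www.example.com/wp-json/wp/v2/users URL shown earlier no longer lists users. It uses core's rest_endpoints filter; the route keys are the ones core registers.

```php
// Added example (not the post's or MalCare's code): remove the REST API user
// routes for visitors who are not logged in. Place it in the active theme's
// functions.php. Logged-in users keep the routes, which the block editor
// relies on to show author pickers.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }

    // The two public user routes registered by core. Route keys are regexes,
    // so they must match exactly as registered. The /wp/v2/users/me route is
    // left alone: it already refuses unauthenticated requests.
    $public_user_routes = [
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    ];

    foreach ($public_user_routes as $route) {
        unset($endpoints[$route]);
    }

    // Anonymous requests to these routes now receive a 404 "rest_no_route"
    // response instead of a list of user slugs and display names.
    return $endpoints;
});
```

After saving, load /wp-json/wp/v2/users in a logged-out browser window to confirm it no longer returns user entries.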

3. Limit Login Attempts

Earlier in this article, we discussed how in brute force attacks hackers deploy bots against your WordPress login page.

The bots are programmed to try combinations of common usernames and passwords to gain access to your website. We also discussed how bots can make thousands of attempts within the span of a minute, which can crack your username and password combination easily.

But what if you could stop the bot in its tracks?

Our brute force attack prevention plugin allows only 3 login attempts. After three login attempts with the wrong credentials, the visitor is blocked from the login page.

If a user has genuinely forgotten their credentials, there is a way for them to unblock themselves quickly.

The plugin presents the user with a CAPTCHA to solve. Once the user solves it, they can try to log in again. This stops bots from going any further because they cannot solve CAPTCHA codes.
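To show what a login-attempt limit looks like underneath, here is an added example, not the post's or MalCare's code, of a minimal limiter for the active theme's functions.php. It locks a client IP out for a fixed window after 3 failures (a time-out in place of the plugin's CAPTCHA), and it assumes REMOTE_ADDR is the real client address; the constant names and messages are the example's own.

```php
// Added example (not the post's or MalCare's code): a minimal login-attempt
// limiter using WordPress transients. Assumes REMOTE_ADDR is the real client
// address; behind a reverse proxy or CDN it would be the proxy's address and a
// lockout would hit every visitor, so a real deployment must handle that.
const EXAMPLE_MAX_FAILURES   = 3;
const EXAMPLE_LOCKOUT_WINDOW = 15 * MINUTE_IN_SECONDS;

// One transient per client IP; hashing keeps the option key short and clean.
function example_login_fail_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_login_fail_' . md5($ip);
}

// Core's username/password and email/password checks run on 'authenticate'
// at priority 20. Hooking at 30 lets us override their result uniformly, so a
// locked-out client gets the same answer whether or not the username exists
// and whether or not the password happened to be right.
add_filter('authenticate', function ($user, $username) {
    if ($username === '') {
        return $user; // wp-login.php rendering the empty form, not an attempt
    }
    if ((int) get_transient(example_login_fail_key()) >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error(
            'example_too_many_failures',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 2);

// Every failed attempt (including ones refused above) bumps the counter and
// restarts the lockout window, so a bot that keeps hammering stays locked out.
add_action('wp_login_failed', function ($username) {
    $key = example_login_fail_key();
    set_transient($key, (int) get_transient($key) + 1, EXAMPLE_LOCKOUT_WINDOW);
});

// A successful login clears the counter so a genuine user who mistyped once
// or twice is not penalised later.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_login_fail_key());
}, 10, 2);
```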

To activate our brute force attack prevention plugin, take the following steps:

Step 1: Create an account and activate our plugin on your website.

After activation, the plugin automatically implements CAPTCHA protection.




Step 2: From the plugin dashboard, you can view the details of the bots that are being blocked by the plugin.




4. Change Default Login Page URL

Earlier in this article, we discussed how every WordPress website has a default login URL that looks like this: www.example.com/wp-admin.

Since hackers know the format of the default login URL, they can easily find your login page to launch brute force attacks.

But if you move the login page to a new URL (like http://www.example.com/newurl), it will be harder for hackers to find it.

Hackers rarely target a single website. They prefer launching attacks on many websites, so if they can't find your login URL, they are likely to move on to their next target.

There are a number of plugins that will help you change your login URL, such as Easy Hide Login, Change wp-admin login, WPS Hide Login, etc.

We've chosen WPS Hide Login to demonstrate changing the URL, based on its ratings in the WordPress repository. Over 60,000 people have it actively installed and it is updated frequently. This indicates that it's a reliable plugin and safe to use.

To change your default login page URL with WPS Hide Login, take the following steps:

Step 1: Install and activate WPS Hide Login on your WordPress website.

Step 2: From your WordPress dashboard, go to Settings, select WPS Hide Login and set the new login URL. Be sure to save the setting.




And that's it.

5. Implement Two-Factor Authentication

You must have noticed how you have to take two steps to log into popular services like Gmail and Facebook. In the first step, you enter your username and password. Then the service sends a code to your smartphone that you have to enter to gain access to your account.

This two-step method ensures that the actual user is logging into the account by verifying themselves in real time.

You can implement this two-step method on your WordPress website by installing a two-factor authentication plugin.

After enabling the plugin, when you log into your site, you'll be sent a unique code on your smartphone. Only after entering the code can you access your WordPress dashboard.

For more detailed steps, follow this guide on How to Add WordPress Two-Factor Authentication?

6. Implement HTTP Authentication

You can add another layer of protection to your WordPress login page through HTTP authentication. HTTP authentication is a technique with which you can block hackers from accessing your login page.




When you open the login page of a website with HTTP authentication set up, a sign-in box appears at the top of the page requesting your credentials.

An HTTP credential isn't the same as your login credential. HTTP authentication can be implemented on your website using a plugin. During the plugin setup, you'll be asked to create an HTTP credential. This is the credential you need to enter in order to reach the login page.

Without these credentials, no one can access the login page.

At the time of writing, HTTP Auth is the only plugin that enables HTTP authentication. To set up the plugin, follow these steps:

Step 1: Install and activate HTTP Auth on your WordPress website.

Step 2: On your WordPress dashboard, you should be able to see the HTTP Auth option on the left side of the screen. Select HTTP Auth > Settings.

Step 3: Next, do the following:

    • Choose a Username and Password
    • Select the option Login and WordPress Admin Pages
    • Select the option Active HTTP Authentication
    • Hit Save Changes




That's it. HTTP authentication is now active on your website.

Note: If you have multiple users, be sure to share the HTTP credential with them so that they can access the login page of your website.

7. Use Firewall Protection

Wouldn't it be great if you could identify hackers and stop them from accessing your site in the first place?

A firewall can help you do that.

A WordPress firewall filters the good traffic from the bad. It allows only the good traffic to access your site, while the bad traffic is promptly blocked.

How does a firewall identify bad traffic?

Anyone who visits your site is using a device such as a smartphone or laptop to view it. Each device is associated with a unique IP address.

When hackers perform malicious activities, their IP addresses are identified and classified as malicious.

The firewall has a database of malicious IP addresses which it uses to recognise hackers and bots.

When a visitor tries to access your site, the website firewall first checks their IP address against its database. If it finds that the IP is marked as malicious, it blocks the visitor promptly, preventing a hack attempt.

Our security plugin MalCare includes a WordPress firewall that is automatically enabled once you install the plugin.




8. Implement Geoblocking

Geoblocking is a method with which you can ban all IP addresses from a particular country.

While hackers exist around the globe, data shows that a great many hack attacks are launched from a handful of countries. To reduce the probability of a brute force attack, you can block those countries.

The Center for Strategic and International Studies (CSIS) found that China and Russia have been the biggest sources of cyber attacks.

If your website does not target Chinese and Russian visitors, consider implementing geoblocking.

Our security plugin MalCare provides a very easy and reliable way to block unwanted visitors from accessing your website. You can choose the countries you want and block them in just a few clicks.




Here's a guide that will help you implement geoblocking on your website: WordPress country blocking.

We are confident that if you implement these protection measures, your website will be safe against WordPress brute force attacks.

Final Thoughts

Brute force attacks are one of the most common attacks on WordPress sites. They have a high rate of success because website owners are prone to using weak credentials.

However, if you implement the steps we have laid out in this article, we are confident that you can prevent hackers from brute forcing their way into your site.

That said, there are many types of attacks that hackers can launch against WordPress sites. For this reason, we recommend protecting your website not only from brute force attacks, but from all common hack attacks.

You can use a security plugin like MalCare to ensure that your site is protected from all kinds of hack attempts. The plugin includes a firewall that blocks malicious visitors, login protection measures to stop bots from accessing your website, a daily vulnerability scanner to ensure there's no malware infection, and an automatic cleaner to remove malware before things escalate, among other features.

Try MalCare Security Services Now!

The post How to Protect Your Site From WordPress Brute Force Attacks? appeared first on MalCare.

About the author 

WP Maintain Support Protect
