“WORDPRESS” a brand, popular worldwide, the only CMS that no one is ignorant weather site is hosted on Linux or Windows platform. It is a platform that supports a number of individuals and even organizations to build and run their business. But like a saying goes, “Avoid popularity, as it brings along snares“. Hacking is the biggest ‘snare’ on the internet today and so as to WordPress. WordPress is facing the problem of brute force attacks. Unlike hacks that aim at causing vulnerabilities in software, a brute force attack aims at gaining access to a site, by continuously trying the username and passwords until they get into it. They can be very successful when people use passwords like ‘123456' and usernames like ‘admin.'.
The brute force attacks came into limelight in April 2010 and then since became a great threat to the WordPress. About 90,000 compromised servers are trying to break into WordPress websites by trying to guess the username and passwords to get into the WordPress ‘admin’ panel, continuously. Because of these attacks, the server runs out of memory due to a large number of continuous HTTP requests, causing a problem of storage and slow speed for the users.
This type of attack is widespread and common for websites but since WordPress is very popular, it has become the chief target for these attackers.
But, since technology has given rise to these evils, the same technology has the ways to resolve and tackle them. We can protect our website from these attacks if we follow certain protective rules.
Don’t use ‘ADMIN’ as your username. The past reviews say that a large number of WordPress websites were hacked as their owners used ‘admin’ as their username. So, if you have the account with this username, create a new one today and move all the posts and important data to it.
Passwords are a great way to secure our accounts. A good and tough password would make it impossible for brute force attackers to succeed in guessing them. So, select a good password for your account.
Things to avoid when choosing a password:
- Any combination of your name, username, company name, or a name of your website.
- A word from a dictionary, in any language.
- A short password.
- Any numeric-only or alphabetic-only password (a mixture of both is best).
- Plug-in can be used to limit the number of login attempts made on your site, or block people from accessing WordPress-admin. There are many different plug-ins used for various security purpose like Admin Renamed Extended, Enforce strong password, Limit Login Attempts, BruteProtect, Block brute-force attacks, etc.
- It’s a good practice to keep back up of your WordPress. By this way, you can be ensured that at least your data and posts are secure, even if the attacks continue.
- You should always keep your WordPress updated in order to protect your WordPress from any exploit.
- Even if your WordPress website has been hacked you can clean it up and continue with it.
These were some of the simple measures for protecting your WordPress. There are some technical and even more secure measures that can be implemented to secure your WordPress. These are illustrated as under:
- Keep an eye on your visitors to check who is trying to access your WordPress admin panel. This can be done using CPanel's ‘latest visitor’ tool. You might also find that you have a number of different IP addresses trying to hit your wp-login.php script at a much higher volume. This means your site could be under a WordPress brute force attack.
- You could set up a Cronjob to send the details of your daily attempts to WordPress. This can be under cPanel->Advanced->Cronjob->Cron email->Update email and perform required settings. These settings would give you a detailed list of all the IP addresses and how many times they tried to access your wp-login.php script. This would help you at times when you would not be able to review your WordPress account. You would know whether you are being targeted for the brute force attack and appropriate protective measures could be taken, if so.
- You can even block the unwanted IP addresses that you don’t want to access your WordPress admin by using .htaccess rules. These blocked IP addresses will immediately be given a 403 access denied error as they would attempt to access your wp-admin.
- You can also protect your server. When you lock down wp-login.php or wp-admin, you get a 404 or 401 error when accessing those pages. To avoid this, you should add the following code to your .htaccess file: ErrorDocument 401 default
- For Nginx, you can use the error_page directive with an absolute URL.
- You may also protect your wp-login.php file and wp-admin folder using a password to add more security to the server. You will need to create the .htpasswds file for this purpose. You can keep this file either inside or outside your public folder.
- Cloud/proxy services like CloudFare can also be used to block the IP’s you want before they reach your server.
- You can scan your website with an online malware scanner like sitecheck.sucuri.net/scanner to get an indication whether you are a target of brute force attack.
If these measures are used and implemented in a proper way, the problem of brute force attack could be avoided and resolved by everyone on an individual ground and this threat would no more prevail on the Internet.