The primary objective of a brute force attack is access to your admin account. Once the attackers have breached your login, they gain unrestricted access to your site’s resources, including your customers. Here are some handy tips that can be used to prevent your WordPress site from such attacks.

1. WordPress Brute Force Attacks

2. ❖ Brute force attacks follow a systematic trial
and error method to gain admin access
❖ Every combination is username and password
is tried
❖ If you own a WordPress site, you are likely to
come under attack

3. ❖ Once the attackers have breached your login,
they gain unrestricted access to your site’s
resources.
❖ They can use your site for economical gains,
denting your brand, or simply gaining
popularity.

4. Best Practices # 1
Use Strong Passwords
❖ Most commonly used passwords are abc123, qwerty,
123456 - very easy to crack!
❖ Use long unpredictable passwords, avoid dictionary
words, avoid reusing passwords, and change passwords
regularly

5. Best Practices # 2
Rename Admin User
❖ Using the default admin name (“admin”) - 50% job done
for hacker
❖ Use a unique, hard to guess username
❖ You must also change the corresponding user ID to a
higher value - it is 1 by default

6. Best Practices # 3
Limit Login Attempts
❖ Blocks out users once they
reach the pre-configured
number of failed attempts, for
example 3
❖ Very effective in limiting
indefinite login attempts by
bots
❖ Security plugins like Limit Login
Attempts, BulletProof Security,
Wordfence Security, etc help
you limit login attempts

7. Additional Measures # 1
Hide your Login
❖ Rename wp-login.php
❖ Not highly recommended
❖ Bots can still find the login page after a few attempts
❖ Impacts usability

8. Additional Measures # 2
Use htaccess Rules
❖ Ban a specific or a range of IP address
❖ Whitelisting - Allow only specific users
❖ Restrict access to certain files

9. Additional Measures # 3
Two Factor Authentication
❖ Another factor known only to the user is used along with
username/ password for authentication
❖ Effectively deployed using smart phones
❖ Provides better safety as there isnt a need to write down
these passwords

10. Additional Measures # 4
CAPTCHA
❖ Adding CAPTCHA to your
login form is very useful in
mitigating attacks
❖ You can use a plugin like
Captcha to do this
❖ The CAPTCHA must be
entered correctly along with
the username and password
in order to gain access
❖ Can be hard to read at times

11. ❖ Very difficult to put a complete stop to
brute force attacks
❖ Multiple measures need to be used for
effective prevention
❖ Act now, if haven’t done so already