◦ Comprehensive security
◦ 24/7 support
WordPress Guide → Security → Backup Manually
How to harden WordPress sites against brute force attacks
When logging in to a WordPress site, users supply a username and password that WordPress associates with their account. If an attacker can guess the right username and password, they can authenticate in the same way. The process of guessing is called a brute force attack: the attacker tries different combinations of usernames and passwords until they discover one that works.
Brute force attacks are effective when WordPress users choose usernames and passwords that are easy to guess. Criminals use automated botnets — which are usually made up of compromised WordPress sites — to make thousands of login attempts with different credentials.
Towards the end of December, WordFence wrote about the largest brute force campaign they had ever seen. An attacker was attempting to brute force access to thousands of WordPress sites. Once they had access to the site, the attacker installed malware which had two tasks: to compromise more WordPress sites and to run the crypto mining software.
Get fast, reliable hosting for WordPress
Power your site with the industry’s fastest, most optimized WordPress hosting
Cryptomining software hijacks the resources of a server to mine cryptocurrency. Cryptocurrencies like Bitcoin and Litecoin are generated by carrying out the computationally intensive math. Cryptomalware uses the resources of compromised machines to do the work of generating coins. In this case, Monero, a cryptocurrency that can be mined with CPUs rather than GPUs, is being generated. According to WordFence, the campaign has created well over $100,000 for the attacker.
Victims of the campaign have their sites compromised and their server resources used to generate coins rather than serving the site. Because the malware also carries out attacks on other sites, there’s a strong chance of infected sites being blacklisted by security companies and browser developers.
Protecting WordPress sites against brute force attacks is straightforward. It’s only possible to guess usernames and passwords if they are simple and if the WordPress site lets an attacker make lots of login attempts.
Use complex passwords
The obvious solution is to insist on complex passwords that are difficult to guess. A long, random password takes much longer to guess than a short dictionary word. A random password of 16 or more characters might take millions of years to guess. A short dictionary password like “password” can be guessed in less than a second.
Use two-factor authentication
I advise WordPress site owners not to rely on users to create secure passwords: people tend to choose convenience over security. Installing a two-factor authentication plugin on your WordPress site removes the risk of brute force attacks without relying on users to do the right thing.
There are many TFA plugins available for WordPress. Two Factor Authentication is among the most popular.
Limit login attempts
To find the right username and password combinations, attackers have to make a lot of guesses. By limiting the number of login attempts that can be made from an IP address, site owners reduce the likelihood that the attacker will ever guess the right combination.
WP Limit Login Attempts can temporarily block IPs if they make too many login attempts and display CAPTCHA tests to suspected bots.
Getting started hardening WordPress sites against brute force attacks
In 2018, we expect to see more attackers taking advantage of crypto mining malware as cryptocurrencies rise in value. By following the steps we outline here, WordPress site owners can prevent their sites from being used to make money for criminals.
Liquid Web has been leading the industry in WordPress hosting for decades. And if you select managed WordPress hosting, our team of experts will manage server IT for you — so you can focus on growing your brand.
Click below to explore options or start a chat with one of our WordPress hosting experts now to get answers to your questions and further guidance.
Additional resources
Comprehensive guide to securing WordPress with ModSecurity
→
This guide provides a comprehensive overview of how to use ModSecurity to enhance the security of your WordPress site.
The 15 Top Critical Security Threats and How to Fix Them →
Here are the 15 most common types of Internet security issues or web security problems and some relevant steps you can take to protect yourself, your data, and your business.
Why security matters for WordPress enterprise hosting
→
Use the blog as your guide to attacks to watch out for, security best practices, and steps to improve the WordPress protection you already have.
Andrew Reynolds is a Solutions Consultant for the Liquid Web Family of Brands, helping prospects choose the best solution. He is a technology enthusiast and is always looking for ways to expand his knowledge in different areas. Andrew has a passion for languages — both programming and human.