Brute force attacks of this sort are nothing new. They occur when automated botnets try to gain unauthorized access to a website by trial and error. It is a numbers game: the bots bombard the website, attempting to guess the username and password until they hit the right combination.
As a WordPress developer, I previously secured the websites I worked on with the Limit Login Attempts WordPress plugin. It is good at stopping the obvious brute force attempts, as it blocks any IP address that repeatedly tries to log in to a website with the wrong credentials.
The problem is that even when you block an IP address with a plugin, the bots can still reach the login page and submit another login attempt. The attempt fails because they are locked out, but the request still reaches the server and consumes resources and bandwidth. Each attempt on its own uses few resources, but multiply that by dozens of attempts per minute, or even per second, and you may find your website slowing down considerably or the web server crashing altogether.
Here are a few easy steps that any WordPress website owner can take to protect against a brute force attack. Step 3 also helps with the resource/bandwidth issue:
1. Change the admin username
Most WordPress website owners still use ‘admin’ as their username. This is a bad idea, because it makes it very easy for hackers to guess your username.
The problem is easy to fix:
- Create a new admin account with a more unusual username that hackers won’t guess (Users > New in the WordPress admin).
- Log in with the new account and delete the old ‘admin’ account. When prompted, click the button to attribute all of the old account’s posts and comments to your new username.
2. Make your password secure
Use a strong password for your WordPress admin user account. Either use the random password generator to create a long, hard-to-guess password, or join several common but unrelated words together into a passphrase that you can easily remember. Update your password via the Users link.
3. Install the Custom Login URL WordPress plugin
Most WordPress websites share the same default login URL, which hackers can guess easily, for example imanishbhagat.com/wp-login.php. Custom Login URL creates a unique login URL that makes it unlikely that bots will find the login page at all, let alone launch a brute force attack against it.
4. Install the Wordfence Security WordPress plugin
For one final security measure, install Wordfence Security. It is much more sophisticated than Limit Login Attempts and has many more features, including:
- Locks out brute force hacks
- Firewall to block common security threats
- Advanced IP and Domain WHOIS to report malicious IPs or networks and block entire networks using the firewall
- See how files have changed. Optionally repair changed files that are security threats
- Scans for many known malware variants, loopholes, suspicious code and other security issues
- Blocks security threats such as aggressive crawlers, scrapers and bots
- Monitors disk space, which is relevant to security because many DDoS attacks attempt to consume all disk space to create a denial of service
Because Wordfence includes login protection, you won’t need the Limit Login Attempts plugin as well. The same limitation applies to it, though: given the number of IP addresses used in this most recent attack, blocking individual IPs does not stop the requests from reaching the server. Wordfence does offer a range of additional security measures, and it helps you detect whether your site has already been hacked, so used in conjunction with steps 1-3 described above it is definitely worth having.
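As an added example (not code from the original post or from any of the plugins named), here is a Python check that reads Apache-style access-log lines and contrasts a per-IP lockout rule with the site-wide rate of login POSTs the server still has to serve; it illustrates both the resource point made earlier and the many-IP limitation noted here. The sample log lines, the 60-second window and the per-IP and site-wide limits (5 and 20) are constructed/assumed values, not taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def login_posts(log_text):
    """Return (timestamp, ip) for every POST to wp-login.php, oldest first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            hits.append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))
    return sorted(hits)

def max_in_window(timestamps, window):
    """Largest number of events inside any sliding window of `window` seconds (input sorted)."""
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] >= timedelta(seconds=window):
            start += 1
        best = max(best, end - start + 1)
    return best

def assess(log_text, window=60, per_ip_limit=5, site_limit=20):
    """Compare a per-IP lockout rule with the site-wide login rate the server still absorbs."""
    hits = login_posts(log_text)
    by_ip = defaultdict(list)
    for t, ip in hits:
        by_ip[ip].append(t)
    flagged = sorted(ip for ip, ts in by_ip.items() if max_in_window(ts, window) > per_ip_limit)
    unflagged = sum(len(ts) for ip, ts in by_ip.items() if ip not in flagged)
    peak = max_in_window([t for t, _ in hits], window)
    return {"attempts": len(hits), "flagged_ips": flagged, "unflagged_attempts": unflagged,
            "peak_per_window": peak, "site_under_attack": peak > site_limit}

def make_line(ip, second, method="POST", path="/wp-login.php"):
    # Constructed log line; 10/Oct/2023 13:55 is an arbitrary minute, not real traffic.
    return f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "{method} {path} HTTP/1.1" 200 4123 "-" "Mozilla/5.0"'
# Constructed sample: 30 bots post once each (under any per-IP limit), one IP posts 6 times, plus one ordinary page view.
SAMPLE_LOG = "\n".join(
    [make_line(f"198.51.100.{i}", i) for i in range(1, 31)]
    + [make_line("203.0.113.7", s) for s in range(0, 12, 2)]
    + [make_line("192.0.2.5", 30, method="GET", path="/")]
)
```

Running `assess(SAMPLE_LOG)` flags only the single repeat offender while 30 attempts from the other addresses pass a per-IP rule untouched, even though the site as a whole is taking 36 login POSTs in one minute.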