Updated December 28, 2022
Reading Time: 3 minutes
Protecting WordPress against the recent (and massive) brute force attack has been a popular subject on online newswires lately. While security attacks on open source platforms (like WordPress) are nothing new, this latest barrage has become truly sensational. Let me clear up what’s really happening and, more importantly, what you can do to protect your WordPress website.
WordPress Security & Recent Brute Force Attacks
High-profile web hosting firms are taking on the brunt of the attack. If your site is hosted by HostGator, LiquidWeb or GoDaddy, you’ve probably received an email reassuring you and providing advice on how to prevent a breach. Even if hackers haven’t infiltrated your site, it’s probably affected your hosting service. The onslaught has been overloading servers, affecting administrative access and site up time.
While your hosting provider is doing what it can behind-the-scenes, the best offense is a great defense. And your best defensive move is to implement robust and complex passwords that aren’t easily hackable. It’s also recommended to have unique passwords for each system. That way you are spreading out the access risk. For example, have a password for your banking site that’s different from your Groupon or Facebook login. Protecting yourself takes a little common sense and ongoing diligence.
Protecting WordPress: Practices to Implement
Are there other measures you can put into place to protect your WordPress website? Yup. Here are our top 6:
1. Don’t Use Admin As a User Name
Having “admin” as a user name is a rookie mistake. Change it immediately. If you use WordPress.com to host your site, follow Matt Mullenweg’s advice and implement two-factor authentication.
2. Implement Strong Passwords
If you are your website’s Webmaster, we recommend installing Force Strong Passwords. This is a five-star rated plugin; it will guide your users to build robust passwords for WordPress administration access. A good password has the following elements:
- A minimum of 8 characters
- A combination of upper and lower caps (min: 2 upper case)
- At least two numbers (0-9)
- At least one special character
- The password must not be a word you can find in the dictionary (there is such a thing as a dictionary attack)
- If you can remember your password it’s not a good one
3. Block Hackers at IP Source
We use IP Blocker to blacklist hackers. While this isn’t foolproof — and it is not a defense against the recent brute force attack — it permanently blocks hackers at the IP address level. For our maintenance clients, we keep on top of black listing hackers as they alter IP locations in their repeated attempts to break in.
4. Limit Login Plugin
Blocking the bad guys is unfortunately part of “business as usual” for any type of website. It’s not a matter of “if” a bad guy will come knocking on your WordPress door, it’s just a matter of “how many times they will try to break in.” That’s why we recommend a plugin that limits the number of login attempts. Blocking at the IP source plus limiting attempts is an effective combo in protecting WordPress. Sadly brute force hacking software is easily available, complete with how-to videos on YouTube.
With that said, we want to be absolutely clear. The combo of IP Blocker and Limit Login plugins are effective general security measures. They are ineffective against the recent brute force attack. Again, the best way to protect yourself is with robust passwords.
5. Hide WordPress Version
Protecting WordPress starts a the database level. We use a plugin to hide the WordPress version and ensure that default prefixes (“wp_”) have been altered (another layer of protection). Hackers that use brute force software zero in on websites where these defaults are used.
6. Keep Core Up to Date
Automattic, curators of WordPress’ core, regularly update the code with WordPress security updates. Keeping your version up to date takes advantage of changes they implement to address new threats and trends. Same goes as to security plugin updates/upgrades.
Brute force attacks are unfortunately increasing and becoming more commonplace. The good news is that several security features make protecting WordPress websites easier. Not sure if your site is vulnerable? We offer an affordable audit where we analyze your WordPress installation. You’ll receive specific recommendations on how to safeguard your website.
More Info About Brute Force Attacks & WP
Keeping your website secure is not a “one-and-done” endeavor. If you’re technically minded, I suggest this WordPress.org article on some of the code you can add to protect your site further. If you need help with your WordPress website’s maintenance and other security measures, simply reach out.
Blog Traffic: Attraction Factor – Part 2
I do agree with all the ideas you have presented in your post. They are very convincing and will definitely work. Still, the posts are too short for novices. Could you please extend them a bit from next time? Thanks for the post.
Thanks for commenting. For WordPress newbies, I don’t suggest DIY, especially when modifying or adding code.
I do agree with all the concepts you’ve introduced in your post. They’re very convincing and can definitely work. Still, the posts are too brief for newbies.
May just you please prolong them a little from next time? Thanks for the post.
Thanks for commenting. For WordPress newbies, I don’t suggest DIY, especially when modifying or adding code.
There is no doubt that your post was a big help to me. I really enjoyed reading it.
Thank you for the kind words Jeremy. Protecting your WordPress website from a breach is no easy task.
Please provide me with additional details on that. I need to learn more about it.
Hi Milton. Here are more articles related to this topic.