This past Saturday evening was an eventful one, with one of my clients experiencing a brute force attack on their WordPress website.
Thankfully, we’d completed a re-design some months ago which included a new backup schedule and security refresh. I’m sure that had we not done that, these nasty so-and-so’s would have gained access to the site and the result could have been catastrophic.
I am hearing a lot of business owners experiencing these awful brute force attacks lately, so thought I’d take some time to write out my top 6 tips for protecting your WordPress site against a brute force attack:
1. Have an appropriate security plugin installed (and properly configured!)
I use and recommend WordFence (although Sucuri and iThemes Security are pretty awesome too). WordFence is quite straightforward to set up and helps protect your website against hacking. With a robust firewall, the ability to block brute force attacks and great email notifications that warn you if it notices anything untoward, it’s one of the first plugins that I ever install on new client sites.
Once you have WordFence installed and configured, make it part of your regular schedule to log in and review your security settings and live traffic feed to get an understanding of what is happening behind the scenes. If you notice any suspicious activity, don’t be shy to manually block IP addresses!
2. Use a SUPER strong username and password
Whatever you do, DO NOT use the generic “Admin” as your username! Make it something unusual and hard to guess.
The same goes for your password – make sure it uses a combination of upper- and lower-case letters, numbers and symbols. Make it REALLY hard to crack!
3. Block, Block, Block, Block, BLOCK!
I’m a bit trigger-happy when it comes to blocking suspicious IPs/users from accessing my sites, but in this day and age it definitely pays to be very cautious of suspicious activity. I have my sites set up to immediately block anyone attempting to log in using an incorrect username and lock anyone out that gets the password wrong more than twice in a row.
Also, if I see too much suspicious activity originating from any one country, I will block all IPs from high-risk countries (India seems to be an issue at the moment and is not my target market, so I’ve blocked the whole country!)
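To show what the lockout rule in tip 3 looks like when checked against real traffic, here is an added example (not code from the original post or from WordFence) that reads web-server access log lines for POSTs to wp-login.php and lists the source IPs that got the password wrong more than twice in a row. It assumes combined-format Apache/Nginx logs and that a failed WordPress login re-renders the form with a 200 while a successful one redirects with a 302; the log lines themselves are constructed.

```python
"""Flag brute force attempts against wp-login.php in access logs and decide
which source IPs a lockout rule would block. Added example, not part of the
original post; log format and status-code heuristic are assumptions."""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines (RFC 5737 test addresses). Assumption: a POST to
# wp-login.php answered with 200 is a rejected login (form re-rendered); a
# 302 after a POST is a successful login redirecting to wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:21:02:11 +1100] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:21:02:12 +1100] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:21:02:13 +1100] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:21:05:40 +1100] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:21:05:55 +1100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:21:06:01 +1100] "GET /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
"""

MAX_CONSECUTIVE_FAILURES = 2  # the post's rule: wrong "more than twice in a row"


def login_failures(log_text):
    """Return {ip: longest run of consecutive failed wp-login.php POSTs}."""
    streak = defaultdict(int)   # current run of failures per IP
    longest = defaultdict(int)  # worst run seen per IP
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue  # only login form submissions count
        ip = m["ip"]
        if m["status"] == "200":  # form came back: credentials rejected
            streak[ip] += 1
            longest[ip] = max(longest[ip], streak[ip])
        else:                     # redirect: login succeeded, run resets
            streak[ip] = 0
    return dict(longest)


def ips_to_block(log_text, limit=MAX_CONSECUTIVE_FAILURES):
    """IPs whose longest run of consecutive failures exceeds the limit."""
    return sorted(ip for ip, n in login_failures(log_text).items() if n > limit)


if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG):
        print(f"block {ip}")  # prints: block 203.0.113.7
```

The second IP fails once and then succeeds, so it stays under the limit; the GET request is ignored because only form submissions count as attempts.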
4. Keep your files up to date
Make sure your WordPress, theme and plugin files are always up to date. Out of date files are one of the “easiest” ways for unscrupulous hackers to gain entry to your site.
As a starting point, log in to your dashboard on a regular basis (at least monthly) and update any WordPress, theme and plugin files which are showing as being out of date.
As always, make sure you run a new backup before attempting any major updates.
5. Relocate your login page
By default, your WordPress login page is located at http://www.yourdomain.com.au/wp-login.php. Hackers therefore only need to know your domain name and they can pretty easily locate your login page!
Hiding your login page at a different location is a great way to foil a would-be brute force attack on your site. You can easily achieve this by installing a simple plugin like WPS Hide Login or Move Login.
6. Run backups regularly
Even with all of these steps in place, there is still no guarantee that hackers won’t find their way into your site. If that does happen, having an up-to-date backup means that your site can be re-established quickly. I use and recommend Updraft and Backup Buddy for backing up.
Hacking is such an overwhelming problem for websites around the world – not just WordPress. With the amount of time that goes into developing and maintaining your website, it’s a MUST to make sure your site is properly secured against these unscrupulous so-and-so’s (who we all wish would just GET.A.LIFE already!), so that it is not the next to be hacked and you don’t risk losing everything that you have worked so hard to build.