Brute force attacks… the scary and very real threat for WordPress website owners. If a person figured out your WordPress username and password, your site could be destroyed, taken hostage, or simply be deleted.
As terrifying as it is, when your website is the target of a brute force attack, there are certain precautions you can take to mitigate your risk.
Brute force attacks on WordPress websites generally take advantage of common username and password combinations.
You wouldn’t intentionally leave the door unlocked at the office, so why wouldn’t you lock the website?
Take these steps to make your WordPress website more resilient to potential attacks.
What is a Brute Force Attack?
Let’s start with the basics. Essentially, a brute force attack is a technique hackers use to gain access to your WordPress website by guessing the password for your administrator account. It is regarded as the most basic type of attack, but also the most common.
There are a variety of ways to compromise a WordPress website: finding a vulnerability in the website’s code, tricking your site’s users into revealing their password, or even installing a key-logger on a user’s computer and stealing the password.
Since 2018, the FBI estimates over 100,000 businesses have experienced some form of brute force attack that was successful. Other estimates suggest that 98% of businesses experience an attempted brute force attack weekly!
Interesting attack vector modeling… almost looks like art. Brute force attacks are easily modeled.
What differentiates brute force attacks from other cracking methods is that brute force attacks don’t employ an intellectual strategy; they simply try using different combinations of characters until the correct combination is found.
Hackers or attackers are pretty lazy. They resort to lazy methods: guessing, or guessing a lot.
As many people have usernames and passwords that are very easy to guess, it is surprisingly quite effective.
And that is exactly what a brute force attack on WordPress is: a hacker tries the most common usernames and passwords… over and over, until they make it in.
Protecting your website against brute force attacks is just one of many efforts used by engineers to secure your website, and just a part of what makes up a WordPress security plan for your organization’s website.
To make this faster, hackers use automated programs to guess for them. These tools will try hundreds of combinations in a few seconds. Running through a list of common passwords, they try for an easy win. If the attempt fails, they may move on. Determined attackers will even use random combinations of words, letters, and symbols until they get it right.
Weak passwords can take as little as 0.33 milliseconds to crack.
Is WordPress vulnerable to Brute Force Attacks?
Yes. Any software is vulnerable to this type of attack.
WordPress runs over one third of the web. This popularity makes it a likely target for attackers.
“This sort of attack is not endemic to WordPress, it happens with every webapp out there, but WordPress is popular and thus a frequent target.”
Really, all they have to do is guess your username and password, and they have access to anything and everything.
Protecting Your WordPress Site from Brute Force Attacks
Take just a few extra precautions yourself and you’ll fend off the brunt of these attacks. WordPress itself includes basic security precautions to protect you.
Let’s get into the best ways to protect your WordPress website from brute force attacks:
1. Choose a strong password
The best prevention for brute force attacks on a WordPress website isn’t complex software, firewalls, or any other ‘trick’. The very best thing you can do to protect your website from brute force attacks is simple: choose a strong password.
We’ll repeat that: choose a strong password!
Our tips for choosing a solid password:
Try the in-browser password generator for a complex password
Minimum 6 characters long! No exceptions.
Mix of capital and lowercase letters, include numbers, and some symbols.
Don’t mix passwords. Never use the same password for more than 1 website, especially your own WordPress.
Unless you’re planning your retirement, don’t use common usernames or passwords.
Don’t be inspired! No personal information: name, address, dates, or even the name of your pet. This will be the first thing someone who knows you will try.
More tips from one of our engineers working at Harvard here.
A strong username and password will stop 99% of all brute force attacks.
Protect yourself by creating strong passwords that are unique and hard to guess. Use 2-step verification where it is available, manage all your passwords in a password manager, and NEVER share your password with anyone else.
Whichever security plugin you choose, you’ll be better off, and certainly better secured, than if you had not bothered to install a security plugin for WordPress.
3. Hide the Login Page
By default, WordPress designates the URL /wp-admin/ as the login page. Protecting your WordPress login page is crucial to slowing attacks from any vector. Brute force attackers take advantage of this default location. If an attacker doesn’t know where to log in, it is going to be harder for them to attack your website.
Simply moving the page won’t trick everyone. There are other ways of finding the login page, but most attackers would not bother.
There are several options for WordPress plugins that move or hide the login page. WPS Hide Login allows you to change your login page URL, simple as that. No one will be able to access the normal login pages. While there are workarounds, this will put a stop to most hacking attempts.
4. Enable Two-Factor Authentication
Two factor authentication adds an extra step to logging in.
Most two factor authentication systems send a text or notification to your phone with a code to enter. Involving another device, like a phone, is the best way to prevent brute force hack attempts on a WordPress website.
Among its other security features, Wordfence includes two-factor authentication.
5. Limit Login Attempts
Brute force attacks rely on the ability to test dozens or even hundreds of username and password combinations as quickly as possible. For a standard installation of WordPress with no security plugins, the only thing slowing down this attack is your server capacity.
Limiting login attempts on your WordPress website means that when an attacker uses the wrong password a few times in a row, they are locked out. This prevents them from trying many combinations: the attacker’s software cannot continue to try new ones. The attacker is essentially defeated, and they generally move on to weaker targets.
How to limit login attempts on WordPress
The best and easiest way to limit login attempts on a WordPress website is to install a plugin. Plugins are available to limit the number of attempts a user can make before they are locked out.
Any of these will help take care of this vulnerability and all easily limit the login attempts on WordPress.
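Lockout logic of the kind a limit-login plugin implements, as an added Python example (not code from the post or from any named plugin): failed attempts are counted in a sliding window per username/IP pair, and the thresholds, the injectable clock and the choice of key are assumptions.

```python
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Lock a username/IP pair out after too many failed logins in a window."""
    # Hypothetical model of what a limit-login plugin does; not from the post.

    def __init__(self, max_attempts=5, window=300, lockout=900, clock=time.monotonic):
        self.max_attempts = max_attempts    # failures allowed inside the window
        self.window = window                # seconds over which failures are counted
        self.lockout = lockout              # seconds a locked key stays locked
        self.clock = clock                  # injectable so tests can fake time
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lockout expires

    @staticmethod
    def key(username, ip):
        # Normalise case so 'Admin' and 'admin' share one counter.
        return (username.lower(), ip)

    def is_locked(self, username, ip):
        k = self.key(username, ip)
        until = self.locked_until.get(k)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[k]        # lockout has expired
            return False
        return True

    def record_failure(self, username, ip):
        """Register a wrong password; returns True when this failure triggers a lockout."""
        k, now = self.key(username, ip), self.clock()
        recent = self.failures[k]
        while recent and now - recent[0] > self.window:
            recent.popleft()                # drop failures older than the window
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self.locked_until[k] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, username, ip):
        """A correct password clears the failure history for that key."""
        self.failures.pop(self.key(username, ip), None)
```

Keying on the username alone lets anyone lock a real user out by guessing wrong on purpose, while keying on the pair lets guesses be spread across many addresses; plugins usually track both, which is why the key is a single method here.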
To create a strong password that is easy to remember, use a mix of alphanumeric characters, upper- and lowercase letters, and symbols if the system allows them (as long as spaces are not used); or choose an acronym for an easily memorable phrase or quote and replace certain letters with numbers or symbols. You may also want to incorporate the first few letters of a website into your password if you are creating one for that particular site.
For best password security, do not use common words such as names, ID numbers or user IDs in any form; avoid passwords that contain fewer than 8 characters; do not use names from popular culture or acronyms associated with geography via products; and refrain from using single words preceded by digits and/or punctuation marks. Combining all these techniques will result in a strong but easy-to-remember password!
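The password rules from the tips list above and from these two paragraphs, as an added Python example (not code from the original post): a checker that reports which rules a candidate breaks, plus the acronym-and-substitution technique. The common-password sample, the substitution table and the minimum length of 8 are assumptions.

```python
import re
import string

# Constructed sample of the passwords guessing tools try first (not a real wordlist).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "letmein", "welcome"}

# Letter-to-symbol swaps for the acronym technique; assumed, not from the post.
SWAPS = str.maketrans({"a": "@", "s": "$", "o": "0", "i": "1", "e": "3"})


def check_password(pw, personal=(), min_len=8):
    """Return the list of rules a password breaks (empty list = passes).

    Rules mirror the post: length, mixed character classes, no spaces, nothing
    from a common-password list, no personal information, and not just a single
    word with digits or punctuation stuck in front. Hypothetical helper.
    """
    problems = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append(f"fewer than {min_len} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mix of upper- and lowercase")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if " " in pw:
        problems.append("contains a space")
    if any(word in low for word in COMMON_PASSWORDS):
        problems.append("contains a common password")
    if any(tok.lower() in low for tok in personal if tok):
        problems.append("contains personal information")
    # Digits/punctuation followed by one plain word, e.g. '!!1Hello': cracking
    # rules generate exactly this shape from a wordlist, so it is flagged.
    if re.fullmatch(r"[\d\W_]*[A-Za-z]+", pw):
        problems.append("single word prefixed with digits or punctuation")
    return problems


def acronym_password(phrase, swaps=SWAPS):
    """Take the first letter of each word of a memorable phrase, then swap some
    letters for digits and symbols, as the post suggests."""
    initials = "".join(w[0] for w in re.findall(r"[A-Za-z]+", phrase))
    return initials.translate(swaps)
```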
A hacked WordPress website can be devastating to any business. Having to rebuild from scratch may be the only choice.
Using a complex secure password is always the best security you can have.
If you’re really worried about your website and think about website security a lot, you should probably explore our website and learn more about what we could do for you.
For starters, we could help you stop worrying about your website and let you get back to your real responsibilities… check out how WordPress management services (like, full-service, never-worry-anymore…) could be lifechanging for you and maybe even let you get your job done. Our engineers are experts in WordPress security, WordPress maintenance, and supporting your organization’s mission online.
Katrina is a developer, designer, author, and thought leader on topics including Security and WordPress. For more from Katrina, find her on twitter and follow her on medium.