Gabfire Themes Blog

Brute Force Attacks on WordPress – Tips & Plugins

I thought the widely covered brute force attacks on WordPress sites were worth discussing in case any of our users aren't yet aware of this hot topic.

What are Brute Force Attacks?

Unlike attacks that exploit a bug in WordPress, a theme or a plugin, a brute force attack simply tries username and password combinations over and over until one works. It succeeds far more often than it should because many sites still use weak credentials, especially the default 'admin' username, which hands the attacker half of the login for free. Since the guessing never stops after a failed attempt, and a stock WordPress install neither slows down nor blocks repeated failures, the flood of login requests also eats server CPU and memory and can slow down or take down the site even when no password is ever guessed.

How can you prevent brute force attacks?

To prevent these attacks on your WordPress site, follow these precautionary steps:

  1. Do NOT use the 'admin' username. Create a new user with the Administrator role, log out, log back in as that new Administrator, and delete the user 'admin'. When WordPress asks what to do with the old account's posts, attribute them to the new user rather than deleting them. Keep in mind that WordPress exposes login names through author archive URLs, so treat the username as a weak secret at best and rely on the password and the measures below.
  2. Set a strong password: long, unique to this site, and mixing upper and lower case letters, numbers and symbols; a password manager makes this painless. Unfortunately, we still see site owners whose password is their own domain name or a simple number string such as 123456, both of which are in every attacker's word list.
  3. Protect your site using plugins. These are 3 plugins that I highly recommend – use the one (or two) that meet your needs:
  • Limit Login Attempts – blocks further logins from an address after a set number of failures, which is exactly what a stock WordPress install does not do.
  • Google Authenticator – adds two-factor authentication (a time-based code from the app on your phone) to the login. For some, this may seem like overkill, but a guessed password alone then no longer gets an attacker in.
  • WordFence – a broader security plugin with a built-in firewall, malware scanning of your files, and a premium version that can block traffic from specific countries. It also includes its own login limiting, so don't run it alongside Limit Login Attempts with both throttling enabled; pick one to do that job.
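As an added example (not code from this post or from any of the plugins named above), the following WordPress mu-plugin implements the core of what a login-limiting plugin does: it counts failed logins per client address and refuses further authentication for a while once the limit is hit, which closes the gap described above where a stock install accepts unlimited guesses without delay. The limit of 5 failures, the 15-minute window, the file name, and the use of $_SERVER['REMOTE_ADDR'] are assumptions; the hook names (authenticate, wp_login_failed, wp_login, login_errors) and transient functions are WordPress's own.

```php
<?php
/*
Plugin Name: Login Throttle (added example)
Description: Locks a client address out after repeated failed logins.
*/

// Added example, not the code of any plugin named in the post.
// Save as wp-content/mu-plugins/login-throttle.php; mu-plugins load without
// activation. Assumptions: 5 failures, 15-minute lockout, and that REMOTE_ADDR
// is the real client address. Behind a reverse proxy or CDN you must take the
// address from the proxy's header instead, or every visitor shares one counter.

defined('ABSPATH') || exit;

const LT_MAX_FAILURES    = 5;
const LT_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

// Transient key for the current client. The address is hashed so the raw IP
// never becomes part of an option name in the database.
function lt_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lt_fail_' . md5($ip);
}

// Runs after WordPress's own username/password check (which sits at priority
// 20). While the client is locked out, return an error instead of whatever that
// check found, so even a correct password is rejected until the window expires.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '') {
        return $user; // a plain GET of wp-login.php also runs this filter; ignore it
    }
    if ((int) get_transient(lt_client_key()) >= LT_MAX_FAILURES) {
        return new WP_Error('too_many_attempts', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 30, 3);

// Each failure bumps the counter and restarts the expiry. WordPress fires this
// for the lockout error too, so the window keeps extending while guessing continues.
add_action('wp_login_failed', function ($username) {
    $key = lt_client_key();
    set_transient($key, (int) get_transient($key) + 1, LT_LOCKOUT_SECONDS);
});

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lt_client_key());
}, 10, 2);

// Replace WordPress's specific messages ("Invalid username" versus "The password
// you entered for the username ... is incorrect") with one that does not confirm
// which usernames exist. The trade-off is that the lockout notice is hidden too.
add_filter('login_errors', function ($error) {
    return 'Login failed.';
});
```

Transients are per site, so on a multi-server setup with a shared database the counter is shared as well; on a single server with an object cache it lives in the cache. Test it by entering a wrong password six times from one machine and confirming that the correct password is then refused until the window passes.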

Better Safe Than Sorry

Now that you're informed, spend a few minutes protecting that awesome site. While you're at it, empty the trash, clear out the spam, and remove any user accounts you don't recognise. Any questions or comments related to these brute force attacks, just ping us in the comments below.

Comments (14)

  1. Glenn

    Hi Charlie, I've seen a lot written about the recent brute force attempts by a botnet. However, everything I've read discusses how to protect yourself from the attack. Can you advise on what the attack actually is? If they get in, what do they do? How do I know if they got in or not, and what action do I take if they did get in?

  2. Bartek

    Yeah, here in Poland my site (arts and culture theme based) was attacked; my hosting catalogues were blocked (18.04).
    I am not able to write new articles.
    My login was not "admin"
    And the password had more than 10 characters (numbers and letters).
    But yeah, no security plugins installed.
    Should I install a new WordPress and updated theme now?

    • Mehmet Ozek

      What were the results of the attacks, Bartek? Have they been able to access your files and edit any of them, or blocked hosting by sending a lot of requests?

  3. Bartek

    The hosting company blocked 2 catalogues:

    -ftp/lifelatte/wp-includes/js/tinymce/plugins
    -ftp/lifelatte/wp-includes

    They also said that the script was sending an enormous amount of spam from my address:
    /wp-includes/js/tinymce/plugins/spellchecker/includes/page.php

    Now it is impossible to write any articles; sometimes on the slider you can only see PHP code instead of pictures, and there are problems after logging onto the site. The site is a bit unstable.

  4. Roy

    1) About the problem of accessing wp-includes, maybe create a file called .htaccess in the folder with:
    #v The below v

    Order deny,allow
    Deny from all

    Allow from all

    #^ The above ^

    So that only these types of files can be accessed by users.

    2) To protect against password recovery via e-mail (the e-mail account can sometimes be illegally accessed) I would suggest you edit the file wp-login.php …

    Find:
    $allow = apply_filters('allow_password_reset', true, $user_data->ID);

    Change it to:
    $allow = apply_filters('allow_password_reset', false, $user_data->ID);

    And find:
    if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) )

    And change it to:
    if ( !in_array( $action, array( 'postpass', 'logout', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) )

    ( If some day you really need to recover a password, you can reverse the code… or follow the advice here: http://codex.wordpress.org/Resetting_Your_Password ).

    3a) Preventing brute force is relatively easy, free, and very very secure!
    Just go to: http://wordpress.org/extend/plugins/perfect-paper-passwords/ download it, activate it, and follow the simple instructions… make sure you read them twice!!… I first had problems because I didn't read the instructions correctly (skipped some steps) and I was thinking the plug-in wasn't working, when it was!
    Advantages of this plug-in:
    – Always reports a password error, whether you input the correct password or not… as long as you are not entering the correct second-factor authentication password;
    – Every single one of the several card passwords present can only be used once (but until someone uses the correct one, it will stay valid… so your card can't just go out of use because people are just trying all day long);
    – Can be between 2 and 16 characters long… easy or extremely difficult… you choose!
    – No sending to e-mail, SMS or phone call… so no easy man-in-the-middle attack;
    – If you think the password card has been compromised (or is just running out), just go to the account, create a new secret, save the changes, copy the new Sequence Key to the GRC web site (make sure the Passcode length is correct) and you are set with new passwords.
    – If you lose the password card, you just need to know the Sequence Key and the Passcode length and you can create the password card again… so make sure you have both, for example, in a secure safe.

    3b) To prevent brute force on the login page you can also create a .htaccess in the main folder of the WordPress blog/web site with the following:

    Order Deny,Allow
    Deny from all
    Allow from xx.xx.xx.xx

    Where xx.xx.xx.xx is your IP, like 100.021.282.112
    If you have dynamic IPs, search online for your operator's main IPs and you can, for example, use a more "wild" specification like:
    Allow from 100.021
    Allow from 100.022
    Allow from 100.023.022

    In this case, for example, 100.021.100.001, 100.022.022.012 and 100.023.022.100 can access… not as secure as just the full IP, but at least other people/machines from other networks won't be able to access it!

    You can also protect access to wp-admin with this same technique… just create a new .htaccess with:

    Order deny,allow
    Deny from all
    Allow from 100.021
    Allow from 100.022
    Allow from 100.023.022

    And put this file in the wp-admin folder.
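Two of the measures in the comment above, the IP allow-list in .htaccess and disabling password reset by editing wp-login.php, can also be done inside WordPress itself. The mu-plugin below is an added example and not the commenter's code or any plugin's. It matches addresses against CIDR masks rather than against a partial dotted prefix, and it disables reset through the allow_password_reset filter that the edited line already calls, so a core update (which overwrites wp-login.php) cannot silently undo the change. Assumptions: the listed ranges are TEST-NET placeholders to replace with your own, $_SERVER['REMOTE_ADDR'] is the real client address and not a proxy, IPv4 only, 64-bit PHP, and the file name. One caveat for the .htaccess route as written in the comment: on Apache 2.4 the Order/Deny/Allow directives only work with mod_access_compat loaded; the native 2.4 form is Require ip followed by the address or CIDR range.

```php
<?php
/*
Plugin Name: Login Allow-list (added example)
Description: Restricts wp-login.php and the dashboard to listed networks and disables password reset.
*/

// Added example, not the commenter's own code. Save as
// wp-content/mu-plugins/login-allowlist.php. Assumptions: the ranges below are
// TEST-NET placeholders, REMOTE_ADDR is the real client address, IPv4 only, 64-bit PHP.

defined('ABSPATH') || exit;

const LA_ALLOWED = array(
    '203.0.113.0/24',   // a whole /24, the precise form of a partial "Allow from" prefix
    '198.51.100.7',     // a single host; no mask means /32
);

// True when $ip falls inside $cidr, given as "a.b.c.d" or "a.b.c.d/n".
function la_ip_in_cidr($ip, $cidr) {
    $parts = explode('/', $cidr, 2);
    $bits  = isset($parts[1]) ? (int) $parts[1] : 32;
    $ip_n  = ip2long($ip);
    $net_n = ip2long($parts[0]);
    if ($ip_n === false || $net_n === false || $bits < 0 || $bits > 32) {
        return false; // malformed input never matches
    }
    $mask = ($bits === 0) ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ip_n & $mask) === ($net_n & $mask);
}

function la_client_allowed() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach (LA_ALLOWED as $range) {
        if (la_ip_in_cidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

function la_deny() {
    wp_die('Forbidden', 'Forbidden', array('response' => 403));
}

// wp-login.php: this covers the login, lost-password and registration forms.
add_action('login_init', function () {
    if (!la_client_allowed()) {
        la_deny();
    }
});

// Dashboard. admin-ajax.php fires admin_init as well and front-end features use
// it, so AJAX requests are left alone; otherwise the allow-list would break the
// public site for every visitor who is not on the list.
add_action('admin_init', function () {
    if ((defined('DOING_AJAX') && DOING_AJAX) || la_client_allowed()) {
        return;
    }
    la_deny();
});

// Same effect as changing the apply_filters('allow_password_reset', ...) line
// in wp-login.php, but done through that filter, so core updates keep it.
add_filter('allow_password_reset', '__return_false');
```

Before relying on it, confirm from an address outside the list that wp-login.php and wp-admin return 403 while the front page still loads, and from an address inside the list that "Lost your password?" reports that reset is not allowed. Keep FTP or SFTP access handy: if you lock yourself out, removing the file from mu-plugins restores normal access.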

  5. Roy

    Unfortunately my previous comment was filtered and many of the essential tips (what needs to be done) have been wiped, so I post this on-line here: http://sharetext.org/nmH9

  6. Lorenzo

    I also use Limit Login Attempts on my WP installation.

    For creating strong passwords, consider a password manager like 1Password or LastPass.

  7. Brice Lucas

    Great article. I learned about the recent botnet being built out of wordpress sites using brute force attacks over on Ars Technica. Your posting is useful, but I wanted to add that not only is “admin” being targeted… so is “administrator”, “ADMIN”, etc, etc.

    Regardless, properly configuring your server and using great plugins like Limit Login Attempts will cover you.

    Thanks for the post!
    B

  8. Fred

    Our site was hacked by a brute force method and they inserted Black Hat SEO spam links into the code. Any idea on how to remove it? I looked in the header, page, and even most of the php files but couldn’t find it.

    It inserts it after the header and before the body, so any suggestions on how to remove it are appreciated. It’s not showing up in the posts, but can be seen in the source code and is also picked up by Google search bots. Thanks

  9. Jeff

    Why use the Limit Login Attempts plugin AND the WordFence plugin? WordFence has limit login attempts features.

    Without deactivating the WordFence options that compete with the Limit Login options, these suggestions are bogus.

    • Mehmet Ozek

      WordPress would allow you to enter as many usernames and passwords as you like with no delay between attempts. That is dangerous. Limit Login itself does the trick here and doesn't allow continuous login attempts, which also avoids brute force attacks.

  10. Dr. Shefali Dandekar

    My website does not contain any malware, but Google Chrome / Firefox always show a warning :(


  12. استخدام

    Add this one:
    4. Change the login URL. You can use the iThemes Security plugin to avoid brute force attacks :)
