More than half of the websites in the world are built using WordPress for their CMS. WordPress is popular because it is easy to use, install and customize. Unfortunately this popularity also makes it a target for cyber-attacks. According to a Sucuri report WordPress CMS infections rose from 74% in 2016 Q3 to a staggering 83% in 2017.
Brute force attacks are some of the lowest level attacks your site will face. Basically hackers use automated methods to try to gain access to a WordPress site by trying to login with commonly used usernames and passwords.
Attackers build a list of hundreds of commonly used usernames and passwords and try each one on your site. The attack script will do this over and over until it gains access or the list is exhausted.
Unless you have preventive measures in place it only takes minutes before attackers gain access. Here’s what you can do to prevent these types of attacks.
Change Login Page URL
Attackers gain access to your login page by trying the default settings first. For WordPress this means going to www.YourSiteName.com/wp-admin or /wp-login.
Thankfully WordPress is smarter than hackers because you can use a plugin called WPS Hide Login. It allows you to change your login URL to whatever you specify.
Use A Secure Web Host
Most website owners choose a host based on performance and cost. However, security also needs to be one of the determining factors when choosing. A reputable web host pays attention not only to strengthening internal solutions but in advising their customers as well.
A good web host deploys security and also helps clients resolve security issues when their sites are hacked. If you’re hesitating because changing hosts is a hassle, it’s easier than you think. Aside from security measures, many good hosting providers also help clients migrate websites for free.
Testing Website Regularly
Aside from putting up measures to prevent attacks, you should also test them regularly. Security experts and security audits are expensive but tools like WPScan is free and easy to use. A good alternative is Hacker Target, a vulnerability scanner.
Install Security Plugin
Security plugins like Malcare can provide against multiple types of attacks. This tool is very comprehensive and offers enterprise-grade features at affordable prices. It offers basic as well as brute force protection and enables you to carry out activities like IP blacklisting, website hardening, and firewall management.
Use Complex Passwords
Even after experts warn against using “username” as a username and “password” for a password, using them are still pretty common. Since hackers use commonly used passwords, it makes sense to make your passwords complex.
Ideally it’s best to have a complicated username and password. A mixture of uppercase, lowercase and special characters as well as numbers is advised.
Using 2-Factor Authentication
2-factor authentication or 2FA is a good and easy way to double security on your website. As the name implies, it requires users to checking login credentials twice.
For example after providing the correct username and password the system will send an authentication code to an email or cellular phone number that you will need to login.
This is a good way to prevent brute force attacks against your site.
Using a reCaptcha is a good first line of defense against cyber-attacks. BestWebSoft is a good reCaptcha provider which makes sure that you’re human by asking you to perform additional tasks before you are allowed to login.
For instance it might ask you to type an image-based authentication code. This method is a good way of preventing automated script attacks.
Setting-up CloudFlare CDN
CloudFlare is a Content Distribution Network (CDN) that stores your site’s content from multiple servers. It has an interesting side effect against hackers because it makes your website more resilient against brute force attacks. It also has features like rate limiting which block users block users from sending too many login requests within a certain time frame.
WordPress security is often neglected before it’s too late. This is mainly because it is online and not physical so few owners see the need for additional security measures.
However, aside from potentially losing control of your site poor security can also lead to it being used against a tool against others. This means securing your website is your primary responsibility.