How to Protect your WordPress Website from brute force attacks

You may have heard the news about the brute force attack against WordPress sites and the servers that host them. Unfortunately, it’s real. The attack is global and very organized, and is not directed at any one web host. This unknown organization is using more than 90,000 IP addresses to hack into your website and take control.

Read more about the brute force attack here.

What you can do right now to protect yourself

1. Change your password.

This attack is primarily (but not exclusively) targeting sites with the username “admin”, which is the default WordPress username if you did not choose a different one when you created your account. The best passwords use a combination of upper and lowercase letters, are at least eight characters long, and include “special” characters (^%$#&@*).

Go change your password now.

2. Install a plugin that limits login attempts.

I use the Limit Login Attempts plugin, and you can get it either on the WordPress website or in your “add plugin” section of your WordPress website.

These types of attacks try to log into a website are sort of like throwing something against a wall until it sticks. The “bots” try hundreds of thousands of password combinations until they find the one that gets them in. This plugin monitors those attempts and locks out anyone who exceeds the number of attempts that you’ve set.

Here’s what someone sees when they’re locked out:

dos_lockout

And here’s a screenshot of the settings options:

dos_settings

This will go a long way in protecting your site. Go install and activate that plugin now.

3. Take a backup of your site

If you’re on a maintenance plan with us, this is done for you on a regular basis. If not, you should be taking regular backups in case you ever have to restore your site. I use BackupBuddy, but if you want a free backup plugin take a look at this one. I haven’t used it personally but it gets good reviews.

Now you’ve done what you can, and you have to leave the rest to your web host.

Don’t blame WordPress or your host

This is attack is not an indication of whether any one web hosting company is better than another. I’m seeing different companies starting to point fingers at each other on their blogs in an attempt to increase sales, so don’t buy into any of that. If you have a decent web host you don’t need to switch. If your mother’s-neighbor’s-friend’s-cousin-who-took-a-class-in-college is hosting your site, you might want to consider switching to someone like HostGator or A Small Orange (both of which I use personally).

This is also no fault of WordPress. Hackers don’t waste their time targeting software and services that aren’t popular. WordPress is used by hundreds of thousands of websites around the world, so it’s an easy target. It’s still a solid website platform and will continue to be. As a matter of fact, they’re celebrating their 10th anniversary next month. You can read about that here.

So make the changes I recommended above, then sit back and know that you’ve done what you can. This particular attack will pass, and you’ll be better prepared for the next one. It’s a reminder to all of us to be vigilant in protecting our websites.

UPDATE:

Here’s a link to a tool that will scan your site for malware: http://sucuri.net

And if your username is “admin”, you can change it. The easiest way without digging into the database is to create a new user with administrative rights (use your name as the username and set a strong password), then log out and log back in as that user, and delete the original “admin” user. You’ll be asked if you want to attribute posts written by the original user to the new user – say yes. 🙂

Questions? Comments? Discuss below.

  • Great information! Thanks so much for sharing it, AND, thanks so much for taking care of this threat for your clients. (that would be me…) It’s a great relief knowing you’re on top of all this mischief and are looking out for us.

    Thank you for your great service!

  • Lisa,
    THANK YOU so much for this posting and for sharing not only the information about the attack, but for generously gifting to us followers your priceless knowledge and instruction on how to protect our websites.
    Your insights are always valuable and appreciated! Many thanks for all you do!
    Karen Pike

    • Wow, Karen, thank you so much! You just made my day. I’m glad you find the info I share helpful. 🙂

      Lisa

  • Thanks for sharing, Lisa! I’d heard about the attack but wasn’t quite sure what to do beyond changing my password. The info about how to change “admin” is especially helpful!

  • Hey Lisa,

    this is good information. I like the fact that you also provided links to tools we can use to help get our websites protected one way or the other. These attacks are nasty, and we only hope it doesn’t ruin a lot of businesses out there. Thanks for sharing, all the best.

    Otoabasi U

  • Hi Lisa,

    This is great information, especially since so many people are using WordPress, but don’t forget that there is such a thing as a bad host. And bad hosts often are more vulnerable to attack than good hosts.

    If you’re using a bottom-rung host — you should probably use services like cloudflare for additional layers of security.

    • Oh yes, Joseph, I completely agree. There are some really crappy hosts out there. I posted this post a while back, but it’s still relevant.

      Thanks for your insight!

  • Thanks, Lisa!

    I do have highly secure passwords (I use 1password to come up with them and to store them), but after reading this, I’ve gotten rid of two accounts whose user name was admin, and I’ve installed the limit login attempts plugin.

  • Lisa,
    Thank you for a very informative post. Have changed my password and installed some security plugins.

    I’ve heard of sites being attacked since installing the Limit Login Attempts plugin. Do you know of another plugin?
    I did read in this thread (http://wordpress.org/support/topic/scary-limit-login-attempts-lockout-bypassed) that Limit Login Attempts has some flaws and hasn’t been updated in almost a year. One user recommended Login Security Solution as a better solution: http://wordpress.org/extend/plugins/login-security-solution/
    Have you heard of this plugin and whether it is reliable?

    Thanks,
    Ian

    • Hi Ian – thanks for that info. I have not had that experience with the Limit Logins plugin – it’s been working as it should for me. I haven’t heard of the other plugin but if it has a good rating you could always drive it a try. It forced you to change passwords after a certain time which while potentially a hassle, is a good practice to get into.

  • This could not have been more timely. Attempts to hack into my website brought down one of my provider’s server! We won this time… In addition to the changes we already made, I implemented your suggestions and sent the article to my provider… Thank you for these timely and incredibly useful suggestions!

Comments are closed.