WordPress Security: Brute Force Attacks and Why Not to Use Default Usernames and Weak Passwords on WordPress

For the last few months, I have had a constant barrage of brute force attempts on my site. Thankfully I have it set up with a decent security plugin, so they have done nothing but waste a bit of hosting power. But it’s pretty eye-opening to see the sheer size of their bot network. I’m not sure if it’s multiple attackers or just one big network, but I have seen over 6000 different IP addresses attempt to log in to my site repeatedly.

It blocks them automatically, but they seem to have an endless supply of IPs to hit my site with from all over the world – mostly Russia and China, but quite a few from the USA. Most of them try to use the username “Admin” or “Administrator.”

This is why security is important, for both PCs and websites. If this site had been like many on the web, with a weak password and the default username of admin, I would have been hacked long ago.

The most basic WordPress security starts with a strong password and a username that people can’t easily guess. There are also many useful plugins and some useful settings you can change. I’ll go over a few that I have used.

WordPress Plugins

Wordfence

This is a popular plugin with a variety of features. The free version gives you basic scanning and firewall functionality, along with IP blocking and brute force protection. The scanner compares your WordPress core files against the official copies published by WordPress.org, so any file a hacker has altered shows up as a mismatch. The paid version adds more functionality, including two-factor authentication via your phone for login, country blocking, and a password audit function that checks your users’ passwords against common password lists. The free version is useful, even if you don’t buy the paid version.

https://wordpress.org/plugins/wordfence/

Loginizer Security

For those wanting basic brute force protection without all the rest, this one lets you blacklist and whitelist IPs, and locks out an IP after a set number of failed logins. The pro version gets you MD5 checksum comparison of core files similar to Wordfence, two-factor authentication, and automatic blacklists.

https://wordpress.org/plugins/loginizer/
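To make the lockout behaviour of plugins like Wordfence and Loginizer concrete, here is an added example (written for this page, not code from either plugin) that replays Apache access-log lines and applies two rules: lock an IP after a number of failed logins inside a time window, and separately flag the pattern described at the top of this post, where thousands of different IPs each try a few times so that no single address ever trips a per-IP counter. A failed login is recognised by WordPress’s default behaviour of answering a failed POST to wp-login.php with the login form (HTTP 200) and a successful one with a 302 redirect. The thresholds, the window, and the log lines are all constructed for the example (RFC 5737 test addresses).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/wp-login.php"
LOCKOUT_THRESHOLD = 3              # failed logins from one IP ...  (assumed value)
WINDOW = timedelta(minutes=10)     # ... inside this window lock that IP  (assumed value)
DISTRIBUTED_THRESHOLD = 5          # distinct failing IPs in one window => distributed attack (assumed)

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?redirect_to=... and similar
        "status": int(m["status"]),
    }


def is_failed_login(ev):
    # WordPress re-renders the login form with a 200 on a bad password and
    # answers a successful login with a 302, so POST + 200 means a failed attempt.
    return ev["method"] == "POST" and ev["path"] == LOGIN_PATH and ev["status"] == 200


def analyse(lines):
    """Replay log lines in order and return what a lockout plugin would have decided."""
    per_ip = defaultdict(deque)   # ip -> timestamps of its recent failures
    recent = deque()              # (timestamp, ip) of all recent failures
    locked = {}                   # ip -> time it was locked out
    blocked_requests = 0          # attempts that arrived after their IP was locked
    max_distinct = 0              # most distinct failing IPs seen inside any one window

    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ip in locked:
            blocked_requests += 1   # a real plugin would serve a 403 here
            continue

        # Per-IP rule: LOCKOUT_THRESHOLD failures inside WINDOW locks that address.
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= LOCKOUT_THRESHOLD:
            locked[ip] = ts

        # Distributed rule: per-IP counters never trip when each bot sends one
        # attempt, so also count how many different IPs fail inside the window.
        recent.append((ts, ip))
        while ts - recent[0][0] > WINDOW:
            recent.popleft()
        max_distinct = max(max_distinct, len({r_ip for _, r_ip in recent}))

    return {
        "locked": locked,
        "blocked_requests": blocked_requests,
        "max_distinct_failing_ips": max_distinct,
        "distributed_attack": max_distinct >= DISTRIBUTED_THRESHOLD,
    }


def _line(ip, hhmm, method, path, status):
    # Constructed sample line in Apache combined log format.
    return (f'{ip} - - [10/Oct/2023:{hhmm}:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: one address hammering the login, one legitimate user,
# one malformed line, then one attempt each from six different addresses.
SAMPLE_LOG = [
    _line("192.0.2.10", "11:58", "GET", "/", 200),               # ordinary visitor
    _line("192.0.2.10", "11:59", "GET", "/wp-login.php", 200),   # loading the form is not a failure
    _line("203.0.113.5", "12:00", "POST", "/wp-login.php", 200), # failure 1
    _line("203.0.113.5", "12:01", "POST", "/wp-login.php", 200), # failure 2
    _line("203.0.113.5", "12:02", "POST", "/wp-login.php", 200), # failure 3 -> locked
    _line("203.0.113.5", "12:03", "POST", "/wp-login.php", 200), # blocked
    _line("192.0.2.10", "12:04", "POST", "/wp-login.php", 302),  # successful login, ignored
    "this line is not in combined log format",
] + [
    _line(f"198.51.100.{i}", f"12:{5 + i:02d}", "POST",
          "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200)
    for i in range(1, 7)
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Run against the sample, the per-IP rule locks only 203.0.113.5 and blocks its fourth attempt, while the six single-attempt addresses never trip it; only the distinct-IP count exposes them. That is the shape of the attack described above, and it is why a per-IP lockout plugin has to be paired with a hard-to-guess username and a strong password (or two-factor authentication) rather than relied on alone.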

Edit Author Slug

While not a security plugin, being able to edit the author slug is useful because it defaults to your username. A smart hacker would check your blog, follow the link to your author profile, read the username out of the URL, and then only have to guess the password. Note that changing the slug only hides the username; the login name itself stays the same, so it still needs to be paired with a strong password.

https://wordpress.org/plugins/edit-author-slug/

Other Security Concerns

Blocking brute force attacks helps a lot with security, but there are other things you can do. Adding

Options -Indexes

to the .htaccess file in your site’s root directory turns off directory listings, so a visitor who requests a folder with no index file (wp-content/uploads/, for example) gets a 403 instead of a browsable list of your files (some of which may be private, or may help hackers find security holes). This only takes effect on Apache when AllowOverride allows the Options directive for that directory; on nginx the equivalent setting is autoindex off; in the server configuration.

Finally, you need to keep everything up to date. Old versions of plugins, themes, and WordPress itself may have known vulnerabilities. It is both a benefit and a detriment that WordPress is so widely used: vulnerabilities are discovered in it all the time, but they are reported and quickly fixed. WordPress applies minor core updates automatically by default; plugins and themes you have to update yourself, so check for updates regularly. As long as you stay up to date, you can stay ahead of most security issues.

In summary: don’t use the default admin username, have a strong password, get a plugin to limit brute force attacks, and keep things up to date. Following these simple steps won’t make you hacker-proof (even large companies struggle with that), but they will go a long way and will stop most common attacks.
