WordPress blogs have been under a massive brute force attack for the past few days. It has grown to such an extent that all the major web hosts have informed their customers about the attack and asked them to take precautionary measures. Popular hosts such as Hostgator, Hostdime and Liquidweb have all issued warnings via email.
What is Brute Force BTW?
Brute forcing is a technique used to log in to a panel by guessing passwords. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers and symbols until you discover the one correct combination that works. Brute forcing ensures a 100% success rate at hacking, but the downside to this attempt is the amount of time it can take to crack the password. A well-set password can take years to crack.
Now you know why you should change your password often, right? Imagine someone has decided to brute force your account and it will take months. Just when he is about to succeed at the end of the second month, you change your password. He is doomed! 😉
Usually a brute forcer doesn't go through the normal systematic way of guessing every letter. He uses what is known as a dictionary, which contains the most common passwords anyone would set, and mind you, people have compiled very huge dictionaries, even ranging up to 50-100 GB.
Here we will help you protect your WordPress blog with these simple yet powerful procedures. Follow these steps and you can reduce your exposure to a great extent.
Step 0. Backup!
Before you do anything, Just. Simply. Backup. Back up your entire WordPress blog; there are plugins to do that, and also do an entire cPanel export.
Step 1. Lock Down Your Blog Login Page.
Install a WordPress plugin known as Limit Login Attempts. By default WordPress allows anyone to try any number of passwords for a username, and brute forcers love this! This plugin will block further login attempts after a certain number of failed attempts.
This might not work in this case, since the login attempts come from different IP addresses at a constant rate, but you should still keep it installed.
Search for it in your WordPress Plugins page or download it from here: Limit Login Attempts.
Step 2. Put in a Captcha for that Bot.
When massive numbers of attacks are carried out, 'they' usually use malware and bots to perform the attack. In that case you can put up a captcha on the login page to rule these out. Although captchas can be bypassed (Deathbycaptcha and Decaptcher services), this still adds an extra layer of protection.
BONUS : It also prevents SPAM!
To install a captcha on your blog, go to the WordPress Plugins page, search for "Captcha" and install BestWebSoft's plugin, or download it from here: Captcha.
Step 3. Power UP Your Password. (Change it)
Your password is the main vulnerable target in this scenario, so ensure you have a secure and strong password, much like the following passwords:
Don’t use the above 😛 They are just examples.
Once you have chosen one, check its strength using Microsoft's Password Strength Checker.
Step 4. Password Protect the wp-login.php File.
You can password protect your wp-login.php file, which is WordPress's login page. Follow the tutorial by Hostgator to accomplish this: [LINK]
Step 5. IP Block Frequent Abusers.
If you have checked your logs to find the IP addresses from which the attacks are originating, then you can use .htaccess to block those IPs or IP ranges from accessing your blog.
To ban single IPs, use the code below:
order allow,deny
# without "order allow,deny" the final "allow from all" would override the denies
deny from 192.168.1.2
deny from 10.130.130.6
deny from 172.16.130.106
allow from all
To ban a whole IP range, such as 192.168.1.1 to 192.168.1.254, you can use the code below:
order allow,deny
# a trailing dot matches every address in 192.168.1.x
deny from 192.168.1.
allow from all
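As an added example (not part of the original post), here is a small Python script that does the log check Step 5 asks for: it counts failed POSTs to wp-login.php per client IP in an Apache access log and prints the matching .htaccess deny rules. The log lines are constructed with private addresses, and the threshold of 3 failures is an assumption.

```python
import re
from collections import Counter

# Apache combined-format log lines, constructed for this example with
# private addresses (not real attacker IPs).
SAMPLE_LOG = """\
192.168.1.2 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
192.168.1.2 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
192.168.1.2 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
10.130.130.6 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
172.16.130.106 - - [12/Apr/2013:10:02:00 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.168.1.77 - - [12/Apr/2013:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def count_failed_logins(log_text):
    """Count failed POSTs to wp-login.php per client IP.

    WordPress answers a failed login with 200 (the form is re-rendered with
    an error) and a successful one with a 302 redirect to wp-admin, so only
    200 responses are counted and a user who logs in normally is not flagged.
    """
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        if m.group("method") != "POST" or not m.group("path").startswith("/wp-login.php"):
            continue
        if m.group("status") == "200":
            failures[m.group("ip")] += 1
    return failures


def htaccess_block(failures, threshold):
    """Render Apache 2.2 mod_access rules denying every IP at or above threshold.
    (Apache 2.4 uses "Require not ip" inside <RequireAll> instead.)"""
    abusers = sorted(ip for ip, n in failures.items() if n >= threshold)
    rules = ["order allow,deny"] + [f"deny from {ip}" for ip in abusers] + ["allow from all"]
    return "\n".join(rules)


if __name__ == "__main__":
    print(htaccess_block(count_failed_logins(SAMPLE_LOG), threshold=3))
```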
Step 6. Use Extra Layer of Protection with CloudFlare.
Cloudflare is a content delivery network with added security measures, and they offer a free version of their services. I encourage you to set up Cloudflare on your website so that traffic is routed through their servers and unauthorized attempts are filtered out. Earlier I had explained how to set up Cloudflare on your blog; although it hasn't been updated for a long time, it might help, so take a look: [LINK].
Step 7. Use Stealth Login Page.
Using the Stealth Login Page plugin you can protect your wp-admin and wp-login.php pages from being accessed by obscuring the WP login form URL. This plugin creates a secret, customizable login URL string. Those attempting to reach your login form will be automatically redirected to this customizable URL. It is much like hiding your real login page.
Search for it in the Plugins page or download it from here: Stealth Login Page.
Step 8. Harden WordPress Security.
Read more about hardening your WordPress security by following this official guide from the WordPress creators: [Guide]