WordPress Brute Force
Attack Protection

Discover how Hide My WordPress Ghost helps you have a secure website!

What is a Brute Force Attack?

A brute force attack is an activity which involves repetitive, successive attempts using various password combinations to break into a website.

Hackers try various combinations of usernames and passwords, again and again, until they get in. When running their attacks, hackers use bots or automated tools to keep guessing your login information.

Which Websites are Targeted by Hackers?

Brute force attacks are common against popular CMS platforms (e.g., WordPress, Joomla, etc.) and against common services, such as FTP and SSH. Statistics show that WordPress has been the most affected CMS in recent years.

Most brute force attacks work by targeting a website, typically the login page and the xmlrpc.php file.

Usually, every common ID (e.g., “admin”) has a password. All hackers need to do is guess the password based on words in a dictionary.

Which are the Most Attacked Paths?

The majority of password-guessing attacks will target your admin and login URLs (/wp-admin or /wp-login for WordPress; /administrator for Joomla)

an API endpoint URL that accepts a username and password (e.g., /xmlrpc for WordPress).

According to the Data Breach Investigations Report in 2020 by Verizon, the brute-force method was, in some way or another, used in over 80% of the attacks.

WordPress Brute Force Attack Protection Steps

1. Enforce the use of strong passwords.
2. Hide the fact that you are using WordPress as your CMS.
3. Limit login attempts.
4. Restrict access to authentication URLs.
(Deny the IP address after a few failed attempts.)
5. Use reCAPTCHA or human recognition.

How to Prevent a Brute Force Attack

In the following paragraphs, we’ll explain every step that you should take to have a secure website.

You’ll also learn more about how to use Hide My WordPress Ghost to protect your website from hackers.

Limit Login Attempts

By default, WordPress allows unlimited login attempts, either through the login page or xmlrpc.

Therefore, you need to limit the number of login attempts for incorrect usernames or passwords.

How Hide My WordPress Ghost Will Help You

Hide My WordPress Ghost plugin limits the rate of login attempts and temporarily blocks the IP address.

By default, the maximum number of failed login attempts is 5, and the ban duration is set to one hour.

With one click, you can access the Brute Force Protection Settings Tab, and simply customize the maximum number of failed attempts and the ban duration.

On the login page, you can also let the user know how many login tries they have left, as well as provide information regarding lockout time.

Restrict Access to the Authentication URLs

Which are the URLs that you need to restrict?

The most important URLs are the login page and the admin page.

If possible, we recommend allowing login page access to authorized IP addresses only, as this will help prevent unauthorized login attempts.

You can do this by editing the .htaccess file. However, doing this requires having some knowledge in programming.

Hide My WordPress Ghost Will Help You:

Whitelist the IP addresses (or the range of IP addresses) that you want to have access to the login page on your website.

Also, you can ban the IP addresses or the range of IP addresses that you never want to be able to access the login page.

You don’t need developer skills for this, and it works with any kind of hosting server.

If you block your IP address by mistake, you can use the safe URL to log in and rollback your settings to default.

Hide the Fact that You Are Using WordPress CMS

You can prevent a lot of problems by simply hiding the fact that you are using WordPress.

Filters that you can add into the .htaccess file to protect your website:

Protect your WordPress admin area
Password-protect WordPress admin folder
Disable directory browsing
Disable PHP execution in some WordPress directories
Protect your WordPress configuration file (wp-config.php)
Set up 301 redirects through the .htaccess file
Ban suspicious IP addresses
Protect .htaccess from unauthorized access
Disable access to xmlrpc.php file using .htaccess
Block author scans in WordPress

You can do this manually – OR you can use Hide My WordPress Ghost.

Admin area protection

Limit the access to selected IP addresses only.

Password Protect Admin Folder

If you access your site from multiple locations, then limiting access to specific IPs may not work for you.
You can add additional password protection to your WordPress admin area.

Disable Directory Browsing

With directory browsing enabled, hackers can look into your site’s directory and file structure to find a vulnerable file.

Disable PHP execution in some wp directories

Sometimes, hackers break into a WordPress site and install a backdoor. These backdoor files are often disguised as core WordPress files and are placed in /wp-includes/ or /wp-content/uploads/ folders.

Protect your configuration wp-config.php

The wp-config.php file is probably the most important file in your website’s root directory. This file contains information about your WordPress database and how to connect to it.

Ban suspicious IP addresses

Are you seeing unusually high requests to your website from a specific IP address?
You can easily block those requests by blocking the IP address in your .htaccess file.

Protect .htaccess from unauthorized access

Due to the power and control it has on your web server, it is important to protect it from unauthorized access by hackers.

Disable access to xmlrpc. file

This file allows third-party apps to connect to your WordPress site. Most WordPress security experts advise that if you are not using any third-party apps, then you should disable this feature.

Blocking author scans in WordPress

A common technique used in brute force attacks is to run author scans on a WordPress site and then attempt to crack passwords for those usernames.

Previous slide

Next slide

Use CAPTCHA

CAPTCHA = Completely Automated Public Turing test to tell Computers and Humans Apart

The primary goal of a CAPTCHA is to provide an extra layer of security on sensitive pages.

When used as part of a registration, login process, or order form, this feature can help stop malicious bots from creating spammy comments or getting access to your personal information.

If you’ve ever been asked to solve a simple math problem or “prove you’re human” before performing an action on a website – you’ve encountered a CAPTCHA.

Google has even implemented a new service they’re calling the No CAPTCHA, reCAPTCHA, which only requires you to check a box.

Choose Your Passwords Carefully

The goal of your password is to thwart password-guessing attempts and make it difficult for a brute force attack to succeed.

There are many automatic password generators available that can be used to create secure, strong passwords.

Things to avoid when choosing a password:

– Using any permutation of your own real name, username, company name, or name of your website.
– Using a word from a dictionary, in any language.
– Choosing a short password.
– Using numbers-only or letters-only (a mixture of both is best).

Love what you see?

I want to know more about Hide My WordPress Ghost

30-Day Money-Back Guarantee. No Long-term Contracts

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.