Channel: App Center – 1&1 Blog US

7 Ways to Protect Your WordPress Website from Brute Force Attacks


A Brute Force Attack occurs when someone attempts to gain access to your site by repeatedly trying username/password combinations against the login form. WordPress Brute Force Attacks are on the rise and it’s essential that your website is secure. While 1&1 customers benefit from various security features, it is each customer’s responsibility to secure their WordPress installation. From choosing a strong WordPress admin password to restricting access to your site, there are quite a few tactics that can lower your risk of being compromised by a brute force attack. Apply some of these seven methods to improve your level of protection:

1. Choose a strong password. First and foremost, using a strong, uncommon password makes a significant difference. Bruce Schneier, an internationally renowned security technologist, wrote a great article on choosing a secure password. It’s worth reading the whole article, but I will quote Schneier to summarize:

“So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.”

Try to make sure your password is easy to remember, but unique enough that a brute force script won’t be able to guess it in the first place.

2. Don’t use the standard ‘admin’ username. I cannot emphasize enough the importance of a good WordPress admin password and username combination. You might try the Admin Renamer Extended plugin to change the default admin username. Don’t forget to always keep your WordPress core, theme and plugins up to date.

3. Use plugins that prevent Brute Force Attacks. Various plugins have been created to specifically protect from these types of attacks. Many of these plugins are available for free from the WordPress Plugin Directory. Again, always keep your WordPress installation and plugins up to date. Plugins that block access to wp-admin are also useful.

4. Password protect wp-admin. Restrict access to the wp-admin directory so that only visitors who know an additional password are able to reach it. This password protection is enabled via the .htaccess file; instructions for password protecting a directory can be found in the 1&1 Help Center.

5. Protect wp-admin based on your IP. Allowing logins only from your own IP address adds another layer of security against outside intruders. For hints on how to write the .htaccess rules, visit the 1&1 Help Center.

6. Deny requests with no referrer. Usually when a user posts a comment to your page or tries to log in as the WordPress admin, the browser sends a referring URL. Spammers and hackers typically access these pages directly, without the referring URL. You can block traffic with no referrer by adding this code to your .htaccess:

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
RewriteEngine On
# Only POST requests to the login and comment handlers are affected
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php$
# Replace example.com with your own domain, otherwise every login will be blocked
RewriteCond %{HTTP_REFERER} !example\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Send the request back to the client's own address instead of processing it
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>
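As an added example (not code from the original post), here is a small Python detector that applies the same idea to an Apache access log after the fact: it counts POSTs to wp-login.php per client IP and reports those that arrive in bursts or, as step 6 describes, without a referrer from your own site. The log lines, the site name example.com and the threshold and window values are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # endpoints login-guessing scripts hit

def parse_line(line):
    # Returns the fields of one combined-format line, or None if the line does not match
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec

def find_brute_force(lines, site_host, threshold=3, window_s=60):
    """Return {ip: stats} for clients that POST to a login endpoint at least `threshold`
    times within `window_s` seconds, or that do so `threshold` times with no referer
    from `site_host` / an empty User-Agent (the pattern step 6 blocks at the server)."""
    posts, no_ref = defaultdict(list), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith(LOGIN_PATHS):
            continue
        posts[rec["ip"]].append(rec["time"])
        if site_host not in rec["referer"] or rec["ua"] == "":
            no_ref[rec["ip"]] += 1
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        burst, j = 0, 0  # burst = most POSTs seen inside any single window_s span
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            burst = max(burst, i - j + 1)
        if burst >= threshold or no_ref[ip] >= threshold:
            flagged[ip] = {"posts": len(times), "burst": burst, "no_referer": no_ref[ip]}
    return flagged

# Constructed sample: a scripted client guessing at wp-login.php, then a real browser login
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:32 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:58:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
"""
```

Running `find_brute_force(SAMPLE_LOG.splitlines(), "example.com")` reports only 203.0.113.5; the browser user's single POST, which carries the site's referrer, is left alone.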

7. Blocklists. You may block entire countries with your .htaccess file if you aren’t planning on doing business with them. Most Brute Force Attacks come from Russia, Kazakhstan, and Ukraine, so it could be helpful to block access from these countries specifically. Use the same instructions as above (step 6) for writing .htaccess allow/deny rules.

These are just a small sampling of the ways you can protect your WordPress website. If you’d like to read more, please dig into the WordPress codex or seek help in the WordPress forum.


Photo credit: istockphoto.com / Brian A Jackson
