Stop Brute Force Attacks Against Your WordPress Site

Brian K. Ross

22 Aug 2015 • 2 min read

With millions of active WordPress installations, it’s a popular target for those that want to do harm to your site, no matter how big or small. Here are some simple things you can do right now to stop brute force attacks against your WordPress login.

Identify Security Issues

It’s a good idea to install a WordPress security plugin such as Wordfence. This will give you detailed insight about what’s going on with your website security and can also send automated alerts.

One of the many wonderful things about Wordfence is the option to automatically block the IP of anyone trying to log in with a username that does not exist.
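The Wordfence option above is easy to reproduce yourself if you would rather not run a full security plugin. The must-use plugin below is an added example written for this post, not Wordfence code or code from the original article: it rejects any login attempt for a username that does not exist and blocks that IP for an hour, and it also locks an IP after repeated password failures for real usernames. The thresholds, transient names and the `bfg_` prefix are constructed for the example; the WordPress hooks (`authenticate`, `wp_login_failed`, `wp_login`), `username_exists()` and the transient functions are real core APIs.

```php
<?php
/*
 * Plugin Name: Login brute-force guard (added example, not part of the original post)
 * Description: Rejects logins for usernames that do not exist and temporarily
 *              blocks an IP after repeated failed attempts.
 *              Save as wp-content/mu-plugins/login-guard.php.
 */

// Constructed values for the example; tune them for your site.
const BFG_MAX_FAILURES    = 5;        // failed attempts allowed per window
const BFG_WINDOW_SECONDS  = 15 * 60;  // lifetime of the failure counter
const BFG_LOCKOUT_SECONDS = 60 * 60;  // how long a blocked IP stays blocked

// REMOTE_ADDR is only trustworthy when WordPress is not behind a proxy or CDN;
// if it is, take the client address from the header your proxy sets instead.
function bfg_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field($_SERVER['REMOTE_ADDR']) : '0.0.0.0';
}

// Transient names are length-limited, so hash the address into the key.
function bfg_key($prefix, $ip) {
    return $prefix . md5($ip);
}

function bfg_lock($ip, $reason) {
    set_transient(bfg_key('bfg_lock_', $ip), 1, BFG_LOCKOUT_SECONDS);
    delete_transient(bfg_key('bfg_fail_', $ip));
    error_log("bfg: blocked $ip ($reason)");   // shows up in the PHP error log for later review
}

// Priority 40 runs after core's own username/password check (priority 20),
// so returning a WP_Error here overrides a successful password check for a blocked IP.
add_filter('authenticate', function ($user, $username, $password) {
    $ip = bfg_client_ip();

    if (get_transient(bfg_key('bfg_lock_', $ip))) {
        return new WP_Error('bfg_locked', __('Too many failed login attempts. Try again later.'));
    }

    // Same idea as the Wordfence option: a username that does not exist is a strong
    // brute-force signal, because a real user never mistypes their own name this way.
    if ($username !== '' && !username_exists($username)) {
        bfg_lock($ip, 'nonexistent username');
        // Same generic message as for a bad password, so the response does not reveal which usernames exist.
        return new WP_Error('bfg_unknown_user', __('Invalid username or password.'));
    }
    return $user;
}, 40, 3);

// Count failures for existing usernames; lock the IP after BFG_MAX_FAILURES within the window.
add_action('wp_login_failed', function ($username) {
    $ip        = bfg_client_ip();
    $count_key = bfg_key('bfg_fail_', $ip);
    $count     = (int) get_transient($count_key) + 1;
    set_transient($count_key, $count, BFG_WINDOW_SECONDS);
    if ($count >= BFG_MAX_FAILURES) {
        bfg_lock($ip, "$count failed logins");
    }
});

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(bfg_key('bfg_fail_', bfg_client_ip()));
}, 10, 2);
```

Two points worth checking before relying on this: transients are stored in the site database (or the object cache if you have one), so a block applies to every login path that goes through `wp_authenticate()`, including XML-RPC, not just the wp-login.php form; and if your site sits behind a CDN or reverse proxy, `REMOTE_ADDR` will be the proxy's address, so the lock would apply to every visitor at once.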

Secure Your Admin Username

Automated systems love to brute force sites with usernames such as:

  • admin
  • administrator
  • + any username they can find from posts or pages

I recommend creating a unique admin username that includes spaces and punctuation, then editing the profile and ticking “exclude user from author sitemap”. Also, stop posting as admin (see below).

Secure Your Password

You’re asking for trouble using usernames and passwords like this:

  • Username: admin
  • Password: 12345

I recommend using a password manager such as 1Password to store your logins and create secure passwords. You’ll never forget a password again!

Stop Posting as Site Admin

Keep your site administration account and posting account separate. Why? Posting as admin lets everyone see your admin username. If everyone can see your admin username, they already have one of the two things they need to log in as admin, which makes the job much easier.

There’s no super easy way to change your account username. One method is to create two new users, one for site administration and one for posting. You can then attribute all posts and pages to your posting account, have a more secure administration account, and delete the now unused account(s).

Add Google reCAPTCHA to Your Login

Add Google reCAPTCHA to your login with a plugin such as Google Captcha (reCAPTCHA) by BestWebSoft; it’s “tough on bots, easy on humans”. There is more information on Google’s blog about their new “No CAPTCHA reCAPTCHA”.

Two-Factor Authentication (2FA)

Two-factor authentication identifies you by using two different components. These may be something you know, something you possess or something that is inseparable from you.

Some examples of WordPress plugins for 2FA include:

  • Clef
  • Two Factor Authentication
  • Wordfence Security

Hide Your Login Page (wp-login.php)

How do you completely subvert a login brute force attack? Hide the login page! With tens of millions of WordPress installations, it’s no secret where the login page is: yoursite.com/wp-login.php

You can hide your login page with a plugin such as WPS Hide Login. Now you can change the name of your login page to anything you like, and yoursite.com/wp-login.php will render as if it does not exist if accessed directly. This is particularly useful if you’re the only site user, just don’t forget your new login page URL!

After you hide your login page, it’s a good idea to remove the clickable login link from your site. In most cases, it’s a matter of removing the ‘Meta’ widget under ‘Appearance / Widgets’. You can keep this widget active, but any link on your site that points to wp-login.php will redirect to your new hidden login URL, which defeats the purpose if you want to keep that URL secret.

Resources

  • Hardening WordPress
  • WordPress Plugins for Two-Factor Authentication
