Whether you’re fairly new to WordPress or an experienced developer, you might be surprised at just how often your websites are under attack. You might also be wondering who, or what, is carrying out this type of activity – not to mention why they’d target you.

The answers are simple. In most cases, the bad actor is an automated bot. And you’re being targeted simply because you happen to be running WordPress. As the most popular Content Management System (CMS) out there, it is directly in the crosshairs of malicious actors.

While there are all sorts of different attacks floating around out there, the brute-force variety are among the most popular. And that happens to be our subject for today.

Let’s take a look at what brute-force attacks are and some ways you can better protect your WordPress website.

What Is a “Brute-Force” Attack?

A brute-force attack, according to Wikipedia:

“…consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.”

In the real world, this means that a malicious script runs repeatedly, entering usernames and passwords into the WordPress login page. It’s possible to see hundreds or even thousands of attempts like this per day.

Of course, if this were all completely random, it would be pretty difficult to successfully log into a website using such a technique. But there are two major reasons why these attacks can sometimes work:

  1. The use of weak login credentials, such as using an ultra-common username and password.
  2. Using credentials that have been previously leaked elsewhere.

If either of these scenarios are in place, that raises the odds of a successful attack. And once the attacker has access to your WordPress dashboard, they can wreak all sorts of havoc.

But even if unsuccessful, these attacks can be both an annoyance and a drain on server resources. Therefore, it’s important to put policies in place that can help mitigate their damage.

Binary code on a computer screen.

Ways to Fight Back

Thankfully, there are a number of things you can do to better protect your WordPress website against brute-force attacks. The most basic being instituting common sense security measures, such as using strong passwords and virtually anything other than “admin” as your username. These steps alone will at least make your site more difficult to crack.

However, there are some even stronger actions you can take, including:

Limit Access to the Login Page

Depending on your web server’s setup, you might consider blocking out access to the WordPress login page to all but a specific group or range of IP addresses. On an Apache server, for example, this could be done via the .htaccess file.

The caveat is that this strategy depends on administrators having a static IP address. In corporate environments, this would likely be the case. However, other scenarios may make this method more difficult. The official WordPress documentation has some further advice that is worth a look.

Another approach is to password-protect the login page at the server level. While this adds a bit of inconvenience, it does help to ensure that only authorized users gain access to the dashboard.

Utilize a Plugin

There are a number of WordPress plugins that are dedicated to security, with several offering features designed to protect against brute-force attacks. Some of the more popular options include:

Jetpack’sProtect” feature, which will block unwanted login attempts.

Wordfence employs several login-specific measures, such as two-factor authentication, reCAPTCHA and brute-force protection. There is also a companion plugin that solely focuses on login security.

Login LockDown is a plugin designed to limit brute-force attempts. It automatically locks out offending IP addresses after a set number of failed logins.

iThemes Security offers several login-related protections, including brute-force protection, two-factor authentication and the ability to rename the /wp-admin/ folder in order to thwart bots.

Employ a CDN/Firewall

Content Delivery Networks (CDNs) not only improve the performance of your website, they offer the side benefit of serving as a barrier between malicious bots and your WordPress install.

CDN providers often include methods to block out IP addresses or even entire countries from accessing your site (or, at least your dashboard). Depending on the service you use, there may also be protections specifically targeted at stopping brute-force attacks.

The beauty of this approach is that you can significantly lighten the load on your web server. How? Attackers are stopped by the CDN’s firewall before they ever reach your site. It’s kind of like having a giant flyswatter out in front of your house, rejecting pests before they make it to your front door.

A hammer smashing glass.

When It Comes to Security, Be Proactive

Unfortunately, doing nothing to combat brute-force logins is not a viable option. These attacks are both ubiquitous and relentless. And the landscape certainly doesn’t look like it will get better on its own. Therefore, it’s up to us to take preventative measures.

Thankfully, it’s not really that difficult. The options above, while not 100% perfect, are fairly easy to implement. And each one makes things that much tougher on the average bot.

Plus, when you think about it, the relative cost of mitigating these attacks now is much less than having to deal with a hacked website later on. That alone makes being proactive more than worth the effort.

Written by Eric Karkovack

Eric Karkovack is a web designer with well over a decade of experience. You can visit his business site here. In July 2013, Eric released his first eBook: Your Guide to Becoming a Freelance Web Designer. He also has an opinion on just about every subject. You can follow his rants on Twitter @karks88.