Guide to Stopping Brute Force Attacks in WordPress

Our WordPress security plugin blocked a brute force attack the other day. “Brute force” is a really exciting and fear-inducing way of saying “they tried to guess our admin password”. There are nifty automation tools available on the Dark Web that can make this pretty easy; the attacker makes some assumptions about what a username and password might be, then the process uses that as a launching point, methodically trying logical combinations against the WordPress password interface on a website at very high speed (this is where the brute force part comes in) until a hit happens, then the process reports this success to the attacker. This approach can be remarkably effective against weak passwords and password combos where the username is known or can be deduced. Statistics vary, but in most surveys at least 50% of successful attacks against all websites (not just WordPress) are some sort of brute force variation.

What can be done to prevent an attacker from using Brute Force methods to compromise WordPress websites? Here are some simple things any website owner can do today:

  • First, strong passwords for ALL WordPress users, not just the admins. Opinions on what a “strong” password is vary wildly. We think that the passwords WordPress suggests might be a little too strong, and are too long to type in reliably even if you are reading it from something, and they certainly can’t be memorized by most of us. A password at least eight characters long (ten is much better), upper and lower case letters, two numbers and two special characters is often good enough. It should not have any obvious meaning.
  • It is also important to protect admin user names. Never post as an admin user, exposing an admin user name openly. (Tip: if you accidentally publish something with your admin password, open screen options on the edit page and be sure the Author box is checked. Scroll down to the author and change the Author of the post to someone with Editor privileges or less).
  • Never embed the string “admin” in a username, that’s an obvious giveaway.
  • Do not share user accounts, if you need a new user create a profile for them, and be sure they understand the password rules.

A strong, protected password combo is the most effective thing you can do to protect against brute force, but you can also stop them from happening with many available plugins. We use and recommend the versatile and well-proven Wordfence. Here’s the notification we got last week:

Subject: [Wordfence Alert] User locked out from signing in

A user with IP addr XXX.XX.XX.XXX has been locked out from signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 10. The last username they tried to sign in with was: ‘admin’.
The duration of the lockout is 4 hours.
User hostname: User location: Philippines
(identifying information removed)

The maximum number of login failures is configurable, don’t make it too low, or you may lock yourself out one day. The brute force programs work at such high speeds that any lockout over 5 minutes is probably adequate, the process will move on, but we like to go with a few hours. Note that the attacker tried “admin” first. This used to be the default starting user name (today when standing up a WordPress site you have to pick one), and sadly many people still pick “admin”, so this is an excellent choice.

Strong, protected password combos backed by a repetitive login attempt blocker are a simple example of a layered defense. Some security plugins offer geo-blocking and two-factor authentication (these are paid features on WordFence) for even more security.

Brute force attacks would not be effective if people were not careless about security. You can do a lot to protect your site from Brute Force and many other attack vectors,  download our WordPress Security Checklist and start protecting your site!

A set of step-by-step instructions along with helpful WordPress security tips.

* indicates required