Last week, many security analysts reported a massive brute-force attack specifically targeting the WordPress platform. According to arstechnica.com, the attacks originated from 90,000 different IPs and were aimed at the WordPress login page.
One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack. These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic. – Cloudflare.com
Moreover, Sucuri.net has also shared some insights and data about this attack.
The chart above shows the username distribution of the brute-force attack. From it, you can see that the attackers tried to brute-force WordPress sites using ‘admin’ as the username more than 1 million times! This is not shocking at all, since we all know that ‘admin’ is the default username when installing a new WordPress site.
By default, the login page of your WordPress site will be:
Once the attackers know your login page, it will be easier for them to brute-force it.
Security Tips for WordPress
I’m not a security researcher. However, as a WordPress developer, I find a case like this a useful way to learn something new. From this brute-force attack case alone, there are three important security tips I want to highlight:
- Do not use ‘admin’ as your username – Seriously, do not use it. I believe that 95% of the time, this is the first username an attacker will guess to log in to your site.
If you are still using the ‘admin’ username, do not worry. I’ve written a tutorial on how to change the default username to a different one.
- Change the default login URL of your WordPress site – I have previously written a tutorial about changing the default login URL of your WordPress site. By changing the login URL, the attackers won’t be able to brute-force you again in the future. Why is that so? Because 99% of the time, this kind of attack is done automatically with a tool, which means it will target the default URL.
- Limit login attempts to your WordPress site – I’ve also previously written a tutorial on how to limit login attempts to your WordPress site with the help of the Limit Login Attempts plugin. Please read that article to learn more.
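To show what tips 1 and 3 look like in code, here is a small must-use plugin. It is an added example, not code from my tutorials or from the Limit Login Attempts plugin. It refuses the ‘admin’ username outright (so it assumes you have already renamed your own account) and locks an IP out after repeated failed logins using the WordPress transients API. The thresholds, the `lhe_` function names and the file location are my own assumptions; the hooks (`authenticate`, `wp_login_failed`, `wp_login`) and the transient functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Login Hardening Example
 * Description: Added example (not the tutorial's or any plugin's code): refuse the
 *              'admin' username outright and lock an IP out after repeated failed
 *              logins. Save as wp-content/mu-plugins/login-hardening-example.php.
 */

// Assumed policy: 5 failures within 15 minutes locks the IP out for the rest of the window.
define( 'LHE_MAX_FAILURES', 5 );
define( 'LHE_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );

/**
 * Transient key for the requesting IP. REMOTE_ADDR is trusted as-is here; behind a
 * reverse proxy or CDN you must take the client IP from a header you trust instead,
 * otherwise every visitor shares the proxy's address and gets locked out together.
 */
function lhe_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lhe_failures_' . md5( $ip );
}

// Count one failed login for this IP. The counter expires by itself after the window.
function lhe_record_failure( $username ) {
    $key   = lhe_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LHE_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'lhe_record_failure' );

// A successful login clears the counter so a genuine typo does not accumulate.
function lhe_clear_failures( $user_login, $user ) {
    delete_transient( lhe_transient_key() );
}
add_action( 'wp_login', 'lhe_clear_failures', 10, 2 );

/**
 * Gate every login attempt. Priority 30 runs after WordPress's own password checks
 * (priority 20), so a locked-out IP is refused even when it finally guesses the
 * right password; at a lower priority the password check would overwrite our error.
 */
function lhe_gate_login( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // cookie-based authentication, nothing to gate
    }

    // Tip 1: the most-guessed username is never a valid login on this site.
    if ( 'admin' === strtolower( $username ) ) {
        return new WP_Error( 'lhe_bad_username', __( 'Invalid username or password.' ) );
    }

    // Tip 3: refuse the attempt once the IP has used up its allowed failures.
    if ( (int) get_transient( lhe_transient_key() ) >= LHE_MAX_FAILURES ) {
        return new WP_Error(
            'lhe_locked_out',
            __( 'Too many failed login attempts from your address. Please try again later.' )
        );
    }

    return $user;
}
add_filter( 'authenticate', 'lhe_gate_login', 30, 3 );
```

Two things to keep in mind. Every refused attempt, including one during a lockout, fires `wp_login_failed` and renews the counter's expiry, so an IP that keeps hammering the form stays locked out until it stops. And because this attack came from 90,000 different IPs, each address only needs a handful of guesses; a per-IP limit alone slows the attack down but does not stop it, which is exactly why the username change (tip 1) and the login URL change (tip 2) matter as much as the rate limit.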