How to Block brute-force attacks on Wordpress?

Harry P

Well-known member
Registered
Joined
Feb 3, 2015
Messages
447
Points
28
When i check warnings on my server it showed me there are more brute-force attacks on my Wordpress site. My question is, How to Block brute-force attacks on my Wordpress site? I am using directadmin with cloudflare CDN. Any help.
 

Kaz Wolfe

Well-known member
Registered
Joined
Jul 7, 2016
Messages
609
Points
28
Brute-force attacks are one of the most common types of attacks targeting WordPress websites. These attacks attempt to guess a user's login credentials by repeatedly trying different username and password combinations until they find the correct one. In this guide, I will explain how to block brute-force attacks on WordPress using various methods.

Use Strong Passwords and Usernames
The first step to blocking brute-force attacks is to use strong passwords and usernames. Avoid using common usernames like "admin" and avoid using weak passwords that can be easily guessed. Instead, use a combination of letters, numbers, and special characters for your passwords, and avoid using the same password for multiple accounts.

Limit Login Attempts
WordPress allows users to attempt to login to their account an unlimited number of times by default. This can make it easier for hackers to launch a brute-force attack. To limit the number of login attempts, you can use a plugin like "Login Lockdown." This plugin will track the IP address of failed login attempts and temporarily block them from accessing your website.

To limit the number of login attempts on your WordPress site, follow these steps:

Step 1: Install and activate the "Login Lockdown" plugin from the WordPress repository.
Step 2: Once the plugin is activated, go to the "Settings" -> "Login Lockdown" page in your WordPress dashboard.
Step 3: Set the "Maximum Login Attempts" and "Lockout Duration" settings according to your needs. For example, you can set the maximum login attempts to 3, and the lockout duration to 15 minutes.
Step 4: Save your changes.

Once you have configured the plugin, it will start tracking failed login attempts and temporarily block the IP address that exceeds the maximum login attempts. You can also view a log of failed login attempts on the "Login Lockdown" page.

Implement Two-Factor Authentication
Another way to block brute-force attacks is to implement two-factor authentication. Two-factor authentication requires users to provide a secondary form of authentication, such as a code sent to their mobile device, in addition to their username and password. This makes it much more difficult for hackers to gain access to your account.

To implement two-factor authentication on your WordPress site, follow these steps:

Step 1: Install and activate a two-factor authentication plugin like "Two-Factor" or "Google Authenticator – Two Factor Authentication (2FA)" from the WordPress repository.
Step 2: Once the plugin is activated, go to the "Settings" page and follow the plugin's instructions to configure the two-factor authentication method of your choice.
Step 3: Save your changes.

Once you have configured the plugin, users will be required to provide a secondary form of authentication, such as a code sent to their mobile device, in addition to their username and password.

Use a Security Plugin
There are many security plugins available for WordPress that can help block brute-force attacks. Some popular options include Wordfence, Sucuri Security, and Jetpack. These plugins can monitor your website for suspicious activity, block malicious IPs, and provide real-time notifications of any security threats.

To use a security plugin on your WordPress site, follow these steps:

Step 1: Install and activate a security plugin like Wordfence, Sucuri Security, or Jetpack from the WordPress repository.
Step 2: Once the plugin is activated, follow the plugin's instructions to configure the security settings according to your needs.
Step 3: Save your changes.

Once you have configured the plugin, it will monitor your website for suspicious activity, block malicious IPs, and provide real-time notifications of any security threats.

Change the Login URL
By default, WordPress uses the "wp-admin" and "wp-login.php" URLs for login pages. Hackers often target these URLs with brute-force attacks. To make it more difficult for them to do so, you can change the login URL using a plugin like "WPS Hide Login." This plugin will allow you to customize the URL of your login page, making it more difficult for hackers to find.

To change the login URL on your WordPress site, follow these steps:

Step 1: Install and activate the "WPS Hide Login" plugin from the WordPress repository.
Step 2: Once the plugin is activated, go to the "Settings" -> "WPS Hide Login" page in your WordPress dashboard.
Step 3: Choose a new login URL that you want to use, and save your changes.

Once you have configured the plugin, it will allow you to customize the URL of your login page, making it more difficult for hackers to find.

Use a Content Delivery Network (CDN)
A CDN can help block brute-force attacks by caching your website's content and serving it to visitors from multiple servers around the world. This can help reduce the load on your server and make it more difficult for hackers to launch a successful attack. Some popular CDN services for WordPress include Cloudflare and StackPath.

To use a content delivery network (CDN) on your WordPress site, follow these steps:
Step 1: Choose a CDN service provider like Cloudflare or StackPath, and sign up for their service.
Step 2: Follow the provider's instructions to configure your CDN account, and integrate it with your WordPress site.
Step 3: Save your changes.

Once you have configured the CDN, it will cache your website's content and serve it to visitors from multiple servers around the world, reducing the load on your server and making it more difficult for hackers to launch a successful attack.

Keep Your WordPress Site Up-to-Date
Finally, one of the most important steps you can take to block brute-force attacks is to keep your WordPress site up-to-date. This includes updating to the latest version of WordPress, themes, and plugins. These updates often include security patches that can help protect your website from attacks.

I hope this helps you secure your WordPress site against brute-force attacks.
 

LynnShape

Member
Registered
Joined
Mar 27, 2023
Messages
19
Points
1
Thank you dude for this answer. Everything is perfect in it, super constructive answer, thank you again for your help in this matter, just the best!
 
Latest Threads
Replies
1
Views
15
Replies
0
Views
170
Replies
1
Views
36
Replies
2
Views
80
Similar Threads
Replies
3
Views
348
Replies
10
Views
1,834
Replies
7
Views
5,472

Latest postsNew threads

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top