WordPress is a powerful website-building tool that is undoubtedly popular because it makes it easy for anyone to build a website. Statistics show that 36% of all websites and 63% of all CMS websites are built using WordPress – and there is strength in numbers – but this incredible popularity comes with the unfortunate downside of attracting an incredible number of hackers.
A brute force attack is one of many different methods hackers might try to gain entry and take control of your website. During this type of attack they use trial and error to discover username and password combinations. The volume of login attempts can drain your website’s resources and take your website offline even if they don’t manage to gain entry.
How do brute force attacks work?
Attackers typically use programs to methodically try one password after another until the correct one is found. Depending on your server settings, they might be able to try hundreds or even thousands of different password combinations in less than a minute.
How to protect your WordPress website from brute force attacks:
1. Use strong passwords
Here are some of the most common passwords:
- 123456
- 123456789
- qwerty
- password
- 111111
- 12345678
- abc123
- 1234567
- password1
- 12345
These passwords, and variations of them, are used by a surprising number of people, so they will automatically be tried. Using passwords like these makes your website extremely vulnerable to attacks. If you use a weak password, you are welcoming brute force attacks and should change your password immediately.
2. Don’t share your password or username with anyone
Create separate usernames and passwords for all of your websites and user accounts and change them on a regular basis.
3. Never use ‘admin’ as your username
Pretty much anything is better than admin, the default WordPress username. This is the first username attackers will try.
4. Limit failed login attempts
It’s wise to limit the number of login attempts that can come from one computer. Adding this security feature will reduce the number of times attackers can try different password and username combinations.
5. Add two-factor authentication
If you use the default single-factor authentication mechanism and attackers guess your WordPress user’s password, they can log in to your website and cause serious damage. If you use two-factor authentication, even if the attackers guess your password they still won’t be able to log in. I strongly recommend enabling this feature on any WordPress website or blog.
Which of these methods are you using? Get in touch with me – I’m happy to hear from you.