How To Protect Your WordPress Site From A Brute-Force Attack

Learn how to protect your WordPress site from being brute-force attacked, or having its security compromised by hackers or bots.

WP SecurityPowering millions of sites worldwide makes WordPress a target for hacker attacks.

In early 2013, WordPress installations around the world were subjected to mass brute-force attacks.

These attacks were caused by infected computer networks programmed to attack other sites (botnets).

How To Protect Your WordPress Site From A Brute-Force Attack

Brute Force Attacks

A brute-force attack is a technique used to break an encryption or authentication system by trying all possibilities.

(Source: Chinese University Of Hong Kong)

There are many methods hackers use to try and break into WordPress sites. One of these is by trying to guess the site admin’s login username and password. This is achieved using scripts and software that automatically tries to guess hundreds of possible logins in minutes.

If you’re using predictable login details, your site could be easily hacked by a malicious software’s persistent attempts to guess your site’s login details.

This is called a “brute-force” attack.

What Are Botnets

A botnet is a number of Internet-connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network.

(Source: Wikipedia)

A “Botnet” is a network of private computers that have been infected with malicious code, which are then controlled remotely as a group, typically without the computer owners’ knowledge.

Botnets are typically used to blast out mass spam emails from computers of compromised user accounts.

Below is a screenshot taken from an internet security monitoring site showing the locations of the command centers of a botnet that has been actively compromising computer networks all around the globe since 2009 called “Zeus” …

The Zeus botnet has been actively compromising computer networks all around the world since 2009.

(ZeuS is a botnet that has been actively infecting computer networks all around the globe since 2009. Screenshot image: SecureList.com)

These were well organized and highly distributed attacks on WordPress. Over 90,000 IP addresses were identified by several webhosting companies just in the initial attack, when millions of attempts to force their way into WordPress user admin areas took place. The worldwide brute-force attacks continued after this, with over 30,000 WordPress blogs being hacked per day.

News of this brute-force attack was reported by all of the major webhosting companiesand leading technology media publications, such as TechNews Daily, Forbes, BBC News, Tech Crunch, PC Magazine, and even on the official US Department of Homeland Security website …

WordPress is often the target of attacks by hackers, due to its global popularity

(WordPress often is targeted by hackers)

Does This Mean WordPress Is Not Secure And We Should Stop Using It?

No. In fact, there are many very good reasons why you should continue using WordPress if you are concerned at all about the security of your website.

To learn why WordPress is a secure platform for websites, see this article: How Secure Is WordPress?

Important Info

It’s important to note that, in the case of April 2013 mass brute force botnet attack described above, there was no WordPress vulnerability being exploited (the same script was also attacking sites built using other CMS applications like Joomla).

Mike Little, one of the co-founders of WordPress, said this about the brute force attacks:

It is a “simple” script that attempts to login using the admin login and a generated password. So if your password is too short or based on dictionary words it will be guessed and then the script can login legitimately and do whatever it wants including installing scripts (as plugins) or editing files. The attack tries to guess your password, if it succeeds, the most secure site in the world is wide open because they have your password.

(MikeLittle.org)

Protecting Your WordPress Website From Brute-Force Attacks – Ten Security Checks

Every website with a security vulnerability provides some value opportunity to hackers. A vulnerable website or blog presents hackers with a valuable platform for DDoS attacks, spreading malware and to engage in information theft.

If a hacker can discover a web software weakness that allows them to gain stealth control of your site, the website can then be used to attack more valuable websites.

Additional undesirable consequences of being hacked include being blacklisted by Google, having spammy links promoting things like gambling, cheap offers on brand names, etc. inserted in your content and page title and descriptions, redirecting visitors to phishing sites and other websites, data exfiltration (stealing customer details or Personal Identifiable Information from your web applications), and lots of other nasties.

The reality is that hackers are most likely trying to hack into your site right now. Whether they can successfully break in will depend on how hard you can make things for hackers to continue trying until they discover a way to get access, or are forced to give up and go look for a more vulnerable target.

How Much Information Are You Broadcasting To Hackers About Your Site?

Do you own a WordPress site? If so, visit Hackertarget.com and run your site through their WordPress security check …

Hackertarget - Website Security Scan(Website Security Scan Screenshot source: Hackertarget.com)

You will see that the test returns various results and details about your website …

Hackertarget - WordPress Security Scan

(Hackertarget – WP security scan results. Source: Hackertarget.com)

It should be obvious after using the tool shown above that if you are able to access all of this information, then hackers can too.

WP Security Scan(Product image: Blog Defender)

The ability to see which version of WordPress you are using, which plugins and themes you have installed, and which files have been uploaded to certain directories in your site can be valuable information to hackers, as this informs them about potentially exploitable holes or weaknesses, especially where site owners haven’t updated their files.

If your site or blog is driven by WordPress and you are not taking steps to harden your site, we can practically guarantee that, at some point in time, someone will attempt to hack your installation, because these attacks are systematically hitting WordPress installations all the world!

Whenever a website gets hacked, website owners can find themselves completely “locked out” of their own site, or notice that their files have been interfered with or even entirely wiped out. Typically, compromised sites will become infected with malicious software or viruses without the owner even being aware that this has occurred.

To help avoid the heartache and frustration of discovering that your website or blog has been hacked into, we have listed below ten essential and effective security checks that will help to prevent your WordPress site from being attacked by brute force hackers.

Note

Note: Some of the recommended measures below need some technical skills to modify core WordPress and server files. If you are not technical, or don’t want to mess around with file code, then ask your web host or a professional WordPress technical provider for help.

***

Security Measure #1 – Contact Your Web Host

Get in touch with your hosting provider and ask them what security measures are in place to help prevent your site from being attacked, and what is done to make sure that your WordPress sites are being regularly backed up.

Check that your host is backing up your server files and that, if anything happens, you can quickly and easily get back your files.

Security Measure #2 – Perform Complete WordPress Backups And Keep Your Website Or Blog Regularly Updated

You should never rely only on your webhosting service provider for your site backups. Instead, learn how to manage your WordPress site or get this service done for you and develop a habit of performing a complete WordPress site maintenance routine on a regular basis (e.g. weekly, monthly, etc …)

A proper WordPress maintenance routine ensures that:

  • All unnecessary files and data are deleted,
  • All WordPress files and data are free of errors, optimized and backed up,
  • All WP software, plugins and themes are up-to-date,
  • etc …

A complete WP site maintenance routine looks like this …

Maintaining your WP site regularly backed up and up-to-date is vitally important for WordPress security.(Maintaining your WordPress installation regularly backed up and updated is vitally important for WordPress security. Screenshot source: WPTrainMe.com)

Again, we cannot stress enough how vitally important maintaining your WordPress website or blog frequently backed up and updated is. WP maintenance is not hard to do or time-consuming, but it must be done to ensure the security of your website. If you don’t want to learn how to do WordPress maintenance yourself, pay a professional to do it but make sure it gets done. Backing up your website is the next most important thing you must do after making sure that you still have a pulse!

If you don’t want to perform manual backups, there are many WordPress plugins you can use. Learn about a WordPress backup plugin that can automate your site backups here: Back Up, Duplicate & Protect Your WP Web Sites With Backup Creator Plugin For WordPress

Security Measure #3 – Make Sure That Your Username Is Not “Admin”

The mass brute force botnet attack on WordPress is mostly an attempt to compromise site administrator panels by exploiting WP installations with “admin” as the user name.

For reasons of website security, never set up a WordPress site with the username “admin”. This is the first area of potential vulnerability hackers will test. If your site’s user name is “admin”, then change this immediately.

For a simple step-by-step tutorial that shows you how to change your username, go here: Changing Your WordPress Admin User Name To Another Username

Security Measure #4 – Choose Strong Passwords

A “brute force” attack occurs when a malicious script persistently hits a login or password field with different character strings in an attempt to guess the right login combination that will give them entry to your website.

Unless some measure is put into place to stop the brute-force attack (see further below for a couple of simple and effective ways to do this), the “bot” will just continue attacking your site until it eventually gets access.

Passwords that are easy to guess, therefore, become really easy targets for botnets. Make sure that you change your password to something that is at least eight characters long, and that includes upper and lowercase letters, combined with a few “special” characters (^%$#&@*).

Practical Tip

You can use a password management tool like Roboform to help you generate hard-to-crack passwords …

You can use a password tool like Roboform to create  passwords(Roboform is a password program that lets you generate secure login passwords)

For a step-by-step tutorial created especially for non-technical admin users that shows you how to change your password, go here: What To Do If You Need To Reset Your WordPress Password

Security Measure #5 – Prevent Access To Your WP Config File

The wp-config.php file allows WordPress to communicate with the database to store and retrieve data and is used to define advanced options for WordPress.

wp-config.php

(wp-config.php)

If hackers break into your site, they will typically look for the wp-config.php file, because this file contains important information about your site’s database, security keys, etc. Getting access to this information would allow them to change anything in your database, create a user account, upload files and take control of your site.

In order to protect your WordPress site from being attacked and even being used as part of a bot net, therefore, prevent people viewing your wp-config.php file. This requires knowing how to edit database information, move files around in your server and changing access permissions.

Security Measure #6 – Delete Or Rename Unnecessary WP Installation Files

Rename or delete your install.php, upgrade.php and readme.html files.

You can remove these files after installation. If you don’t want to delete these files, then just rename them.

Security Measure #7 – Keep Your WordPress Files, Themes & Plugins Up-To-Date

Hackers look for vulnerabilities they can exploit in older versions of WordPress, including out-of-date versions of WordPress themes and plugins.

Make sure to keep all of your files, themes, plugins, etc. up-to-date.

Security Measure #8 – Disable The WordPress Theme Editor

WordPress installations come with a built-in editor that lets you edit plugin and theme files from the dashboard area.

In WordPress, you can access the WordPress Theme Editor by selecting Appearance > Editor from the main menu …

WordPress Theme Editor Menu

(The WordPress theme editor can be accessed using the dashboard menu)

This means that anyone logging into your site can view and modify all of your theme templates, or cause mayhem on your site.

To prevent people from being able to access your WordPress Theme editor, you will need to disable it. This can be done by editing your wp-config.php file.

Security Measure #9 – Secure The WordPress Uploads Folder

The WordPress “uploads” folder stores all the media files that get uploaded to your blog.

By default, this folder is visible to anyone online. All someone has to do to see the contents in the “uploads” folder is visit your directory using their web browser …

(WordPress has an uploads folder where media content is stored)

(WordPress has an uploads folder where media content is stored)

If any directories in your website have vulnerabilities that can be exploited by hackers or malicious users, this could threaten the security of your website.

Protecting your directories will prevent online users from viewing your ‘uploads’ folder and other important directories. This can be done using plugins, setting file permissions, adding a blank index.php file (this is literally a blank file named “index.php”) to your uploads directory, and so on. Again, it’s best to ask help from someone who knows what they are doing if you are unsure about what to do.

Security Measure #10 – Use WordPress Security Plugins

There are a number of great security plugins for WordPress available that will address common security issues faced by WordPress site owners, such as preventing unauthorized users from accessing your site, protecting your files from malicious scripts, preventing unauthorized file uploads, etc.

Many WordPress plugins address some but not all areas of WordPress security. One plugin that does a comprehensive job of scanning, fixing and preventing potential issues that could lead to hackers accessing your website files and damaging your site is SecureScanPro.

SecureScanPro - WordPress total security software

(SecureScanPro – WP total security software solution)

SecureScanPro is easy to install and easy to use, and fixes most of the security areas that WordPress users need to address.

Another great plugin you may want to consider using is BlogDefender.

Blog Defender

Blog Defender Security Suite For WordPress Websites & Blogs(Blog Defender Security Solution)

This product is a suite of WordPress security video tutorials, WordPress plugins and tools, plus WordPress security documentation in PDF and DOC formats.

BlogDefender shows you where potential security holes in your WordPress installation are …

Blog Defender Security Product Suite For WordPressAnd lets you easily fix these …

Blog Defender Security Product Suite For WordPress BlogsIf you don’t want to buy a security plugin like SecureScanPro or BlogDefender, then use various free plugins, such as Limit Login Attempts

Limit Login Attempts - WordPress Security Plugin

WordPress is a very secure platform, but neglecting essential maintenance tasks like keeping your WP core files, WP plugins and WordPress themes up-to-date, tightening file and data protection and taking other necessary precautions can expose your site to malicious by hackers and bots.

Regardless of the type of business you run or plan to run online and how small you think your web presence is, you simply cannot afford to ignore the importance of securing your web sites.

As one last reminder of the importance of website security, below is the advice given by a website security expert to all WordPress users after the global brute force attacks by botnets on WordPress in April 2013 …

Owners of websites based on WordPress CMS must improve at least basic security settings and implement best practices such as the use of robust passwords and the accurate management of “admin” accounts.

Pierluigi Paganini, Chief Information Security Officer, Security Affairs

***

As you can see, WordPress security is very important if you run a WordPress site. Hopefully, the above article will help keep your WordPress site protected from brute force attacks. If you need any further help or assistance with WordPress security, please consult a professional WordPress security specialist, or search for a professional WordPress service provider in our WordPress Services Directory.

Also, please remember to subscribe to WPCompendium.org to receive notifications when we publish new tutorials on WordPress security and tutorials about new WordPress security plugins and solutions.

***

"I love the way your email series "Infinite Web Content Creation Training Series" is documented and presented. It is very absorbing and captivating. The links and tutorials are interesting and educational. This has motivated me to rewrite my content following the concepts I am learning from the email series." - Mani Raju, www.fortuneinewaste.com

***