How to Prevent Brute Force Attack in WordPress?
A brute force attack is the method of breaking into password-protected web pages by trial and error. Attackers use automated bots to guess the username and password on login, registration and other forms and try to take over the site. The bots continuously attempt to guess credentials and put a lot of load on your server, so even if you are not thinking from a security perspective, it is essential to block those bots and users in order to reduce the load on your hosting server. In this article, let us discuss how to prevent brute force attacks in WordPress.
Using Jetpack Plugin for Brute Force Prevention
Jetpack offers many modules, and "Protect" is the module that prevents brute force attacks. You can simply activate the "Protect" module to stop brute force attacks on your WordPress site.
When enabled, Jetpack automatically shows a mathematical captcha on the admin login page and stops the bots. In addition, you can configure IPs under whitelist management. Only whitelisted IPs will be allowed to access your WordPress login page, and all other IPs will be blocked from logging in to the admin dashboard.
Brute Force Prevention with All in One WP Security & Firewall Plugin
Jetpack's brute force prevention is very simple and does not offer many other options. The All in One WP Security & Firewall plugin is a popular, free security plugin that helps protect your WordPress site effectively. Install and activate the plugin from your WordPress dashboard. It will create a new "WP Security" menu in the admin dashboard's sidebar.
The plugin measures the security of your site on a points scale, and activating individual security options adds to the points. To prevent brute force attacks, navigate to the "WP Security > Brute Force" section, where you will see multiple options like the ones below:
Ensure you have the following in place before proceeding with any of the security settings:
- Back up the entire site, including site files and the database. The plugin will create database tables and modify site files such as .htaccess.
- Ensure you have FTP access to your hosting server. This is required to restore the files if you are locked out of your admin dashboard and are not able to log in.
- Enable an option only if it is applicable and required for you.
Rename Login Page
The WordPress login page can be easily reached by adding the suffix "/wp-admin/" or "/wp-login.php?action=login" to your site URL. Since anyone can reach your login page with one of these URLs, the first step in brute force prevention is to rename the login page. Check the "Enable Rename Login Feature" box and provide a string of your choice that is hard to guess.
For example, if you want to change the login page URL to something like "yoursite.com/login/", then enter the word "login" in the text box.
Cookie Based Brute Force Prevention
The second option prevents brute force attacks based on a cookie present in the browser. Enable the check box "Enable Brute Force Attack Prevention" and provide a secret word in the "Secret Word" text box.
For example, if you set the secret word to "test", the login URL will be "http://yoursite.com/?test=1". In general, you append "/?secret-word=1" to your site URL to access the login page.
In addition, you can set the "Re-direct URL" to which unauthorized users are sent. Generally you can set this to the localhost IP address "http://127.0.0.1" to avoid load on your server. If you have password-protected pages, enable the checkbox "My Site Has Posts Or Pages Which Are Password Protected".
If you have a theme or plugin that uses Ajax, enable the checkbox "My Site Has a Theme or Plugins Which Use AJAX". Most themes and plugins use Ajax, so you should enable this option and then test whether your site still loads properly.
Since the first two options will affect multi-user environments such as sites with login, registration and ecommerce features, simply enabling captcha is one of the easiest methods to stop brute force attacks. Under the captcha section you have three options for enabling a mathematical captcha on forms:
- Enable captcha on the default WordPress login page.
- Enable captcha on all forms on the site that use the WordPress function "wp_login_form()".
- Enable captcha on the lost password request form.
Similar to Jetpack's whitelist management, the All in One WP Security & Firewall plugin also offers a "Login Whitelist" option. This allows only the listed IP addresses to access your WordPress login page; all other IP addresses will be blocked.
The last option is "Enable Honeypot On Login Page". This adds a new field to the login form that is invisible to human users and visible only to bots. Since bots tend to fill in every field on the login form, the plugin blocks the attempt if the hidden field is filled, which stops the bots effectively.