A brute force attack is the method of breaking into a password-protected login by trial and error. Attackers use bots that keep guessing username and password combinations on the login, registration and other forms of a site until one works and they can take over the site. Because the bots guess continuously, they also put a lot of load on your server, so even if you are not thinking from a security perspective it is worth blocking these bots and users to reduce the load on your hosting server. In this article let us discuss how to prevent brute force attacks in WordPress.
Stop Brute Force Attack in WordPress
There are different methods to protect your login pages and stop brute force attacks in WordPress. However, you need a plugin to enable these features, and in this article we will explain them primarily with the Jetpack and All In One WP Security & Firewall plugins. Sometimes your hosting company provides a dedicated plugin for this purpose; for example, you can use the SiteGround Security plugin when hosting with SiteGround.
1. Using Jetpack Plugin for Brute Force Prevention
Jetpack offers many modules, and “Security” is the one that contains the brute force protection.
- Go to the “Jetpack > Settings” menu in your admin panel.
- In the “Security” section, scroll down and activate the “Protect” module.
- Once enabled, Jetpack protects your site automatically, without any visible captcha on the login form: it blocks login attempts from IP addresses that have already been seen attacking other Jetpack-connected sites.
- In addition you can click the “Protect” option and add a list of IP addresses that Protect must never block. This is a safety net for your own addresses, not a strict whitelist: other IP addresses can still reach the login page and are blocked only when Protect identifies them as attackers.
2. Brute Force Prevention with All in One WP Security & Firewall Plugin
Jetpack’s brute force prevention is very simple and does not offer many other options. All in One WP Security & Firewall is a popular free security plugin that helps to protect your WordPress site effectively. Install and activate the plugin from your WordPress dashboard; it adds a new “WP Security” menu to the sidebar of the admin dashboard.
The plugin scores the security of your site on a points scale, and each security option you activate adds to the score. To prevent brute force attacks, navigate to the “WP Security > Brute Force” section, where you will find the options described below:
Make sure of the following before proceeding with any of the security settings:
- Back up the entire site, both the files and the database. The plugin creates database tables and modifies site files such as .htaccess.
- Make sure you have FTP (or SFTP) access to your hosting server. You will need it to restore or remove files if you get locked out of your admin dashboard and cannot log in.
- Enable an option only if it is applicable to and required for your site.
We explain the options available in this plugin in the following sections.
3. Rename Login Page
The WordPress login page can be reached by adding “/wp-admin/” or “/wp-login.php?action=login” to your site URL. Since anyone can find your login form through one of these URLs, the first step in brute force prevention is to rename the login page. Check the “Enable Rename Login Feature” box and enter a string that is hard to guess.
For example, if you want the login page URL to become “yoursite.com/login/”, enter the word “login” in the text box (in practice, choose something less obvious than “login”).
- Renaming the login page logs you out, and you need to log in again using the new URL.
- This function affects all users, so do not activate it if you allow user registration or require registration for commenting on your site.
- This function also affects any other plugin that relies on the default login page. Keep in mind that it only hides the login form: password guessing through xmlrpc.php is unaffected, so pair it with login attempt limiting.
4. Cookie Based Brute Force Prevention
The next option to prevent brute force attacks is based on a cookie set in your browser. Tick the “Enable Brute Force Attack Prevention” check box and enter a secret word in the “Secret Word” text box.
For example, if you set the secret word to “test”, the login URL becomes “http://yoursite.com/?test=1”; in general you add “/?secret-word=1” to your site URL, and the plugin then sets a cookie that lets that browser reach the login page. In addition you can set the “Re-direct URL” to which unauthorized visitors are sent. A common choice is the localhost address “http://127.0.0.1”, which bounces them to their own machine and keeps the follow-up request off your server. If you have password-protected posts or pages, tick “My Site Has Posts Or Pages Which Are Password Protected”, because the password form for those posts submits to the login page as well.
If a theme or plugin on your site uses AJAX, tick “My Site Has a Theme or Plugins Which Use AJAX”. Most themes and plugins do use AJAX (their requests go through admin-ajax.php inside the protected admin directory), so you should normally enable this option and then test whether your site still loads properly.
- This method is similar to renaming the login page, so all the warnings mentioned above apply here as well.
- Because both “rename login page” and “cookie based brute force prevention” change the login page URL, use only one of the two on your site at a time.
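How the cookie gate works, as an added example that is not the plugin’s own code: the must-use plugin below implements the same idea in PHP. The secret word “test”, the cookie name example_login_gate, its 12-hour lifetime and the redirect of unauthorized visitors to the site front page are assumptions made for the illustration.

```php
<?php
/**
 * Plugin Name: Example cookie-gated login page
 *
 * Added illustration for this article, not code from All in One WP Security &
 * Firewall. Assumptions: the secret word is "test", the cookie is named
 * example_login_gate and lives for 12 hours, and unauthorised visitors are sent
 * to the site front page. Put the file in wp-content/mu-plugins/ to try it.
 */

const EXAMPLE_LOGIN_SECRET = 'test';               // unlock with https://yoursite.com/?test=1
const EXAMPLE_LOGIN_COOKIE = 'example_login_gate';

/**
 * The cookie must not carry the secret word itself, or anyone who sees the
 * cookie learns the secret. Derive the value with an HMAC keyed by the site's
 * AUTH_KEY salt from wp-config.php.
 */
function example_login_cookie_value(): string {
    return hash_hmac( 'sha256', EXAMPLE_LOGIN_SECRET, AUTH_KEY );
}

/** Step 1: a visitor who knows the secret word requests ?test=1 on any page. */
function example_login_set_cookie(): void {
    if ( ! isset( $_GET[ EXAMPLE_LOGIN_SECRET ] ) ) {
        return;
    }
    setcookie( EXAMPLE_LOGIN_COOKIE, example_login_cookie_value(), [
        'expires'  => time() + 12 * HOUR_IN_SECONDS,
        'path'     => '/',
        'secure'   => is_ssl(),
        'httponly' => true,   // JavaScript on the site cannot read the gate cookie
        'samesite' => 'Lax',
    ] );
    wp_safe_redirect( wp_login_url() );
    exit;
}
add_action( 'init', 'example_login_set_cookie' );

/** Step 2: wp-login.php is not served unless the gate cookie is present and matches. */
function example_login_require_cookie(): void {
    $have = isset( $_COOKIE[ EXAMPLE_LOGIN_COOKIE ] ) ? (string) $_COOKIE[ EXAMPLE_LOGIN_COOKIE ] : '';
    if ( hash_equals( example_login_cookie_value(), $have ) ) {   // constant-time comparison
        return;
    }
    // Password-protected posts submit their password to wp-login.php?action=postpass,
    // and logout goes through the same file; both must keep working without the cookie.
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
    if ( in_array( $action, [ 'postpass', 'logout' ], true ) ) {
        return;
    }
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
add_action( 'login_init', 'example_login_require_cookie' );
```

This example gates only wp-login.php at the PHP level (logged-out visitors to /wp-admin/ are redirected there anyway). The plugin’s own implementation also protects the admin directory, which is why it needs the AJAX and password-protected-post options; the postpass exception above is the same concern handled in code. The gate is a hiding measure, not authentication: anyone who learns the secret word can still attempt logins, so it should accompany, not replace, attempt limiting.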
5. Login Captcha
Because the first two options interfere with multi-user sites (sites with login, registration and e-commerce features), simply enabling a captcha is one of the simplest methods to slow down brute force attacks. This section has three options for enabling a mathematical captcha on forms:
- Add the captcha to the default WordPress login page.
- Enable the captcha on all forms on the site that call the WordPress function “wp_login_form()”.
- Enable the captcha on the lost password request form.
6. Login Whitelist
Like Jetpack, All in One WP Security & Firewall has an IP list for the login page, the “Login Whitelist” option. When enabled, only the listed IP addresses can reach your WordPress login page; all other IP addresses are blocked.
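An IP allowlist for the login page, as an added example that is not the plugin’s code. It shows the part that most home-grown versions get wrong: CIDR matching for both IPv4 and IPv6, and reading the address from REMOTE_ADDR rather than from a client-controlled header. The three ranges listed are placeholders from the documentation address blocks and are assumptions for the illustration.

```php
<?php
/**
 * Plugin Name: Example login IP allowlist
 *
 * Added illustration for this article, not code from All in One WP Security &
 * Firewall. The ranges below are placeholders (documentation address blocks):
 * replace them with your own office or VPN addresses before activating, or you
 * lock yourself out and must delete the file over FTP, as the article advises.
 */

const EXAMPLE_ALLOWED_RANGES = [
    '203.0.113.10/32',   // a single IPv4 address (placeholder)
    '198.51.100.0/24',   // a whole IPv4 /24 (placeholder)
    '2001:db8::/32',     // an IPv6 prefix (placeholder)
];

/** True when $ip (v4 or v6) falls inside $cidr, e.g. ('198.51.100.7', '198.51.100.0/24'). */
function example_ip_in_cidr( string $ip, string $cidr ): bool {
    [ $subnet, $bits ] = array_pad( explode( '/', $cidr, 2 ), 2, null );
    $ip_bin     = inet_pton( $ip );
    $subnet_bin = inet_pton( (string) $subnet );
    if ( false === $ip_bin || false === $subnet_bin || strlen( $ip_bin ) !== strlen( $subnet_bin ) ) {
        return false; // malformed address, or an IPv4 client tested against an IPv6 range
    }
    $max_bits = strlen( $ip_bin ) * 8;
    $bits     = null === $bits ? $max_bits : (int) $bits;
    if ( $bits < 0 || $bits > $max_bits ) {
        return false;
    }
    // Compare the whole leading bytes first, then the remaining high bits of the next byte.
    $full_bytes = intdiv( $bits, 8 );
    if ( substr( $ip_bin, 0, $full_bytes ) !== substr( $subnet_bin, 0, $full_bytes ) ) {
        return false;
    }
    $rem = $bits % 8;
    if ( 0 === $rem ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
    return ( ord( $ip_bin[ $full_bytes ] ) & $mask ) === ( ord( $subnet_bin[ $full_bytes ] ) & $mask );
}

function example_ip_allowed( string $ip, array $ranges ): bool {
    foreach ( $ranges as $range ) {
        if ( example_ip_in_cidr( $ip, $range ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Refuse wp-login.php to everyone outside the list. REMOTE_ADDR is used on
 * purpose: X-Forwarded-For is set by the client unless a proxy you run
 * overwrites it, so an allowlist that trusts it is bypassed with one forged header.
 */
function example_login_allowlist(): void {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    if ( example_ip_allowed( $ip, EXAMPLE_ALLOWED_RANGES ) ) {
        return;
    }
    // Password-protected posts submit to wp-login.php?action=postpass; keep that working.
    if ( isset( $_REQUEST['action'] ) && 'postpass' === $_REQUEST['action'] ) {
        return;
    }
    status_header( 403 );
    nocache_headers();
    exit( 'Login is not available from your network.' );
}
add_action( 'login_init', 'example_login_allowlist' );
```

If the site sits behind a CDN or reverse proxy, REMOTE_ADDR holds the proxy’s address and this list would block everyone (or, if you list the proxy, allow everyone). In that setup, have the web server restore the real client address from the proxy’s header (for Apache, mod_remoteip does this) rather than parsing headers in PHP.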
7. Honeypot Protection
The last option is “Enable Honeypot On Login Page”. It adds a field to the login form that is hidden from human users by CSS but still present in the HTML that bots parse. Since bots tend to fill in every field they find, the plugin rejects any login attempt in which the hidden field has been filled, which stops simple robots effectively.
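The honeypot and the math captcha from the previous section share the same two hooks, so one added example covers both; it is an illustration written for this article, not the plugin’s code. The field names example_hp, example_captcha and example_captcha_token, and the five-minute lifetime of the stored captcha answer, are assumptions.

```php
<?php
/**
 * Plugin Name: Example login honeypot and math captcha
 *
 * Added illustration for this article, not code from All in One WP Security &
 * Firewall. Assumptions: field names example_hp, example_captcha and
 * example_captcha_token, and a five-minute lifetime for the stored captcha
 * answer. Put the file in wp-content/mu-plugins/ to try it.
 */

/** HTML for the two extra fields, shared by wp-login.php and wp_login_form(). */
function example_login_fields_html(): string {
    // Honeypot: moved off-screen with CSS rather than type="hidden", because
    // bots that skip hidden inputs still fill every text input they find.
    // autocomplete="off" keeps browser autofill from filling it for real users.
    $html = '<p style="position:absolute;left:-9999px" aria-hidden="true">'
          . '<label for="example_hp">Leave this field empty</label>'
          . '<input type="text" name="example_hp" id="example_hp" value="" tabindex="-1" autocomplete="off" /></p>';

    // Math captcha: the question is generated server-side and the answer stored
    // under a random token, so the answer itself never travels to the client.
    $a     = random_int( 1, 9 );
    $b     = random_int( 1, 9 );
    $token = bin2hex( random_bytes( 16 ) );
    set_transient( 'example_captcha_' . $token, (string) ( $a + $b ), 5 * MINUTE_IN_SECONDS );

    $html .= sprintf(
        '<p><label for="example_captcha">What is %d + %d?</label>'
        . '<input type="text" name="example_captcha" id="example_captcha" class="input" size="20" autocomplete="off" /></p>'
        . '<input type="hidden" name="example_captcha_token" value="%s" />',
        $a,
        $b,
        esc_attr( $token )
    );
    return $html;
}
// The default login page fires this action inside the form ...
add_action( 'login_form', function () {
    echo example_login_fields_html();
} );
// ... while forms rendered by wp_login_form() use this filter instead.
add_filter( 'login_form_middle', function ( $content ) {
    return $content . example_login_fields_html();
} );

/**
 * Validate the submission. Priority 30 matters: core's own username/password
 * check is hooked to 'authenticate' at priority 20 and replaces whatever value
 * it is handed, so a WP_Error returned from an earlier priority would be lost.
 */
function example_login_check( $user, $username, $password ) {
    // wp-login.php runs this filter on a plain GET as well; only check real submissions.
    if ( empty( $username ) && empty( $password ) ) {
        return $user;
    }

    // Honeypot: a human never sees the field, so any content means a bot.
    if ( isset( $_POST['example_hp'] ) && '' !== trim( (string) $_POST['example_hp'] ) ) {
        return new WP_Error( 'example_honeypot', 'Login rejected.' );
    }

    $token  = isset( $_POST['example_captcha_token'] ) ? (string) $_POST['example_captcha_token'] : '';
    $answer = isset( $_POST['example_captcha'] ) ? trim( (string) $_POST['example_captcha'] ) : '';

    // Tokens are exactly 32 hex characters; anything else never came from our form.
    if ( ! preg_match( '/^[0-9a-f]{32}$/', $token ) ) {
        return new WP_Error( 'example_captcha', 'Captcha token missing.' );
    }

    $expected = get_transient( 'example_captcha_' . $token );
    delete_transient( 'example_captcha_' . $token ); // single use: a solved captcha cannot be replayed

    if ( false === $expected || ! hash_equals( (string) $expected, $answer ) ) {
        return new WP_Error( 'example_captcha', 'Wrong captcha answer.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_login_check', 30, 3 );
```

Each render of the form stores one short-lived transient, which is the cost of keeping the answer off the client; a bot that loads the form thousands of times creates that many rows until they expire. A single-digit sum is trivial for a bot that bothers to parse the question, so like the plugin’s captcha this is friction against generic tools, and attempt limiting remains the real control.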
8. Limit Login Attempts
Limiting login attempts is the most important measure against brute force attacks in WordPress, because it caps how many guesses an attacker gets. All In One WP Security & Firewall also has an option to limit the number of login attempts. If you do not want to use such a heavy plugin, there are dedicated plugins for this alone; for example, Limit Login Attempts Reloaded lets you configure how many attempts anyone may make. When the limit is reached, the plugin blocks the IP address for a lockout period and notifies the administrator. In this way legitimate users can still log in, while automated bots are blocked after a few attempts. Keep in mind that an attacker who spreads guesses across many IP addresses stays below the per-address limit, so this works best together with strong, unique passwords.
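The counting and lockout logic in a small must-use plugin, as an added example that is not the code of Limit Login Attempts Reloaded or of All in One WP Security & Firewall. The thresholds (5 failures within 15 minutes, a 30-minute lockout), the use of WordPress transients for the counters and the e-mail to the admin address are assumptions for the illustration.

```php
<?php
/**
 * Plugin Name: Example login attempt limiter
 *
 * Added illustration for this article, not the code of Limit Login Attempts
 * Reloaded or All in One WP Security & Firewall. Assumptions: 5 failures within
 * 15 minutes lock an IP address out for 30 minutes, counters live in WordPress
 * transients, and the admin e-mail gets a notice on each lockout.
 */

const EXAMPLE_LLA_MAX_FAILURES = 5;
const EXAMPLE_LLA_WINDOW       = 15 * MINUTE_IN_SECONDS;
const EXAMPLE_LLA_LOCKOUT      = 30 * MINUTE_IN_SECONDS;

/**
 * REMOTE_ADDR is the only address the client cannot forge. Reading
 * X-Forwarded-For here would let an attacker present a fresh "IP" on every
 * request and never reach the limit; behind a proxy you run, have the web
 * server restore the real client address instead.
 */
function example_lla_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient name per counter type and IP; hashing keeps IPv6 addresses short and safe. */
function example_lla_key( string $type, string $ip ): string {
    return 'example_lla_' . $type . '_' . md5( $ip );
}

function example_lla_is_locked( string $ip ): bool {
    return false !== get_transient( example_lla_key( 'lock', $ip ) );
}

/** Count a failed login; lock the address out once the threshold is reached. */
function example_lla_record_failure( $username ): void {
    $ip = example_lla_client_ip();
    if ( example_lla_is_locked( $ip ) ) {
        return; // attempts made during a lockout must not start a second counter
    }
    $failures = (int) get_transient( example_lla_key( 'fail', $ip ) ) + 1;
    set_transient( example_lla_key( 'fail', $ip ), $failures, EXAMPLE_LLA_WINDOW );

    if ( $failures >= EXAMPLE_LLA_MAX_FAILURES ) {
        set_transient( example_lla_key( 'lock', $ip ), time() + EXAMPLE_LLA_LOCKOUT, EXAMPLE_LLA_LOCKOUT );
        delete_transient( example_lla_key( 'fail', $ip ) );
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] Login lockout for %s', get_bloginfo( 'name' ), $ip ),
            sprintf(
                "%d failed logins from %s (last username tried: %s). Locked out for %d minutes.",
                $failures, $ip, sanitize_user( (string) $username ), EXAMPLE_LLA_LOCKOUT / MINUTE_IN_SECONDS
            )
        );
    }
}
add_action( 'wp_login_failed', 'example_lla_record_failure' );

/**
 * Refuse authentication while the lockout lasts. Priority 30 runs after core's
 * password check at priority 20, which would otherwise replace an earlier
 * WP_Error with its own result; here the refusal is final even for correct credentials.
 */
function example_lla_check_lockout( $user, $username, $password ) {
    $ip    = example_lla_client_ip();
    $until = get_transient( example_lla_key( 'lock', $ip ) );
    if ( false !== $until ) {
        $minutes = max( 1, (int) ceil( ( (int) $until - time() ) / MINUTE_IN_SECONDS ) );
        return new WP_Error(
            'example_locked_out',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', $minutes )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lla_check_lockout', 30, 3 );

/** A successful login clears the failure counter for that address. */
add_action( 'wp_login', function () {
    delete_transient( example_lla_key( 'fail', example_lla_client_ip() ) );
} );
```

Two design points worth noting. The lockout check returns an error even when the credentials are correct, so the attacker learns nothing from the response during the lockout. And since a refused attempt still fires wp_login_failed, the counter is guarded so that attempts during a lockout do not immediately start the next one.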
All in One WP Security & Firewall offers exhaustive ways to secure your WordPress site. Though this looks attractive, test each feature and use only the ones your site needs. The rename login page, cookie based and IP whitelisting options suit single-user sites with no user registration. The remaining options, such as the login captcha, the honeypot and limiting login attempts, can be used on all types of sites. You can also use Jetpack and All in One WP Security & Firewall together to stop brute force attacks on your site.