Someone’s trying to break into your WordPress right now. How do you stop them?

Brute force attacks suck. They’re easy to do, and what is even worse is that they are easy to automate. There is a very high likelihood that someone has already tried to brute force your site today.

What the heck is a brute force attack?

What is are brute force attack?

It’s when someone goes to the login page of your site and tries to guess your username and password. That someone is usually a bot and can guess passwords at a rate of 10,000 + passwords per second. They commonly use lists of common and compromised passwords and go until they either crack your password or exhaust their list.

The best way to combat this is to make it as time-consuming as possible for them. You can do this by following these 3 steps.

1. Use a kick ass password

Make your passwords tougher.

Nobody’s got time to crack a 20 + character password that has numbers symbols, upper case and lower case text.

“But how will I remember such a long password,” I hear you cry?

Use a password manager like LastPass or Bitwarden.

2. Block, block, block

Install the Wordfence plugin. This is a kick-ass security plugin that has saved us on multiple occasions. Best of all, it has a special section just for dealing with brute force attacks.

First, it hides your WordPress version number. This is information that hackers are usually searching for, as they can exploit vulnerabilities in old versions of WordPress.

Then it stops WordPress from confirming if your username was right or wrong.

Next it lets you ban the attacker’s IP address for X number of hours after Y number of unsuccessful attempts (replace X and Y with whatever you want).

Pro Tip: You can see commonly used unsuccessful usernames (such as admin, please don’t use admin as a username) and add them to a list in Wordfence that automatically locks their IP address if used.

3. Hide your login page.

Everyone familiar with WordPress knows that you can just tack wp-admin on to the end of a URL, and you get to a login page (if the site is a WordPress site). But you can use a plugin to change this behaviour. This makes finding where to log in a wee bit trickier (and a lot harder for a bot).

You can do this with a plugin called WPS Hide Login


So why go to the trouble. Well, if someone gets in, it’s a nightmare trying to undo the damage. They can fill your site with spam, porn, malware or whatever they like. They can redirect your site to another site. Furthermore, they get access to your customers details. Or they could hold your site to ransom. You don’t want any of this.

The other issue is it taxes your server. That means your site goes slow, which impacts your real site visitors. No one likes going to a slow website.

Do yourself a favour and knock off these 3 easy steps!