You probably know that in the past week there have been some massive brute force attacks on WordPress powered sites. Or perhaps you didn’t know this. Either way, we’ve written up this WordPress Brute Force Attack checklist to help you maintain the security of your site.
It should also help you avoid the huge headache that comes with cleaning up a hacked site.
1. Implement multi-factor or two-factor authentication
From Sucuri – “By far, the most effective strategy to defend against such an attack is through the implementation of some form of multi-factor or two-factor authentication. This is a more effective long-term strategy, whether through the implementation of a plugin like Google Authenticator or Duo Security. There are also a series of other techniques that could prove very beneficial, specifically employing a whitelist approach to those allowed access to your wp-admin panels.”
2. Create an IP Whitelist
Again, from Sucuri – “A white-list approach will allow you to dictate which IPs are allowed, while explicitly denying all other IPs. This can be done via your .htaccess files and/or via your web application firewall (WAF). Another effective strategy would be through a second layer of authentication using some of the basics like Basic Access Authentication. This would provide an effective defensive layer against automated attacks targeting default wp-admin panels.”
Also check out this post about banning WordPress spammers using the .htaccess file. This .htaccess banning generator may also come in handy.
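The easiest way to lose a day with an IP whitelist is to upload an .htaccess that does not include the address you are sitting on. The script below is an added example (not code from this post or from Sucuri) that validates a list of addresses or CIDR ranges, renders them as an Apache 2.4 `Require ip` block for wp-login.php, and checks your current address against the list before you deploy. The addresses are constructed placeholders from documentation ranges; the function names are mine.

```python
"""Build and sanity-check an IP allowlist for wp-login.php.

Added example, not code from the original post or from Sucuri. The addresses
are constructed placeholders from documentation ranges; replace them with the
addresses you actually log in from.
"""
import ipaddress

# Constructed sample allowlist: an office range plus one static home address.
ALLOWED = ["203.0.113.0/24", "198.51.100.7"]


def parse_allowlist(entries):
    """Validate every entry as a single address or a CIDR network.

    strict=True rejects entries with host bits set (e.g. 10.0.0.5/24),
    which almost always means a typo that would allow more than intended.
    """
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def is_allowed(client_ip, networks):
    """Mirror Apache's 'Require ip': allow if any listed network contains the address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def htaccess_block(networks):
    """Render the allowlist as an Apache 2.4 <Files> block for wp-login.php.

    Several 'Require ip' lines inside one container are combined as
    RequireAny, so a client matching any entry is admitted and everyone
    else gets a 403.
    """
    lines = ["<Files wp-login.php>"]
    for net in networks:
        # Single hosts are emitted without the /32 or /128 suffix for readability.
        host = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        lines.append(f"    Require ip {host}")
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


def safe_to_deploy(my_current_ip, entries):
    """Return True only if the address you are connecting from is on the list.

    Run this before uploading the .htaccess so you do not lock yourself out.
    """
    return is_allowed(my_current_ip, parse_allowlist(entries))


if __name__ == "__main__":
    nets = parse_allowlist(ALLOWED)
    print(htaccess_block(nets))
    print("current address allowed:", safe_to_deploy("198.51.100.7", ALLOWED))
```

Three caveats when you put the output in place: the `wp-admin` directory needs its own .htaccess with the same rules, and that one should exempt `admin-ajax.php` (`<Files admin-ajax.php>` / `Require all granted` / `</Files>`) because front-end themes and plugins call it for logged-out visitors; Apache 2.2 uses the older `Order`/`Deny`/`Allow` syntax instead of `Require`; and if the site sits behind a proxy or CDN, the address Apache sees is the proxy's, so either configure mod_remoteip or apply the allowlist at the WAF as Sucuri suggests.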
3. Remove the Admin Username
This alone will not protect you fully: bots try “admin” first because it is the default, but any other login name can often be discovered (for example, author archive URLs such as /?author=1 redirect to /author/<login>/), so treat this as hygiene within a larger security plan rather than a control on its own. Need to know how to do this without locking yourself out of your site? Have a look at this post at iThemes and look under “Remove the admin username”. The basic steps are:
- Create a new administrator user
- Log out and login as this new user
- Delete the “admin” user, and attribute all posts to the new user created in step 1
4. Choose a STRONG Password
Yes, I know. Strong passwords are difficult to remember. Time for some tough love…hacked sites are even harder to fix!
Here are some helpful links to password managers that have been recommended. I personally use 1Password and can’t live without it.
5. Limit Login Attempts
Install the Limit Login Attempts plugin. After a configurable number of failed logins from one IP address it locks that address out for a set period, so an automated guesser gets only a handful of tries per lockout window instead of thousands of requests per minute. Have a look at what Limit Login Attempts can do for you.
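To make the mechanism concrete, here is an added example (my own code, not the plugin's) of the per-IP lockout logic such a plugin implements, replayed over a constructed log of login attempts. The thresholds (4 failures, 20-minute lockout, 12-hour counting window) are values I chose for the example; check the plugin's settings page for its own defaults. The important detail is that the lockout is checked before the password, so a locked-out address is refused even with the right password, and that a counter keyed on IP address is blind to an attack spread across many addresses.

```python
"""Per-IP failed-login lockout, the mechanism behind Limit Login Attempts.

Added example, not the plugin's code. Thresholds are assumed values chosen
for the example. Timestamps are plain seconds so the replay is deterministic.
"""
from collections import defaultdict, deque

MAX_FAILURES = 4            # failures allowed in the window before lockout
WINDOW_SECONDS = 12 * 3600  # failures older than this no longer count
LOCKOUT_SECONDS = 20 * 60   # how long an address stays locked out


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def is_locked(self, ip, now):
        """True while a lockout is active; expired lockouts are cleared."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, password_ok, now):
        """Process one login attempt and return 'locked', 'ok' or 'fail'."""
        # Lockout is enforced before the password is even looked at.
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)  # a success resets the counter
            return "ok"
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return "locked"
        return "fail"


# Constructed attempt log: (seconds, client ip, username, password correct?)
SAMPLE_ATTEMPTS = [
    (0,    "198.51.100.23", "admin",  False),
    (1,    "198.51.100.23", "admin",  False),
    (2,    "198.51.100.23", "admin",  False),
    (3,    "198.51.100.23", "admin",  False),  # 4th failure -> locked out
    (4,    "198.51.100.23", "admin",  True),   # right password, still refused
    (5,    "203.0.113.9",   "editor", False),  # other addresses are unaffected
    (1205, "198.51.100.23", "admin",  True),   # lockout expired -> accepted
]


def replay(attempts, limiter=None):
    """Run a list of attempts through one limiter and return the decisions."""
    limiter = limiter or LoginLimiter()
    return [limiter.attempt(ip, ok, t) for t, ip, _user, ok in attempts]


def distributed_attack_locks_anyone(n_addresses):
    """Show the blind spot: one failure each from many addresses never locks."""
    limiter = LoginLimiter()
    results = [limiter.attempt(f"10.0.{i // 256}.{i % 256}", False, i)
               for i in range(n_addresses)]
    return "locked" in results


if __name__ == "__main__":
    for (t, ip, user, _ok), decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={t:>5}s {ip:<15} {user:<7} -> {decision}")
    print("distributed attack locked out:", distributed_attack_locks_anyone(500))
```

The last function is why this plugin belongs under “one step in a larger plan” rather than as the main defense: a botnet that spreads its guesses across thousands of addresses stays under any per-IP threshold, which is exactly where two-factor authentication and the IP whitelist above earn their keep.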
6. Keep WordPress & Plugins Up To Date
Always keep WordPress, your theme and all your plugins up to date. New vulnerabilities are found and patched regularly, and every brute force defense on this list is pointless if an unpatched plugin lets an attacker in without a password. Make sure your site does not have any “holes” or “back doors”.
7. Check Your Site Now!
Further Reading
- The WordPress Brute Force Attack Timeline – Sucuri
- Ongoing WordPress Security Attacks, The Details and Solutions – iThemes
- Hardening WordPress – WordPress Codex
- WordPress Security Cutting Through the BS – Sucuri
- WordPress False Security – Mika “Ipstenu” Epstein
What Happens When the Worst Happens?
When the worst happens and you get hacked, it’s like getting punched in the gut, then slapped across the face, then getting a nipple twister on top of it all. Then depression sets in.
But don’t give up hope! We’ve had our sites hacked before too and used to spend countless hours cleaning up our site and database…until Sucuri came along. If you get hacked, or if you want to just monitor your site, then do yourself a favor and go get a Sucuri account. It’s well worth the minimal fees.