How to STOP Brute Force Attacks On WordPress Site? [2024]

WordPress Brute Force Attack protection

WordPress Brute Force Attack


Brute force attacks are common against web services. Any website is a potential target. However, criminal actors usually choose the most popular to increase their chances of success. WordPress is one of their favorite targets. This platform is so popular that out of one million top websites on the Internet, over 75% are created using WordPress. Being such a strong market leader makes WordPress an attractive target for attackers. One popular type of attack is password brute force on WordPress websites.

brute force attack wordpress

One of the methods many hackers use to access a WordPress site is to launch a brute force attack. Like any hacking attempt, these attacks are intended to allow hackers to access the system so that they can delete content, add their own content, or perform other Machiavellian actions. A brute force attack is one of the easiest ways to access a system.

? In this article, we will cover some major aspects including – What is Brute Force Attack, its impact, consequences and tips to stop brute force attacks on your WordPress site.

? The basic idea behind this type of hacking is simple: the attacker (usually an automated system) tries as many passwords as possible until he finds the one that works. It may seem that this approach takes some time, but it is really effective since many people do not use complex passwords. In addition to compromising your system, these attacks also slow down the loading time of the site. They can also completely crash it, because the attacker usually tries ten passwords every few seconds.

brute-force-attack on wordpress website.

? What is a Brute Force Attack?

The brute force search or exhaustive search method is a method of solving problems in the fields of cryptology, computer science and game theory. This method is aptly named because it is based on the use and testing of all possible solutions hence also the term exhaustive search. Usually this kind of attack is done by botnets.

The largest brute force attack, recorded in June, was 3,547,074. With the size of the average attack from January to June being 55,993.

The goal of a brute force attack [see:wikipedia]  is to obtain valid credentials for the WordPress site and use them to access the admin panel. Access to the admin panel means that the attacker gains complete control over the website. Compromised WordPress sites can be used for different purposes: deface, steal credentials, host malicious files, inject malicious code to the pages, or make the website part of a specific malware infrastructure.

This technique is used when there is no better valid algorithm. Hackers who use this method are particularly eager to crack passwords and can easily access personal data. Brute force attacks are effective because many users don’t choose secure passwords. If users follow basic guidelines when creating passwords, or, even better, use a password generator, the chances of a bot guessing the right password are tiny. A sufficiently complex password takes centuries to guess.

For this, they use software with a simple algorithm that quickly and sequentially tries a large number of character combinations including numbers, spaces and letters up to a defined maximum length.

The shorter and simpler the password, the faster it can be cracked with the brute force method. This is why passwords with different characters are generally recommended and it is also advisable to use an encoding system for very large keys or passwords.

Since the amount of computing power needed to perform a brute force attack becomes more and more readily available, it means that attack attempts can be made in a shorter period of time, making full protection against attacks.

Due to the potential number of requests being sent, a brute force attack can actually function similarly to a WordPress DDoS attack, taking many sites down due to high utilization of CPU/memory.

password-length-vs-the-amount-of-time-to-crack-it-using-brute-force-hacking

? Is Your WordPress site Under Brute Force Attack?

Here are conditions that could indicate a brute-force attack or other account abuse on your website:

  • Many failed logins from the same IP address
  • Logins with multiple usernames from the same IP address
  • Logins for a single account coming from many different IP addresses
  • Excessive usage and bandwidth consumption from a single use
  • Failed login attempts from alphabetically sequential usernames or passwords
  • Logins with a referring URL of someone’s mail or IRC client
  • Referring URLs that contain the username and password in the format http://user:password@www.example.com/login.htm
  • If protecting an adult Web site, referring URLs of known password-sharing sites
  • Logins with suspicious passwords hackers commonly use, such as ownsyou (ownzyou), washere (wazhere), zealots, hacksyou, and the like

? Impact of a brute force attack on enterprises

There are many potential negative consequences that may occur if your businesses website is hacked-

  • Disclosure of confidential information and compromise of industrial secrecy
  • Business disruption
  • Trust and reputation damage
  • Damage to the reputation of the company
  • Personal or sensitive data loss
    • Confidential business information including emails and financial records
    • Credit card details of customers
    • Personal details of customers
    • Trade secrets including recipes or schematics
  • Website downtime

?Types Of brute force attacks

There are two types of brute force attacks that can take place.

  • Vertical brute force attacks.
  • Horizontal brute force attacks.

Wordpress Brute Force Attack Types

[source -.cisco.com]

In the vertical brute force attack – every bot attempts a full dictionary attack against a single website. This type of brute forcing can be easily detected and blocked using a simple counter for user login attempts. In a standard brute force attack, an infected user systematically tries different user name and password combinations. In a distributed and vertical brute force attack, each infected user targets a specific website and systematically tries every credential provided by the bot master.

In the horizontal brute force attack, the bot master handles the dictionary used for the attack. Each bot receives a small subset of it, attempting a few user name and password combinations against a single website. In horizontal brute force attack, an infected host attempts a single user name and password combination per WordPress website. This makes detection much harder as simple counters do not trigger an alarm in this scenario.

? Brute-Force Botnet Attacks

Bots are not very smart. The goal of the a botnet is to force hundreds or even thousands of connections in a short period of time. The above text simply prevents malicious bots from “publishing” combinations of usernames and passwords directly to your default WordPress login page.

Administrators or subscribers connecting through the WordPress login page will not be blocked.

This method has much less impact on a customer’s daily process than most others and no additional steps are required, making it the easiest way to mitigate connection attacks.

If, on the other hand, you find that this surgical approach of preventing malicious bots from posting against your login page URL does not fully meet your needs, try the options below.

? Best WordPress Brute Force Protection Plugins

Plugins Active Installs Required WordPress version Tested up to Ratings
Loginizer 700,000+ 3.0 4.9.8 4.8/5
Login LockDown 200,000+ 3.6 4.9.8 4.6/5
Limit Login Attempts Reloaded 100,000+ 3.0 4.9.8 4.6/5
WP Limit Login Attempts 40,000+ 3.0 4.9.8 4.6/5
Brute Force Login Protection 20,000+ 2.7.0 4.8.7 4.3/5
Limits Attempts by Best Web Soft 10,000+ 3.9 4.9.8 4.6/5
Limit Login Attempts 5,000+ 2.0.2 4.9.8 3.7/5
WPS Limit Login 2000+ 4.2 4.9.8 5/5
BruteGuard – Brute Force Login Protection 100+ 4.4 4.9.8 5/5

WordPress Brute Force Attack Protection 2024

How to Protect WordPress from Brute Force Attacks

Whether the objective of a brute force attack is the password of your central system, or to get information from users, these events show the importance of protecting yourself against decryption methods.

When it comes to private system passwords, you can take charge yourself. Indeed, it suffices to use combinations that consist of many different types of characters.

In the best case, you can use uppercase and lowercase characters, special characters and numbers for your passwords. All this to make it more difficult to pirate your keys.

But the situation is complicated for the creation of passwords for online services. In fact, you are dependent on the requirements of the supplier. In general, a typical password has a maximum of 8 characters and is often limited to numbers and letters, which is not optimal for security.

In this case, you should then look for what precautions the website operators take in order to protect themselves from brute force attacks. When you are operating a website with a login mechanism, it is your responsibility. There are two possible approaches for this:

  • Secure the password mechanism
  • Setup Two-factor authentication (2FA)

Securing the password mechanism should be the basis for any login, but the iCloud scandal has shown that this is unfortunately not always the case. The purpose of the protection mechanism is to make the work of brute force software much more difficult.

This means, for example, that when an incorrect password is entered multiple times, no further attempts can be made and the login function is blocked.

Moreover, it is also possible to increase the time after and between each login attempt. You can also choose an additional step, as now applies Apple, which is to block the entire account of the user in case there are multiple attempts to login.

Many sites now also offer the option of multifactor authentication. This results in a more complicated login process since several components are needed in addition to the password. This can be the answer to a secret question, the return of a PIN code, or answer a Captcha test. A Captcha test is a short test that consists in checking if the login process is done by a person and not as in the case of brute force software, by a bot.

Prevent & Protect Against Brute Force Attacks WordPress

 

? Block bad bots

If you are the only administrator and your IP address rarely or never changes, then this advice is for you. Add this to the top of your .htaccess file:

<IfModule mod_rewrite.c>

RewriteEngine on

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

RewriteCond %{REMOTE_ADDR} !^xxx.xx.xx.xxx$

RewriteCond %{REMOTE_ADDR} !^xxx.xx.xx.xxx$

RewriteRule ^(.*)$ – [R=403,L] </IfModule>

Just replace the xxx.xx.xx.xxx entries with your IP address.

Suggested ReadWordPress .htaccess hacked – Cleanup & Prevent .htaccess Attack

? Use 2-factor authentication CAPTCHA, or Passcodes

To add another layer of protection, you can enable the Protected Page option. You simply specify the page you want to protect, and choose whether to enable two-factor authentication with Google Authenticator, throw up a CAPTCHA to stop bots, or add an additional passcode. Begin using Two-factor authentication (2FA). This way, even if someone guesses your password, they will not be able to access your site because they do not have the security key. We recommend doing this as soon as possible where the Google Authenticator plugin can be helpful. A passwordless login authentication give boost to the security of you WordPress website.

Do you want to protect the data stored on your portal and prevent unauthorized access? So enjoy an extra level of security by enabling two-factor authentication. In this case, if someone decides to hack your WordPress, even having your password will need your phone to access it.

To enable two-factor authentication

For the SaaS version, two-factor authentication with SMS is enabled by default when creating the portal. Default SMS service provider is selected according to the portal region: smsc is used for CIS, Twilio used for all other regions. You can add other SMS providers available later in the Settings -> Integration -> Integration to the third-party services section.

If you are using the server version, you must first connect at least one SMS Provider in the Settings -> Integration -> Integration to Third Party Services section so that you can enable the Two-factor Authentication option.

Enable two-factor authentication via plugin

Setup Two-factor authentication (2FA) in WordPress. This way, even if someone guesses your password, they will not be able to access your site because they do not have the security key. We recommend doing this as soon as possible where the Google Authenticator plugin can be helpful. You can also add HTTP authentication.

? Use longer and longer delays

At each login failure, the user will have to wait longer and longer before they can try again.

Let the user prove that he is not a bot:

  • Use a reCAPTCHA that forces the user to copy a word or solve a simple calculation. The disadvantage is that the user experience will suffer.
  • Ask the secret question after two or three unsuccessful login attempts
  • This not only prevents automated attacks, but it will also prevent the hacker from entering your system even if it has found your username and password.
  • Allow or deny access based on IP addresses
  • Do not allow p. ex. a connection only from one or more IP addresses when you collaborate with fixed collaborators within a certain network. Remember, however, that IP addresses can change, and hackers can hide their IP addresses.
  • Give a separate login URL to certain groups
  • You can increase the risk of being attacked so avoid using/my-admin or/admin as the login URL.

Timeout

Timer is a complementary technique that consists of preventing more than 2 attempts in a row by ns seconds. Your visitors will see no change if you take a margin of 2 seconds, while the robot that must enter hundreds of attempts per second will be delayed. So you reduce the speed of attack.

To add the timer, there are PHP sleep () and usleep () functions

The  sleep () function is second and usleep () in microsecond.

Here is an example:

sleep (1); // pause for a second

usleep (1000000); // pause for a second

? Pay attention to suspicious incidents!

Keep an eye on the log files of your server. Each connection failure result in the recording of an HTTP 401 code in the log files of your web server. The following events should put you in the spotlight:

  • Multiple failed login attempts from the same IP address
  • Connections with multiple usernames from the same IP address
  • Connections to the same account from different IP addresses
  • Exceptionally high usage for the same user
  • Failed login attempts with usernames or passwords in alphabetical order 

? Use a secure password

This is something that we cannot let go, and it is to use a strong enough password. These brute force attacks try to guide all the most common passwords users use on their sites. A secure password contains uppercase and lowercase letters, numbers and symbols.

Do not use the same password in more than one location. It’s never too late to start using a password management solution like 1Password or LastPass.

strong-wordpress-password

You can also use Force Strong Passwords, which enforces strong passwords for users with publish_posts, upload_files & edit_published_posts capabilities

Few basic requirements for a strong password:

  • Include numbers, capitals, special characters (@, #, *, etc.)
  • Can include spaces and be a passphrase
  • Change passwords every 120 days, or 4 months
  • Be long (10 characters – minimum; 50 characters – ideal)

strong-passwords-to-protect-from-brute-force-attack-on-wordpress

Use passphrase instead of a password

The use of Pass-Phrases is a solution that is increasingly used on the Internet. Pass-Phrases are similar to passwords, but with some differences. First, Passphrases only requires the characters. They can be numbers, special characters or others. The key is the length of a password.

Passwords or sentences with at least 16 characters offer the best protection. For each additional character in the code, its hacking will take longer to calculate the additional possibilities. The longer the code grows, the longer the computer has to work, so it is less likely to discover a valid password through a “brute force” attack.

Although passwords have several requirements, Passphrases usually have simple requirements:

  • 16 characters or more
  • Include an uppercase letter or number

 prevent wordpress brute force attack security tips

? Password protect the WP-Admin directory and limit login attempts

It is always advisable to limit the connection attempts of the users, although this alone cannot protect us from all attacks, since a botnet contains 90,000 IPs. Another thing you can do is password-protect the wp-admin directory, where it is recommended to limit the wp-login.php file to a specific IP address.

wordpress-lockedout-login

Restricting the number of failed attempts basically prevents and protects from brute force attack on your WordPress site.

? Change your default “ADMIN” and WordPress username

change-default-wordpress-admin-log-in

It is very common for beginner users to use very common usernames or that come by default as admin, administrator, test … Recently, the main hosting companies warn us that user names are being targeted at the moment.

If you have a generic username (like admin) on a WordPress site, then you must change it right now. [?ReadHow To Change Your WordPress Username?? – 3 Easy Ways]

By default, during a WordPress installation an “admin” user is automatically created. The connection to your blog is done via two fields: the username and password, leaving “admin” as an identifier in the list of users, you leave the door open to hackers, who just have to find the associated password, which very often, in this case, is very easy to find.

Usernames such as:

  • Your first name
  • The name of your dog (or cat)
  • The brand of your car
  • The name of your favorite artist

A WordPress username should not be simple to find, especially not looking at the names of the article authors. For your safety, try to generate a complex name, and put it in a safe place, so you can find it easily.

There are two easy ways to change your username:

  • The plugin
  • The code to insert
  1. Change your Username with a plugin

If you are not a technician, and do not want to play with the values ​​of the database, you can use a plugin to make this change.  Username Changer is a perfect plugin for this task.

  1. Change your username with code to insert

Add the following code for your theme functions.php the file after current replacement -Username and New-Nickname values ​​in the code:

global $ wpdb;

$ wpdb-> query ("

UPDATE wp_users

SET user_login = 'New-Username'

WHERE user_login = 'Current-Username';

");

In the code above, replace Current-Username with the current name, and New-Username with the new username.

Caution: Delete this code immediately after the change for security reasons. You only need to run this code once, it is not necessary to keep it in your theme.

? Disable WP directory browsing

Directory browsing allows any visitor to your site to see and browse the contents of the folders in your WordPress site. Everyone can visit a directory of your site, see the files and open them at will. By default, the majority of hosts have chosen to block access to directories, for obvious reasons of security, however, there are still many hosts that do not disable access to the directory of hosted sites. [ ?Also Read  – How To Disable Directory Browsing in WordPress Via .htaccess ]

During a brute force attack, hackers can use directory browsing to search for vulnerable files. To resolve this problem, you must download the .htaccess file from the root of your domain and make a copy. You should always have a copy of your .htaccess file when you make changes, because if things do not work out as expected, you can go back through your backup copy.

Notepad – Open the downloaded file with a text editor such as Notepad ++, available for free.

Go to the Encoding menu

Enable Encoder in UTF-8 (without BOM) to avoid creating unnecessary errors on your site

  • Add the lines below at the end of your .htaccess file :

# Disable Directory Browsing

Options All -Indexes

  • Save the changes and upload the new .htaccess file to your site, overwriting the existing one.

? Disable the execution of PHP code in WordPress directories

We will see below, how you can easily disable PHP code execution using the .htaccess file.

Disabling PHP execution is really easy. To start, create a new text file, name it .htaccess, and copy/paste code into the file you just created.

<Files * .php>

deny from all

</ Files>

Now, you have to put this file in the directories to protect. To do this, launch your favorite FTP client and download the file you just created into the directories, “wp-includes” and “/wp-content/uploads/”.

With this simple trick, you can block the execution of any PHP code in these vulnerable directories.

? Make regular backup copies of files and databases

The best security we can have for our website is to have a backup copy on a regular basis. We can make our copies manually from our hosting manager, there are also plugins as we will see later that can do this work automatically.

It is important to make these copies periodically, since hosting companies usually do not do them. [?Also See – How To Export WordPress Database ]

? Start using WordPress Security plugin

Most of the attacks suffered by WordPress are due to vulnerabilities caused by plugins, weak passwords and obsolete software. One of the most popular plugins is Loginizer where among many functions it hides the sites that are more prone to these attacks, keeping the most sensitive places like login, administration, etc., out of danger.

If we do not take into account these precautions it is easier than it seems to leave our site exposed to injections of malicious code and attacks of any kind, and this is something that we can avoid using the aforementioned tips.

? Also ReadBest WordPress Security Plugins To Protect Website in 2019 [Updated]

? Identify the attacker

The solution to identify the attacker is to mark him by giving him a cookie or use his IP address, while unfortunately, these two techniques are no longer sufficient because the hacker can change his IP address by using a proxy, or a VPN or simply restart the connection modem.

? Country Based Blocking

Most brute-force attempts come from a handful of countries. If you aren’t doing business there, you can completely block all visitors from those IP ranges. Block the top three attack countries by default.

  • Block the attacker’s IP address

If you notice an IP address that is making an extreme number of bad login attempts, then configure your Apache server to block this IP address.

Apache has commands to forbid access to these addresses using the <Directory>, <Files >, and <Location> directives, so you can use User-agent, or the information available in them.

To deny access to an IP address you can use: deny from 20.1.2.3

Or for all IP addresses starting with 10.0: deny from 10.1

This is the most effective method to block a remote user through the web server that handles HTTP requests.

  • Block the attacker with the Cookie

If an attacker has entered ten attempts, we create a cookie that will allow us to mark it when he returns to the site. This cookie will have to block it for 10 minutes. It is a small protection that is simple and can save you some difficult situations.

The script is as follows:

<? Php

if ($ _COOKIE ['counter'] 10) {

header ("HTTP / 1.0 404 Not Found" quot;);

die ();

}

setcookie ('counter', $ _ COOKIE ['counter'] + 1, time () + 3600); ?>

Admittedly, the script is basic but terribly effective against this type of attack!

? WordPress wp-login.php Brute Force Attack – Hide login page

There are 40 million brute force attacks on websites every day, so it is very likely that your site will be attacked. One of the simplest methods to protect your WordPress blog is to hide your login page.

There are several ways. One of the most common methods is to rename the file wp-login.php. This is the default login page, one that attacks hackers. Plug-ins can be used for this purpose. This plug-in, Change wp-admin login, is available on the WordPress website.

After installation and activation, this plug-in will direct users to the Permalinks section of the Control Panel Settings page. It will give users the ability to enter a new login URL. You will find other options as well. Most WordPress experts recommend that you also change the Common Settings from the default (Default) to the Post Name.

For the login URL, you can leave it as such, but you can also change it to some pretty unique one. In this case, the full login URL will be your site/the name of your login page. Remember that you should add to your favorites or write down the name you gave on the login page so you don’t forget it. You will also need to share this new URL with people who will need to connect to your WordPress site.

Hackers will now see a 404 error page that says the page is not found when they get to wp-login.php. However, WordPress will still dedicate resources to loading this page. Another trick is to edit the .htaccess file (htaccess file). Add the following code at the end of the file:

<Files wp-login.php>

deny from all

</Files>

This will return a 403 error rather than a 404 error. This is the banning error – anyone who tries to access wp-login.php will see a message saying that they do not have the permission to access /wp-login.php. When a 403 error is displayed, WordPress does not load any resources. Therefore, no slowdown occurs.

There are other methods to protect WordPress against brute force attacks, but this one is one of the easiest and fastest to set up. Another benefit of this method that can completely prevent hackers from accessing your login page is that it can also protect you against other forms of hacking.

Hiding the login page will help prevent different hackers from applying brute force to your WordPress blog to test several password combinations.

You can create a new login page with a new URL and hide your login with code in a few simple steps, which will add an extra layer of defence to your site.

You do not have to install plugins and it only takes a few minutes to get implemented.

Without further ado, let’s start.

  • Back It Up:

Since you need to make changes to your .htaccess file to hide your login page, it is important to create a full backup of your site. Your .htaccess file is important to the point that even a small error could completely make your site unavailable. It is better to make your arrangements now.

If you do not think your blog could be a victim of an attack, then at least make a backup of your .htaccess as well as the theme folder you are using.

Do not hesitate to have a look at these wordpress database backup plugins.

No matter which option you choose, you can edit the necessary files directly with your FTP client, with clients like FileZilla or in the cPanel, you will be able to access the files of your hosting.

  LockDown WordPress admin using .htaccess

You can do this by using Login LockDown plugin or manually by making changes in .htaccess. The code you need to add should be included at the top of your .htaccess file for WordPress unique installations or after the following lines on a multisite network:

RewriteEngine On

RewriteBase /

RewriteRule ^ index \ .php $ - [L]

Here is the code you need to add:

# BEGIN Hide login page

RewriteRule ^ mylogin $ https: //% {SERVER_NAME} /wp-login.php?key=123&redirect_to=https://% {SERVER_NAME} /wp-admin/index.php [L]

RewriteCond% {HTTP_REFERER}! ^ Https: //% {SERVER_NAME} / wp-admin

RewriteCond% {HTTP_REFERER}! ^ Https: //% {SERVER_NAME} /wp-login.php

RewriteCond% {HTTP_REFERER}! ^ Https: //% {SERVER_NAME} / login

RewriteCond% {QUERY_STRING}! ^ Key = 123

RewriteCond% {QUERY_STRING}! ^ Action = logout

RewriteCond% {QUERY_STRING}! ^ Action = lostpassword

RewriteCond% {REQUEST_METHOD}! POST

# END Hide login page

Make sure to change mylogin to the second line for the slug you want to use for your login page. If you do not change, you can find your login page as well  www.adminsite.com/mylogin.

It is recommended to change the “slug” because the default one is publicly available, which means that hackers have access to it as well. If you use a custom slug, then it will not be able to access it, because the only location where this slug is displayed is on this file.

Also, be sure to change 123 on lines two and seven for something else. It’s a secret key that will not be visible to hackers. You should choose something that is not easy to guess. Choose a value that is composed of letter and number.

Back up your .htaccess file and make sure your site is always available. If you get an internal 500 error, it means that you made a mistake somewhere. Restore the file and try again.

? Deny Access to No Referrer Requests

Extended from Combatting Comment Spam, you can use this to prevent anyone who isn’t submitting the login form from accessing it:

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} .*/(wp-comments-post|wp-login)\.php.*
	RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</ifModule>

Nginx – Deny Access to No Referrer Requests

location ~* (wp-comments-posts|wp-login)\.php$ {
        if ($http_referer !~ ^(http://example.com) ) {
          return 405;
        }
      }

Change example.com to your domain. If you’re using Multisite with mapped domains, you’ll want to change example.com to (example.com|example.net|example4.com) and so on. [ Sourcehttps://codex.wordpress.org/Brute_Force_Attacks  ]

? Temporarily disable CPU-intensive login limit plugins

Blocking this attack with .htaccess rules is the preferred method because connection-limiting plugins cannot only cause problems to trigger our own internal security rules, but they will not be effective in this type of attack.

? Update WordPress

Just like your computer, your anti-virus, WordPress updates provide fixes for bugs that have been detected, security patches as well, and improvements to the program itself. These updates are published regularly by WordPress and sometimes several times a month.

Without the regular update, your website is weakened and more easily hackable or may be affected by viruses. Cleaning up a site that has been hacked or attacked requires many hours and high technical skills to get the site up and running safely, to avoid the risk of another attack. Extensions, themes and plugins are also affected by security vulnerabilities and improvements are proposed by the new WordPress releases updates.

If the update is not done, the risk (low) is that a hacker uses the flaw that has been explained in detail on the official website. He can then hack all sites that have not yet done the updating job. The new releases that come out become a real constraint in time, and loss of money.

WP Brute Force Attack Protection – Expert Recommendations

✅  Based on the research done, We recommend not to use the delay strategy but the Captchas one. • Sometimes you find the server weak, this because there are a lot of brute force attacks and the servers CPU have to run a big number of sleep(); functions.

✅ Also, technically you can not avoid thousands of Login tries by delaying the repeated ones from single IP that is because using cloud nowadays hackers have the facilities to use thousands of virtual IPs.
✅ So if you publish your application on local server, its CPU is fully loaded by sleep(); calls. •
And if you publish your application on the cloud, you might pay more money.

✅ “Brute force attacks against un protect contact forms or logins. Malicious attacks often target login and contact forms in order to penetrate a site. Repeated, constant attacks on unprotected sites drive up compute cycles as the infrastructure processes each attempt. Many plugins are available to provide contact form and login protection and can mitigate the processing of illegitimate traffic. Captchas are very popular for addressing this threat.

✅ Other points to remember are –

  1. Use a slightly complicated password
  2. Your password must not be a date of birth
  3. Password should not be a word in the dictionary
  4. Do not use “azerty”, “qwerty”, “123456”, “password” or “football”

What we can say is that the brute force attack is more likely to fail if you react faster. To make the work of the hackers more difficult, you can also add the delay, an extra layer of protection. In the fight against brute force attacks, the most important thing is to save time, and not to make the task of the hacker too easy.

In The End,

If you liked this article, then you will love the WP Hacked Help . Secure your WordPress and get 24×7 support from our team of WordPress security experts. If you have the slightest doubt about the state of health of your site in terms of Security, Trust, receive a report of securing your WordPress site in under 36 hours.

The report includes the results of the various tests are aggregated, compared and crossed in order to highlight the biggest weaknesses of your sites, as well as the points on which you will not have to derogate.

We can help you Cleanup & Prevent .htaccess Attack, Remove Malware From WordPress Site, alongwith protection against WordPress XSS Attack, Web Shell PHP Exploit, WordPress Pharma Hack, Malware Redirect Hack, Google Blacklisting and Brute Force attacks on WordPress website to keep your site trustworthy and secure.

Best WordPress Security Service

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)