WordPress Security Flaws.
14 Apr 2013

This week has seen a surge in clients whose WordPress sites have been hacked in brute force attacks. This has resulted in an abuse of bandwidth, and some sites have been taken offline due to high server load. Although WordPress is a great system thanks to its scalability and usability, there are a few measures you should take to protect your website.

This is a very widespread brute force attack targeting WordPress installations across the globe, on any and every hosting provider.

Here are a few tips which we recommend you follow to prevent your WordPress website from falling victim to this attack:
Set A Very Strong Password
Change your WordPress admin password to a very strong one that cannot be easily guessed.

Here are the recommendations from WordPress:

Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this. The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords. WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.

Rename Your Admin Username
WordPress usually sets the default administrative username to “admin”. We suggest renaming this to something that is not easily guessed; this is the bare minimum we would recommend, as a matter of urgency.

1) Log into WordPress.
2) Go to Users > Add New.
3) Create a new username and set the role to Administrator.
4) Log into the new account and go to Users.
5) Delete the old account; when prompted, select the new account as the author for its pages and posts.
Password Protect Your “wp-admin” Directory & “wp-login.php” File
The best way to protect against brute force attacks is to prevent them from reaching your login page in the first place.

Securing only the “wp-admin” directory is not enough, as the attacker can still reach your WordPress login page through the “wp-login.php” file in the root directory of your WordPress installation.

To secure the “wp-login.php” file, follow the steps below:

1) Use the Interworx File Manager or your FTP client.
2) Navigate to the “wp-admin” directory.
3) Open the “.htaccess” file and copy its contents (from “AuthType Basic” to “require valid-user”).
4) Navigate to the root directory of the WordPress installation (your main WordPress directory).
5) In that directory’s “.htaccess” file, type in “<FilesMatch "wp-login.php">” below “# END WordPress”.
6) Paste the copied contents on a new line.
7) Type in “</FilesMatch>” below the pasted content.
8) Save the file.
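As an added example (not part of the original post), the shell script below carries out steps 4 to 8 non-interactively: it appends the HTTP Basic Auth block for “wp-login.php” to the root “.htaccess” directly after the “# END WordPress” marker, appends it at the end of the file when that marker is absent, and leaves the file alone if the block is already present. The function names, the realm name “Restricted Area” and the location of the “.htpasswd” file are assumptions; the “.htpasswd” file is assumed to already exist (for instance the one Interworx created for “wp-admin”), stored outside the web root.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions (not from the page): the .htpasswd file passed as $2 already
# exists, e.g. created with:  htpasswd -c /path/outside/webroot/.htpasswd user
# The realm name "Restricted Area" is a placeholder.

# Print the protection block for wp-login.php.
# $1 = full path to the .htpasswd file used by AuthUserFile.
wp_login_auth_block() {
    cat <<EOF
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Restricted Area"
AuthUserFile $1
require valid-user
</FilesMatch>
EOF
}

# Usage: add_wp_login_protection /path/to/.htaccess /path/to/.htpasswd
# Idempotent: does nothing if the block is already in the file.
add_wp_login_protection() {
    htaccess=$1
    htpasswd=$2
    if grep -q '<FilesMatch "wp-login.php">' "$htaccess" 2>/dev/null; then
        return 0
    fi
    if grep -q '^# END WordPress' "$htaccess" 2>/dev/null; then
        # Insert right after the WordPress marker so the rewrite rules stay intact.
        tmp=$(mktemp)
        awk -v block="$(wp_login_auth_block "$htpasswd")" '
            { print }
            /^# END WordPress/ { print ""; print block }
        ' "$htaccess" > "$tmp"
        # Copy back over the original so its ownership and permissions survive.
        cat "$tmp" > "$htaccess" && rm -f "$tmp"
    else
        # No marker (e.g. pretty permalinks never enabled): append to the end.
        { printf '\n'; wp_login_auth_block "$htpasswd"; } >> "$htaccess"
    fi
}

# Number of protection blocks in a file; used to confirm the edit was applied once.
count_wp_login_blocks() {
    grep -c '<FilesMatch "wp-login.php">' "$1" 2>/dev/null || true
}
```

Run it as `add_wp_login_protection /var/www/site/.htaccess /home/user/.htpasswd` (paths are examples). Keeping the block after “# END WordPress” matters: WordPress rewrites the section between its BEGIN and END markers when permalinks change, and anything placed inside that section would be lost.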