WordPress Security: Defending your website against brute force attack

WordPress was launched as blog management software, but developers quickly turned it into a content management system for building all kinds of websites because it is so easy to install. The default installation, however, is hacker friendly. A website owner must take proactive measures to protect their website.

Basic Security Measures
After the famous 5-minute installation, an experienced website developer must find a way to harden WordPress against hackers, at least to a comfortable level.

  • Use a strong password for every administrator account, change passwords regularly and, if you have the time, change the username at least once every 3 months.
  • The rule of thumb for WordPress is: do not use the default admin username on the live website. Create a new user account, give it the administrator role, log in with it and delete the default admin username.
  • Run updates regularly for WordPress, plugins, themes and any custom additions to your website. Security patches are released almost daily, so it is wise to apply those updates.
  • After installation, delete the config-sample.php file, generate permalinks that don’t show the post or page ID, and disable directory listing on your host.

Brute Force Attacks
A brute force attack is where a user or script tries to gain access to your website by repeatedly guessing different username and password combinations. If your username and password combination is within the guessed range, a brute force attack on your website will succeed.

An unresponsive website can be a symptom: the many calls to PHP and MySQL generated by the login attempts increase server load and degrade website performance. If you are unable to log in to your website, or your index page has been replaced, you are probably under a brute force attack.

Defending Yourself Against Brute Force Attacks

To set up password protection for the WordPress login page, follow these steps:

1. Use your web browser to go to http://www.htaccesstools.com/htpasswd-generator.
2. In the Username text box, type a username.
3. In the Password text box, type a password for the user.
4. Click Create .htpasswd file, and then copy the line of text. The line of text should contain the username you specified, followed by a colon (:), and then the encrypted password. For example:

username:$apr1$IUQgDA6U$qbXb9wEnjirNCqxezpjoe5

5. Create a file named .wp-password in your Hosting account’s home directory (/home/username, where username represents your Hosting account username). Paste the line of text from the previous step into the file. There are two ways you can create and edit this file:

  • Log in to your account using SSH, and use a text editor from the command line.
  • Log in to your account using cPanel, and use an editor in the File Manager.

6. Save the .wp-password file and exit the text editor.
7. Create an .htaccess file in the directory where you installed WordPress.
8. Block IP addresses from accessing the WordPress login page
9. Change the WordPress login URL
10. Enable CloudFlare for your site
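The .htaccess rules for step 7, as an added example that is not part of the original post: they put the .wp-password file from step 5 in front of wp-login.php and, for step 8, optionally limit the login page to a known source address. The file path /home/username/.wp-password, the address 203.0.113.10 and Apache 2.4 syntax are assumptions.

```apache
# Added example, not from the original post. Assumes Apache 2.4 and that the
# .wp-password file created in step 5 lives at /home/username/.wp-password
# (placeholder path). Place these lines in the .htaccess file of the directory
# where WordPress is installed (step 7).
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted WordPress Login"
    AuthUserFile "/home/username/.wp-password"

    # Step 8: a client must present a valid username/password from .wp-password
    # AND come from a known address before it ever reaches WordPress's own login
    # form. 203.0.113.10 is a placeholder; a range such as 203.0.113.0/24 also works.
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.10
    </RequireAll>
</Files>

# If you cannot pin the source address (roaming administrators), replace the
# <RequireAll> block with a single "Require valid-user" line. The extra password
# prompt alone already stops scripts that hammer wp-login.php with guessed
# WordPress credentials, because they never get past the web server.
```

Apache returns HTTP 401 for missing or wrong Basic Auth credentials and 403 for a disallowed address, so failed attempts show up in the server access log instead of in PHP and MySQL load.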