5 Options to Reduce Brute Force Attack on Your WordPress Website

5 Options to Reduce Brute Force Attack on Your WordPress Website

Brute force attack is quite common in the web world. Indeed, if you have a website, you have certainly experienced attempts to connect to your website or application. In this article, we explain how to better secure your website to avoid the brute force attack. We will focus on the WordPress application. If you had third-party software, it would be a pleasure to redo this article for your tool in a later article. Simply leave us a message. In this article, we will talk about protecting WordPress login options. We will also see some measures you can apply to better strengthen the security of your website.

The different login approaches on a WordPress website

It is important to know what approaches users use to connect to websites. Indeed, to access your website, you necessarily need a login form or a link offered by the application. Before asking the question of how to better protect your site against the brute force attack, let's explore the connection options.

1- Connection via the default link wp-admin

Even a beginner using WordPress knows that to connect to a website, all they need to do is add wp-admin to the domain name. When you install a WordPress website, you can access it through the domain name/wp-admin link. Generally, this page allows you to connect, change your password or create an account.

2- Connection from a personalized form on its website

You can create a custom form on your website to allow your users to login. This will allow users to use the link you provide to access the website. Generally, this approach has several advantages:

  1. Users may not know that you are using any technology. Hence more changes to manage security.
  2. You can compensate for the limitations of the default login link.

3 – Using the WordPress xmlrpc.php file

With a little knowledge of web programming, it is possible to use the WordPress Xmlrpc.php file to connect to a website. This is the preferred approach of cybercriminals simply because many site owners are unaware. The approach will consist entirely of making a POST (computing term) request. Many do this automatically from PHP code.

4 – Connection using APIs

You can use a connection to your website through APIs to access your website. It would also require a minimum of knowledge in web development. There are of course several other approaches. However, the ones we listed above are the main ones. Below we will talk about what you can do to better protect your website.

4 Steps to Reduce Brute Force Attack

If you receive connection attempt notifications; or if you have sometimes seen unwanted users registered on your website, you must first take the time to validate your configuration. Indeed, WordPress by default offers the possibility of protecting a website. Validate , for example, that you have disabled the account creation option (if you do not allow account creation). You can make this adjustment in your admin panel. Look in the option Configuration ⇒ User account. In the event that you authorize account creation, validate that the administrator email works to be able to receive notifications in the event of account creation. This will allow you to better control who has access to your website.

Option 1 – Protect your website login forms with captchas

In the vast majority of the time, the people who will try to access your website are not physically present there. They use scripts that make chain connection attempts. This allows them to easily achieve their goals. With captchas you can curb the possibility of using scripts to access your website. The captcha could, for example, use artificial intelligence to validate if a user is real. Alternatively, there would be a question to validate to continue with the connection. We offer you this extension that we have developed. It uses version 2 and 3 of Google that you can activate on the login or account creation form.

Option 2 – Completely change the wp-admin name to any name.

As we mentioned above, many know that you have to add wp-admin to the domain name to have access to the connection. To protect your website, you can change wp-admin to any name. To achieve this, you can use a WordPress plugin. It is also possible to modify manually if you have knowledge of web programming. Via this link you will find a set of links that WordPress offers.

Option 3 – Block additional access to the wp-admin link and activate it only at your ip address

In the event that you are the only WordPress site administrator, you can disable the wp-admin link. With the .htaccess file available in the main WordPress site directory, you can control access to your links. Below is an example of code you can use:

 <Files wp-login.php> order deny,allow Deny from all # allow access from my IP address allow from 168.98 . 10.2 # allow access from my IP address allow from 168.98 . 10.6 </Files>

In the code above is assumed to be your IP address. You can add as many addresses as you want as needed. It is important to note that this approach is only valid if you have a static IP address. If you have a constantly changing address, it is difficult to make changes all the time.

Option 4 – completely block access to WordPress's xmlrpc.php file or use a plugin to restrict

As we said above, the xmlrpc.php file is also a gateway to your website. You can completely limit access to this file (if you don't use it through extensions). Alternatively, you can restrict access mostly to apps that use it on your website. Below is sample code you can use to block access

 <Files xmlrpc.php> order deny,allow Deny from all # allow access from my IP address allow from 168.98 . 10.2 # allow access from my IP address allow from 168.98 . 10.6 </Files>

Option 5 – Use two-tier authentication

Several platforms are opting for two-tier authentication as a means to combat the brute force attack. This would simply require the user to provide two login options. To this end, at each connection attempt, the user must present a validation code to access the website. This is all the more effective since even if a cybercriminal manages to have your password, he should have access to your phone or email. Also Read: How to Fix “Error Establishing a WordPress Database Connection”?

Conclusion and final reflection

Cybercrime , including brute force attacks, is a problem that could target anyone in a society. Indeed, it is possible in particular to protect oneself from known approaches. However, cybercriminals are constantly on the lookout for vulnerabilities they can exploit. As an individual or a company, you must apply a set of processes to be as safe as possible from possible attacks. If you need assistance in evaluating and proposing possible solutions in order to strengthen the security of your website, contact us .

Gilblas Ngunte Possi

Gilblas Ngunte Possi

Founder and Full-Stack Developer at Prositeweb.

My proficiency with modern tools and a keen analytical sense regarding information technology enable me to provide superior guidance in the development and implementation of your web solutions.

Leave a Reply

Your email address will not be published. Required fields are marked *

Gilblas Ngunte Possi

Typically replies within an hour

Hi there👋

How can I help you?
Chat with Us