5 Options to Reduce Brute Force Attack on Your WordPress Website


Brute force attacks are quite common on the web. If you run a website, you have almost certainly seen attempts to log in to your website or application. This article explains how to better secure your website against brute force attacks, focusing on WordPress. If you use third-party software instead, we would be happy to cover your tool in a later article; simply leave us a message. We will first describe the login options WordPress exposes, then the measures you can apply to strengthen the security of your website.

The different login approaches on a WordPress website

It is important to know which routes users take to log in to a website. To access your website, a user needs a login form or a link offered by the application. Before asking how to better protect your site against brute force attacks, let's explore these login options.

1 – Connection via the default link wp-admin

Even a beginner using WordPress knows that all they need to do is add wp-admin to the domain name to reach the login page. As soon as a WordPress website is installed, it is reachable at your-domain/wp-admin. Generally, this page lets you log in, change your password or create an account.

2 – Connection from a custom form on your website

You can create a custom form on your website to allow your users to log in. This will allow users to use the link you provide to access the website. Generally, this approach has several advantages:

  1. Users may not know which technology you are using, which gives you more room to manage security.
  2. You can compensate for the limitations of the default login link.

3 – Using the WordPress xmlrpc.php file

With a little knowledge of web programming, it is possible to log in through the WordPress xmlrpc.php file. This is the route cybercriminals prefer, simply because many site owners are unaware that it exists. The approach consists entirely of sending an HTTP POST request to that file, and attackers usually automate it from a script (PHP, for example).

4 – Connection using APIs

You can also log in to your website through its APIs. This too requires a minimum of knowledge of web development.

There are of course several other approaches. However, the ones we listed above are the main ones. Below we will talk about what you can do to better protect your website.

4 Steps to Reduce Brute Force Attack

If you receive notifications of login attempts, or if you have seen unwanted users registered on your website, first take the time to check your configuration. WordPress already offers some protection by default. Check, for example, that you have disabled account creation (if you do not allow registration). You can make this adjustment in your admin panel, under the option Configuration ⇒ User account. If you do allow account creation, check that the administrator email address works, so that you receive a notification whenever an account is created. This lets you keep control of who has access to your website.

Option 1 – Protect your website login forms with captchas

The vast majority of the time, the people trying to access your website are not sitting at a keyboard. They use scripts that make login attempts in a chain, which lets them try a large number of passwords quickly.

With captchas, you can curb the use of scripts against your login form. The captcha may, for example, use artificial intelligence to decide whether the user is real, or ask a question that must be answered before the login continues. We offer an extension that we developed for this purpose; it uses Google reCAPTCHA versions 2 and 3, and you can enable it on the login form or the account creation form.

Option 2 – Completely change the wp-admin name to any name

As we mentioned above, many people know that adding wp-admin to the domain name leads to the login page. To protect your website, you can change wp-admin to any other name. To achieve this, you can use a WordPress plugin; it is also possible to make the change manually if you know web programming. Via this link, you will find a set of links that WordPress offers. Keep in mind that this only hides the default form: the other login routes listed above (xmlrpc.php and the APIs) are unaffected and need their own protection.

Option 3 – Block access to the wp-admin link except from your own IP address

If you are the only administrator of the WordPress website, you can restrict the login page (wp-login.php, to which wp-admin redirects) to your own address. Thanks to the .htaccess file in the main directory of a WordPress site, you can control access to your links. Below is an example of code you can use:

<Files wp-login.php>
# Apache 2.2 access control (on Apache 2.4 this syntax needs mod_access_compat):
# Deny rules are evaluated first, then Allow rules, so the Allow lines win for the listed addresses
Order deny,allow
Deny from all

# allow access from your first IP address
Allow from 168.98.10.2

# allow access from a second IP address (add one Allow line per address)
Allow from 168.98.10.6
</Files>

In the code above, 168.98.10.2 and 168.98.10.6 are assumed to be your IP addresses; you can add as many addresses as you need. Note that the Order/Deny/Allow directives are the Apache 2.2 syntax; on Apache 2.4 they only work when the mod_access_compat module is loaded. It is also important to note that this approach is only practical if you have a static IP address. If your address changes constantly, you would have to edit the file all the time.

Option 4 – Completely block access to WordPress's xmlrpc.php file, or use a plugin to restrict it

As we said above, the xmlrpc.php file is also a gateway to your website. You can block access to this file completely (if none of your extensions rely on it; Jetpack and the WordPress mobile apps are the usual users). Alternatively, you can restrict access to only the applications that use it on your website. Below is sample code you can use to block access except from the listed addresses:

<Files xmlrpc.php>
# Apache 2.2 access control (on Apache 2.4 this syntax needs mod_access_compat):
# deny everyone, then re-allow only the addresses of the clients that legitimately use XML-RPC
Order deny,allow
Deny from all

# allow access from your first IP address
Allow from 168.98.10.2

# allow access from a second IP address (add one Allow line per address)
Allow from 168.98.10.6
</Files>
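The two .htaccess fragments above (Options 3 and 4) use the Apache 2.2 syntax. As an added example that is not part of the original article, here is the same protection written for Apache 2.4's mod_authz_core, covering both options: wp-login.php limited to an allowlist, the wp-admin directory limited in the same way but with admin-ajax.php left reachable (themes and plugins call it from the public pages on behalf of anonymous visitors), and xmlrpc.php denied outright. The addresses 198.51.100.10 and 203.0.113.0/24 are placeholders from the documentation ranges; replace them with your own.

```apache
# Added example for Apache 2.4 (mod_authz_core); not the article's own configuration.
# The addresses are placeholders from the documentation ranges: substitute your own.

# --- .htaccess in the WordPress root directory ---

# Option 3: only the listed addresses may reach the login page.
<Files "wp-login.php">
    <RequireAny>
        Require ip 198.51.100.10
        Require ip 203.0.113.0/24
    </RequireAny>
</Files>

# Option 4: nobody may reach the XML-RPC endpoint.
# Remove this block if a plugin or client app (Jetpack, the WordPress mobile apps) needs it.
<Files "xmlrpc.php">
    Require all denied
</Files>

# --- wp-admin/.htaccess (a separate file inside the wp-admin directory) ---
# <Directory> is not allowed inside .htaccess, so the directory-wide rule lives
# in its own file. It applies the same allowlist to everything under wp-admin ...
<RequireAny>
    Require ip 198.51.100.10
    Require ip 203.0.113.0/24
</RequireAny>

# ... except admin-ajax.php, which must stay public or front-end features that
# rely on AJAX (search, forms, "load more" buttons) break for ordinary visitors.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

If a plugin also submits front-end forms to wp-admin/admin-post.php, grant that file in the same way. Blocked requests still reach Apache and are logged with a 403 status, so counting 403 responses to wp-login.php and xmlrpc.php in the access log is a simple way to see how many attempts the rules are stopping.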

Option 5 – Use two-factor authentication

Several platforms are adopting two-factor authentication as a means of combating brute force attacks. It simply requires the user to provide two proofs of identity: at each login, in addition to the password, the user must present a validation code to access the website. This is all the more effective because even if a cybercriminal manages to obtain your password, they would also need access to your phone or email.

Conclusion and final reflection

Cybercrime, including brute force attacks, is a problem that can target anyone. It is possible to protect yourself against the known approaches; however, cybercriminals are constantly on the lookout for new vulnerabilities to exploit. As an individual or a company, you must apply a set of processes to be as safe as possible from potential attacks. If you need assistance in evaluating and proposing solutions to strengthen the security of your website, contact us.
