Brute Force Attack on my WordPress website

Protect WordPress sites from intrudersFor the past two weeks I’ve been receiving notifications from my web host that my website, dandelionwebdesign.com is under brute force attack! I’m not alone.

According to HostGator, “there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence”.

How can we protect our WordPress sites from intruders?

  • Delete any the standard “admin” WordPress username: If your WordPress installation has an administrative login that is “admin” you are at increased risk. Read more about how to remove “admin”.
  • Use a strong password: Strong passwords contain upper and lowercase letters, are at least eight characters long, and include “special” characters (^%$#&@*).
  • Limit the number of allowed login attempts: Go to Plugins -> Add New and search for “Limit Login Attempts”. Install and activate the plugin. You can adjust the number of allowed attempts under Settings -> Limit Login Attempts. This however won’t stop hackers from continued attempts using different IP addresses.
  • Change where you login: The Stealth Login Page plugin will prevent a brute force attack on your wp-login page. What it does is change where you login and send anyone going to the standard wp-login away from your site.Go to Plugins -> Add New search for “Stealth Login Page” and install it. After you activate it, go to the settings page under Settings and you’ll see a simple set of options: Enable/Disable, the redirect URL (just enter http://google.com), the question (one short word), the answer (one short word), and an option to e-mail the site admin the new URL string to access the login page. You will want to bookmark your new login page and notify your web developer and any others who need access of the change.
    stealth-screenshot-1You will now login at http://yourdomain.com/wp-login.php?question=answer (replace question and answer with the words you entered in the plugin setting.
  • The best way to ensure that your WordPress site is safe is to pick a web host that only hosts WordPress! I’m in the process of moving my site to WP Engine [affiliate link]. They are more expensive than the cheap shared hosting I’ve used up till now, but worth it!

Want more? Here’s a detailed list of Security tips from WordPress.

[cross posted on dandelionwebdesign.com]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.