Digital Prosperity Blog

How To Stop Brute Force Attacks On Your WordPress Blog

A few weeks ago, our websites were under attack by a group of hackers.

They were using a "brute force" attack method, which involves repeatedly trying to guess our passwords, to the tune of over 100 requests per minute.

Aside from the security risks if you don't have strong passwords in place, this also slows your websites to a complete halt.

And that's what happened to us.

Our prospects, customers and clients could no longer access our websites.

We lost a ton of sales from potential customers, and luckily our customers are awesome so they understood completely - but it still threw a spanner in the works!

Eventually, after a week of trial and error with multiple methods, we fixed this annoying issue for good.

In this blog post, I'd like to share exactly what we did in case you have a similar problem - and also to prevent it happening to you in the future.

Step #1 - Install The "Brute Protect" Plugin (Free)

It was impossible to access our own websites throughout most of the day, but occasionally there would be a 10-minute window where we could access our website without any issues.

As soon as you can, you need to install the "Brute Protect" plugin. They've recently integrated an updated version of the plugin into the "Jetpack" plugin, but either plugin will work.

And no, we're not getting paid to endorse them - it's just the plugin which worked well for us - and it's free!

This plugin automatically blocks known hackers from accessing your website in the first place, using the attackers discovered by other people running the plugin. It also intercepts new hacking attempts.

It's the equivalent of having your own security guard on patrol 24/7.

Pretty cool stuff!

Step #2 - Make Your Passwords Stronger

Luckily for us, we always create strong passwords so this wasn't an issue.

But if you currently use short passwords without any numbers or symbols, listen up...

You need to visit the Strong Password Generator website (again, it's a free online tool) and click the button to generate a stronger password.

Be sure to keep this password somewhere safe, for example by pasting it into a securely stored document.

Step #3 - Add A Captcha To Your Forms

Brute force hackers use an automated script/"robot" to continually guess your passwords.

However, you can stop them submitting their guesses altogether by using this free Captcha plugin.

This plugin adds a simple math puzzle to your login forms and comment forms (if you wish), meaning the automated robots get confused at the puzzle and can no longer submit their guesses.

See the screenshot to the right to see how it looks.

Just be sure to brush up on your math skills, as some of them test your brain a little (which isn't necessarily a bad thing!).
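To show the mechanism behind a login-form math captcha, here is an added example that is not code from the post or from the captcha plugin it links to. It assumes a stateless design of my own: the server shows the puzzle, keeps no record of it, and instead hands the form a token containing an expiry, a random nonce and an HMAC over the correct answer; the names issue_challenge, make_challenge and verify_answer are hypothetical. The secret key is generated at import time only so the example runs offline; a real plugin would load it from configuration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a real deployment loads this from configuration (for example a WordPress
# salt); a fresh random key is generated here so the example runs on its own.
SERVER_SECRET = secrets.token_bytes(32)
CHALLENGE_TTL = 10 * 60  # seconds a puzzle remains answerable
OPERATORS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}


def _mac(expires, nonce, answer):
    """HMAC over expiry, nonce and correct answer; the answer itself never reaches the client."""
    msg = f"{expires}:{nonce}:{answer}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(a, b, op, now=None):
    """Return (question shown in the form, opaque token for a hidden field)."""
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op!r}")
    if op == "-" and b > a:
        a, b = b, a  # keep the expected answer non-negative
    now = int(time.time()) if now is None else int(now)
    expires = now + CHALLENGE_TTL
    nonce = secrets.token_hex(8)  # makes each token unique even for the same puzzle
    token = f"{expires}:{nonce}:{_mac(expires, nonce, OPERATORS[op](a, b))}"
    return f"What is {a} {op} {b}?", token


def make_challenge(now=None):
    """Random puzzle, as a plugin would generate on each page load."""
    a = secrets.randbelow(20) + 1
    b = secrets.randbelow(20) + 1
    op = secrets.choice(list(OPERATORS))
    return issue_challenge(a, b, op, now)


def verify_answer(token, submitted, now=None):
    """True only if the submitted answer matches the token's HMAC and the token has not expired."""
    now = int(time.time()) if now is None else int(now)
    try:
        expires_s, nonce, mac = token.split(":")
        expires = int(expires_s)
        answer = int(str(submitted).strip())
    except ValueError:
        return False  # malformed token or non-numeric answer
    if now > expires:
        return False
    # Constant-time comparison so timing does not leak how many MAC bytes matched.
    return hmac.compare_digest(mac, _mac(expires, nonce, answer))


if __name__ == "__main__":
    question, token = make_challenge()
    print(question)
    print("token:", token)
```

The token is bound to one specific answer, so a script cannot submit the same puzzle with a different value, and an expired token fails regardless of the answer. Two caveats a practitioner should keep in mind: this version does not record used nonces, so a correctly answered token could be replayed until it expires (a production plugin stores used nonces or ties the token to the session), and a simple arithmetic puzzle only stops scripts that do not bother to parse it, so it belongs beside rate limiting rather than in place of it.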

So with these 3 steps, known hackers are blocked from accessing your website in the first place; if they do get through, they can't get past the captcha; and if they somehow get past that too, your passwords are nearly impossible to guess.

Now that your business is safe, you can focus more of your energy on growing it 😀

To better security!
- James Francis.

P.S. For the hardcore security enthusiasts, this page from the WordPress folks should help with some additional security measures. But personally I feel it's a little overkill unless your business is attracting a lot of attention (i.e. over $5k profit per month).

P.P.S. Have you had any experiences like this? Share them in the comments section below!


4 Responses

  1. Thanks for the info. I use a limited plugin too that only allows people 3 chances a day to login or they get kicked off. These people have nothing better to do, what a shame. They would do better building software and selling it. Quit being negative and start being positive. Their life would be a whole lot better. I believe in Karma, what comes around goes around...
    Thanks again
    Glenn

  2. I haven't had this happen myself, but I also recommend the Login Lockdown plugin to reduce/prevent brute force attacks. Here's the plugin description:

    "Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes."
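The lockout policy quoted in the comment above (3 failed attempts within 5 minutes from one IP range, then a 1 hour lockout of that range) is easy to express as a sliding-window counter. The following is an added example of mine, not code from the Login LockDown plugin or from the post: it replays a constructed set of login events and reports what the policy would decide for each. Treating an "IP range" as an IPv4 /24 is my assumption, as are the names LoginLockdown, parse_log and simulate; the addresses come from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.

```python
from collections import defaultdict, deque
from ipaddress import ip_network

# Defaults taken from the plugin description quoted in the comment above.
# Treating an "IP range" as an IPv4 /24 is an assumption made for this example.
MAX_FAILURES = 3
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 60 * 60
RANGE_PREFIX = 24

# Constructed sample of login events, one per line: "<unix time> <client ip> <FAIL|OK>".
# OK means the submitted password was correct, FAIL means it was not.
SAMPLE_LOG = """\
0 198.51.100.7 FAIL
30 198.51.100.7 FAIL
60 198.51.100.8 FAIL
90 198.51.100.7 OK
100 203.0.113.5 OK
3660 198.51.100.7 OK
"""


def parse_log(text):
    """Yield (timestamp, ip, password_correct) tuples in the order they occurred."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, result = line.split()
        yield int(ts), ip, result == "OK"


class LoginLockdown:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, prefix=RANGE_PREFIX):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.prefix = prefix
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> time the lockout expires

    def range_of(self, ip):
        """Collapse a client address to the range the policy counts against."""
        return ip_network(f"{ip}/{self.prefix}", strict=False)

    def is_locked(self, ip, now):
        r = self.range_of(ip)
        until = self.locked_until.get(r)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[r]  # lockout has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login; returns True when this failure trips the lockout."""
        r = self.range_of(ip)
        recent = self.failures[r]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop failures that fell outside the sliding window
        if len(recent) >= self.max_failures:
            self.locked_until[r] = now + self.lockout
            recent.clear()
            return True
        return False


def simulate(events, tracker=None):
    """Return one decision per event: blocked, allowed, failed, or locked-out."""
    tracker = tracker or LoginLockdown()
    decisions = []
    for ts, ip, ok in events:
        if tracker.is_locked(ip, ts):
            decisions.append("blocked")     # refused before the password is even checked
        elif ok:
            decisions.append("allowed")
        elif tracker.record_failure(ip, ts):
            decisions.append("locked-out")  # this failure started the lockout
        else:
            decisions.append("failed")
    return decisions


if __name__ == "__main__":
    for event, decision in zip(parse_log(SAMPLE_LOG), simulate(parse_log(SAMPLE_LOG))):
        print(event, "->", decision)
```

In the sample, the third failure comes from a different host in the same /24, which is exactly the case a per-range rule catches and a per-address rule misses; the legitimate login at t=90 is then refused even with the right password, and access returns once the hour is up. Two consequences follow for anyone tuning such a policy: locking a whole range also locks out innocent users who share it (office NAT, mobile carriers), and an attacker spreading guesses across many ranges stays under the threshold, which is why a shared list of known attacker addresses, as the post's plugin provides, complements a local counter rather than replacing it.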

  3. Hey James,

    I once had this issue.

    Then I installed WordFence (free plugin)

    And then I started getting a lot of emails saying how I just stopped another brute force attack.

    Another tip would be to make sure your Administrator username is not "admin" because that one is common in most attacks.

    Isaiah Jackson
