Staving off an attack on your site can mean the difference between carrying on as normal and, in the worst case, having to rebuild the entire site from scratch and losing valuable customers and business. One form of attack that WordPress users can fall victim to is a brute force attack.
These attacks are fairly basic: they simply try as many different username and password combinations as possible in order to gain access to your site. Because they are usually carried out not by humans entering combinations by hand but by automated bots, a very large number of login attempts can be made in quick succession, and any account with a weak or reused password is likely to be found eventually.
If you aren’t convinced, or are unaware of how regularly brute force attacks hit websites, take a look at the activity map on the Wordfence website for a real-time overview of attacks being blocked on WordPress sites the plugin protects.
WordPress Brute Force Protection Plugins
To help you protect your sites from such threats, we are going to take a look at two free security plugins for WordPress designed to defend against brute force attacks.
Wordfence Security
The free version of the Wordfence plugin has been downloaded over 1.3 million times. That matters here because this security tool becomes more effective the more people use it: when one site running Wordfence is attacked and the attacker is blocked, every other site running the plugin automatically blocks that attacker too. This real-time sharing of known attackers means your site’s list of blocked IP addresses is constantly being updated, so an address that has already been caught attacking another site is refused at yours. By pooling this data in the cloud, Wordfence gets better each day at protecting your site.
This WordPress security plugin also has other features to keep your site secure, including a firewall, anti-virus scanning and malicious URL scanning. The Wordfence blog also carries news of the latest brute force attacks taking place around the world, and Wordfence can email you if your site is at risk.
The plugin can also repair your site should it get hacked. This feature uses Wordfence’s source code verification to compare your core, plugin and theme files against the original copies, show what has been changed and then undo those changes. It works even if you aren’t keeping backups of your site, with one caveat: it can only restore files for which a known-good original exists, so custom code and your database are not covered, and a backup remains worth having.
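What a source verification step of this kind boils down to, as an added example rather than Wordfence’s own code: hash every file in the install, compare the hashes with a manifest built from the clean release, and report what was modified, what has vanished and what extra files have appeared. The file names, contents and the “injected” change are constructed for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every file under `root` with a known-good manifest (relative path -> sha256).
    Returns the files whose contents changed, the files that vanished, and the files the
    manifest knows nothing about (the usual place a dropped backdoor shows up)."""
    found: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = sha256_file(full)
    return {
        "modified": sorted(p for p, h in manifest.items() if p in found and found[p] != h),
        "missing": sorted(p for p in manifest if p not in found),
        "unexpected": sorted(p for p in found if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed three-file 'install' with its manifest, then a simulated compromise."""
    clean = {
        "wp-includes/version.php": b"<?php $wp_version = '3.9';\n",
        "wp-includes/functions.php": b"<?php function wp_example() {}\n",
        "wp-config-sample.php": b"<?php // sample config\n",
    }
    # The manifest is built from the clean copies before anything is tampered with.
    manifest = {path: hashlib.sha256(data).hexdigest() for path, data in clean.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in clean.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # Simulate what a scan must catch: a modified core file, a dropped extra file,
        # and a deleted file.
        with open(os.path.join(root, "wp-includes", "functions.php"), "ab") as f:
            f.write(b"/* injected code */\n")
        with open(os.path.join(root, "wp-includes", "extra.php"), "wb") as f:
            f.write(b"<?php /* not part of the release */\n")
        os.remove(os.path.join(root, "wp-config-sample.php"))
        return verify_tree(root, manifest)
```

Wordfence compares against original copies of core, plugin and theme files; the manifest here stands in for that reference. For core files you can run the same comparison yourself without any plugin: WP-CLI’s `wp core verify-checksums` checks the install against the checksums WordPress.org publishes for each release.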
The free version of Wordfence is available from the WordPress plugin repository, so it can be installed directly from your site (Plugins > Add New > Search ‘wordfence security’). After installation you can run a site scan. Once the plugin had run its first scan on my site it detected that some of the users had passwords that weren’t very secure. Scheduled scans are only available to premium customers.
There are lots of settings for Wordfence Security, giving you plenty of control over how the plugin works. You can block visitors by IP address or by a range of addresses, and block specific User-Agents (browser identification strings), which can include known bots. Bear in mind that the User-Agent is chosen by the client and is trivial to change, so treat that option as a way to cut noise rather than as a security boundary.
By entering one or more email addresses you can enable email alerts for a range of events, including when the plugin issues a warning, when an IP address is blocked, when the lost password form is used, or when someone logs into your site.
The plugin also lets you set security options for the login page: how many login failures to allow before locking out the address they came from, and how many forgotten password attempts to allow. Because the lockout applies to the IP address, set the threshold with shared addresses in mind, as several legitimate users behind one office or carrier NAT can lock each other out. You can also use the plugin to enforce strong passwords for new user accounts.
The premium version of Wordfence Security adds scheduled scans of your site, blocking of visitors from specific countries, two-factor authentication via cell phone sign-in, and remote scans. It is available for $39.
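To make concrete what the login-failure lockout, the IP-range and User-Agent blocks, and the shared “one site blocks, all sites block” list described above actually do, here is an added example in Python. It is not Wordfence’s or BruteProtect’s code: the `LoginGuard` and `SharedBlocklist` names, the thresholds, and the login attempts it replays (using RFC 5737 documentation addresses) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class LoginEvent:
    ts: int           # Unix time of the attempt, in seconds
    ip: str           # client address as seen by the web server
    username: str
    user_agent: str
    success: bool     # whether WordPress accepted the credentials


class SharedBlocklist:
    """Stand-in for the cloud list the plugins consult: once any site locks an
    address out, every site sharing the list refuses it until the lockout expires."""

    def __init__(self) -> None:
        self.locked_until: Dict[str, int] = {}

    def report(self, ip: str, until: int) -> None:
        self.locked_until[ip] = max(self.locked_until.get(ip, 0), until)

    def is_listed(self, ip: str, now: int) -> bool:
        return self.locked_until.get(ip, 0) > now


class LoginGuard:
    """Per-site limiter: `max_failures` failures from one IP within `window`
    seconds locks that IP out for `lockout` seconds."""

    def __init__(self, max_failures: int = 5, window: int = 300, lockout: int = 900,
                 blocked_ranges: Iterable[str] = (), blocked_agents: Iterable[str] = (),
                 shared: Optional[SharedBlocklist] = None) -> None:
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.blocked_ranges = [ipaddress.ip_network(r) for r in blocked_ranges]
        self.blocked_agents = [a.lower() for a in blocked_agents]
        self.shared = shared
        self.failures: Dict[str, List[int]] = {}   # ip -> timestamps of recent failures
        self.locked_until: Dict[str, int] = {}     # ip -> when the local lockout ends

    def block_reason(self, ip: str, user_agent: str, now: int) -> Optional[str]:
        """Checks made before the password is even looked at; None means proceed."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.blocked_ranges):
            return "ip-range"
        if any(bad in user_agent.lower() for bad in self.blocked_agents):
            return "user-agent"   # nuisance filter only: the UA string is attacker-controlled
        if self.locked_until.get(ip, 0) > now:
            return "locked-out"
        if self.shared is not None and self.shared.is_listed(ip, now):
            return "shared-blocklist"
        return None

    def handle(self, ev: LoginEvent) -> str:
        """Disposition of one attempt: allowed, failed, locked, or blocked:<reason>."""
        reason = self.block_reason(ev.ip, ev.user_agent, ev.ts)
        if reason is not None:
            return "blocked:" + reason
        if ev.success:
            self.failures.pop(ev.ip, None)         # a real login resets the counter
            return "allowed"
        recent = [t for t in self.failures.get(ev.ip, []) if ev.ts - t < self.window]
        recent.append(ev.ts)
        if len(recent) >= self.max_failures:
            until = ev.ts + self.lockout
            self.locked_until[ev.ip] = until
            self.failures.pop(ev.ip, None)
            if self.shared is not None:
                self.shared.report(ev.ip, until)   # tell the other sites
            return "locked"
        self.failures[ev.ip] = recent
        return "failed"


def replay(guard: LoginGuard, events: List[LoginEvent]) -> List[str]:
    return [guard.handle(ev) for ev in events]


def demo() -> Dict[str, List[str]]:
    """Constructed attempts (RFC 5737 documentation addresses, not real traffic)
    against two sites that share one blocklist."""
    shared = SharedBlocklist()
    settings = dict(max_failures=5, window=300, lockout=900,
                    blocked_ranges=["192.0.2.0/24"], blocked_agents=["python-requests"],
                    shared=shared)
    site_a, site_b = LoginGuard(**settings), LoginGuard(**settings)
    bot, browser = "Mozilla/5.0 (compatible; wp-bruter)", "Mozilla/5.0"
    site_a_events = (
        [LoginEvent(1000 + i, "203.0.113.7", "admin", bot, False) for i in range(5)]
        + [LoginEvent(1010, "203.0.113.7", "admin", bot, False),          # now locked out
           LoginEvent(1020, "198.51.100.4", "editor", browser, False),     # typo ...
           LoginEvent(1030, "198.51.100.4", "editor", browser, False),     # ... typo ...
           LoginEvent(1040, "198.51.100.4", "editor", browser, True),      # ... then success
           LoginEvent(1050, "192.0.2.9", "admin", browser, False),         # blocked range
           LoginEvent(1060, "203.0.113.8", "admin", "python-requests/2.31", False)]
    )
    site_b_events = [
        LoginEvent(1100, "203.0.113.7", "admin", bot, False),   # same bot, other site
        LoginEvent(3000, "203.0.113.7", "admin", bot, False),   # 900 s lockout has expired
    ]
    return {"site_a": replay(site_a, site_a_events), "site_b": replay(site_b, site_b_events)}
```

Two things the replay makes visible. First, the lockout keys on the client IP, so behind a CDN or reverse proxy you must use the real client address rather than the proxy’s, or every visitor ends up sharing one counter. Second, a per-site, per-IP limit does little against a botnet that spreads a handful of guesses across thousands of addresses, each staying under the threshold; that is the gap the shared list narrows, since an address caught at one site is refused at the next before it has made a single guess there.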
Installing Wordfence is an effortless way to tighten up the security of your WordPress site and utilise the power of the cloud to protect against brute force attacks.
BruteProtect
BruteProtect is another WordPress security plugin that uses the cloud to protect sites against brute force attacks. The developers claim that it is the ‘only security plugin able to guard against botnet attacks’. Its other, optional, features let it monitor your site for downtime, scan for malware, and provide a secure login gateway for your site.
BruteProtect works by connecting the sites using the service so that the plugin can track every failed login attempt across all of them. This creates a brute force ‘counter force’ that grows with each installation of the plugin, which is currently listed at 33,751 downloads. The plugin also fully supports multisite installations of WordPress and can be enabled across all sites using a single API key for added convenience.
After installing the plugin directly from your site (Plugins > Add New > Search ‘bruteprotect’) and obtaining and entering the free API key, the plugin can be accessed from the BruteProtect menu entry. It also adds a dashboard widget, visible to logged-in users, showing the latest stats.
There aren’t many options for this plugin, so it is a lot quicker to get up and running on your site, although it doesn’t provide as much functionality as Wordfence. BruteProtect does include the Clef plugin, which allows you to use your smartphone for two-factor authentication to secure the login process for your site.
While this plugin isn’t as feature-packed as Wordfence, it is a simpler option for those who don’t need the extras such as site scanning, configurable login limits and email alerts. However, the lack of settings can make it hard to get a sense of what the plugin is actually doing in the background.
With more than 75 million sites using WordPress, it isn’t surprising that this platform is under constant attack around the world. With such a large portion of the web powered by WordPress, writing bots, scripts and programmes to target it makes sense if you are planning large-scale brute force attacks and want to go after as many sites as possible.
So with that in mind, doing whatever you can to tighten up your site’s security is a great idea. From installing a WordPress backup plugin, through adding extra protection against attacks, to signing up for a maintenance service, you can go a long way towards preventing your site from falling victim to a malicious attack.
Has your site ever been hacked and if so what was the outcome?