How to help prevent wordpress bruteforce attempts.

When you use wordpress for your website needs its inevitable scam bots will try to gain access to your site, I guess it comes with the territory of using something over 1/3rd of websites on the web use. So what can you do to better prepare your wordpress website from attackers?

    1. Using one user for admins and one user for creating posts and pages.
      What this does is allow you to set a lower user who’s name appears on the website as the publisher with only certain access, for instance setting a user with the ‘Author’ role doesn’t get much access to the core system as someone with the ‘Admin’ role.
    2. Using the free Akismet Plugin
      Now Akismet will require you to create an account, but if your website is non profit and does not promote paid work, like mine for example, then you can get an account which is free, once you have this setup and installed you get automatic ‘Brute Force’ protection, banning an IP that attempts to login to many times, it also lists the IP addresses which you can see here. 
    3. Remove access to xmlrpc.php
      A few years back xmlrpc was used for mobile apps and a few plugins like JetPack, this allowed remote access to the system, most smart phones and tablets these days display the wordpress admin panel quite sufficiently without the need of using xmlrpc, but hackers seem to still try and use this old remote access method to gain access to your wordpress admin panel as it bypasses any security including google recapcha. So the best thing to do is to disable external access to the file through your .htaccess file. I would recommend accessing your site via FTP or your control panel like cPanel or Plesk and editing the .htaccess manually, if you are using FTP a simple text editor like notepad will read and be able to edit the file with no problems, all you need to do is add the following code in at the top
    4. <Files xmlrpc.php>order deny,allow
      deny from all
      </Files>

    5. Change your wp-admin login
      As standard the way to access the admin panel and enter in your login information you would go to “www.yourdomain.com/wp-admin/” you would either be represented with a login form or if you were already logged in straight to your admin panel. Hackers know this, so why not change it to something less obvious? There is a great addon called Change WP Admin Login, what this will allow you to do is make it so “www.yourdomain.com/wp-admin/” redirects back to your website with no login form or to another page, some people like a little haha page or 404 nothing found page. Once you have installed the plugin you would head to Settings then Permalinks you will see the following options

      Once you have changed them click ‘Save Changes’ and the login form will no longer be shown at “www.yourdomain.com/wp-admin/” or “www.yourdomain.com/wp-admin.php”, pretty neat huh?

    There are other methods to help prevent attackers gaining access but these are simple starting points, I would also recommend you install a plugin called Simple History, what this does is keep a simple log of changes made within wordpress, whilst not really protecting your website from attackers it does show any attempts with wrong passwords, as well as when someone does login, you can check to make sure the time, date and IP match.

    I hope this post has been of help to you.

Leave a Reply

Your email address will not be published. Required fields are marked *