Securing Your WordPress Site from Brute Force Attacks – An Expert Guide

Brute force attacks pose one of the most persistent threats facing WordPress site owners today. With cheap cloud compute available to launch hundreds of login guesses per second, compromised sites number in the thousands every week. Left unprotected, the chances of having your administrator accounts cracked rise steadily, risking data loss, reputation damage, and financial harm should your servers be hijacked for criminal use.

However, with consistent, proactive security measures tailored to WordPress’s capabilities, you can drastically reduce exposure to brute force credential stuffing and gain peace of mind. This guide draws on leading WordPress security experts and researchers to break down actionable steps for detecting and preventing unauthorized access attempts against your site.

How Serious is the Brute Force Threat to WordPress?

Let’s ground the conversation with some key statistics that demonstrate why brute force attacks should be top-of-mind for any WordPress site owner:

  • The WordPress Security Team receives reports of over 1 million brute force login attempts per hour from sites running Jetpack’s protective plugin.
  • Sucuri’s data shows over 90% of the WordPress sites they monitor see some form of brute force attack during a 12-month period.
  • One study by Varnish Software detected 2,000+ failed WordPress login attempts per second on average across sites they analyzed.

Attackers clearly recognize that the popularity of WordPress – powering over 40% of all websites globally – presents a highly valuable target environment. Compromised WordPress sites can be used for anything from cryptomining resources to hosting phishing pages invisible to search engines.

With credential lists from past megabreaches like Yahoo and LinkedIn feeding brute forcers, the threat comes not only from your site having an easily guessed password but also password reuse by administrators. Defenses tailored to WordPress itself and best practices around passwords are crucial.

Start With Hiding wp-login Access

The weakest point of any brute force campaign is its first step: reliably reaching your WordPress login page, hosted at /wp-login.php or /login. Without the ability to load this form, automated credential stuffing cannot begin.

Obscuring the location of this page disrupts attack scripts that directly target the standard URLs. Security plugins like iThemes Security and WPS Hide Login both offer the ability to:

  • Set a custom path for wp-login.php instead of the default
  • Return a 404 error immediately if anyone tries to access wp-login directly
  • Create rules that automatically block IPs after a limited number of failed attempts against the login form

For example, blocking an IP after 3 failed attempts for a 15 minute lockout window balances security against accidental lockouts of legitimate users who are temporarily struggling to recall a changed password.

Hiding wp-login combined with IP-based rate limiting sets an initial defense perimeter against brute force attackers by disrupting their ability to reach your publicly known login form directly. However, further controls are still needed for those that eventually discover the new URL through guesswork.
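One way to implement the 3-failure, 15-minute lockout described above inside WordPress itself, as an added example written for this guide (not code from iThemes Security, WPS Hide Login or any other named plugin); it assumes a standard install where PHP sees the visitor's real address in REMOTE_ADDR:

```php
<?php
/**
 * Plugin Name: Login Lockout (added example, not from the original post)
 * Drop into wp-content/mu-plugins/. After 3 failed logins from one IP within
 * 15 minutes, further attempts from that IP are refused for 15 minutes.
 */
const LL_MAX_FAILURES   = 3;
const LL_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

// Client address as PHP sees it. Behind a proxy or CDN, read the header that
// proxy sets instead, after verifying the request actually came from it.
function ll_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ll_transient_key( string $ip ): string {
    return 'll_fail_' . md5( $ip );
}

// WordPress fires wp_login_failed on every rejected login; count it per IP.
// Re-setting the transient refreshes its expiry, so an IP that keeps hammering
// the form stays locked out until it has been quiet for 15 minutes.
function ll_record_failure( $username ) {
    $key   = ll_transient_key( ll_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LL_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'll_record_failure' );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so even a correct guess made during the lockout is turned into an error.
function ll_block_if_locked( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user; // Not a form login (e.g. cookie auth); leave it alone.
    }
    $count = (int) get_transient( ll_transient_key( ll_client_ip() ) );
    if ( $count >= LL_MAX_FAILURES ) {
        return new WP_Error( 'll_locked_out',
            'Too many failed login attempts from your address. Try again in 15 minutes.' );
    }
    return $user;
}
add_filter( 'authenticate', 'll_block_if_locked', 30, 3 );

// A successful login clears the counter so a user who mistyped once or twice
// is not penalised later in the window.
function ll_clear_on_success( $user_login, $user ) {
    delete_transient( ll_transient_key( ll_client_ip() ) );
}
add_action( 'wp_login', 'll_clear_on_success', 10, 2 );
```

Transients live in the options table (or the object cache if one is configured), so the counter is shared across all PHP workers serving the site.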

Adding Two-Factor Authentication

An attacker that has managed to obtain or crack a legitimate password still cannot access an account protected by two-factor authentication (2FA). The second step of providing a temporary code or using a FIDO security key blocks them at login all the same.

Based on Microsoft Research, two-factor authentication effectively drops an attacker’s odds of gaining account access from 1 in 10,000 down to 1 in 1,000,000 by adding just a second identity confirmation step. A 100x increase in security from a basic SMS code, well worth the minor inconvenience at login!

Plugins like Two-Factor Authentication and Google Authenticator make activating 2FA simple:

[Image: Two-Factor Authentication plugin]

Taking under 5 minutes to configure, two-factor authentication should be enabled for every administrator login to erect another barrier against unauthorized access, even with a breached password.

How Quickly Can Attackers Compromise Accounts?

To demonstrate why protections like hiding wp-login and requiring 2FA are truly vital, we must consider credential stuffing speed.

With freely available brute forcing tools leveraging rainbow hash cracking tables against stolen password lists, over 100 login attempts per second is possible from a single computer. Launched from cloud infrastructure, that capacity expands exponentially.

At 100 guesses per second, all permutations of 8 character passwords containing upper, lower, numbers, and special characters can be attempted in under 12 hours. Common passwords get guessed almost instantly, meaning a successful brute force attack can happen quickly against a site without proper rate limiting and lockouts.

By combining hidden login forms, 2FA, temporary blocks on failures, and other checks covered in this guide, we create time for detection and response before an attack reaches critical mass.

Monitoring Site Activity for Early Warning

A core principle of defense is maintaining visibility: both alerts raised by your security controls and internal audits for anomalies that indicate a breach.

While plugins like Wordfence, Sucuri, and Glenn can all send alerts when suspicious activity is detected automatically, tooling should not replace human intuition and contextual awareness. Make it standard practice to manually:

  • Review server access and authentication logs for unusual patterns, using helpers like GoAccess or AWStats to analyze them
  • Audit user account permissions and changes for improper modifications
  • Compare website file directories against known good snapshots to check for backdoors
  • Keep real-time traffic dashboards like StatPing bookmarked to quickly identify spikes

Sometimes the clues that an attack is underway will appear in monitoring before automated triggers fire. The earlier a brute force or other unauthorized attempt is discovered, the less likely lasting damage can take root.
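As an added example of the log review step (not code from this guide's author or from the tools named above), this script scans combined-format access log lines and flags addresses that hit wp-login.php in bursts; the log lines it runs over are constructed sample data:

```php
<?php
// Added example (not from the original post): flag any IP that POSTs to
// wp-login.php at least THRESHOLD times within one minute, reading
// combined-format (Apache/Nginx) access log lines. Run with: php login-bursts.php
const THRESHOLD = 10;

// Parse one combined-format line into ip, minute bucket, method, path, status.
function parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    // "12/Mar/2024:10:15:01 +0000" -> "12/Mar/2024:10:15" (seconds and zone dropped)
    return [ 'ip' => $m[1], 'minute' => substr( $m[2], 0, 17 ),
             'method' => $m[3], 'path' => strtok( $m[4], '?' ), 'status' => (int) $m[5] ];
}

// Count login-form POSTs per (ip, minute) and return the buckets over threshold.
function find_login_bursts( string $log, int $threshold ): array {
    $counts = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = parse_line( $line );
        if ( null === $r || 'POST' !== $r['method'] || '/wp-login.php' !== $r['path'] ) {
            continue;
        }
        $key            = $r['ip'] . ' ' . $r['minute'];
        $counts[ $key ] = ( $counts[ $key ] ?? 0 ) + 1;
    }
    return array_filter( $counts, fn( $n ) => $n >= $threshold );
}

// Constructed sample log: one ordinary visitor, then 12 login POSTs in one
// minute from a single address with a scripted user agent. On a real server
// read the file instead, e.g. file_get_contents( '/var/log/apache2/access.log' ).
// Behind a CDN, make sure the log records the visitor address, not the edge.
$sample_log = "203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] \"GET /blog/ HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"\n";
for ( $s = 2; $s <= 13; $s++ ) {
    $sample_log .= sprintf(
        "198.51.100.23 - - [12/Mar/2024:10:15:%02d +0000] \"POST /wp-login.php HTTP/1.1\" 200 3410 \"-\" \"python-requests/2.31\"\n",
        $s
    );
}

foreach ( find_login_bursts( $sample_log, THRESHOLD ) as $key => $n ) {
    echo "$key: $n POSTs to wp-login.php in one minute\n";
}
```

A burst of POSTs that all return 200 is still suspicious: WordPress answers a failed login with 200 and the form re-rendered, so status alone does not separate guesses from successes.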

Leverage a Specialized WAF for WordPress Sites

While hiding wp-login forms and requiring 2FA fortifies access at the account level, brute force attacks can still target vulnerabilities in the WordPress core, themes, and plugins. Exploiting these can allow attackers to bypass the login process entirely.

A cloud web application firewall (WAF) designed specifically to protect WordPress sites counters exploit attempts and other application-layer attacks out at the network perimeter. Integrated WAF offerings from WordPress security providers like Sucuri Firewall and Cloudflare for WordPress block requests that probe for weaknesses.

For small business-level sites, Cloudflare and Sucuri both offer products starting around $20 per month that:

  • Blacklist known malicious IP ranges
  • Prevent brute forcing of critical wp-includes files
  • Filter dangerous payloads sent in requests
  • Limit excessive requests indicative of DDoS attempts

With continuous rule updates based on emerging attack trends, WAFs stop threats before they reach your WordPress server. They provide efficient, scalable protection without burdening your environment.

Password Hygiene as a First Line of Defense

Obscuring login forms, requiring 2FA, and filtering malicious requests via hardware firewalls can all help prevent unauthorized access from outside. But it’s your internally configured user passwords that form the actual last line of defense keeping attackers out of your site.

Even just enabling WordPress’s built-in password policy and forcing resets of any legacy admin credentials unknown to you establishes a baseline against brute forcing and credential stuffing. From there, take further steps like:

  • Require a minimum of 12 characters for passwords
  • Block the top 500 most common passwords seen in breaches
  • Disallow contextual strings such as the site name
  • Force password changes every 180 days
  • Only allow admin logins from pre-approved IP ranges

Strong, unique passwords rotated routinely are your best internal defense against attackers gaining that first foothold on your server.
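The first three checks in the list above (12 character minimum, common-password block list, no site name) can be enforced by WordPress at the moment a password is set. This is an added example written for this guide, not code from any named plugin; it assumes a common-passwords file you maintain (hypothetical path common-passwords.txt next to the plugin):

```php
<?php
/**
 * Plugin Name: Password Policy (added example, not from the original post)
 * Enforces a 12 character minimum, rejects breach-list passwords and any
 * password containing the site name, on profile updates and password resets.
 */
const PP_MIN_LENGTH = 12;
// Assumption: one password per line, e.g. the 500 most common breached
// passwords, maintained by you and stored next to this file.
const PP_COMMON_LIST = __DIR__ . '/common-passwords.txt';

// Returns a message describing the problem, or null if the password passes.
function pp_password_problem( string $password, string $site_name ): ?string {
    if ( strlen( $password ) < PP_MIN_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', PP_MIN_LENGTH );
    }
    if ( is_readable( PP_COMMON_LIST ) ) {
        $common = file( PP_COMMON_LIST, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES );
        if ( in_array( strtolower( $password ), array_map( 'strtolower', $common ), true ) ) {
            return 'That password appears in breach lists; please choose another.';
        }
    }
    // Contextual strings: reject any word of the site name (4+ chars), ignoring case.
    foreach ( preg_split( '/\W+/', $site_name ) as $word ) {
        if ( strlen( $word ) >= 4 && false !== stripos( $password, $word ) ) {
            return 'Passwords may not contain the site name.';
        }
    }
    return null;
}

// Both hooks hand over the WP_Error that WordPress collects form problems in;
// adding an entry makes WordPress reject the submission and show the message.
function pp_validate( WP_Error $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No new password was submitted.
    }
    $problem = pp_password_problem( (string) $_POST['pass1'], get_bloginfo( 'name' ) );
    if ( null !== $problem ) {
        $errors->add( 'pp_weak_password', $problem );
    }
}
add_action( 'user_profile_update_errors', 'pp_validate' ); // profile screen
add_action( 'validate_password_reset', 'pp_validate' );   // lost-password form
```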

Compartmentalize Access with Principle of Least Privilege

To minimize the attack surface should any individual account be compromised, restrict user permissions to what each person actually needs. Do not grant members admin privileges unless absolutely required for their duties.

WordPress plugins like User Role Editor make access management straightforward:

[Image: User Role Editor plugin]

Segment users by responsibility into editor, contractor, analyst, etc. groups and customize exactly which parts of WordPress they can change. Limit particularly sensitive areas like plugin installation and theme editing to a minimal “emergency” admin team.

While doing audits, also prune any old employee or unused test accounts still lingering to further trim exposure. Apply the principle of least privilege across all user levels, not just admin.

Stay Updated to Eliminate Exploitable Software

The most likely vector attackers use to establish initial access for brute forcing credentials is exploiting outdated software still running at the server level or within WordPress itself.

Old versions of platforms like PHP and content management cores that no longer receive fixes for newly discovered vulnerabilities are prime targets for attackers to gain execution rights. Plugins and themes with unpatched security issues present similar infection channels.

Simply keeping WordPress, all plugins and themes, associated server stacks like LAMP or MEAN, and SSL certificates updated to current secure versions cuts off many common infection vectors, misconfigurations aside. Use services like Wordfence Scanner and VIP Scanner to automatically audit site software for known vulnerabilities.

While environments grow complex fast, at least enabling WordPress’s one-click background updates ensures you receive new security fixes rapidly as they emerge. From there, consider a policy requiring review and approval of changes for stability, based on your site’s availability needs.

Employ Layers of Protection to Fortify Security

What matters most is not any individual control but combining overlapping safeguards so they reinforce one another. Employ multiple techniques like:

  • Change default credentials behind any plugins/themes
  • Hide wp-login location and require 2FA
  • Confirm account activities with monitoring
  • Filter traffic through hardware-accelerated firewalls
  • Enforce password manager use for access
  • Automate software updates for latest fixes
  • Compartmentalize site roles under least privilege

With defense in depth instead of reliance on a single safeguard, you significantly reduce the chances of brute force credential attacks, exploit breaches, or any other unauthorized access against your WordPress server.

Ongoing Education as Sites Scale

The strategies covered in this guide reflect leading practices observed from those keeping WordPress sites secured against continuously advancing threats. As your needs grow in terms of team size, data sensitivity, uptime demands, etc., invest in continued WordPress security education such as:

Staying current lets you evolve protections in line with an ever-changing risk landscape using both open source tooling through WordPress and leading managed services. As sites keep growing thanks to the flexibility WordPress offers, so too does the necessity of ensuring security keeps pace every step of the way.

Take Action Now to Establish WordPress Protections

This guide has outlined leading practices observed from those keeping WordPress sites secured against continuously advancing threats. No single product or tactic alone promises safety; only integrating defensive layers wrapping access controls, activity monitoring, perimeter filtering through hardware firewalls, and workload protections can mitigate risk. Fortunately, WordPress offers strong security capabilities natively and through plugins to harden sites without restricting the essential content lifecycle.

I encourage putting this guide’s lessons into practice for your own WordPress servers, tailored to your risk tolerance and resource constraints. Start with wins like hiding wp-login, requiring 2FA, and monitoring for anomalies, then grow to firewall filters and least privilege access models over time. Feel free to bookmark and share this page as reference material for teams as well.

Stay safe out there and proactively self-secure! Contact me via the information below if any questions arise when implementing your improved WordPress protections.