Brute Force: You could say it’s like taking the “shotgun approach.” They are simply hitting the server looking for one thing, the correct login information for your WordPress site. ~ In Motion Hosting
We have been closely following the reports that Hosts who host WordPress are being targeted with Brute Force attacks. Basically, a Brute Force attack is when a hacker makes repeated attempts to access your WordPress installation through the admin user. It would appear to be the case after looking at several logs throughout our client sites.
We’d like to share some tips with you on how to protect yourself against these kinds of attacks.
1. Change your username if it’s “admin”. Instructions here.
2. Change your password to something that is a mixture of upper and lower case letters, numbers and symbols. Come up with a system that is easy for you to understand and remember and best of all – change monthly.
Example: Your favorite movie is “The Princess Bride”, you were born in 1975, the site’s name is “JollyGreenGiant.com” and it’s April. So you’d choose the acronym of your favorite movie, the last two numbers of your birth year, the first word of your site, and the month. I recommend that you substitute vowels for numbers and symbols. So your finished password would look something like this:Â TPB75j0lly@pr1l
3. Install two plugins now:  Limit Login Attempts and Better WordPress Security
The thing to understand about these attacks is that they play on the vulnerabilities of the end-user, which is you. If you aren’t doing your part, you may have some issues.
Please understand that every content management system experiences this type of attack at some point – it’s not just WordPress – so don’t be upset with the software. As long as you are doing your part, and your host is doing theirs, you should be fine.
Additionally, if you sign up for a Cloudflare free plan, you are automatically protected, as Cloudflare sits in front of a majority of the web requests and is able to stop the requests before they ever hit your site.
Please share this post on Pinterest:
Thanks. I’m beginning to take security more seriously. Does this work if me as admin is the only person on the blog? Also, have you written anything about Captcha and its glitches?
These are great tips! My host was having major issues last week fighting ff an attack. It caused my blog a lot of down time. I’m planning on installing one of the plugins to help keep my site safe. Thanks for sharing them.
You’re welcome, Jenn! The beset thing you can do is ensure that you are using a password that follows the rule of thumb I give in the post. Long…and with a mixture of characters. 🙂
Yes, it works whether you have one admin account or twenty. The important thing to remember is that you don’t use “admin” as you login and you use a strong password. As for the captcha, I haven’t written on it, but the only problems I know about with captcha are with the old or outdated plugins.