Preventing successful brute force login attacks by implementing WordPress brute force protection is relatively straightforward. Malicious attacks on your website are usually designed to hurt your business by making your site slow, unreliable or unavailable for extended periods of time. This may be done via DDoS (distributed denial of service) attacks and prolonged brute force login assaults. This activity is not expensive if contracted out, so it may be a deliberate campaign by a competitor, disgruntled employee or client. However, given the sheer volume of botnet and DDoS activity, a completely random attack is far more likely.
FAQ: WordPress Brute Force Protection
What are Brute Force Login Attacks?
A brute force login attack can come in different forms, and a range of attack software is available to those intent on getting into your website and/or server. The objective is to “guess” an administrator’s login credentials and gain access to the website. From there, anything can happen, including installation of phishing code or malware, deletion or defacement of content, etc. For a full outline of brute force login goals and methods, see:
Citation: Defensive hacking – how to prevent a brute force attack
A heavy Brute Force Login attack launched simultaneously from multiple sites and aimed at your server could have an impact similar to a DoS or DDoS attack:
- The server load increases sharply.
- Websites become unresponsive.
- Access to WHM, cPanel or FTP may time out.
- Sites may display an “Error connecting to database.”
- In some cases, one or more databases may be corrupted.
Preventing brute force attacks is a high priority for all websites! It is best to do this before an attack commences, rather than flailing around in the midst of a crisis trying to implement an effective WordPress brute force protection solution. Effective DDoS prevention is time-consuming and costly.
What is the Impact of Brute Force Attacks?
Any excessive activity on YOUR site has an immediate negative impact on neighbouring websites on the same server. A sustained login attack can generate an impact similar to a Denial of Service attack.
Your hosting company may suspend your website’s hosting account for repeated over-use of server resources.
How can I protect my site from Brute Force Login Attacks?
There are multiple proactive methods to protect your website and a combination of methods will serve you best:
- Install a security plugin such as Limit Login Attempts Reloaded, or Wordfence Login Security
- Sign up for Cloudflare and implement login security.
- Reduce server load by ensuring page load speed is optimised and working to your advantage, and that resources are not being hogged by bloated plugins.
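The plugins listed above work by counting failed logins per source address and locking that address out once a threshold is exceeded. The same logic can be run over your web server's access log to see an attack as it happens (and to confirm that a plugin or Cloudflare rule is actually reducing the hits). The following script is an added example, not code from the original post or from any of the plugins named; it parses constructed sample lines in the standard Apache/nginx "combined" log format and flags addresses with more than `threshold` failed POSTs to wp-login.php or xmlrpc.php inside a sliding time window. The "POST answered with HTTP 200 means a failed login" rule is an assumption that holds for a stock WordPress install (a bad password re-renders the form with 200, a good one redirects with 302); adjust it if your site behaves differently.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; timestamps look like 10/Mar/2024:08:00:01 +0000.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Endpoints that brute-force tools hammer on a WordPress site.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample log (not real traffic). Lines are in time order, as access logs are.
# 203.0.113.7 fails six times in six seconds, 198.51.100.20 mistypes twice then succeeds,
# 192.0.2.99 hammers xmlrpc.php seven times.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2024:08:00:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2024:08:00:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2024:08:00:32 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2024:08:00:33 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2024:08:00:34 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2024:08:00:35 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2024:08:00:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:00:40 +0000] "GET / HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return ip, timestamp, method, path and status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """Assumption: a POST to a login endpoint answered with 200 is a failed attempt
    (stock WordPress re-renders the form on a bad password and sends 302 on success)."""
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] == 200


def find_offenders(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak} for every address whose failed logins inside any `window` exceed `threshold`."""
    recent = defaultdict(deque)  # ip -> timestamps of failed attempts still inside the window
    peak = defaultdict(int)      # ip -> highest number of attempts seen in one window
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # slide the window forward, dropping old attempts
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed login attempts within the window")
```

Run against the sample, the script reports 203.0.113.7 and 192.0.2.99 and leaves the user who mistyped twice alone; pointing it at a real log (`find_offenders(open("access.log"))`) gives you the same lockout candidates a login-limiting plugin would act on, which is also the evidence to hand your host if they query resource usage.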
How does reducing Server Load help?
Anything you do to reduce the load on your website significantly helps your hosting server cope with external loads generated by someone intent on harm.
- Install and configure good caching plugins: WP Rocket Cache plus SQLite or Docket Cache (object caching & OP cache) and Asset Cleanup will boost your WordPress page load speed and make your site faster and leaner. Anything that eases server resource consumption enables greater resilience.
- Offload some of your server load to a Content Delivery Network such as Cloudflare – which also has additional security layers at the network level – i.e. before an attacker actually reaches your site. In my experience, careful implementation of Cache Rules can offload over 70% of your origin server’s workload! That’s especially important if you are on a standard “shared hosting” plan with limited resources.
How much does Cloudflare help?
A “basic” account is free, so there is little excuse for not using this CDN. It’s easy enough to set up and has multiple security functions that can help you screen out attackers. My experience with Cloudflare is extremely positive – every site I own is on it, as are most websites I manage. It’s truly epic value and I’m always appreciative of what it does…
- Security Rules: certainly should be applied to the wp-login.php and xmlrpc.php as that’s where attacks are usually focused.
- Bot Fight mode: blocks known bad bots from reaching your site.
- Email Obfuscation: this stops bots from harvesting your email addresses listed on your website.
- Security Rules: can also be used to set known bad Countries (Russia, Belarus, China, Iran, North Korea, Indonesia, Turkey, and Brazil) to “Managed challenge” to slow down queries and block the known bad actors. As part of DDoS prevention services, set rules for Layer 7 attack protection.
The $5 per month APO (Automatic Platform Optimization) for WordPress is a very good thing if you have a WooCommerce shop installation.
In summary, preventing brute force attacks from achieving any success is not technically difficult. However, you need to protect both: