{"id":27247,"date":"2021-07-24T17:00:16","date_gmt":"2021-07-24T15:00:16","guid":{"rendered":"https:\/\/qodeinteractive.com\/magazine\/?p=27247"},"modified":"2021-07-23T12:10:35","modified_gmt":"2021-07-23T10:10:35","slug":"protect-from-wordpress-brute-force-attacks","status":"publish","type":"post","link":"https:\/\/qodeinteractive.com\/magazine\/protect-from-wordpress-brute-force-attacks\/","title":{"rendered":"How to Protect Your WordPress Website from Brute Force Attacks"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_column_text]Hacking attacks have become more frequent in recent years, making website security one of the top concerns of every webmaster. Since WordPress is the most used content management platform, WordPress websites are the most common victims of those attacks.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]While WordPress has always strived to improve its security by patching any security vulnerabilities it discovers, it has always struggled against brute force attacks. The reason is that WordPress has a single login screen, which we\u2019re all familiar with. That means your security against brute force attackers is only as strong as your WordPress credentials.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]In this article, we\u2019ll explain how to shore up your website security and protect your WordPress site from brute force attacks. Additionally, we will cover what those attacks are so that you can fully understand the importance of the security methods we suggest. 
If you\u2019d like to skip ahead to any particular security suggestion, you can do so using the links below:<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;22px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#changing-the-wordpress-login-url\">Changing the WordPress login URL<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#using-strong-and-unique-credentials\">Using strong and unique credentials<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#limiting-login-attempts\">Limiting login attempts<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#adding-two-factor-authentication\">Adding two-factor authentication<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#adding-http-authentication\">Adding HTTP authentication<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span 
class=\"qodef-ul-title-content\"><a href=\"#using-security-plugins\">Using security plugins<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#updating-wordpress\">Updating WordPress<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#using-a-firewall\">Using a firewall<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#regularly-making-backups-of-your-website-and-scanning-for-malware\">Regularly making backups of your website and scanning for malware<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#blocking-ips\">Blocking IPs<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;80px&#8221;][vc_widget_sidebar sidebar_id=&#8221;new-top-picks-banner&#8221;][vc_empty_space height=&#8221;80px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\">Understanding what brute force attacks are<\/h2>\n<p>[\/vc_column_text][vc_column_text]Simply put, brute force attacks are a type of hacking attack that relies on trial and error as a way of breaking into a specific website or network. 
More precisely, hackers resort to exhaustively guessing your login username and password as a means of getting access to the website.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Even though this might seem tedious or, even, pointless, it is far from it. Since WordPress doesn\u2019t include any default way of limiting failed login attempts, hackers can automate the guessing process and go through tens of thousands of common passwords in a matter of seconds. As such, your website could be seconds away from getting brute-forced, if you are using a password that is considered weak.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Once they gain access to the backend of your website, hackers can install malware, steal valuable information, deny you access to your website or delete it. On the other hand, even if they don\u2019t get in, a high frequency of HTTP requests towards your server can slow your site down severely, or even crash it. Because of this, it is important to tackle brute force attacks using multiple methods. This will let you avoid or negate any harm hackers could inflict on your website. Now let\u2019s take a look at what those methods are.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\">How to protect your WordPress website from brute force attacks<\/h2>\n<p>[\/vc_column_text][vc_column_text]Even though there are numerous security precautions you can take, we decided to cover only the ten most important ones in this article. Most of these methods can be applied using custom code, but we opted to make this article more beginner-friendly and offer alternatives accessible to all. Therefore, we tried to offer suitable WordPress plugins for every given method, wherever possible. 
It is also worth noting that, while perfect security against brute force attacks might not be attainable, using the methods from our list will make your website as secure as possible. So, let\u2019s begin.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\"><a id=\"changing-the-wordpress-login-url\"><\/a>Changing the WordPress login URL<\/h3>\n<p>[\/vc_column_text][vc_column_text]One of the biggest reasons why WordPress websites frequently suffer brute force attacks is that their default file and folder structure (including which file is responsible for the login process) is well known. As a result, a WordPress site\u2019s default login URL can easily be accessed. This makes your credentials the only form of protection against brute force attacks. Therefore, the most obvious way of adding an extra layer of protection against those attacks is by changing the default WordPress login URL. You can accomplish this with custom code or with a suitable WordPress plugin.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]We have opted to show you how to change the default WordPress login URL using a plugin called <a href=\"https:\/\/wordpress.org\/plugins\/wps-hide-login\/\" target=\"_blank\" rel=\"noopener\">WPS Hide Login<\/a>. This is a very lightweight plugin, made specifically for changing the login and redirection URLs. As the plugin page mentions, it doesn\u2019t change any WordPress core files or add rewrite rules to the .htaccess file. Instead, it works by intercepting page requests. 
Let\u2019s take a look at how it is used.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]After <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-install-a-wordpress-plugin\/\">installing the plugin<\/a>, <strong>navigate to Settings &gt; General<\/strong> and <strong>scroll toward the bottom of the page<\/strong>, where you will find the <strong>WPS Hide Login subsection<\/strong>.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"555\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Login-URL.jpg\" class=\"attachment-full size-full\" alt=\"Login URL\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Login-URL.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Login-URL-300x172.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Login-URL-768x440.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Login-URL-620x355.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]In this section, you can change both the login and redirection URL, i.e. their respective endings. As a safety measure against brute force attacks, it\u2019s enough to change the login URL from the default <em>login<\/em> to something else. Once you\u2019ve done that, <strong>press the <em>Save Changes<\/em> button<\/strong> to change your login URL.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Please note, you will remain logged in after completing the URL change. 
However, if you log out and try to log back in by accessing the default WordPress login URL (<em>your-website-url\/login, your-website-url\/wp-admin<\/em>, or <em>your-website-url\/wp-login.php<\/em>), you will see a 404 screen instead. But, if you\u2019ve also changed the redirection URL earlier, then you will see the page you selected for it instead.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Login-Error.jpg\" class=\"attachment-full size-full\" alt=\"Login Error\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Login-Error.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Login-Error-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Login-Error-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Login-Error-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]With that, you have completed the first and most important step in prevention against brute force attacks.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Before concluding this section, we wanted to share a tip\u2014if you get locked out of your dashboard and forget what your new login URL is, don\u2019t worry. Simply disabling the WPS Hide Login plugin via FTP will reset the WordPress login URL to its default value. 
To learn how to do that, check out our article on <a href=\"https:\/\/qodeinteractive.com\/magazine\/disable-plugins-wordpress\/\">disabling plugins when locked out of WP-Admin<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\"><a id=\"using-strong-and-unique-credentials\"><\/a>Using strong and unique credentials<\/h3>\n<p>[\/vc_column_text][vc_column_text]One of the most effective ways of improving your website\u2019s security against brute force attacks is to use strong and unique WordPress credentials. This includes using unique usernames and, more importantly, longer and harder-to-crack passwords.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]First of all,<strong> you shouldn\u2019t use the default WordPress username (<em>admin<\/em>) for your administrator account<\/strong>. Therefore, if you are the site admin, you should consider changing your username. This can be done directly within the site\u2019s database. Alternatively, you can use the appropriate dashboard option in the Users section to add a new user with administrative privileges and give it a unique name. After doing that, make sure to delete the other administrative account which has the <em>admin<\/em> username. 
<strong>Don\u2019t forget to attribute all the content to your newly created administrator account.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Delete-Users.jpg\" class=\"attachment-full size-full\" alt=\"Delete Users\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Delete-Users.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Delete-Users-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Delete-Users-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/Delete-Users-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]As for the password, you should increase its strength by <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-reset-wordpress-password\/\">replacing your less secure passwords<\/a> with more complex ones. This includes using longer passwords with lowercase and uppercase letters, numbers, and special symbols (such as &amp; _ } !, and so on). Also, <strong>avoid using existing vocabulary words<\/strong> (e.g. password), or words directly related to your personal life (family member\u2019s name, date of birth, pet name, etc.), as well as existing keyboard patterns (e.g. qwerty or 123456). For obvious reasons, <strong>you should also avoid using the same credentials across different applications<\/strong>. 
As creating sufficiently complex passwords can be challenging, there are online tools like the <a href=\"https:\/\/privacycanada.net\/strong-password-generator\/\" target=\"_blank\" rel=\"noopener\">strong password generator<\/a> that can help you.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Finally, you should improve how you store your passwords to reduce the possibility of them getting stolen or of you simply forgetting them and ending up locked out of your dashboard. There are a few technological tools available to help you with this as well. To that end, we suggest finding a suitable <a href=\"https:\/\/qodeinteractive.com\/magazine\/best-password-manager-tools\/\">password manager<\/a>, after strengthening your password.[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\"><a id=\"limiting-login-attempts\"><\/a>Limiting login attempts<\/h3>\n<p>[\/vc_column_text][vc_column_text]As we mentioned earlier, WordPress doesn\u2019t offer any default mechanism to limit login attempts. This makes WordPress sites more appealing targets for hackers\u2019 brute force attacks. They can use scripts and bots to quickly test tens of thousands of possible passwords, without WordPress trying to block them after the first few. This persistence presents a danger even to strong, complex passwords.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Therefore, the next layer of security that you should engage is to limit the number of failed login attempts. This should be accompanied by temporarily blocking the IP address that has exceeded that limit. This will, for a certain amount of time, deny access to the website to anyone trying to log in with incorrect credentials. As a result, this will make the hackers\u2019 efforts to brute-force their way significantly more time-consuming. 
Moreover, it might even dissuade them from attempting further brute force attacks, as they will no longer be practical.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]You can limit login attempts in WordPress by using a plugin such as <a href=\"https:\/\/wordpress.org\/plugins\/limit-login-attempts-reloaded\/\" target=\"_blank\" rel=\"noopener\">Limit Login Attempts Reloaded<\/a>. Its features include configuring the maximum number of login attempts and the duration of the ban if all the attempts are unsuccessful. It also has logging of blocked attempts and blacklist capabilities, allowing you to keep track of who attempted to log in and to blacklist those that tried brute force attacks.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]This plugin also includes a safelist capability, which can help you in case of accidental lockouts. So, if a legitimate user makes a typo or misremembers the credentials, you can un-ban anyone that got locked out by mistake. These are some of the reasons why the Limit Login Attempts Reloaded plugin is our recommendation for implementing an additional layer of protection against brute force attacks. To learn more about installing and using this plugin, we suggest reviewing our article on <a href=\"https:\/\/qodeinteractive.com\/magazine\/limit-login-attempts-in-wordpress\/\">limiting login attempts<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\"><a id=\"adding-two-factor-authentication\"><\/a>Adding two-factor authentication<\/h3>\n<p>[\/vc_column_text][vc_column_text]Adding two-factor authentication is another great way of guarding the backend of your site from hackers. As the name implies, two-factor authentication creates an additional layer of security by adding a second identification test. 
For example, this could include a verification code that is sent to the user via SMS or email. Then, anyone trying to log in would also need access to those codes, making a security breach significantly more difficult. Just like the previous method, this can be implemented using a suitable WordPress plugin. You can find more information about it in our article on <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-two-factor-authentication\/\">adding two-factor authentication<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\"><a id=\"adding-http-authentication\"><\/a>Adding HTTP authentication<\/h3>\n<p>[\/vc_column_text][vc_column_text]HTTP authentication is another way of adding a layer of protection, on the server level, to your login page. With it, every time a user tries to access your login screen, a new sign-in form will appear, with separate credentials. Users will be granted access to the WordPress login screen only after entering the correct authentication credentials in that sign-in form.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]You can enable this additional HTTP authentication within your hosting control panel. For us, that was cPanel. If you\u2019re using a different control panel, you should ask your hosting provider for the equivalent set of instructions. 
With that being said, let\u2019s take a look at how HTTP authentication can be enabled.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]First, <strong>log in to cPanel<\/strong> using your cPanel credentials and <strong>click on the Directory Privacy option<\/strong>, located in the Files section.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Files-Directory-Privacy.jpg\" class=\"attachment-full size-full\" alt=\"cPanel Files Directory Privacy\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Files-Directory-Privacy.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Files-Directory-Privacy-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Files-Directory-Privacy-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Files-Directory-Privacy-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]In the next window,<strong> locate your website directory<\/strong> and <strong>click on it<\/strong>. Then,<strong> navigate to your root WordPress subdirectory<\/strong>, often called public_html. You will see three folders within it: wp-admin, wp-content, and wp-includes. Since we want to protect the login screen, we will make the wp-admin directory private. 
As such, <strong>click on the <em>Edit<\/em> button next to the wp-admin folder<\/strong> to change its privacy settings.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Directory-Privacy-WP-Admin-Edit.jpg\" class=\"attachment-full size-full\" alt=\"cPanel Directory Privacy WP Admin Edit\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Directory-Privacy-WP-Admin-Edit.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Directory-Privacy-WP-Admin-Edit-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Directory-Privacy-WP-Admin-Edit-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Directory-Privacy-WP-Admin-Edit-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]On the following screen, <strong>tick the checkbox next to the<em> Password protect this directory<\/em> option<\/strong>, which will also display the name of the directory that will be protected. If you clicked on the right <em>Edit<\/em> button, the wp-admin folder will be the one shown as selected. 
To confirm this change,<strong> press the <em>Save<\/em> button<\/strong> below.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Password-Protect.jpg\" class=\"attachment-full size-full\" alt=\"cPanel Password Protect\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Password-Protect.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Password-Protect-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Password-Protect-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Password-Protect-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]A moment later, you will see a success message stating that the access permissions were changed. <strong>Press the <em>Back<\/em> link<\/strong> to return to the previous screen. There, you will see the second part of this setup, where you will need to create a user. To do so, <strong>insert a username and password<\/strong> of your choosing in the appropriate fields and <strong>click on the <em>Save<\/em> button<\/strong> when you\u2019re done. 
You should try to use strong credentials here as well.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"536\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Create-User.jpg\" class=\"attachment-full size-full\" alt=\"cPanel Create User\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Create-User.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Create-User-300x166.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Create-User-768x425.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Create-User-620x343.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]Shortly after, you will see a success message that the user has been created. Then <strong>navigate to your login screen and verify that all is well<\/strong>. We advise using a different browser or the incognito mode in your current browser for testing. However, it\u2019s just as likely you\u2019ll get an error at this point. 
It happened to us as well\u2014we got the <a href=\"https:\/\/qodeinteractive.com\/magazine\/err-too-many-redirects\/\">ERR_TOO_MANY_REDIRECTS error<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Page-Not-Working.jpg\" class=\"attachment-full size-full\" alt=\"cPanel Page Not Working\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Page-Not-Working.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Page-Not-Working-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Page-Not-Working-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Page-Not-Working-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]Luckily, solving the error in this specific case is rather simple. The troubleshooting process has already been described in <a href=\"https:\/\/wordpress.org\/support\/article\/brute-force-attacks\/#protect-your-server\" target=\"_blank\" rel=\"noopener\">an article on the official WordPress Support page<\/a>. Anyone interested in exploring a more coding-intensive approach to fighting against brute force attacks will find the whole article well worth the read. 
As WordPress support explains, you only need to add the following line of code into your .htaccess file to solve this issue:[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">ErrorDocument 401 default<\/pre>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]To do this, <strong>return to the cPanel\u2019s main screen<\/strong> and <strong>click on the File Manager option<\/strong>, located in the Files section.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"512\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/05\/Database-File-Manager.jpg\" class=\"attachment-full size-full\" alt=\"Database File Manager\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/05\/Database-File-Manager.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/05\/Database-File-Manager-300x159.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/05\/Database-File-Manager-768x406.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/05\/Database-File-Manager-620x328.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]Then, <strong>navigate to the root WordPress directory of your website, locate the .htaccess file, right-click on it<\/strong> and <strong>select the <em>Edit<\/em> option<\/strong>.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" 
width=\"969\" height=\"553\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-htaccess-Edit.jpg\" class=\"attachment-full size-full\" alt=\"cPanel htaccess Edit\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-htaccess-Edit.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-htaccess-Edit-300x171.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-htaccess-Edit-768x438.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-htaccess-Edit-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]This will open cPanel\u2019s native editor, which will allow you to edit the file. Simply <strong>add the line of code shown earlier below the # END WordPress comment<\/strong>, and <strong>click on the <em>Save Changes<\/em> button in the upper-right corner of the screen.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"517\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-ErrorDocument-401-Default.jpg\" class=\"attachment-full size-full\" alt=\"cPanel ErrorDocument 401 Default\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-ErrorDocument-401-Default.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-ErrorDocument-401-Default-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-ErrorDocument-401-Default-768x410.jpg 768w, 
https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-ErrorDocument-401-Default-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]When you\u2019ve done that, <strong>reload the page that was showing the error<\/strong>. Instead of the login screen, you will see the new HTTP authentication feature that you just enabled.<strong> Now you will be prompted with a sign-in window where you need to insert the appropriate credentials before you can proceed to the WordPress login screen.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Sign-In.jpg\" class=\"attachment-full size-full\" alt=\"cPanel Sign In\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Sign-In.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Sign-In-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Sign-In-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/07\/cPanel-Sign-In-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;82px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\"><a id=\"using-security-plugins\"><\/a>Using security plugins<\/h3>\n<p>[\/vc_column_text][vc_column_text]As most WordPress users know, a quality security plugin can greatly reduce the threat of hacking attacks, including brute force ones. 
The <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-security-plugins\/\">best WordPress security plugins<\/a> offer a wide range of security-enhancing methods, some of which we\u2019ve already covered in this article. These include generating and pushing for strong passwords when creating new users, malware scanning, two-factor authentication, firewalls, audit logs, IP blacklisting and whitelisting, and many more. As such, a reputable WordPress security plugin can bear the brunt of brute force attacks to safeguard your site. Still, for optimal security, we advise combining a security plugin with some of the other methods from this article.[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\"><a id=\"updating-wordpress\"><\/a>Updating WordPress<\/h3>\n<p>[\/vc_column_text][vc_column_text]As the most popular content management system currently, WordPress is powering the majority of the Internet. One of the reasons for its great success lies in its constant improvement, both in functionality and in fixing any security vulnerabilities that are discovered in the meantime. As such, one of the best general pieces of advice for improving the overall security of your WordPress website is to update it regularly. Otherwise, hackers might decide to exploit some of the known security vulnerabilities that you haven\u2019t patched against. 
To prevent this, you should keep all aspects of your website up to date by updating <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-update\/\">the WordPress core files<\/a>, <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-update-plugins\/\">plugins<\/a>, and <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-update-a-wordpress-theme-without-losing-customization\/\">themes<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\"><a id=\"using-a-firewall\"><\/a>Using a firewall<\/h3>\n<p>[\/vc_column_text][vc_column_text]Another great piece of advice for improving your website\u2019s security involves using a firewall. Firewalls allow you to filter the traffic your website gets and detect malicious visitors. With one, you can block any IPs that are deemed suspicious, as well as impose geoblocking, i.e. blocking all IPs from a given location. Usually, firewalls are bundled within every quality security plugin, as they are an integral part of decreasing malicious influences on your site overall. They can also be included within the hosting packages offered by certain hosting providers. As such, you should consult your hosting provider about implementing a firewall or finding a suitable <a href=\"https:\/\/qodeinteractive.com\/magazine\/best-firewall-plugins-for-wordpress\/\">WordPress security and firewall plugin<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\"><a id=\"regularly-making-backups-of-your-website-and-scanning-for-malware\"><\/a>Regularly making backups of your website and scanning for malware<\/h3>\n<p>[\/vc_column_text][vc_column_text]Regularly making backups is one of the key steps to keeping your website safe and intact. Having backups safely stored will give you peace of mind when you encounter any issues. 
Those could be issues with custom code compatibility, failed updates of plugins, themes, or WordPress core files, and even hacking threats. You can <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-backup-with-updraftplus-plugin\/\">make backups using a WordPress plugin<\/a> or <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-manually-backup-wordpress-website\/\">back up your site manually<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]If you haven\u2019t done so already, we advise you to find <a href=\"https:\/\/qodeinteractive.com\/magazine\/best-wordpress-backup-plugins\/\">a quality backup plugin<\/a> and use it regularly. Likewise, you should make it a habit to routinely <a href=\"https:\/\/qodeinteractive.com\/magazine\/scan-wordpress-for-malware\/\">scan your website for malware<\/a>. This will help you identify any known security vulnerabilities that your site has and which you should address.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]In the unfortunate case that you fall victim to a brute force hacking attack, you can use a backup to <a href=\"https:\/\/qodeinteractive.com\/magazine\/manually-restore-wordpress-website-backup\/\">restore your website<\/a>. Then, log out any other logged-in users and change the admin user password to block the hacker from further accessing your site.[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\"><a id=\"blocking-ips\"><\/a>Blocking IPs<\/h3>\n<p>[\/vc_column_text][vc_column_text]As a final method against brute force attacks, you can block malicious IPs. If your website is undergoing repeated failed login attempts from specific IP addresses, you should consider blocking those addresses. But first, you should check that these attempts aren\u2019t coming from verified users who are simply misremembering their credentials. 
If that turns out to be the case, you can whitelist them.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Both IP address blacklisting and whitelisting can be done <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-block-ip-address\/\">using custom code<\/a> or with a suitable security or firewall plugin, as we mentioned before.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]While blacklisting IPs is, theoretically, less effective than the methods we mentioned previously (as a hacker can simply use a different IP address), it reduces further hacking attempts as it makes them more time-consuming. And if you experience numerous brute force attacks coming from a certain country or region, you should consider geoblocking instead of blocking individual IP addresses.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Before you opt for something more drastic like geoblocking, you should weigh the pros and cons of this decision. We suggest you implement it only if it won\u2019t cost you a great number of visitors from that country or region. If you decide to use it, you should investigate WordPress malware plugins to help you with the process.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\">Final Thoughts<\/h2>\n<p>[\/vc_column_text][vc_column_text]Brute force attacks are one of the simplest forms of hacking attacks. They target the login screen of your website by repeatedly trying to guess your credentials and gain access to the website\u2019s backend. Even if they are unsuccessful, these attacks can be harmful in other ways, such as crashing your server. This is why it\u2019s important to employ multiple layers of protection against them. 
And in this article, we covered the most important methods of guarding your site against WordPress brute force attacks.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Some of the suggestions we shared include using higher security credentials, changing the default WordPress login URL, limiting the number of failed login attempts, blocking any IPs that often break this limit, and more. We invite you to improve your site defenses as much as possible by using a combination of the methods we suggested to protect it against brute force attacks. Also, just in case, we recommend you bookmark this article for future use.<br \/>\n[\/vc_column_text][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In this tutorial, we&#8217;ll explain what WordPress brute force attacks are, and what measures and protections you can use to safeguard your site from them.<\/p>\n","protected":false},"author":11229,"featured_media":27249,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[34,4,13],"class_list":["post-27247","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials","tag-security","tag-tips","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts\/27247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/users\/11229"}],"replies":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/comments?post=27247"}],"version-history":[{"count":0,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts\/27247\/revisions"}],"wp
:featuredmedia":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/media\/27249"}],"wp:attachment":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/media?parent=27247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/categories?post=27247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/tags?post=27247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}