{"id":1997,"date":"2016-09-07T16:48:06","date_gmt":"2016-09-07T16:48:06","guid":{"rendered":"https:\/\/www.hostbigspace.com\/blog\/?p=1997"},"modified":"2016-09-07T16:48:06","modified_gmt":"2016-09-07T16:48:06","slug":"prevent-wordpress-brute-force-attack","status":"publish","type":"post","link":"https:\/\/www.gossdhosting.com\/blog\/general\/prevent-wordpress-brute-force-attack\/","title":{"rendered":"Prevent WordPress Brute Force Attack"},"content":{"rendered":"<h1>WordPress Brute Force Attacks<\/h1>\n<p>WordPress\u2019 popularity not only attracts bloggers but also hackers.\u00a0 Hackers try to compromise WordPress installations to send spam, set up phishing exploits or launch other attacks.<\/p>\n<p>While there are many sophisticated attacks against WordPress, hackers often use a simple brute force password attack.\u00a0 In these attacks, botnets try to guess your admin password.<\/p>\n<p>You may think that such attacks would fail, but they exploit one of the weakest links in the security chain: you.<\/p>\n<p>People don\u2019t like complex passwords.\u00a0 As a result, low-security passwords get put into production.\u00a0 Even if you have good password policies and use password management tools (I use LastPass), simple passwords slip through.\u00a0 This is why I like security in depth.<\/p>\n<p>By adding an extra layer of security to your systems, you can stop WordPress brute force attacks.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" class=\"aligncenter size-full wp-image-1998\" src=\"https:\/\/i0.wp.com\/www.gossdhosting.com\/blog\/wp-content\/uploads\/2016\/09\/brute.png?resize=300%2C202&#038;ssl=1\" alt=\"brute\" width=\"300\" height=\"202\" \/><\/p>\n<h2>Stop Attacks with HTTP AUTH<\/h2>\n<p>WordPress actually has a great list of WordPress hardening tips.\u00a0 Some of these are complex and require server-level or code-level changes.\u00a0 However, in my experience, brute-force and XSS attacks against WordPress are 
common exploit tactics.\u00a0 Simply by blocking access to the login and admin areas using HTTP Authentication, you can add an additional layer of security.<\/p>\n<p>You are probably already familiar with HTTP AUTH.\u00a0 Many people refer to it simply as password protecting a directory or site with .htaccess.\u00a0 Technically, when you add these directives to .htaccess you are enabling the HTTP authentication tools built into the Apache web server.<br \/>\nBy setting up an .htaccess file to limit access to WordPress login functions, you can stop most brute force attacks.<\/p>\n<h2>Setting up HTTP AUTH<\/h2>\n<p>I recommend limiting access to wp-login.php to stop WordPress brute force attacks.<\/p>\n<p>You can do this easily by setting up .htaccess password protection.<\/p>\n<p>There are plenty of tutorials online about how to set up .htaccess files and generate the password files.\u00a0 Plesk, cPanel and other systems often have this built into their control panels.\u00a0 So I am going to assume you know how to set up .htaccess and set up an htpasswd file (if not, Google is your friend).<\/p>\n<p>Also, I recommend you use different usernames and passwords for the .htaccess and your blog.<\/p>\n<p>Once you have your password file set up, you need to add the following to your .htaccess file.\u00a0 Replace the placeholder <code>\/full\/path\/to\/.htpasswd<\/code> with the full filesystem path to your .htpasswd file: Apache does not expand <code>~<\/code>, and a relative path is resolved against the server root, not your home directory.\u00a0 Keep the .htpasswd file outside the web root so it cannot be downloaded.<\/p>\n<div class=\"container\">\n<blockquote>\n<pre><code># Protect wp-login\n&lt;Files wp-login.php&gt;\nAuthUserFile \/full\/path\/to\/.htpasswd\nAuthName \"Private access\"\nAuthType Basic\nRequire user mysecretuser\n&lt;\/Files&gt;\n<\/code><\/pre>\n<\/blockquote>\n<p>These settings will cause an additional HTTP authentication prompt before you log in to WordPress.\u00a0 Because Basic authentication sends the credentials with every request only base64-encoded, serve the login page over HTTPS.<\/p>\n<p>You will need to enter the username and password you set up in your htpasswd file to get past this prompt.\u00a0 Once you log in here, you will then see the normal WordPress login screen.<\/p>\n<p>Note that the usernames and passwords used in your .htaccess file have nothing to do with those used in WordPress.\u00a0 If you have multiple bloggers, you could use a single username and password for the HTTP Authentication phase and then have the bloggers use their own access details to log into WordPress.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>WordPress Brute Force Attacks WordPress&rsquo; popularity not only attracts bloggers but also hackers.&nbsp; Hackers try to compromise WordPress installations to send spam, set up phishing exploits or launch other attacks. 
While there are many sophisticated attacks against WordPress, hackers often use a simple brute force password attack.&nbsp; In these attacks, botnets try to guess your admin [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4519,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3],"tags":[151,152,153,154,46],"class_list":["post-1997","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-attack","tag-brute","tag-bruteforce","tag-protection","tag-wordpress"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.gossdhosting.com\/blog\/wp-content\/uploads\/2024\/01\/social-image.jpg?fit=1200%2C630&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.gossdhosting.com\/blog\/wp-json\/wp\/v2\/posts\/1997","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gossdhosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gossdhosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gossdhosting.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gossdhosting.com\/blog\/wp-json\/wp\/v2\/comments?post=1997"}],"version-history":[{"count":0,"href":"https:\/\/www.gossdhosting.com\/blog\/wp-json\/wp\/v2\/posts\/1997\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.gossdhosting.com\/blog\/wp-json\/wp\/v2\/media\/4519"}],"wp:attachment":[{"href":"https:\/\/www.gossdhosting.com\/blog\/wp-json\/wp\/v2\/media?parent=1997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gossdhosting.com\/blog\/wp-json\/wp\/v2\/categories?post=1997"},{"taxonomy":"post_tag","embeddable":true
,"href":"https:\/\/www.gossdhosting.com\/blog\/wp-json\/wp\/v2\/tags?post=1997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}