Hacker seated in server room launching cyberattack on laptop

5 Options to Reduce Brute Force Attack on Your WordPress Website

Brute force attack is quite common in the web world. Indeed, if you have a website, you have certainly experienced attempts to connect to your website or application. This article explains how to better secure your website to avoid brute force attacks. We will focus on the WordPress application. If you had third-party software, it would be a pleasure to redo this article for your tool in a later article. Simply leave us a message. In this article, we will talk about protecting WordPress login options. We will also see some measures you can apply to better strengthen the security of your website.

The different login approaches on a WordPress website

It is important to know what approaches users use to connect to websites. Indeed, to access your website, you necessarily need a login form or a link offered by the application. Before asking the question of how to better protect your site against the brute force attack, let’s explore the connection options.

1- Connection via the default link wp-admin

Even a beginner using WordPress knows that all they need to do is add wp-admin to the domain name to connect to a website. You can access it through the domain name/wp-admin link when you install a WordPress website. Generally, this page allows you to connect, change your password or create an account.

2- Connection from a personalized form on its website

You can create a custom form on your website to allow your users to log in. This will allow users to use the link you provide to access the website. Generally, this approach has several advantages:

  1. Users may not know that you are using any technology. Hence more changes to manage security.
  2. You can compensate for the limitations of the default login link.

3 – Using the WordPress xmlrpc.php file

With a little knowledge of web programming, it is possible to use the WordPress Xmlrpc.php file to connect to a website. This is the preferred approach of cybercriminals simply because many site owners are unaware. The approach will consist entirely of making a POST (computing term) request. Many do this automatically from PHP code.

4 – Connection using APIs

You can use a connection to your website through APIs to access the website. It would also require a minimum of knowledge in web development.

There are of course several other approaches. However, the ones we listed above are the main ones. Below we will talk about what you can do to better protect your website.

4 Steps to Reduce Brute Force Attack

If you receive connection attempt notifications; or if you have sometimes seen unwanted users registered on your website, you must first take the time to validate your configuration. Indeed, WordPress by default offers the possibility of protecting a website. Validate, for example, that you have disabled the account creation option (if you do not allow account creation). You can make this adjustment in your admin panel. Look in the option Configuration ⇒ User account. If you authorize account creation, validate that the administrator email works to be able to receive notifications in the event of account creation. This will allow you to better control who has access to your website.

Option 1 – Protect your website login forms with captchas

The vast majority of the time, the people who will try to access your website are not physically present there. They use scripts that make chain connection attempts. This allows them to easily achieve their goals.

With captchas, you can curb the possibility of using scripts to access your website. The captcha could, for example, use artificial intelligence to validate if a user is real. Alternatively, there would be a question to validate to continue with the connection. We offer you this extension that we have developed. It uses versions 2 and 3 of Google that you can activate on the login or account creation form.

Option 2 – Completely change the wp-admin name to any name.

As we mentioned above, many know that you have to add wp-admin to the domain name to have access to the connection. To protect your website, you can change wp-admin to any name. To achieve this, you can use a WordPress plugin. It is also possible to modify manually if you know web programming. Via this link, you will find a set of links that WordPress offers.

To read the whole article please visit our blog.

more insights

Dangerous hacker hiding his identity wearing a white mask

How to Check if Someone is Using Your Identity

A good time to check if someone is using your identity is before it even happens.  One of identity theft’s several downsides is how people discover they’ve…
The post How to Check if Someone is Using Your Identity appeared first on McAfee Blog.

Read more >