2 Best WordPress Plugins To Protect Your Blog From Brute Force Hacking

As a WordPress blogger, you are naturally concerned about WordPress security. We all want to keep our blogs secure against hackers.

WordPress users are lucky that there are several security plugins and template tweaks available to safeguard a blog from hacking attempts.

One of them is changing the WordPress login URL. If you haven’t done this yet, I strongly recommend doing so.

Brute force is one of the oldest forms of hacking: a hacker runs a script that attempts to log into your account by trying different combinations of dictionary words.

Depending upon the complexity of your password, it may take from 1 hour to a few days to gain access to your account. This is one reason why I keep asking you to stop using the “admin” username and change it to something else. Also, always use a complex password.

You should know that by default WordPress allows unlimited login attempts through the login page. This lets potential hackers keep guessing your password using the method called brute force.

You need to ensure that your login page is protected from brute force attacks. Here, I’m sharing two plugins (#1 is highly recommended) to protect your login page from such attacks.

Use Jetpack Plugin Brute Force protection

I have updated this post to let you know about the newest feature addition in the Jetpack WordPress plugin. Chances are you are already using the Jetpack plugin. If so, you don’t need Limit Login or any other plugin to protect you from brute force attacks: Jetpack has added a new module called Protect.

Jetpack Protect module

If you have the Jetpack plugin installed, enable the Protect module and your WordPress blog will be protected from brute force attacks. The dashboard will also show you the number of blocked malicious login attempts. You also get an option to whitelist specific IPs from Jetpack > Settings > Protect > Configure.

Whitelist Login I.P.

Use Cerber Limit Login Attempts to limit the number of login tries in WordPress:

A brute force attack can also be prevented by using the Cerber Limit Login Attempts plugin. It lets the admin limit the number of login attempts through the standard login form, and it automatically locks out any IP that tries to brute force your WordPress login page.

  • Limit the number of retry attempts when logging in (for each IP)
  • Informs user about remaining retries or lockout time on the login page
  • Optional logging, optional email notification
  • Handles servers behind a reverse proxy
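To show what the four features above look like under the hood, here is an added example written for this article (it is not code from Cerber, Limit Login Attempts, or any other plugin named here): a small must-use plugin that counts failed logins per IP with WordPress transients, locks the IP out after a threshold, tells the user how many retries remain or how long the lockout lasts, logs the lockout, and only trusts `X-Forwarded-For` when the request comes from a reverse proxy you have listed. The thresholds, the `ELT_TRUSTED_PROXIES` list and every `elt_` name are assumptions chosen for the illustration; the hooks (`wp_login_failed`, `authenticate`, `wp_login`) and the transient functions are real WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Description: Illustrative per-IP login lockout for this article (hypothetical code,
 *              not a published plugin). Save as wp-content/mu-plugins/example-login-throttle.php.
 */

// Tunables; these are assumed values picked for the example, not any plugin's defaults.
const ELT_MAX_RETRIES  = 5;                        // failed attempts per IP before lockout
const ELT_RETRY_WINDOW = 15 * MINUTE_IN_SECONDS;   // failures are counted within this window
const ELT_LOCKOUT_TIME = 30 * MINUTE_IN_SECONDS;   // how long a locked-out IP must wait
// Only list a proxy here if WordPress really sits behind it. An empty list means
// X-Forwarded-For is ignored, because any client can forge that header.
const ELT_TRUSTED_PROXIES = [];                    // e.g. ['10.0.0.5'] (assumed address)

// Resolve the visitor's IP, honouring X-Forwarded-For only when the direct peer is a trusted proxy.
function elt_client_ip() {
    $remote = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($remote, ELT_TRUSTED_PROXIES, true) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $chain     = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        $candidate = end($chain); // the last entry is the one our own proxy appended
        if (filter_var($candidate, FILTER_VALIDATE_IP)) {
            return $candidate;
        }
    }
    return $remote;
}

// Transient names for an IP: one counts failures, the other holds the lockout expiry time.
function elt_keys($ip) {
    $h = md5($ip);
    return ["elt_fail_$h", "elt_lock_$h"];
}

// Count each failed login; lock the IP once the threshold is reached.
add_action('wp_login_failed', function ($username) {
    $ip = elt_client_ip();
    list($fail_key, $lock_key) = elt_keys($ip);
    if ((int) get_transient($lock_key) > time()) {
        return; // already locked out; the authenticate filter below is rejecting these
    }
    $fails = (int) get_transient($fail_key) + 1;
    set_transient($fail_key, $fails, ELT_RETRY_WINDOW);
    if ($fails >= ELT_MAX_RETRIES) {
        set_transient($lock_key, time() + ELT_LOCKOUT_TIME, ELT_LOCKOUT_TIME);
        delete_transient($fail_key);
        // Optional logging: lands in the PHP error log (or wp-content/debug.log with WP_DEBUG_LOG).
        error_log(sprintf('[elt] %s locked out after %d failed logins (last username "%s")',
            $ip, $fails, $username));
    }
});

// Reject logins from a locked-out IP, and tell the user about remaining retries or lockout time.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' && $password === '') {
        return $user; // plain visit to wp-login.php, nothing submitted yet
    }
    list($fail_key, $lock_key) = elt_keys(elt_client_ip());
    $until = (int) get_transient($lock_key);
    if ($until > time()) {
        $minutes = max(1, (int) ceil(($until - time()) / MINUTE_IN_SECONDS));
        return new WP_Error('elt_locked_out',
            sprintf('Too many failed logins. Try again in %d minute(s).', $minutes));
    }
    if (is_wp_error($user)) {
        // This attempt is about to be counted by the wp_login_failed handler, hence the +1.
        $left = ELT_MAX_RETRIES - ((int) get_transient($fail_key) + 1);
        if ($left > 0) {
            $user->add('elt_retries', sprintf('%d attempt(s) remaining before lockout.', $left));
        }
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    list($fail_key) = elt_keys(elt_client_ip());
    delete_transient($fail_key);
}, 10, 2);
```

WordPress displays the messages in the returned `WP_Error` on the login form, which is how the user sees the remaining retries or the lockout time. Two things to keep in mind when using this pattern: transients live in the options table (or the object cache if your host has one), so the counters survive page loads but not a cache flush; and because the lockout is keyed by IP, it slows down a single attacker but does little against a botnet spread across thousands of addresses, which is why the rest of this article also covers usernames, passwords, two-step authentication and Cloudflare.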

Screenshots

  • Plugin options page:

Cerber Brute force attack WordPress Plugin

Even though the plugin is straightforward to use, you should configure the Hardening section. By default, the Cerber plugin blocks access to the XML-RPC server (including Pingbacks and Trackbacks) & the WordPress REST API. If you are using anything that requires access to the WordPress REST API (for example, an Android or iOS app for your blog), you should allow access to the WP REST API & XML-RPC.

Block WordPress rest API
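If you prefer to apply the kind of hardening described above yourself rather than through a plugin’s settings page, here is an added example (written for this article, not Cerber’s code) of a must-use plugin that switches off XML-RPC, including pingbacks, and requires authentication for the REST API instead of blocking it outright, so an app that logs in keeps working while anonymous enumeration is refused. The `ERH_ALLOW_ANONYMOUS_REST` switch and the `erh` prefix are names chosen for this illustration; the filters `xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers` and `rest_authentication_errors` are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Example REST/XML-RPC Hardening
 * Description: Illustrative hardening for this article (hypothetical code, not a published plugin).
 *              Save as wp-content/mu-plugins/example-rest-xmlrpc-hardening.php.
 */

// Assumed switch for this example: set to true only if a client legitimately needs the REST API
// without authenticating at all (rare). With false, anonymous REST requests get a 401.
const ERH_ALLOW_ANONYMOUS_REST = false;

// 1. XML-RPC. The xmlrpc_enabled filter disables the methods that require a login, which is
//    what brute-force scripts abuse (system.multicall lets them try many passwords per request).
add_filter('xmlrpc_enabled', '__return_false');

//    pingback.ping needs no login, so remove it separately if you do not want incoming pingbacks.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

//    Stop advertising the XML-RPC endpoint in the response headers.
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});

// 2. REST API. Keep it reachable, but only for authenticated users (cookie session or an
//    application password both count as logged in by the time this filter runs).
add_filter('rest_authentication_errors', function ($result) {
    if (!empty($result)) {
        return $result; // another check already produced an error; leave it alone
    }
    if (ERH_ALLOW_ANONYMOUS_REST || is_user_logged_in()) {
        return $result;
    }
    return new WP_Error(
        'rest_not_logged_in',
        'You are not currently logged in.',
        ['status' => 401]
    );
});
```

One caveat before combining this with the first plugin in this article: Jetpack talks to WordPress.com over XML-RPC, so the XML-RPC part of this file will break Jetpack Protect and the rest of Jetpack. Pick one approach, and if you go with Jetpack, drop the three XML-RPC filters and keep only the REST API filter.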

One important thing:

Disable “redirect dashboard requests” (the option that automatically redirects an unauthorized visitor to the login page when /wp-admin/ is requested) if you are unable to access the WordPress admin dashboard.

[Plugin download page]

What is a Botnet attack:

Here are a few terms you should know:

  • Botmaster: Usually the hacker who operates all the infected computers.
  • Zombie computer/Bot: A system that has been infected by the botmaster and helps with spamming. Usually, the owner of the computer is unaware that it is compromised. It could be anyone’s computer, including yours.

Usually a hacker first compromises a large number of systems spread across different geographical locations, and then uses these compromised systems to run attacks such as denial of service, brute force, email spam, and much more.

You can look at this image to understand how the botnet model works. If you wish to learn more about other hacking methods, check out how hackers hack passwords.

The major problem with a botnet attack is that it’s hard to stop with IP blocking alone: the hackers have access to many different IP ranges, and it is virtually impossible to block all of them.

Preventing WordPress brute force attack:

According to Matt, this recent botnet has access to 90,000+ IPs, and these systems are being used to run a brute force attack. A brute force attack is a method of trying all possible combinations of dictionary and non-dictionary words to log in to a system.

Here I’m sharing a few things that every WordPress user should immediately do to secure their WordPress blog against this brute force attack:

Change WordPress Login URL:

The best way to prevent hackers from brute-forcing your blog is by hiding your WordPress login URL. You can use the WPS Hide Login plugin to rename your wp-admin URL to something like domain.com/wedfweig, which is impossible for a hacker to guess.

Once you have installed & activated the plugin, go to Settings > General to configure your new WordPress login page.


Change WordPress Default username:

When you install WordPress, you have the option to select your username. By default, WordPress uses “admin” as the username, and I have already explained why you should not use the default username. If you are still using “admin” as your WordPress username, you should immediately change it to a custom username. Here you can find ways to change your WordPress default username (note: the WP Optimize plugin method doesn’t work anymore).

Do remember, the point here is: you should not have an “admin” username on your blog. This means don’t just create a new user with admin privileges and leave the admin username as it is. You have to delete the user with the username “admin.”

Use a Complex password:

This rule applies to every web property you have. Use a complex password made of letters, numbers, and special characters (#&%^@). This makes it hard for a brute force attack to crack your password. Here are a few guides to help you create a strong password for your WordPress blog:

If you are someone who keeps reusing the same password on all sites, you should stop doing this right away. You can use a password manager like Dashlane.

Enable two-step authentication:

If you are a WordPress.com blogger, you can use this guide to enable two-step authentication. Self-hosted WordPress bloggers can use this guide to enable two-step authentication on their blog.

Integrate Cloudflare:

Cloudflare, which is a free CDN service, has added a rule to detect the signs of such an attack and protect your website from it. You can read about it here; this feature is also available on the free version of Cloudflare.

HostGator hosting users can use this guide to safeguard their WordPress blog from a brute force attack. There are many WordPress security plugins out there, and you can use any of them.

Nonetheless, ensure that you are taking timely backups of your WordPress blog. That means a complete backup of your database and wp-content folder, to ensure faster recovery if your blog is affected.

I hope you take the suggested measures to ensure the safety of your WordPress blog from brute force attacks.

If you are getting too many hacking attempts, you can use the WordPress Stealth Login plugin. It helps you create custom URLs for logging in.

Do share other useful WordPress plugins which you use to keep your WordPress blog safe and secure.

Authored By
A Blogger, Author and a speaker! Harsh Agrawal is recognized as a leader in digital marketing and FinTech space. Fountainhead of ShoutMeLoud, and a Speaker at ASW, Hero Mindmine, Inorbit, IBM, India blockchain summit. Also, an award-winning blogger.

23 thoughts on “2 Best WordPress Plugins To Protect Your Blog From Brute Force Hacking”

  1. Helpful WordPress plugin for blog safety!! 🙂 No more hacking of the blog “admin panel”… 🙂

    Thanks for sharing with us!! 🙂

  2. Great Plugin,
    I’m currently using login lock down plugin.
    Now going to try this plugin.
    Thanks for sharing !! Good Job.

    ~Dev

    1. ‘Login LockDown’ is a good alternative. If you are not satisfied with it, you can try ‘Limit Login Attempts’. 🙂
      Regards.

  3. Mani Viswanathan

    I’m using Login LockDown as well as Stealth Login. This is an alternative. Also, as Harsh had mentioned in his earlier post, it’s important to change the default username and to hide the WordPress version to avoid exploits.

  4. Those are very good plugins for blog security. In case of ‘Stealth login’, we just need to give the login URL to the authors if our blog is multi-authored.

  5. I have an article site with 13 subscribed authors (including myself) and am a little bit worried about my site’s security, as it is a quite new site of mine. Definitely this plug-in will give me a sigh of relief.

    Thanks for the nice post.

  6. Thanks for the article. I have been using a free plugin called WordPress Simple Security Firewall that replaces Akismet, Limit Login Attempts and other security plugins. You can even set a master password that will not allow anyone to change the security settings if hacked. Check it out…this is a hidden gem.

  7. I am using Limit Login Attempts with a captcha on the login page and it is working well for me. There really are attempts I can see trying to get through my website. Thanks for letting us know more on security.

  8. What about using a captcha on the WP login page? There is a plugin called “Captcha on Login”. Does anyone have any experience with this plugin?

  9. Please note that Limit Login Attempts hasn’t been updated in two years. Looking through the support section for the plugin you will see some problems with admins being locked out and at least one post about it being hacked.

  11. DigitalConnectMag.com

    Also try “Lockdown WP Admin” as a better alternative to “Stealth Login”, which didn’t work for me due to it being outdated for 2 years. Lockdown WP Admin does the same thing as Stealth Login, but with additional features, and it is updated.

    1. That’s ridiculous. A security plugin with a built-in vulnerability! Are you kidding me with this kindergarten stuff? The name of the plugin was stolen from the name of the famous Limit Login Attempts plugin to attract attention and to get more installations. That’s unfair play and shows that the author can’t offer something valuable.
