You may be aware of a change we made to our servers this week in order to globally protect from WordPress Brute Force Attacks. This change means that just before accessing your WordPress login page, you are greeted with a popup asking you for a username and password. You can read our knowledge base entry for more information on the change.
On a technical level this change worked brilliantly and we have seen a very large number of brute force attacks being prevented every day on each server since then. We also found that the number of attacks was far more than we expected. The login form we implemented was able to thwart what would have been a debilitating number of connections to our servers and we are pleased that we were able to keep our servers up and running without trouble.
Unfortunately, and perhaps understandably, some of you expressed your disappointment with this change. For one, we did not communicate the change in a proactive manner. And two, this solution is inconvenient since it requires you to login twice in order to manage WordPress. Please know that we are committed to doing a better job of informing you of changes going forward and that we are looking for a longer-term solution to the problem of widespread WordPress Brute Force attacks.
However, there are not many options available to us to secure all WordPress installations across all servers. The ultimate solution we all need to work towards is for each WordPress installation to use plugins or other methods that will secure each WordPress installation individually.
How do I secure my WordPress site against brute force attacks?
WordPress have done a fantastic job of creating an article about brute force attacks, but for convenience we shall review our favourite options that work on our servers.
Step 1. Change your administrator username.
Using the default username of “admin” may be convenient and easy to remember, but it’s also the most obvious one for attackers to guess. We strongly recommend that you change your username to something else, such as your first name. An easy way to change the username from ‘admin’ to something else is to use the following plugin.
Step 2. Use a strong and unique password.
This one is perhaps common sense, but you’d be surprised at how many users sacrifice security for convenience. Using the same password you use everywhere else may be convenient for you, but if one of these other sites is compromised, it makes it even easier to compromise your blog. We recommend using a new, random and unique password.
If the password is hard to remember, then it is probably a good password!
Step 3. Rename your wp-login.php file and wp-admin folder.
This is a solution we recommend over Step 4 below, because it addresses the very source of the problem by preventing the attack from getting through to WordPress to begin with.
Brute force attacks are made against the wp-login.php file directly. If this file does not exist or has been renamed, and the attacker does not know the name of the file, then the attack will simply fail without being processed. Fortunately there’s a plugin available to make it very easy to rename this file and folder: http://wordpress.org/plugins/rename-wp-login/
Step 4. Install plugins to prevent brute force attacks.
There are many plugins available that can be used to protect your blog against brute force attacks. Our favourite of these is BruteProtect as it uses a centralised database to share IP addresses from detected attackers worldwide. This means that when a new attacker is detected, the IP address is shared with all other users of BruteProtect, preventing other blogs from being hit by the same attacker.
There are other plugins available (listed in the WordPress article at the start of this post) that can also provide quick and easy methods of blocking repeated attackers.
Important note: If you use a plugin that alerts you via e-mail when it blocks an attack, please be sure to disable these e-mails. The plugin may generate too many e-mails and cause our systems to block your website from sending out any further e-mails, which could cause problems for you.
Step 5. Enable WordPress automatic updates.
Wordpress is constantly being updated. New bugs and issues are being found and fixed all of the time. Some of these bugs are security vulnerabilities which could lead to your blog being compromised or hacked. It’s therefore critically important to keep your blog up to date and running the latest version at all times. Fortunately, with the later versions of WordPress, there is now an automatic background updater which will apply these fixes for you. To check and ensure this option is enabled, please see the following WordPress article.
If you have installed WordPress via Softaculous on our servers, you can also update it from within the control panel. You can find out how to upgrade your scripts in Softaculous by reading the following article.
If you are upgrading from a very old version of WordPress to the latest version, please be sure to check with your theme or theme developer that it will continue to work fine. Your theme may need to be updated to work correctly on the latest version.
Conclusion
Securing WordPress has become much easier over the last few years. Many plugins are now available to make the process as quick and as simple as possible, even for those with less technical knowledge than advanced WordPress users. This is, unfortunately, partly in response to the huge number of increased attacks being made against users of the software. Over time these plugins and systems will improve and this will likely become less of a problem.
It’s important to note that these attacks are, in almost every case, not directed at you and your blog personally. Your blog has simply been found in an automated search, and bots or other automated tools will indiscriminately attempt to guess your username and password. This is why the steps above will make this virtually impossible for them and significantly improve the security of your blog.
Performing the steps above are, of course, completely optional. That said, we very strongly recommend that you follow them, as increasing numbers of blogs are being compromised on a daily basis. It can take significantly longer to clean up and restore a compromised WordPress blog than it does to perform all of the steps above, so the time investment is certainly worth it.
In the meantime, we will continue to evaluate the options available to us that would allow us to implement a server-wide solution that is more convenient for you.