6 tips to avoid brute-force attacks on WordPress


Many of the main sources that cover WordPress confirm that most brute-force attacks are aimed at sites built on the WordPress and Joomla CMSs. Hosting companies such as Hostgator and LiquidWeb, among others, continuously report these events to their clients. The attackers' botnets contain over 90,000 different IP addresses and take advantage of the most common mistakes that WordPress beginners often make. This can be a serious problem, so let's look at what we need to do to decrease the chances of being hacked.


1. Stop using the default username “admin”.

It is very common for novice users to choose common or default usernames such as admin, administrator or test. The main hosting companies have recently warned that these usernames are being targeted right now. If you have a generic username (such as admin) on a WordPress site, change it right now.

2. Use a secure password.

This is something we cannot overlook: use a fairly strong password. These brute-force attacks try the most common passwords that users set on their sites. A secure password contains uppercase and lowercase letters, numbers, and symbols. Do not use the same password in more than one location. It’s never too late to start using a password management solution like 1Password or LastPass.

3. Regularly back up your files and database.

The best security we can have for our website is a regular backup. We can make our copies manually from our hosting manager; there are also plugins, as we will see later, that can do this work automatically.

It is important to make such copies periodically, as hosting companies do not usually make them as a rule.

4. Use two-factor authentication.

Begin using two-factor authentication. This way, even if someone guesses your password, they will not be able to access your site because they do not have the security key. We recommend doing this as soon as possible; the Google Authentication plugin can help here.

5. Password-protect WP-Admin and limit login attempts.

It is always advisable to limit login attempts, although this alone cannot protect us from all attacks, since a botnet contains 90,000 IPs. Another thing you can do is password-protect the wp-admin directory; it is also advisable to restrict the wp-login.php file to a specific IP address.
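The limit of per-IP login throttling noted above, as an added example that is not part of the original article: a Python script that reads access-log lines in Combined Log Format, lists the IPs a per-IP limit would catch, and separately flags minutes where failed logins summed across all IPs exceed a site-wide limit. The thresholds, function names and sample log are constructed for illustration, and it assumes stock WordPress, which answers a failed login with HTTP 200 and a successful one with a 302 redirect.

```python
import re
from collections import Counter
from datetime import datetime

# Combined Log Format prefix: ip ident user [time] "METHOD path PROTO" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(lines):
    """Yield (ip, minute) for each failed POST to wp-login.php."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Assumption: stock WordPress re-renders the form (200) on a failed
        # login and redirects (302) on success.
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == "200":
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when.strftime("%Y-%m-%d %H:%M")

def analyse(lines, per_ip_limit=5, site_limit=20):
    """Return (IPs over the per-IP limit, minutes over the site-wide limit)."""
    per_ip, per_minute, sources = Counter(), Counter(), {}
    for ip, minute in failed_logins(lines):
        per_ip[(ip, minute)] += 1
        per_minute[minute] += 1
        sources.setdefault(minute, set()).add(ip)
    noisy_ips = sorted({ip for (ip, _), n in per_ip.items() if n > per_ip_limit})
    distributed = {m: len(sources[m]) for m, n in per_minute.items() if n > site_limit}
    return noisy_ips, distributed

def _line(ip, clock, method="POST", status=200):
    return (f'{ip} - - [12/Mar/2024:{clock} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 1500 "-" "-"')

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE = (
    [_line("198.51.100.7", f"10:00:{s:02d}") for s in range(8)]           # one noisy IP
    + [_line(f"203.0.113.{i}", f"10:05:{i:02d}") for i in range(1, 31)]   # 30 IPs, 1 try each
    + [_line("192.0.2.10", "10:07:00", status=302)]                       # successful login
    + [_line("192.0.2.10", "10:06:55", method="GET")]                     # loading the form
)

if __name__ == "__main__":
    noisy, distributed = analyse(SAMPLE)
    print("per-IP limit would block:", noisy)
    print("site-wide spikes (minute -> distinct IPs):", distributed)
```

On the sample, the per-IP limit catches only the single noisy address; the 30-address wave stays under it and shows up only in the site-wide count, which is why the IP restriction on wp-login.php is worth adding.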

6. Start using the WordPress Security plugin.

Most of the attacks that WordPress suffers are due to vulnerabilities caused by plugins, weak passwords and obsolete software. One of the most popular plugins is WP Sucurity, which among many functions hides the places that are more prone to these attacks, keeping the most sensitive ones like login, admin, etc. out of danger.

If we do not take these precautions, it is easier than it seems to leave our site exposed to malicious code injection and attacks of any kind, which is something we can avoid by using the tips mentioned above.