Ever heard of thieves trying to get into a locked house by trying out a bunch of different keys? That’s pretty much what a brute force attack on WordPress websites works like. Attackers aim to target users with weak admin passwords to brute force their way in. If you’re wondering how you got to this point, let’s break it down for you. Several versions ago, WordPress would use a default username called ‘admin’ for its users. Attackers prey on these accounts by trying different passwords to go with that same username and get into anything that gives them access.
How to prevent this?
The first step to take would be to change your username if you’re still using ‘admin’ and use something more unique instead. This eliminates the possibility of you being in the vulnerable category that attackers are trying to look at automatically. It is also the most potent step you can take to protect yourself from this attack.
Don’t use any weak passwords! Sure, ‘123456’ is easy to remember but it also resembles the idea of giving your house keys to a known thief. If you can’t think of something difficult, use password generators to come up with something strong that isn’t easy to guess. WordPress also makes it simpler to understand how strong your passwords are with a meter that shows up when you’re trying to create one.
Keep your WordPress and computer software versions updated and be sure to turn on ‘two-factor authentication’ if you’re using WP.com. This would signal you if an attempt is coming from a different device/region as yours.
Call your hosting provider if you feel like your admin pages have become difficult to log into and appear to be sluggish. They should be able to guide you in the right direction.
Use an extra tool or a plugin that limits the number of login attempts made. If your website does not require multiple people to log in, you can even add plugins that block any attempts (other than yours) to access wp-admin.
If you’ve been a victim of attacks like these in the past and have noticed a pattern of IP addresses or regions where the attacks originate from, you can add an extra layer of protection. This can be done by creating a ‘blocklist’ of IP addresses that are trying to access your website from those regions. Unfortunately, in doing so you would also block out some genuine users who want to access your website.