A sharp increase in bots trying to brute force WordPress logins has been reported for December 2016. Here’s what you can do to protect your site.
On Dec 15 in a BlogAid Today vlog, I reported on the massive goofiness I was seeing all over the web for the last week.
On Dec 16 WordFence announced a marked increase in brute force attacks that started on Nov 24 and spiked in the last two weeks.
Where Are the Attacks Coming From?
The top 3 originating countries WordFence reports are:
I can confirm those are the same high hits I’m seeing in AWStats during client site audits.
You can see your AWStats from cPanel, if your host supports that (most of the good hosts do).
How to Protect Your Site
Brute force means that bad bots are trying to guess their way through the login to your site.
In other words, they want to bust right through the front door.
They submit login attempts at high speed, working through lists of common and leaked passwords first and longer guesses after that, until one of them matches.
Your WordPress username is easy for a bot to find (author archive URLs such as ?author=1 give it away), so it all comes down to your password.
Use a Super Strong Password
Here’s what makes a password strong:
- Long – at least 12 characters – so that exhaustive guessing takes far too long to finish
- Numbers, caps, and special characters – every class you add makes each position harder to guess, more on that below
- Randomized – no dictionary words, names, dates, or keyboard patterns, because those are the first things a cracking tool tries
The Role of Special Characters
Password cracking tools do the cheap work first and the expensive work last:
- Wordlists of common and leaked passwords, with simple tweaks like a capital first letter or a number on the end
- Exhaustive guessing over lower case letters only (26 possibilities per character)
- Exhaustive guessing over upper and lower case letters (52 per character), then with digits added (62)
- Exhaustive guessing over the full printable set including special characters (about 95 per character)
Every character class you add multiplies the combinations for every position, so a 12-character password drawn from all four classes has millions of times more combinations than a 12-character lower case one. None of that helps if the password is a word from the list.
So, a password like:
is long, but is not very strong compared to:
Stronger still would be:
Nearly impossible to break would be:
Passwords Generator is my favorite site to create strong passwords.
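To make the rules above concrete, here is an added example (not code from BlogAid or from the Passwords Generator site) that rates a password the way a cracking tool would see it: a wordlist check first, then length times alphabet size, and a generator built on Python's `secrets` module. The wordlist, the leet-speak substitutions, the 12-character cutoff, the 10 billion guesses per second rate and the 50/75-bit thresholds are all assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes a brute-force tool has to cover once it sees them in use;
# every class present widens the alphabet for every position in the password.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed stand-in for a cracking wordlist. Real ones hold hundreds of
# millions of leaked passwords; anything in them falls on the first pass.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "admin", "welcome", "wordpress",
}

# Substitutions that cracking rules undo, so "P@ssw0rd" is still "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "7": "t"})


def normalize(pw):
    """Reduce a password to the word a wordlist rule would derive it from."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def alphabet_size(pw):
    """Size of the smallest class union a tool must search to cover pw."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in pw))


def assess(pw, guesses_per_second=1e10):
    """Rate a password by wordlist exposure first, then by length and alphabet.

    guesses_per_second is a hypothetical offline cracking rate (a leaked hash
    file is attacked far faster than wp-login.php ever could be); "years" is
    how long exhausting the whole search space would take at that rate.
    """
    alphabet = alphabet_size(pw)
    bits = len(pw) * math.log2(alphabet) if alphabet else 0.0
    years = (2 ** bits) / guesses_per_second / (365 * 86400)
    if normalize(pw) in COMMON_PASSWORDS:
        verdict = "weak"          # wordlist hit: length and symbols are irrelevant
    elif len(pw) < 12 or bits < 50:
        verdict = "weak"
    elif bits < 75:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"alphabet": alphabet, "bits": round(bits, 1),
            "years": years, "verdict": verdict}


def generate(length=16):
    """Random password that uses all four classes, drawn with secrets."""
    pool = "".join(sorted(set().union(*CLASSES.values())))
    full = sum(len(chars) for chars in CLASSES.values())
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if alphabet_size(pw) == full:
            return pw


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "correcthorse", "CorrectHorse", "xK9#mQ2$vL7!", generate()):
        r = assess(pw)
        print(f"{pw:20} alphabet={r['alphabet']:3} bits={r['bits']:6} "
              f"years={r['years']:.3g} {r['verdict']}")
```

Run it and compare the 12-character lower case password with the 12-character one that uses all four classes: same length, millions of times more combinations. Note that "P@ssw0rd1!" has four classes and ten characters and is still rated weak, because the rules strip the decorations and find "password" on the list.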
Kick ‘em Before They Get That Far
A strong password is actually your very last line of defense.
You want to deter bad bots before they ever get to your front door.
Outside Firewall Protection
A firewall is a fence outside of your site and hosting account that acts as a gatekeeper to what can come into the yard.
CloudFlare is the only free CDN I know of that also offers a modicum of bad bot protection. They also have a super firewall in the paid version that will stop a bot attack butt cold. I’m on the free version of CloudFlare and it does a pretty good job of stopping the attacks.
Sucuri also has a firewall in their paid service, along with their own CDN, and it will also stop bad bots butt cold.
The big benefit of an outside firewall service is that none of your hosting account resources get chewed up kicking the bad bots to the curb.
The huge drawback of firewall plugins is that your hosting resources, like CPU and memory, still get chewed to pieces when an attack hits your site.
Every request has to reach your server and load WordPress, and the plugin along with it, before the plugin can turn it away.
It chews up even more resources logging all those hits and sending you notifications.
Manually Blocking IPs
You can manually block IP addresses on your hosting account via cPanel.
It’s a whack-a-mole game you can’t win.
But, if your site comes under a temporary attack, it can stop it butt cold.
You just have to keep updating the IPs because those botnets jump from one to another regularly.
If you are on VPS hosting, you can likely block by country.
If you’re on shared hosting, you can’t do it at the hosting level.
You can do country blocking with some of the paid firewalls mentioned above.
Brute Force Plugins
Whether you have an outside firewall or not, you need a brute force protection plugin.
After just a few rapid fire failed attempts from the same IP, it will lock that IP out of any more attempts for a specified amount of time. Lockouts are per IP, so a botnet that rotates addresses still gets a few tries from each one; the lockout slows that down rather than ending it. Check that the plugin also covers xmlrpc.php, which accepts logins without ever touching wp-login.php.
I use Login Lockdown. It’s a super lightweight plugin and brute force lockout is all it does.
After 3 failed attempts, the bot’s IP is locked out.
If you are using one of those big, multi-faceted security plugins, it likely includes this function. So be sure you don’t cause a plugin conflict by installing two plugins to do the same thing.
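Here is an added example (not code from BlogAid or from the Login Lockdown plugin) that ties the two sections together: it reads Apache access log lines of the kind AWStats and cPanel are built from, applies the same rule a lockout plugin applies live (3 failures from one IP inside a short window), and prints the block list you would paste into cPanel’s IP Blocker or an .htaccess file. The log lines are constructed, using documentation-range IP addresses; the 5-minute window, the Apache 2.4 Require syntax, and the two heuristics in `is_login_failure` (a failed wp-login.php POST answers 200 because WordPress re-renders the form while a successful one redirects with 302, and every POST to xmlrpc.php is treated as a login attempt) are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines: one bot hammering wp-login.php,
# one using xmlrpc.php, a legitimate user who mistyped once, and a slow
# guesser spread out over hours.
SAMPLE_LOG = """\
192.0.2.44 - - [15/Dec/2016:08:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Dec/2016:09:58:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Dec/2016:09:58:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Dec/2016:10:22:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Dec/2016:10:22:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Dec/2016:10:22:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Dec/2016:10:22:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Dec/2016:10:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Dec/2016:10:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Dec/2016:10:30:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Dec/2016:10:30:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Dec/2016:11:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Dec/2016:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Pull ip, timestamp, method, path and status out of one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_login_failure(rec):
    """Heuristic (assumption): failed wp-login.php POSTs re-render the form
    with 200, successful ones redirect with 302. Every xmlrpc.php POST is
    counted because XML-RPC takes credentials too; drop it from this check
    if you rely on Jetpack or the mobile app, which use XML-RPC legitimately.
    """
    if rec["method"] != "POST":
        return False
    path = rec["path"].split("?")[0]
    if path.endswith("/xmlrpc.php"):
        return True
    return path.endswith("/wp-login.php") and rec["status"] == 200


def find_offenders(records, threshold=3, window=300):
    """IPs with `threshold` failures inside any `window`-second span.

    This is the lockout plugin's rule run after the fact over the log.
    Returns {ip: total failures seen from that ip}.
    """
    failures = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if is_login_failure(rec):
            failures[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, times in failures.items():
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders


def htaccess_block(ips):
    """Apache 2.4 deny rules for the offending IPs (assumed target syntax)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


def deny_list_from_log(text, threshold=3, window=300):
    records = [r for r in map(parse_line, text.splitlines()) if r]
    offenders = find_offenders(records, threshold, window)
    return offenders, htaccess_block(offenders)


if __name__ == "__main__":
    offenders, rules = deny_list_from_log(SAMPLE_LOG)
    for ip, count in sorted(offenders.items()):
        print(f"{ip:15} {count} failures")
    print(rules)
```

The slow guesser at 192.0.2.44 never trips the rule because its three failures are hours apart, which is exactly the gap a per-IP lockout leaves open; the mistyped password from 198.51.100.7 is not blocked either. Rerun this against a fresh log each day, because the addresses in the list go stale as the botnet moves on.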
Move Your Login Page
You can do it, but it will have limited success, and only for a while. Bad bots will eventually find it.
HINT: Have you noticed that if you use wp-admin to log in, it redirects you to wp-login.php?
You can just use wp-login.php directly.
And you need to hide both of those if you use this method.
A Security Plugin is Not Enough
I secure sites from the hosting account up.
That takes care of all kinds of bad bots, not just the ones trying to brute force attack.
I don’t use any of the behemoth security plugins.
It’s not about the plugin. It’s about the whole security combo.
I’m not saying that these plugins don’t work. Many do a pretty good job.
I just use a different security combo that I think works better, and chews up less system resources.
Every webmaster on the planet worth their salt has their own security combo. Some choose to use the big security plugins, especially those who caretake multiple client sites.
Check the Settings
If you use a plugin, make sure you configure it properly.
Make sure it’s protecting everything and that it’s not chewing up even more resources doing it.
I see this all the time in site audits. Folks install all manner of plugins and never check the settings.
Sometimes the plugin is never even turned on!
Need More Help?
My full site audits will show everything that is slowing down your site and all the bad bot hits, not just the brute force ones.
You get a full 30-page report. And in our no geek-speak live chat, you’ll understand exactly what is going on and can make solid, educated decisions about your site with confidence.