Securing a WordPress Installation Against Recent Brute-Force Attacks



Blogging and content management systems are having a hard time right now. They are under continuous attack from botnets and scripts that try to break logins by brute force. The attackers stay under cover; experts have found around 200,000 IPs attacking WordPress websites with brute-force scripts. If they break into our WordPress site, what happens next? I think everyone knows the answer.

WordPress is the main target, ahead of Joomla, Drupal and the like, because it is so widely used. So protecting a website that runs it has become mandatory.

How to protect WordPress from such attacks?

Here are some simple tips we can fight back with:

1) Host with a trusted web hosting company that runs world-class security on its servers, such as hardware DDoS protection and a firewall. Most companies now meet that standard, but be a customer of a reputable hosting company anyway.

2) Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.

Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.

3) Always keep up to date with the latest version of WordPress.

4) Always use strong passwords to protect your WordPress login. Your password should be hard for other people to guess and hard for a brute-force attack to crack. Many automatic password generators are available that can be used to create secure passwords. WordPress also features a password strength meter, which is shown when you change your password in WordPress. Use it when changing your password to make sure the new one rates as very strong.

Some things to avoid when choosing a password:

  • Any permutation of your own real name, username, company name, or name of your website.
  • A word from a dictionary, in any language.
  • A short password.
  • Any numeric-only or alphabetic-only password (a mixture of both is best).

A strong password is necessary not just to protect your blog content, but your entire server and fellow netizens or bloggers.

5) If you upload files to the server over FTP, use SFTP instead if your web host provides it, so that the transfer is encrypted. This protects both WordPress and the server.

6) Permissions on the files hosted on the server should be thoroughly checked. Enabling write access to the outside world is like inviting hackers to “Please deface my Website, You are welcome”.

Use 644 as the permissions for files and 755 for directories. Only the directories under wp-content/ will vary, as 777 permissions may be required on the uploads folder in some cases.

If you have shell access (SSH access) to your server, you can change the permissions of the files and directories of the WordPress installation in the blink of an eye.

For Directories
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
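
Before running the blanket chmod above, it helps to see what actually deviates from the 644/755 baseline. The following read-only audit is an added example, not part of the original post; the function name audit_wp_perms and its output labels are made up for illustration.

```sh
#!/bin/sh
# Added example: audit a WordPress tree against the 644 (files) /
# 755 (directories) baseline from tip 6. It changes nothing on disk.

# audit_wp_perms ROOT
# Prints one finding per line and returns:
#   0  every file and directory matches the baseline
#   1  something deviates, but nothing is world-writable
#   2  at least one world-writable file or directory exists
audit_wp_perms() {
    root=$1
    # -perm -0002 matches anything with the "other" write bit set
    # (777, 666, 757 ...). Symlinks are skipped: only -type d / -type f.
    ww=$(find "$root" \( -type d -o -type f \) -perm -0002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} \;)
    # Exact-mode tests catch the quieter deviations, e.g. 775 or 600.
    other=$(find "$root" -type d ! -perm -0002 ! -perm 755 \
                -exec printf 'NOT-755 %s\n' {} \;
            find "$root" -type f ! -perm -0002 ! -perm 644 \
                -exec printf 'NOT-644 %s\n' {} \;)
    if [ -n "$ww" ]; then printf '%s\n' "$ww"; fi
    if [ -n "$other" ]; then printf '%s\n' "$other"; fi
    if [ -n "$ww" ]; then return 2; fi
    if [ -n "$other" ]; then return 1; fi
    return 0
}

# Run as: sh audit.sh /path/to/your/wordpress/install/
[ "$#" -eq 0 ] || audit_wp_perms "$1"
```

A WORLD-WRITABLE line for the uploads folder is the exception mentioned above; the same label anywhere else in the tree is worth fixing first.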

7) The database should be secured. If you own the database, remember to turn off remote access if it is not used. Also, choose a database name that does not contain the website name or “wordpress”, and change the default table prefix “wp_” to something else, which may make it harder for bots to find the tables.

8) Disable the file editing feature that is built into WordPress. It allows code execution for anyone who gains access to the admin area, which makes it a serious issue for WordPress security.

          To block this, just add define('DISALLOW_FILE_EDIT', true); in wp-config.php

     Placing this line in wp-config.php will remove the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users.

9) Use only trusted plugins. Don't just install every plugin to try it out. Read the details and reviews first, and install it only if it suits you and the rating is good. If you face any issue, just deactivate it, and don't forget to remove it from the system along with all files associated with it.

10) Rename your “admin” user to some other username, either while creating it or after installation, by updating the database through the MySQL command line or phpMyAdmin, whichever is available to you.

UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';

11) Do regular backups of the database and files.

12) Check the WordPress logs regularly to see if anything unwanted is going on.

13) Let Cloudflare or another CDN handle resolving the website for you. Services like Cloudflare filter your traffic and check its legitimacy before it reaches your site. They have set up much celebrated firewall and DDoS protection services to ensure safety. There are other advantages to using them too, such as faster website loading and less bandwidth usage. Checkout for more details on how to use it.
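
For the log review in tip 12, this is one way to spot brute-force attempts against wp-login.php, as an added example that is not part of the original post. It assumes the web server writes Apache/nginx "combined" format access logs and relies on WordPress answering a failed login with status 200 and a successful one with a 302 redirect; the function names and the sample log lines are constructed.

```sh
#!/bin/sh
# Added example: count failed wp-login.php POSTs per client IP.

# Constructed sample log (documentation-range IP addresses).
sample_access_log() {
cat <<'EOF'
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2024:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2024:10:00:16 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# wp_login_bruteforce LOG [THRESHOLD]   (THRESHOLD defaults to 5)
# One line per IP with at least THRESHOLD failed logins:
#   <ip> failed=<n> success_after_failures=<yes|no>
# "yes" means a 302 arrived after the IP had already crossed the
# threshold: a guess may have worked, so treat that account as compromised.
wp_login_bruteforce() {
    awk -v min="${2:-5}" '
        # combined format: $1 = client IP, $6 = "\"POST", $7 = path, $9 = status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php(\?|$)/ {
            ip = $1
            if ($9 == 200) fail[ip]++
            else if ($9 == 302 && fail[ip] >= min) hit[ip] = 1
        }
        END {
            for (ip in fail)
                if (fail[ip] >= min)
                    printf "%s failed=%d success_after_failures=%s\n",
                           ip, fail[ip], ((ip in hit) ? "yes" : "no")
        }' "$1" | sort
}

# Demo on the constructed sample with a threshold of 3 ("-" = stdin).
sample_access_log | wp_login_bruteforce - 3
```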

Some Helpful Plugins

Stealth Login Plugin

  This helps to change the URL to something like If you provide your question and answer correctly, only then does it show the wp-login page. Otherwise it will redirect to the page which we enter in the settings.


Wordpress Stealth login plugin - Teksupport

In this example, we can log in to WordPress using the URL shown in the screen below. It provides some security against brute-forcers.

What I have provided here is what I normally do as a basic part of the WordPress hardening process. A lot more than that can be done to ensure the safety of websites that use WordPress. If you have any suggestions on doing it, or any additions are needed, please drop your comments.