Last Updated on August 14, 2019 by Fabrizio Van Marciano
In this post, you're going to learn how to secure your WordPress website and blog from any potential brute force attacks.
Dealing with brute force attacks on your WordPress website is something you don't really want to worry yourself too much about, right?
Of course, and especially when all you want to do is focus on creating content, and growing your online business.
But unfortunately, this is something you have to think about as an online business owner using WordPress.
Thousands of WordPress websites get hacked into every day, and yours could be next, so don't wait for that day to come, take some action now.
Luckily, there are plenty of things you can be doing.
Below I've compiled a list of 20 pro tips, including some tools you can use to help you protect your WordPress site!
Take a look, and if there's something that you can do or tool you think you could use, take action now rather than when it is too late.
During my time with using WordPress, I've only ever experienced being hacked once.
This was back in 2011, and it was really waiting to happen to me because I didn't know how to protect my site or even knew how vulnerable WordPress was until much later on.
At the start of 2019, one of my niche sites got infected with Malware, and luckily I was able to deal with it by quickly restoring to a backed-up version of my site.
OK, here's what you can do to protect your WordPress site from brute force attacks and hackers.
Yes, you read that first tip correctly.
Security starts right at home, so, make sure you are using reliable internet security on your computer.
In addition, make sure that your passwords to various online accounts, including your WordPress sites are not written down and stored on your hard drive without protection.
One final tip, storing your usernames and passwords in email accounts or in applications like Evernote is not such a good idea.
I've always used and recommend Norton Security to scan my files from time to time. I also use the app to scan images and files before uploading them to my WordPress sites.
Using the default wp-login.php can also cause problems. For one, it's where a lot of brute force attacks take place, to begin with.
Spammy bots brute login attempts can be easily reduced, if not eliminated 99 percent of the time, simply by changing the URL structure of your login page.
You can use the WPS Hide Login plugin to help you change the login page destination. Check out my tutorial here.
If you're not accepting guest posts or don't need people to register to your site to use it, simply make sure that you disable this by changing the General Settings in WordPress dashboard.
Go to Settings > General. (When you create a new WordPress installation this feature is automatically turned off in most cases, but it never hurts to double-check.)
This is a big one. Many bloggers love to save money by using a cheap and cheerful free WordPress theme.
Sure, one of these themes might cost a little bit of money, but they're called premium themes for a very good reason.
Premium themes are coded with security in mind, they also come with support and frequent updates. You can learn more about premium themes here.
Limit the number of plugins you install on your WordPress website or blog.
Additionally, make sure that any plugins you do have installed are kept up to date at all times.
Myself, I prefer to use premium plugins whenever possible. Of course, I also use some free 'quality plugins' that are maintained properly by reputable developers, such as Yoast SEO, Blubrry PowerPress, etc.
Plugins that are not updated frequently can often contain expired code and backdoors that hackers can exploit to inject Malware into your site.
WordFence Free or Premium, I don't care, as long as you use it.
WordFence is a powerful solution for running a secure WordPress website, seriously, you'll sleep better at night with the knowledge that your site is automatically being scanned for Malware and protected from attacks.
I use WordFence Premium on this site as it is my primary business. So, if you value the security of your online business I would recommend you check out WordFence too.
Perhaps this should be at the top of my list, really.
In any case, you should always, always, always have a backup plan, just in case the worst should ever happen.
I use BlogVault to back up this blog on a daily basis. No, it's not a free service but should the worst ever to happen, I can get my site up and running again in no time at all.
In fact, earlier this year, I had to rely on a backup from BlogVault to restore one of my sites after a Malware infection.
If you're using a free backup solution, then it's not a real solution. The problem with a lot of these free backup plugins and services is that you can back up your site, of course, in the form of downloading your website files onto your desktop. But what do you do with those backups files should you need them in the future?
BlogVault allows you to backup and restore your site quickly and painlessly if you need to.
Self-explanatory stuff really, isn't it?
If you don't think that updating to the latest version of WordPress when new updates are made available is important, then just read this post. It might make you change your mind.
For persistent login attempts and failures, consider blocking those culprits IP's in your web host Cpanel.
You can do this easily by going to your Cpanel and accessing security > IP deny manager folder.
You can also track and block IP's in WordFence if you're using it.
Again, perhaps this should have been placed close to the top of my list.
When I say, "use a reliable host", I don't mean one that is "cheaper than cheap chips". I mean a web host that has a track record for being reliable, safe, and secure. Yes, something like SiteGround Webhosting or Bluehost.
If you're going to use any type of custom code or scripts in your WordPress site, keep them to a minimum, and always ensure they're from credible sources like Google or Facebook.
It might be a good idea to use Google Tag Manager to add your scripts.
Knowledge is power, so instead of waiting for something drastic to happen and then have a panic attack, educate yourself and learn what you can do in advance to prevent any types of brute force attacks to your site in the future.
The fact that you're reading this post is a sign that you are serious about preventing brute force attacks on your WordPress site, so Good for you.
WordFence and Sucuri publish useful content including the latest news and happenings around WordPress security, so be sure to read those blogs frequently.
When manually adding new admins to your site (should you ever need to), avoid using the generic username "admin". That's a real amateur thing to do anyway.
If you're currently using the name "admin" for your WordPress website then consider changing it immediately.
To change it is very simple:
Simply create a new admin account with a different username and email. Make a note of the username and password carefully.
Next, transfer all the posts and pages over to the new admin account from your old admin account (this is done when you are deleting your old admin name to transfer posts).
You'll need to delete the old admin account, using the new admin username account you created for yourself.
If you make a mistake doing this, you could lose all your posts, so make sure you know what you're doing. I will not be held responsible. Oh, and remember to backup.
The password generator inside your WordPress profile is a must-use feature.
In addition to using stronger passwords, make it a habit to change your passwords every few months. I change mine every 30 days.
Now, this is something that not a lot of bloggers will probably not want to do, but it's a lot more secure than having hundreds of contributor accounts on your site.
Creating a single contributor account for all guest posts will not only save you time having to keep track of multiple accounts but can also save some space on your database and decrease the chance of having an account hacked into.
Whenever I publish a guest post on any of my blogs, I always use one single guest post account and add the user bio of the guest author to the bottom of the blog post.
So there you go, follow just a few of these tips and suggestions, or use some of the tools I mentioned above and you'll have a safe and secure WordPress website.
What are you doing to keep your WordPress website safe?
I'd love to hear your thoughts.
How much do you value your business?
How safe is your WordPress site?
Are you using any of the tips or tools I've mentioned in this post?
Leave me a comment below as always or get in touch with me here.
Happy blogging and stay safe.