In this post, you’re going to learn how to secure your WordPress blog or website from potential brute force attacks.
Brute force attacks on your WordPress website are something you don’t really need to experience or even worry yourself about, right?
But unfortunately, it happens every day with WordPress users.
Thousands of websites get hacked into every single day, so don’t wait for the day to come when yours could potentially get hacked too. Take action now.
What you can do to prevent brute force attacks on your website
Below I’ve compiled a list of 20 tips, including tools you can use to help you protect your WordPress site!
Scroll down and check them out, and if there’s something that you can do, consider implementing a few of them on your WordPress site for peace of mind about your website’s security.
Let’s get to it.
#1. Secure your computer!
Yes, you read that first tip correctly.
Security starts right at home, so make sure you have some kind of internet security on your computer.
Also make sure that your passwords to various online accounts, including your WordPress sites, are not written down and stored on your hard drive without protection.
Additionally, saving usernames and passwords in email accounts or in Evernote is not such a good idea.
#2. Change the wp-login URL of your WordPress site
Using the default wp-login.php can also cause problems. For one, it’s where a lot of brute force attacks take place.
Brute force login attempts from spam bots can be easily reduced, if not eliminated, by simply changing the URL of your login page.
Use the Rename wp-login.php plugin to achieve this.
Check out my tutorial on how to change the login name in your WordPress site here.
#3. Disable new user registration on your WordPress site
If you’re not accepting guest posts or don’t want anyone to register on your WordPress site, simply make sure that they cannot register.
You can do this by going to Settings > General. When you create a new WordPress installation this feature is automatically turned off in any case, but it never hurts to double check.
#4. Use a well-coded WordPress theme
Sure, they cost a little bit of money initially, but they’re called premium themes for a good reason.
#5. Avoid using too many plugins
Limit the number of plugins you install on your WordPress site.
Additionally, make sure that any plugins you do have installed are kept up to date.
I personally prefer to use premium plugins whenever possible. Of course, I also use free ‘quality plugins’ that are maintained properly by reputable developers, such as Yoast SEO, Blubrry PowerPress, and Disqus.
#6. Install WordFence
WordFence is a complete and affordable solution (if you decide to go premium) to WordPress website security.
I currently use this very plugin on all of my WP sites (the free version). If you click here you can view real-time attacks taking place on WordPress sites right now, and how WordFence is working to block those attacks. It’s actually fun to watch.
#7. Have a backup plan!
Perhaps this should be at the top of my list, right?
In any case, you should always have a backup plan, just in case the worst should ever happen.
I use BlogVault to back up this blog daily. It’s not a free service, but should the worst ever happen, I can get my site up and running again in no time at all.
If you’re using a free backup solution, the problem with a lot of these free backup plugins and services is that you can back up your site, of course, but what do you do with those backups should you need them?
Using a premium all-in-one backup service can help you restore your site quickly. You can learn more about BlogVault here.
#8. Always update to the latest version of WordPress when possible
Self-explanatory stuff really, isn’t it? If you don’t think that updating to the latest version of WordPress is important, then just read this post. It might make you change your mind.
#9. Block IPs
For persistent login attempts and failures, consider blocking those culprits’ IPs in your web host’s cPanel.
You can do this easily by going to your cPanel and opening Security > IP Deny Manager.
You can also track IPs in WordFence or another plugin called Limit Login Attempts.
#10. Use a reliable web host
When I say reliable I don’t mean one that is “cheap as chips”. I mean a web host that has a track record for being reliable, safe, and secure, like SiteGround.
#11. Avoid installing too many scripts or codes on your site (or on your web server)
Often WordPress users will install many scripts and custom codes to avoid having to use too many plugins or to add extra functionality to their sites. And not just on their actual website, but on their server as well.
If you’re going to add codes and scripts to your WordPress site, keep them to a minimum, and always ensure they’re from a credible source.
#12. Keep yourself informed and updated
Knowledge is power, people, so instead of waiting for something to happen and then having a panic attack, educate yourself and learn what you can do in advance to prevent any type of brute force attack in the future.
The fact that you’re reading this post is a sign that you are serious about preventing brute force attacks on your WordPress site. Good for you.
#13. Avoid using the username “admin”
When manually adding new admins to your site (should you ever need to), avoid using the username “admin”. That’s a real amateur thing to do anyway.
If you’re currently using the name “admin” for your website then consider changing it immediately.
Changing it is very simple. Create a new admin account with a different username and email. Then transfer all the posts and pages from your old admin account over to the new admin account (you do this at the point of deleting the old admin account).
You’ll need to delete the old admin account while logged in with the new admin account you created for yourself.
If you make a mistake doing this, you could lose all your posts, so make sure you know what you’re doing. I won’t be held responsible. Oh, and remember to back up.
#14. Create stronger passwords
The password generator inside your WordPress profile is a must-use feature.
In addition to using stronger passwords, make it a habit to change your passwords every few months.
#15. Use one contributor account for all guest posts
Now, this is something that not a lot of bloggers will want to do.
However, creating a single contributor account for all guest posts will not only save you time having to keep track of multiple accounts but can also save some space in your database and decrease the chance of having an account hacked into.
Whenever I publish a guest post on any of my blogs, I always use one single guest post account and add the user bio of the guest author to the bottom of the blog post.
So there you go. Follow just a few of these tips and suggestions, or use some of the tools I mentioned above, and you’ll have a safe and secure WordPress website.
What are you doing to keep your WordPress website safe?
I’d love to hear your thoughts.
How much do you value your business?
How safe is your WordPress site?
Happy blogging and stay safe.