15 Tips And Tools To Lock Down Your WordPress Site, And Prevent Brute Force Attacks

In this post, you're going to learn how to secure your WordPress website and blog from any potential brute force attacks.

Dealing with brute force attacks on your WordPress website is something you don't really want to worry yourself too much about, right?

Of course, and especially when all you want to do is focus on creating content, and growing your online business.

But unfortunately, this is something you have to think about as an online business owner using WordPress.

Thousands of WordPress websites get hacked into every day, and yours could be next, so don't wait for that day to come, take some action now.

What you can do to prevent brute force attacks on your website

Luckily, there are plenty of things you can be doing.

Below I've compiled a list of 20 pro tips, including some tools you can use to help you protect your WordPress site!

Take a look, and if there's something that you can do or tool you think you could use, take action now rather than when it is too late.

My experience with hacked websites

During my time with using WordPress, I've only ever experienced being hacked once.

This was back in 2011, and it was really waiting to happen to me, because I didn't know how to protect my site, or even know how vulnerable WordPress was, until much later on.

At the start of 2019, one of my niche sites got infected with Malware, and luckily I was able to deal with it by quickly restoring to a backed-up version of my site.

OK, here's what you can do to protect your WordPress site from brute force attacks and hackers.

#1. Secure your computer!

Yes, you read that first tip correctly.

Security starts right at home, so, make sure you are using reliable internet security on your computer.

In addition, make sure that your passwords to various online accounts, including your WordPress sites, are not written down and stored on your hard drive without protection.

One final tip: storing your usernames and passwords in email accounts or in applications like Evernote is not such a good idea.

I've always used and recommend Norton Security to scan my files from time to time. I also use the app to scan images and files before uploading them to my WordPress sites.

#2. Change the wp-login URL of your WordPress site

Using the default wp-login.php URL can also cause problems. For one, it's where a lot of brute force attacks take place to begin with, because every WordPress site exposes the same login address.

Brute-force login attempts from spam bots can be easily reduced, if not eliminated 99 percent of the time, simply by changing the URL of your login page.

You can use the WPS Hide Login plugin to help you change the login page destination. Check out my tutorial here.

#3. Disable new user registration on your WordPress site

If you're not accepting guest posts or don't need people to register on your site to use it, simply make sure that you disable this by changing the General Settings in the WordPress dashboard.

Go to Settings > General. (When you create a new WordPress installation this feature is automatically turned off in most cases, but it never hurts to double-check.)

#4. Use a well-coded WordPress theme

This is a big one. Many bloggers love to save money by using a cheap and cheerful free WordPress theme.

Free WordPress themes are OK to use when you're just starting out or experimenting with your site, but in time you might want to upgrade to a premium quality theme like Genesis or Thrive.

Sure, one of these themes might cost a little bit of money, but they're called premium themes for a very good reason.

Premium themes are coded with security in mind, they also come with support and frequent updates. You can learn more about premium themes here.

#5. Avoid clogging your site with too many plugins

Limit the number of plugins you install on your WordPress website or blog.

Additionally, make sure that any plugins you do have installed are kept up to date at all times.

Myself, I prefer to use premium plugins whenever possible. Of course, I also use some free 'quality plugins' that are maintained properly by reputable developers, such as Yoast SEO, Blubrry PowerPress, etc.

Plugins that are not updated frequently often contain outdated code and backdoors that hackers can exploit to inject malware into your site.

#6. Install WordFence

WordFence Free or Premium, I don't care, as long as you use it.

WordFence is a powerful solution for running a secure WordPress website, seriously, you'll sleep better at night with the knowledge that your site is automatically being scanned for Malware and protected from attacks.

I use WordFence Premium on this site as it is my primary business. So, if you value the security of your online business I would recommend you check out WordFence too.

#7. Have a backup plan!

Perhaps this should be at the top of my list, really.

In any case, you should always, always, always have a backup plan, just in case the worst should ever happen.

I use BlogVault to back up this blog on a daily basis. No, it's not a free service, but should the worst ever happen, I can get my site up and running again in no time at all.

In fact, earlier this year, I had to rely on a backup from BlogVault to restore one of my sites after a Malware infection.

If you're using a free backup solution, then it's not a real solution. The problem with a lot of these free backup plugins and services is that you can back up your site, of course, in the form of downloading your website files onto your desktop. But what do you do with those backup files should you need them in the future?

BlogVault allows you to back up and restore your site quickly and painlessly if you need to.

#8. Always update WordPress, when new versions are available

Self-explanatory stuff really, isn't it?

If you don't think that updating to the latest version of WordPress when new updates are made available is important, then just read this post. It might make you change your mind.

#9. Block IPs

For persistent login attempts and failures, consider blocking the culprits' IPs in your web host's cPanel.

You can do this easily by going to your cPanel and opening Security > IP Deny Manager.

You can also track and block IPs in WordFence if you're using it.
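To show how the "persistent login attempts and failures" from #9 can actually be spotted before you reach for the IP Deny Manager, here is a small Python script. It is an added example, my own code and not code from the post, from WordFence or from cPanel. It scans web server access log lines in the common "combined" format, keeps the POST requests to wp-login.php that came back with HTTP 200 (WordPress re-renders the login form with a 200 on a failed login and answers a successful one with a 302 redirect, so a 200 on a POST is a reasonable sign of failure), and reports the IPs that crossed a threshold of failures inside a time window. The log lines, IP addresses, threshold and window are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in Apache/nginx "combined" format (not from the post).
# 203.0.113.7 hammers the login form, 198.51.100.23 fails once then logs in (302),
# 192.0.2.55 spreads five failures over two hours, and the last line is junk.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:08:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:08:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:08:01:19 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:08:01:24 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:08:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:08:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2019:08:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2019:08:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2019:08:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2019:09:00:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2312 "-" "curl/7.64"
192.0.2.55 - - [10/Mar/2019:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "curl/7.64"
192.0.2.55 - - [10/Mar/2019:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "curl/7.64"
192.0.2.55 - - [10/Mar/2019:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "curl/7.64"
192.0.2.55 - - [10/Mar/2019:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "curl/7.64"
this line is not in combined log format
"""

# Combined log format: ip ident user [timestamp] "METHOD path protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def failed_login_attempts(log_text):
    """Map each IP to the sorted timestamps of its apparent failed logins.

    Heuristic: a POST to wp-login.php answered with 200 is a failed attempt;
    a successful login is answered with a 302 redirect instead.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop ?redirect_to=... query strings
        if rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == 200:
            attempts[rec["ip"]].append(rec["ts"])
    for stamps in attempts.values():
        stamps.sort()
    return attempts


def find_persistent_failures(log_text, threshold=5, window_minutes=10):
    """Return {ip: peak_failures} for IPs with >= threshold failures in any window."""
    window = timedelta(minutes=window_minutes)
    offenders = {}
    for ip, stamps in failed_login_attempts(log_text).items():
        start = 0
        peak = 0
        for end in range(len(stamps)):
            # slide the window start forward until it covers at most window_minutes
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def deny_list(offenders):
    """Plain IPs, one per line, ready to paste into a deny list such as cPanel's."""
    return sorted(offenders)


if __name__ == "__main__":
    hits = find_persistent_failures(SAMPLE_LOG)
    for ip, peak in hits.items():
        print(f"{ip}: {peak} failed logins inside a 10 minute window")
    print("deny list:", ", ".join(deny_list(hits)))
```

With the defaults only 203.0.113.7 is reported; 192.0.2.55 makes the same number of attempts but spread thinly, which is why the window is a parameter you should tune to your own traffic rather than a fixed rule. Run it over your real access log by replacing SAMPLE_LOG with the file contents, and treat the output as a list to review, not to block blindly, since shared proxies and your own mistyped passwords show up the same way.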

#10. Use a reliable web host

Again, perhaps this should have been placed close to the top of my list.

When I say, "use a reliable host", I don't mean one that is "cheaper than cheap chips". I mean a web host that has a track record for being reliable, safe, and secure. Yes, something like SiteGround Webhosting or Bluehost.

#11. Avoid loading extra JS scripts into your site (or on your web server)...

It's fine to use JavaScript on your site that serves a good purpose. I use various JS scripts for doing conversions, tracking purchases, and doing analytical stuff, but adding too many can cause some problems, not just security-wise but for your users as well.

If you're going to use any type of custom code or scripts in your WordPress site, keep them to a minimum, and always ensure they're from credible sources like Google or Facebook.

It might be a good idea to use Google Tag Manager to add your scripts.

#12. Keep yourself informed and updated

Knowledge is power, so instead of waiting for something drastic to happen and then having a panic attack, educate yourself and learn what you can do in advance to prevent any type of brute force attack on your site in the future.

The fact that you're reading this post is a sign that you are serious about preventing brute force attacks on your WordPress site, so good for you.

WordFence and Sucuri publish useful content including the latest news and happenings around WordPress security, so be sure to read those blogs frequently.

#13. Avoid using username "admin"

When manually adding new admins to your site (should you ever need to), avoid using the generic username "admin". That's a real amateur thing to do anyway.

If you're currently using the name "admin" for your WordPress website then consider changing it immediately.

To change it is very simple:

Simply create a new admin account with a different username and email. Make a note of the username and password carefully.

Next, transfer all the posts and pages over to the new admin account from your old admin account. WordPress prompts you to do this when you delete the old account: choose "Attribute all content to" and pick the new admin user, rather than deleting the content.

You'll need to delete the old admin account, using the new admin username account you created for yourself.

If you make a mistake doing this, you could lose all your posts, so make sure you know what you're doing. I will not be held responsible. Oh, and remember to back up first.

#14. Create stronger passwords

The password generator inside your WordPress profile is a must-use feature.

In addition to using stronger passwords, make it a habit to change your passwords every few months. I change mine every 30 days.

#15. Use one contributor account for all guest posts

Now, this is something that a lot of bloggers probably won't want to do, but it's a lot more secure than having hundreds of contributor accounts on your site.

Creating a single contributor account for all guest posts will not only save you time having to keep track of multiple accounts but can also save some space on your database and decrease the chance of having an account hacked into.

Whenever I publish a guest post on any of my blogs, I always use one single guest post account and add the user bio of the guest author to the bottom of the blog post.

It's a wrap!

So there you go, follow just a few of these tips and suggestions, or use some of the tools I mentioned above and you'll have a safe and secure WordPress website.

What are you doing to keep your WordPress website safe?

I'd love to hear your thoughts.

How much do you value your business?

How safe is your WordPress site?

Are you using any of the tips or tools I've mentioned in this post?

Leave me a comment below as always or get in touch with me here.

Happy blogging and stay safe.


7 comments on “15 Tips And Tools To Lock Down Your WordPress Site, And Prevent Brute Force Attacks”

  1. Hey Fabrizio!

    This is a great list of tips here, several of which I had to learn the hard way. I will never forget the day I logged on only to see my site had been defaced due to an exploit in a plugin (I had way too many installed at the time!)

    I will also never forget the time my web host threatened to shut me down because too many emails were being sent from my web server. Turns out, I never disabled registration and tons of spam accounts were being made. That was lovely.

    Hopefully people take the advice here to heart and don't put it off until something bad happens to them!

  2. Heyyyyy there Fabz! Gosh this is an awesome post. A few years ago, one the blogs that I had created was hacked and ugh...what a PITA it was to get it back up and going.

    I am currently using the All In One WP Security & Firewall plugin to secure my sites. It does a little bit of everything. 🙂

    Again, great tips for newbies and seasoned bloggers alike 🙂

    1. Hey Kimbo, wow that must have been some headache. I use BlogVault at present to back up the site, but I'm thinking about moving over to VaultPress or BackupBuddy. I've heard a lot of great things about both. As I mentioned in the post I use WordFence for security, the premium service is great and affordable for a yearly subscription.

      These days we have to protect our blogs and business websites, especially when it's our livelihood.

      Have a great rest of the week Kim 🙂

