WordPress is a widely used open source CMS, which also makes it a popular target for attackers. ‘DDoS’ and ‘brute force’ are the two kinds of attack website owners hear about most often. WordPress site owners should take site and server security seriously, yet many do not cover even the basics.
What is a Brute Force Attack?
A ‘brute force’ login attack tries to gain access to a site by guessing the username and password over and over again. Other attacks depend on a vulnerability in the website's code; a brute force attack is simple trial and error and can be run against any site that has a login form.
How is a Brute Force Attack Launched Against a WordPress Site?
Launching a brute force attack against a WordPress site is easier than most other attacks. In most cases the attacker simply replays the login form's POST request with guessed credentials. For WordPress, the POST is sent to wp-login.php with the guessed username and password in the form fields named log and pwd. A wrong guess gets the login form back with an HTTP 200 response, while a correct guess gets an HTTP 302 redirect to the dashboard, so a script can tell the two apart without ever rendering a page.
Ways to Prevent Brute Force Attack
Verifying You Are Human
Most brute force attacks are carried out by bots. Integrating Google's No CAPTCHA reCAPTCHA with the WordPress login form stops an automated script that cannot solve the challenge.
Problems with this method:
- WordPress still processes every request, so if the attack is run at scale by bots the server resources are consumed anyway and the site can still be taken down.
- It stops bots but not a human attacker (or a bot backed by a human CAPTCHA-solving service).
Password Protecting wp-login.php
You can protect access to wp-login.php with HTTP Basic Authentication at the web server. This adds an extra layer: the attacker has to get past the server's credentials before ever reaching the WordPress login form. Basic Authentication can be brute forced too, but guessing both layers is harder and takes far longer.
Problems with this method:
- If your WordPress site has multiple authors, you may not want to share a single Basic Authentication username and password with all of them.
- A bot or a human can still guess both passwords if they are weak.
- Although WordPress is not loaded while Basic Authentication rejects a request, the web server still has to check the credentials every time, which costs some CPU and memory. It is far cheaper than a WordPress page load, but a large enough flood can still hurt the site.
Brute Force Login Protection Plugin
Brute Force Login Protection is a WordPress plugin that protects against brute force login attempts by taking several factors into account:
- It limits the number of allowed login attempts per IP address.
- It lets you manually block an IP address from logging into WordPress.
- It delays execution after a failed login attempt to slow down the attack, which helps keep the site from being overwhelmed.
- It tells the user how many login attempts remain before the IP address is blocked.
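The behaviour listed above is easy to reason about in code. The following Python model is an added example, not the plugin's own source: a per-IP limiter with a failure counter, a growing delay after each failure, a temporary block that expires, a manual block list and a "remaining attempts" readout. The limits (5 attempts, a one-hour counting window, a 15-minute block, a one-second base delay) are assumed values, and the clock and sleep functions are injectable so the simulation at the bottom runs instantly.

```python
import time
from collections import defaultdict


class LoginProtector:
    """Per-IP brute force login protection (added example, not the plugin's code).

    Behaviour modelled on the list above:
      * at most max_attempts failed logins per IP inside reset_seconds
      * an IP that reaches the limit is blocked for block_seconds
      * every failure is answered after a growing delay to slow a guessing loop
      * callers can ask how many attempts remain before the block
      * an administrator can block or unblock an IP by hand
    All limits below are assumed values, not the plugin's defaults.
    """

    def __init__(self, max_attempts=5, reset_seconds=3600, block_seconds=900,
                 base_delay=1.0, clock=time.monotonic, sleep=time.sleep):
        self.max_attempts = max_attempts
        self.reset_seconds = reset_seconds
        self.block_seconds = block_seconds
        self.base_delay = base_delay
        self._clock = clock                  # injectable so tests can fake time
        self._sleep = sleep
        self._failures = defaultdict(list)   # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time the automatic block expires
        self._manual_block = set()

    def block_ip(self, ip):
        """Manual block, as an administrator would set in the plugin."""
        self._manual_block.add(ip)

    def unblock_ip(self, ip):
        self._manual_block.discard(ip)
        self._blocked_until.pop(ip, None)
        self._failures.pop(ip, None)

    def _prune(self, ip, now):
        """Forget failures older than the reset window."""
        cutoff = now - self.reset_seconds
        self._failures[ip] = [t for t in self._failures[ip] if t > cutoff]

    def is_blocked(self, ip):
        if ip in self._manual_block:
            return True
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:           # block expired: start the IP fresh
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempts_remaining(self, ip):
        self._prune(ip, self._clock())
        return max(0, self.max_attempts - len(self._failures[ip]))

    def record_failure(self, ip):
        """Call after a wrong password. Returns attempts remaining; 0 means the IP is now blocked."""
        now = self._clock()
        self._prune(ip, now)
        self._failures[ip].append(now)
        n = len(self._failures[ip])
        self._sleep(self.base_delay * n)     # linear back-off: 1s, 2s, 3s, ...
        if n >= self.max_attempts:
            self._blocked_until[ip] = now + self.block_seconds
            return 0
        return self.max_attempts - n

    def record_success(self, ip):
        """A correct password clears the failure history for that IP."""
        self._failures.pop(ip, None)


def simulate_attack(ip="203.0.113.7", attempts=7):
    """Drive the protector with a fake clock and no real sleeping.

    Returns (outcomes, delays): outcomes holds the remaining-attempts value for
    each guess or the string "blocked"; delays holds the back-off that would have applied.
    """
    fake_now = [1000.0]
    delays = []
    guard = LoginProtector(max_attempts=5, clock=lambda: fake_now[0], sleep=delays.append)
    outcomes = []
    for _ in range(attempts):
        if guard.is_blocked(ip):
            outcomes.append("blocked")
        else:
            outcomes.append(guard.record_failure(ip))
        fake_now[0] += 1.0                   # one guess per second
    return outcomes, delays


if __name__ == "__main__":
    outcomes, delays = simulate_attack()
    print("outcomes:", outcomes)   # [4, 3, 2, 1, 0, 'blocked', 'blocked']
    print("delays:  ", delays)     # [1.0, 2.0, 3.0, 4.0, 5.0]
```

One caveat the model makes visible: a sleep inside the request keeps a PHP worker occupied for its whole duration, so a long delay can make the resource exhaustion problem described in the earlier sections worse rather than better. Keep in-request delays short, and block at the web server or firewall layer when the attack is large.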
Secure WordPress with Single Sign On
WordPress Single Sign On goes a step further: you ‘outsource’ authentication to WordPress.com. Once enabled, the login screen on your self-hosted WordPress website is disabled and you sign in with your WordPress.com account to reach the admin dashboard of your own site.
Advantages of this method:
- Since WordPress.com accounts support two-factor authentication, your blog gets the same level of protection without another plugin.
- All login requests to your site, including malicious ones, are redirected to WordPress.com, which reduces the load on your server and database.
- If you manage multiple sites, you can log into them all with a single WordPress.com account and no longer have to remember multiple usernames and passwords.
How to Implement WordPress Single Sign On with Jetpack
Here is a step-by-step guide to enabling Single Sign On for your WordPress website:
- Sign up for a free WordPress.com account and enable two-factor authentication on it.
- Install and activate the Jetpack plugin on your self-hosted WordPress website.
- Connect your site to WordPress.com through the Jetpack plugin, signing in with the account from the first step.
- In Jetpack's settings, make sure both ‘Prevent Brute Force Attack’ and ‘Single Sign On’ are enabled.
- Edit your theme's functions.php file and add the following line after the opening <?php line:
add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
- Make sure the email address of the admin account on your self-hosted WordPress website is the same as the one on your WordPress.com account.
Note: If you are using a framework such as Genesis, where parent and child themes exist, make sure you edit the child theme's functions.php.
Enabling Single Sign On through the Jetpack plugin and handing the login of your WordPress website over to WordPress.com is the strongest of the options described here for stopping brute force attacks, and it reduces the CPU and memory spent on repeated attempts by bots or humans. Keep in mind that your site's admin access now depends on the security of your WordPress.com account (protect it with a strong password and two-factor authentication) and on WordPress.com being reachable when you need to log in.