When I tried to log in to our company blog site for a news update, I got a message showing "WordPress Login Temporarily Disabled" and a support page link for fixing the problem. After doing my research, it was because of a "brute force attack" on WordPress sites; our company blog was one of the victims, and our hosting company blocked login access for all users. After a bit more research, we collected the following solutions to deal with WordPress brute force attacks.
A brief introduction to brute force attacks
A brute force attack is the most basic hacking method for gaining access to a site: it tries usernames and passwords over and over again until it gets in. Victim sites that use a simple username and password can be compromised easily this way. At the same time, because of the repeated attempts, the server's memory and CPU usage go up dramatically; if there are mass attempts against lots of sites, the hosting server can be brought down quickly.
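Because a brute force attack shows up in the web server's access log as the same client POSTing to wp-login.php again and again, it can be spotted from the log alone. The script below is an added example written for this article, not code from the original post or from any plugin it mentions. It assumes the Apache/nginx "combined" log format, uses constructed sample lines, and relies on the heuristic that a default WordPress install answers a failed login with status 200 (the form is re-rendered) and a successful one with a 302 redirect; it flags any IP that produces a threshold number of failed login POSTs inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (assumed), for example:
# 203.0.113.7 - - [10/Apr/2013:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client hammering the login form, one client that
# tries twice several minutes apart, one legitimate login (302 then /wp-admin/),
# and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2013:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Apr/2013:14:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2013:14:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2013:14:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2013:14:02:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2013:14:02:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2013:14:02:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Apr/2013:14:03:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Apr/2013:14:03:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Apr/2013:14:05:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "Mozilla/5.0"',
    'this line is not a valid access log entry',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for every IP that sent `threshold` or more failed
    login POSTs (status 200 on /wp-login.php) within any span of length `window`.
    Lines are expected in chronological order, as in a real access log."""
    recent = defaultdict(deque)  # ip -> timestamps of failed logins still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        if rec["status"] != 200:  # 302 means the login succeeded; not a failed attempt
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed wp-login.php POSTs within one minute")
```

Run against the sample, only 203.0.113.7 is reported: 192.0.2.9 fails twice but more than a minute apart, and 198.51.100.4 logs in once and is redirected. On a real server the same function can read the live access log, and its output is what a firewall deny list or a hoster's login block, like the one described above, would act on.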
5 efficient steps to stop a brute force attack
Step 1. Use a strong username and password
This is basic but crucial configuration for maintaining a safe site. For WordPress, it is highly recommended to change the default user "admin" to something else you prefer. It can be done through the phpMyAdmin panel: open your database, click on the "wp_users" table, click the edit button beside the user name, rename "admin" to your preferred word, and click Save at the bottom to apply the change. We can also set a strong user password there directly.
This is a crucial step right after WordPress is installed. No matter how the hacker tries, they cannot get into our site, even if the server is brought down. Our data is still safe.
Step 2. Hide the login page
This doesn't mean removing the login link from the website home page; it means changing the login URL to something other than wp-login.php or wp-admin. We highly suggest installing the plugin "Stealth Login Page" or "HC Custom WP-Admin URL". We can fully customize the login URL as we like, so hackers cannot find it in any way.
Step 3. Install WordPress security plugins
We have provided a list of 6 leading WordPress security plugins. It is highly recommended to have them installed for a high level of protection. They are free and easy to set up, so why not use them?
Step 4. Use a CDN service
A CDN is great for filtering spam traffic and reducing the hosting server's load. It is good not only for a single site's health but for the entire hosting server. We highly suggest starting with the free CDN provider "Cloudflare"; it is good enough for small to medium-sized sites and pretty easy to configure.
Step 5. Use a decent hosting provider
A good provider prepares not only good hosting servers but also good policies to keep our site alive. Normally, when there is such an attack on a customer site, many hosters will shut down the customer's site directly to save their server. But a good hoster like InMotion will try to fix the problem on the server end. For instance, our site was being attacked, but they only blocked login access and provided fix solutions. This is what is called caring for customers.
Further resources on brute force attacks: