In our last blog post we talked about the importance of having a website to increase your businesses online presence, which you can read here. When you have a website you have to be aware of the possibility of being hacked and brute force attacks. The thought of your website being subject to a brute force attack is scary.

There are multiple ways that you can protect your website and make it more resilient to attacks. There are also ways to put your site on lockdown if it does get attacked. However, its always better to have security measures in place to reduce the chance of your site being hacked, rather than having to take measures when its already happened.

Brute Force Attacks… what exactly are they? 

Hacking into someones account can be done in multiple ways, finding a vulnerability in someones website, tricking someone to give up their password, installing a key logger on a targets computer and stealing it. All of these ways work, but more commonly an attacker will just take the easy route and guess. Many peoples usernames and passwords are very easy to guess.

An attacker will usually use a common username or password until they eventually make it in. Guessing usernames and passwords can take a while, so attackers use automated programs that can guess combinations. Weak passwords can take less than .30 milliseconds to get using these programs.

WordPress runs over one third of the web. This makes it the most accessible CMS out there, which makes it accessible to attackers.

WordPress comes with some flaws in security which are important to be aware of:

1. Anyone can attempt to login as many times as they want.
2. When there is a login attempt from someone with a new IP address, you are not notified.
3. The admin screen is located in the same place.
4. Multiple users with admin privileges means several potential ways to break into your back end.
5. WordPress doesn’t come with a firewall so all anyone needs to do is figure out that you’re using WordPress and you could be hacked.

If this seems overwhelming, don’t hesitate to get in touch by visiting the contact us page on our website. We can help with making your website more resilient to attacks.

How to Protect your Site from Brute Force Attacks: 

WordPress comes with security measures and by taking a few extra steps it can reduce the likelihood of being victim to these attacks.

1.Strong Username and Password 

An attacker will usually give up pretty easily when they can’t get into your account. If you have a strong password, an attacker may just move onto an easier target. A strong username and password is the simplest way to reduce the likelihood of being attacked.

Tips for a strong username and password:

• Have a minimum of 6 characters, the longer it is, the better.
• Use capitals, lowercase, numbers and symbols.
• Avoid common passwords.
• Don’t put personal information in your password.
• Don’t use the same password across multiple sites.
• Giberish passwords work really well.

2. Ensure Other Users Accounts are Secure

The admin password is the most important to have safe, however other users passwords are a way for hackers to get in also. Make sure that these are secure. You can change a password by going to  Users > All Users and find the account you want to edit. Scroll down to Generate Password to change it.

3.  Install a Firewall 

When there is no firewall, the site can be vulnerable to all sorts of attacks. Firewalls can detect harmful or dangerous traffic. It can give you tools to block IPs, enforce strong passwords, add CAPTCHA and geoblock countries commonly involved in hacking.

4. Introduce Two-Factor Authentication

This step can make you immune to losing your account. It adds an extra step when logging in, by sending a code to your email or your phone that allows you to log in.

5. Limit Login Attempts

If you have a server capacity it can reduce the ability for brute force attackers to test hundreds of usernames and passwords. Limit your login attempts and those who use the wrong password a couple of times in a row will be locked out.

6. Hide the Login Page

The login page on WordPress is very easy to find. Changing the location can stop a few attacks from happening or delay the progress of one.
WPS Hide Login allows you to change your login page URL. No one will be able to access the normal login pages.

7. Update WordPress Regularly 

Many hacks happen when running outdated software. Make sure that WordPress is up to date and backed up. If a hacker got in they may delete and modify pages. If you are backed up, you can restore everything with one click of a button.

Brute force attacks can happen so easily, but there are many steps that can be put in place to prevent them. If you want to learn more about preventing these attacks or need assistance in securing your website, please take a look at our website or book a complimentary 30 minute discovery call to see how we can help. Click here to book your call now!