Security is one of the major concerns online, especially for websites. WordPress is no exception. As bloggers, we have to protect our blogs from hackers and intruders. Once someone gains access, the damage can be hard to imagine: you may lose control of your domain, lose all your hard work, or see your business taken down completely.
What is a Brute Force Attack?
A brute force attack is a method of attempting to log in with many different passwords until the right one is guessed.
Generally, brute force attacks are carried out by automated scripts that try to crack the login page. The scripts often use a brute force dictionary of the most commonly used passwords, and highly intelligent attacks may even generate passwords from combinations of characters, numbers and symbols.
At the same time, a brute force attack may flood your server with too many login requests, which can degrade your server's performance or even bring it down.
In this article, I will take you through the steps to stop multiple login attempts on your WordPress blog and thereby avoid brute force attacks.
The easiest way to stop repeated WordPress login attempts is to install the Limit Login Attempts Reloaded plugin. Once it is installed, go to Settings – Limit Login Attempts, check the plugin's settings and click Save Options. Your WordPress blog will now block further login attempts after multiple failures.
Let’s see the detailed steps to stop login attempts:
- Log in to your WordPress blog’s dashboard.
- Go to Plugins – Add New.
- Search for “login attempts”; you will see the plugin Limit Login Attempts Reloaded.
- Click on Install Now and then Activate.
- Now go to Settings – Limit Login Attempts as follows:
- You will see a lot of options for this plugin. Let’s go through all of them:
  - Allowed Retries – the number of failed attempts allowed. For example, if it is set to 4, the user is locked out after the 4th login failure.
  - Minutes Lockout – the duration of the lockout period, that is, how long login stays locked once the allowed retries are used up.
  - Lockout increase – applies when lockouts happen again and again. For example, after 4 lockouts the plugin locks login for the next 24 hours.
  - Hours until reset – the period after which the retry count is reset. For example, any consecutive login failures within 12 hours are counted towards Allowed Retries.
- The plugin has an option to automatically alert the admin by email (so that you are immediately aware if someone makes multiple failed login attempts on your blog).
- Next come the IP address based login limitations:
  - Whitelist – the list of IP addresses that are exempt from the login limits. For example, you can add the IP address of your own laptop/PC so that you do not lock yourself out.
  - Blacklist – the list of IP addresses that you have found to be suspicious and do not want attempting to log in to your blog.
- Apart from IP addresses, you can also create a whitelist or blacklist of usernames (the usernames different users use to log in to your WordPress blog).
- Once you have set up all the configuration, don’t forget to save the options.
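To see how the four lockout settings interact, here is a simplified model, added as an illustration and not the plugin's own code. It assumes the example values used above (4 retries, 20-minute lockout, 24-hour lockout after 4 lockouts, 12-hour reset); the class and function names and the sample IP address are made up for the example.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    allowed_retries: int = 4       # Allowed Retries
    lockout_minutes: int = 20      # Minutes Lockout
    lockouts_before_long: int = 4  # Lockout increase: after this many lockouts...
    long_lockout_hours: int = 24   # ...lock for this long instead
    reset_hours: int = 12          # Hours until reset

class LoginLimiter:
    """Simplified per-IP model of the settings (assumption, not plugin code)."""

    def __init__(self, policy, whitelist=()):
        self.p, self.whitelist = policy, set(whitelist)
        self.state = {}  # ip -> [failures, lockouts, last_failure, locked_until]

    def is_locked(self, ip, now):
        return ip in self.state and now < self.state[ip][3]

    def record_failure(self, ip, now):
        """Count one failed login; return lockout seconds started (0 if none)."""
        if ip in self.whitelist:
            return 0  # whitelisted addresses are exempt from the limits
        st = self.state.setdefault(ip, [0, 0, now, 0])
        if now - st[2] >= self.p.reset_hours * 3600:
            st[0] = st[1] = 0  # quiet for the whole reset window: start over
        st[0] += 1
        st[2] = now
        if st[0] < self.p.allowed_retries:
            return 0
        st[0] = 0
        st[1] += 1
        if st[1] >= self.p.lockouts_before_long:
            st[1] = 0
            duration = self.p.long_lockout_hours * 3600
        else:
            duration = self.p.lockout_minutes * 60
        st[3] = now + duration
        return duration

def replay(limiter, ip, times):
    """Replay failed logins at `times` (seconds); return (guesses checked, lockouts)."""
    checked, lockouts = 0, []
    for t in times:
        if limiter.is_locked(ip, t):
            continue  # in this model a locked address is rejected outright
        checked += 1
        duration = limiter.record_failure(ip, t)
        if duration:
            lockouts.append(duration)
    return checked, lockouts

# Constructed input: one failed login per minute for 73 minutes from one address.
print(replay(LoginLimiter(Policy()), "203.0.113.7", range(0, 4321, 60)))
```

With these values, 73 login requests spread over 73 minutes result in only 16 passwords being checked before the address is locked out for 24 hours.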
This is one of the simplest plugins available to secure your WordPress blog.
However, if you use SiteGround web hosting for your WordPress blog, they have a unique technology to stop different kinds of brute force attacks. Their AI-based anti-bot feature protects your WordPress blog from suspicious IP addresses and also learns the data access patterns of different sources in order to intelligently identify malicious data access on their servers. This ensures server-level protection in addition to the WordPress-level protections.
The following screenshot shows how the login attempts warning appears:
Finally, you can see how the brute force attack, or the failed login attempts, is stopped and the login is locked out for 20 minutes as configured earlier:
I hope this article helps you protect your WordPress blog against brute force attacks and prevent multiple failed login attempts by malicious bots or users.
Let me know how else you protect your WordPress blog; it may help other people too.