How to Secure WordPress from Brute-Force Attacks


I’m going to make this really easy on everyone. Your password sucks! I know what you’re thinking.

“…but I have like, letters and numbers, and I even used an @ instead of an a”.

Well, sorry but your password still isn’t good enough.

The good news (for many reasons) is that you’re not alone. Why is this good news? Well it helps your ego, for one thing. The other, is that as long as we aren’t ubiquitously raising the bar for password creation you’ll remain safe, for now (assuming you read the rest of this article). You see there are hundreds of millions of websites and billions of passwords to crack. Hackers are only going to try as hard as they need to, to penetrate a certain percentage of the online community.

So What Do You Do

Step one, get a new password. I used to recommend this L33T speak password creation article I wrote for SEJ a while back, but it’s outdated now and I don’t recommend it anymore. Instead you should read this article by Dropbox.

Then you should go to this password testing app that Dropbox built. Once there, go ahead and type in your current passwords. Seriously, go ahead, I’m not looking. Pay attention to the “crack time (display)”. I’m gonna bet your password would have been cracked in minutes.

Change your password to a series of words and spaces. Not all online software allows you to do this. As ironic as it sounds banks are notorious for preventing you from writing good passwords. Try typing into the demo “the cow jumped over the moon”. That password would take over a million centuries to crack and its easy to remember.

Don’t use that phrase and do NOT use famous quotes, passages from books etc… Remember to stay unpredictable. Try something like “horses jumping over fax machines”.

Choose something new and change your WordPress passwords immediately.

Ok, now I have a password that will take centuries to crack, what next?

Don’t publish under the Administrator Role. This takes a little getting used to but it’s highly effective. You don’t have to login in under two roles, just make sure anytime you publish anything, you set the author to a user who’s at the Author Role level.

Make the Administrator Role username as hard as your old password. Did you know that WordPress usernames are public, or at least discoverable? It shouldn’t be all that shocking, your twitter handle is your username, no ones upset. You login to gmail with your email address, etc… The latter tip allows you to create complex and private usernames, so go for it.

Activate BruteProtect. BruteProtect is the best solution for protecting yourself from botnets and bruteforce attacks.

Activate one of many security plugins. There are a lot out there. I recently came across Better WP Security and have been using it pretty heavily. Its quite nice and covers a lot of bases.

BACKUP and SECURE everything. Do this at least as often as you post. An automatic schedule is key but if you’re posting articles, 3 times a week make sure you’re backing things up nightly. There are a ton of plugins that offer different solutions to backing up and restoring your setup. I prefer to use WP Engine.

Host on WP Engine *. If you can afford it, you NEED to go with WP Engine *. They are the best WordPress hosting solution on the planet. There are so many advantages to going with them, but in regards to security and backups, they make it super easy. They have staging servers, nightly backups, manual backups, and you can even have everything backup nightly to Amazon S3 so you get an extra layer of redundancy.

* WP Engine Affiliate Link – I never recommend anything I don’t use myself


4 responses to “How to Secure WordPress from Brute-Force Attacks”

Leave a Reply

Your email address will not be published. Required fields are marked *