Blog Blackout – How To Secure Your WordPress Blog Against Brute Force Attacks
This is not a technical blog. But today it was down for quite some time because hackers started a brute force attack.
So here’s, in light of today’s events, a series of tips on how to secure your WordPress blog.
What is a brute force attack?
Hackers try to log in to your blog by submitting the login form thousands of times with random passwords.
Depending on how fast they do this, and on how many sites, your server simply may go down due to server overload. This is why all my sites were offline today.
Worst case would be that they accidentally find the correct login and take over your WordPress.
Three tips to prevent hackers from finding your login info:
- Use strong passwords.
- Don’t use ‘admin’ as login name. Set a different name when installing your blog.
- Don’t have your login name show up in the URL for your author page. [Here’s how.]
Two alternative ways to stop brute force attackers dead in their tracks:
- Use the .htaccess file to only allow logins from specified IP addresses. That would be your IP address, of course. Your host can help you set it up. This is a good solution when your Internet Service Provider is using the same IP for your internet access all the time. For me this solution isn’t working, because my IP changes daily. In that case do this:
- Use a WordPress plugin to hide the login page. When the hackers can’t find the login page, they obviously can’t start a brute force attack.
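As an added example (not from the original post), this is what the .htaccess rule from the first alternative looks like on Apache 2.4; the address 203.0.113.10 is a documentation placeholder, so replace it with your own IP:

```apache
# Only the listed IP address may reach the WordPress login form.
# Everyone else gets a 403 from Apache before PHP even runs, so
# brute-force attempts no longer burn your server's resources.
# Caveat: if your own IP changes (as the post describes), this rule
# locks you out too; update the address or use the plugin option.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>
```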