[Image: TV with static, representing a hacked WordPress site.]

Blog Blackout - How To Secure Your WordPress Blog Against Brute Force Attacks

This is not a technical blog. But today it was down for quite some time because hackers started a brute force attack.

So here is, in light of today's events, a series of tips on how to secure your WordPress blog.

What is a brute force attack?

Hackers try to log in to your blog by submitting the login form thousands of times with random passwords.

Depending on how fast they do this, and on how many sites, your server may simply go down due to overload. This is why all my sites were offline today.

The worst case would be that they accidentally find the correct login and take over your WordPress.

Three tips to prevent hackers from finding your login info:

  • Use strong passwords.
  • Don't use 'admin' as login name. Set a different name when installing your blog.
  • Don't have your login name show up in the URL for your author page.

Two alternative ways to stop brute force attackers dead in their tracks:

  1. Use the .htaccess file to only allow logins from specified IP addresses. That would be your IP address, of course. Your host can help you set it up. This is a good solution when your Internet Service Provider is using the same IP for your internet access all the time. For me this solution isn't working, because my IP changes daily. In that case do this:
  2. Use a WordPress plugin to hide the login page. When the hackers can't find the login page, they obviously can't start a brute force attack.
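As an added example (not from the original post), this is what the .htaccess restriction from tip 1 looks like: only the listed address may reach the WordPress login page, and everyone else gets a 403 before WordPress even runs. It assumes Apache with `AllowOverride` permitting these directives, and uses the documentation-range address 203.0.113.10 as a placeholder for your own IP or range.

```apache
# Added example, not from the original post. Replace 203.0.113.10
# (a documentation-range placeholder) with your own IP address or
# CIDR range, e.g. 203.0.113.0/24. Requires AllowOverride to permit
# authorization directives in .htaccess.
<Files "wp-login.php">
    # Apache 2.4 and later (mod_authz_core syntax)
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>
    # Apache 2.2 (legacy mod_authz_host syntax)
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>
```

Because the block is evaluated by the web server, the thousands of rejected requests never load PHP or the database, which is what keeps the site from going down under the flood.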

Happy blogging!