Preventing Brute Force Attacks in WordPress
As part of BSC Solutions Group's WordPress website hosting, we are always looking for ways to protect our clients' hosted websites. WordPress has no built-in protection against brute-force login attempts and uses the same default login page for every site. The page can be changed, but only with a WordPress plugin, so it is easy for the bad guys to identify most WordPress login pages and attempt to log in.
In an effort to block the considerable number of unwanted login attempts against our sites, we have implemented a new protection tool across all of our client sites. We now track failed login attempts over a specified time frame using a quota-based system for two pages: xmlrpc.php and wp-login.php. If a connection fails to log in 10 times (counted across our entire network), we begin to throttle that connection.
So if WordPress brute-force login attempts are taking place on any of our hosted sites, we block that user's IP address from all of our websites.
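To illustrate the quota described above, here is an added example (not BSC's own tool) of a sliding-window failed-login counter: it reads login events for xmlrpc.php and wp-login.php, keys them on the client IP regardless of which site was hit, and throttles the address after 10 failures. The 15-minute window, the log line format and the IP addresses are assumptions for the example; the post states only the threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_PATHS = ("/wp-login.php", "/xmlrpc.php")
FAILURE_THRESHOLD = 10           # failures before throttling, as stated in the post
WINDOW = timedelta(minutes=15)   # assumed time frame; the post does not give one


class LoginQuota:
    """Sliding-window count of failed logins per client IP, shared across all sites."""

    def __init__(self, threshold=FAILURE_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.throttled = set()

    def record_failure(self, ip, when):
        """Record one failure; return True once the IP has crossed the quota."""
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:   # expire entries outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.throttled.add(ip)
        return ip in self.throttled


def apply_quota(log_lines, quota=None):
    """Feed login-event lines into a LoginQuota and return the set of throttled IPs.
    Line format (constructed for this example, not a real WordPress or web-server log):
        <ISO timestamp> <client ip> <site> <path> <OK|FAIL>
    """
    quota = quota or LoginQuota()
    for line in log_lines:
        ts, ip, _site, path, result = line.split()
        if path in WATCHED_PATHS and result == "FAIL":
            quota.record_failure(ip, datetime.fromisoformat(ts))
    return quota.throttled


# Constructed sample: 203.0.113.7 fails 10 times across three sites and both endpoints,
# which is enough to throttle it network-wide; 198.51.100.9 fails only 3 times.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} 203.0.113.7 site-{'a' if i % 2 else 'b'}.example /wp-login.php FAIL"
     for i in range(7)]
    + [f"2024-05-01T10:01:{i:02d} 203.0.113.7 site-c.example /xmlrpc.php FAIL" for i in range(3)]
    + [f"2024-05-01T10:02:{i:02d} 198.51.100.9 site-a.example /wp-login.php FAIL" for i in range(3)]
    + ["2024-05-01T10:03:00 198.51.100.9 site-a.example /wp-login.php OK"]
)
```

Running `apply_quota(SAMPLE_LOG)` returns `{'203.0.113.7'}`; failures spread more than the window apart never accumulate, which is the property that keeps an occasional mistyped password from being throttled.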
Besides brute-force login attempts, WordPress sites are also commonly compromised through known vulnerabilities in WordPress itself and in WordPress plugins, on sites that have not been patched and kept up to date. It is imperative that your site is kept up to date. This is typically done by logging into your WordPress site and manually updating WordPress, plugins and themes.
Performing these updates at least once per month is a must. If you cannot do this yourself, ask your web designer, or reach out to BSC: we offer WordPress website maintenance plans and can do this on your behalf.