A Brute Force attack uses a variety of different usernames and passwords to gain access to your WordPress admin area. These types of attack can impact heavily on the server's memory, causing significant performance problems. Worse still, if spammers do gain access to your site then they can cause all manner of damage.
Here, we've listed a few tips to help you avoid falling victim to Brute Force attacks:
1. Change your default admin username
Unfortunately, there is no way to change the WordPress username in the WordPress admin area, however, this can be changed in the database through phpMyAdmin. There's two different ways of accessing the phpMyAdmin section, depending on your hosting platform:
- Cloud users: log into your Control Panel and go to Manage Website > MySQL Databases > phpMyAdmin.
- cPanel users: log into your Control Panel and go to "Databases" > "phpMyAdmin".
Once you've gained access, follow these steps:
1. Enter your login details and go to the WordPress database in the left hand table.
2. Select the table "wp_users" and hit "edit".
3. Enter a new username into the "wp_user" row, and click "GO"
2. Change your default newinstall password
You can change the WordPress password in the WordPress admin area under Edit My Profile. It is always best to use a password generator to generate a secure password.
Limit login attempts
All WordPress sites come with the 'Limit Login Attempts' plugin installed by default, all you need to do is log into the WordPress admin area and activate the plugin by navigating to Plugins > Installed Plugins.
Limit access to wp-admin by IP
To limit access to the wp-admin directory by IP, log into your Control Panel and navigate to the .htaccess file, under the public_html directory and add the following code at the top of the .htaccess file:
deny from all
allow from xx.xxx.xx.xx
To password-protect your wp-login.php file you will need to create a .htpasswds file and add some code to the .htaccess file.
1. Log into the control panel and navigate to the File Manager.
2. Click on the public_html directory and then create a new file and call this .htpasswds.
3. Use the htpasswd generator to create a user name and password to access the wp-login.php file.
4. Copy and paste the code from the htpasswd generator into the .htpasswds file.
5. Then create the code for the .htaccess file here, and paste the code into the .htaccess file under the public_html directory.