HANDS ON WORDPRESS

Making a Living with WordPress

  • Home
  • Blog
  • About
    • About Hands On WordPress
  • The Austin WordPress Community
  • Contact
  • Show Search
Hide Search
You are here: Home / WordPress / WordPress Security – How to Prevent Brute Force Attacks

WordPress Security – How to Prevent Brute Force Attacks

sandibatik · May 9, 2011

Austin WordPress Meetup – 5/9/11 – Security FAQs

How can I protect against the ‘Brute Force’ attacks you mentioned in your demonstration?

Nick Batik

As Nick Batik explained during our live demonstration, mounting a simple “Brute-Force Attack” against a WordPress site that did not follow WordPress Security Best Practices during the initial installation and setup is amazingly easy. Simply stated, bad WordPress security hygiene is an invitation to be hacked. In this series of Security FAQs, Nick shared a review of the most common, and easiest, WordPress Security Best Practices for the install and setup of your site.

Change The Default “Admin” Username

As Nick demonstrated, brute force is one of the easiest ways to break a password. The method is simple: try as many different passwords as possible until the right one is found. Attackers using the brute-force method rely on dictionaries, which give them a large number of password candidates.

Knowing your username makes it easier for them to guess the right combination. This is why you should always change the default “admin” username to something harder to guess.

Versions of WordPress starting with 3.0 let you choose your desired username during installation, so there is no excuse for not doing it right. If your site was created with an older version, you can rename the account with the Admin renamer extended plugin.

Pick Secure Password for Admin

Changing your admin username to something else is no guarantee that people will not be able to guess it. For instance, if you display your username in the meta data of every post, or enable author-specific pages on a multi-author blog, you reveal your username to the world.
With that in mind, pick a secure password for your WordPress login. Combine upper- and lowercase characters and numbers.

Remember: you can change your password after your site is installed. You may even want to change it on a regular basis. I recommend the plugin WP Security Scan because it has a password generator.

Populate wp-config.php Properly

Go through each line in wp-config.php, not only the first block for database configuration.

Use the WordPress secret-key generation tool to generate random salts for WordPress cookies. These keys are used to ensure better encryption of the information stored in WordPress users’ cookies.

There is an automatic generator for these at: https://api.wordpress.org/secret-key/1.1/salt/

You also want to change the WordPress table prefix to something other than wp_. Adding random characters and numbers to the end of wp, such as wpRbX3i_, obfuscates it enough while still letting you recognize the tables as belonging to WordPress.
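A quick way to confirm that both of these wp-config.php steps were actually done is to audit the file. The following added Python example (not the post's own code) parses the define('NAME', 'value') lines and the $table_prefix assignment, and reports keys or salts left at the stock placeholder, values shorter than an assumed minimum length, and the default wp_ prefix. SAMPLE_CONFIG is a constructed fragment, not a real configuration file.

```python
"""Audit a wp-config.php for the two points above: stock placeholder or short
keys/salts, and the default wp_ table prefix. Added illustration, not the
post's own code; SAMPLE_CONFIG is a constructed fragment, not a real file."""
import re

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
# define('NAME', 'value'); with single-quoted PHP strings (backslash escapes allowed)
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'\s*;")

def audit_wp_config(text, min_key_len=32):
    """Return a list of human-readable findings; an empty list means both
    checks pass. min_key_len is an assumed floor (api.wordpress.org emits 64)."""
    findings = []
    defined = dict(DEFINE_RE.findall(text))   # name -> value for every define()
    for name in KEY_NAMES:
        value = defined.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: still the stock placeholder")
        elif len(value) < min_key_len:
            findings.append(f"{name}: only {len(value)} characters")
    m = PREFIX_RE.search(text)
    if m is None:
        findings.append("$table_prefix: not set")
    elif m.group(1) == "wp_":
        findings.append("$table_prefix: default wp_ (rename, e.g. wpRbX3i_)")
    return findings

SAMPLE_CONFIG = r"""<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'k8#Zq2!vP9@mL4$wR7^tY1&uI3*oE6(pA0)sD5-fG');
define('LOGGED_IN_KEY',   'short');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a real file with `audit_wp_config(open("wp-config.php").read())`; an unchanged wp-config-sample.php produces one finding per key plus the prefix warning.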

Nick also shared his slides and notes on the Austin WordPress Meetup site: wpaustin.com.

To learn more about common entry points for hackers, see Nick Batik’s answers to other WordPress Security FAQs:

WordPress Security – The Mind of a Hacker

WordPress Security — How to Prevent Directory Browsing

WordPress Security – Locking Down Your Site

WordPress Security – Backing-Up Your Site

Filed Under: WordPress Tagged With: Austin WordPress Meetup, WordPress Security

Copyright © 2010-2023 Hands On WordPress · All Rights Reserved