One of the way many hackers attempt to get into WordPress sites is by launching a brute force attack. These attacks, as with any hacking attempt, are done in order to gain entry to the system so that hackers can delete content, add their own content, or do other sinister things. A brute force attack is one of the most uncomplicated ways of gaining access to a system.
The basic idea behind this type of hack is simple: the attacker (usually an automated system) tries as many passwords as possible until it finds the one that works. While this might sound as if it could take some time, it is actually effective because many people do not use strong passwords. In addition to possibly compromising your system, these attacks also slow down the site’s loading time or can completely crash it because the attacker is often trying as many as ten passwords every few seconds.
How can you protect your WordPress system from these types of attacks? There are several ways. One of the most common methods is to rename the wp-login.php file. This is the default login page, and it is where hackers will attack. A plugin can be used to do this. This plugin, Rename wp-login.php, is available from the WordPress site.
Once this plugin is installed and activated, it will take users to the Permalinks section of the Settings page on the Admin dashboard. It will give users the chance to enter a new login URL. There are other options here, too. Most WordPress experts suggest you also change the Common Settings from Default to Post Name.
For the login URL, you can leave it as login, but you may want to change it to something that is not as common. Then the full login URL will be your site/your login page name. Remember that you will want to bookmark or make some other note of what you have named the login page so you do not forget it! You will also need to share this new URL with anyone who needs to log in to your WordPress site.
Hackers will now see a 404 page not found error when they go to wp-login.php. However, WordPress is still devoting resources to load this page. One other trick is to edit the .htaccess file. Add the following code to the end of the file:
deny from all
This will return a 403 error rather than a 404 error. This is the Forbidden error – anyone trying to access wp-login.php will see a message saying that they do not have permission to access /wp-login.php. When a 403 error is given, WordPress does not load up any resources, so there is no slow down at all.
There are some other methods to protect WordPress from brute force attacks, but this is one of the easiest and quickest to implement. The fact that it can completely block hackers from your login page, which may also protect against other types of hacks, is another nice result.