how to mitigate brute-force login attempts

July 8, 2021

written by
Rex Vokey

someone is trying to hack your site right now.

A recent check of our metrics showed that there are over 1,500 brute-force login attempts every day on our site. So if our tiny little site is getting hit this hard, you know it's the same for many other sites too. There are many great reasons to have an open-source system for your website, but those numbers show there are also some downsides. The primary one is that every single person on earth now knows the address for logging in to your site. And if everyone knows the address for logging in, it's not hard for them to come knocking on your door as often as they like.

so why not just hide the login?

There are many articles on this subject explaining why we don't do it: it's called security through obscurity. Sure – you could go ahead and change the login URL, but that comes with its own set of problems, such as issues with updates, usability, etc. The key point is that we see obscurity as a weak layer of protection, not worth the other problems it creates.

6 steps to make your site a secure fortress.

So how do you make your site secure against the constant stream of brute-force login attempts? Here are the steps we carry out. Keep in mind these are specific to WordPress, but they have parallels in other open-source CMSes, like Drupal.

1. don’t use the default “admin” user

There has to be an administrative super-user on the site. But it doesn’t have to be called “admin.”  Name it something else, perhaps specific to your use case or even your name.  This is bordering on the “security through obscurity” we mentioned above, but it’s a logical step.  And it allows an additional layer of security I’ll talk about in a later point.

2. use secure passwords!

We can’t stress this one enough.  If even one of your users has a weak password, and they have advanced privileges on the site, your site is extremely vulnerable.  Some people might not like using secure passwords, but there’s simply no wiggle room on this one.  Get them to use a password manager and lock it down!

3. stay on top of updates

Open-source projects are always releasing security and feature updates, and the security updates are really important: not only for the WordPress core, but for every single one of your plugins as well. If a security update comes out and you don't install it, you're opening up your site to attack. We check and update our sites monthly, and more often if there are critical updates.

4. get good hosting

We use Pantheon for hosting our sites, because it provides lots of security and performance all in one package – not to mention a silky-smooth workflow that connects with our rhythm just right.  Having Pantheon makes it so that all we have to worry about is the site and the site’s code.  We don’t have to worry about whether servers are updated and whether they’ll be hacked.  And if the worst were to happen, they have automated backups that can be restored in minutes.

5. Cloudflare firewalls

Get Cloudflare and put it in front of your website. Even at the free level it has firewall features and other things that’ll keep bad actors from ever even having a chance to touch your site.  And the paid plans have web application firewalls (WAFs) that specifically target WordPress and other CMSes.  You can also set up page rules to specifically increase security for the WordPress administrative interface.

6. security plugins

We don’t think that a single plugin should be a one-stop-shop for solving all of your problems. In fact, sometimes plugins can create more trouble than they’re worth or provide functionality you don’t need, opening you up to potentially more issues.  However, there’s a time and a place to properly evaluate and employ a good plugin.  And if the developers are actively working on it and improving it, that’s even better.  There are a number of security plugins out there, but we chose to start using one called “iThemes Security Pro.”  It actually does have too many features to list, but they can all be enabled or disabled.  Here are a few we use:

  • Brute-force lockouts and banning: once a given IP address has tried to log in too many times, they’ll get locked out. If they try more, they’ll get permanently banned.  If they try to log in with the “admin” username (remember, we mentioned above not to use that!), they’ll get locked out immediately.
  • User logging.  This feature isn’t included in WordPress, so it’s handy to have – log user activity such as logins, content edits, etc. This way, you have a record of who did what, and when.
  • Security scans and reporting.  Good to get these and see what’s going on periodically.
  • Two-factor authentication.  Make your logins even more secure.
  • Strong password enforcement.  As mentioned earlier, if even one user has a weak password, your site is at major risk.
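The lockout-and-ban behaviour in the first bullet above, written out as an added example so you can see the mechanics (this is not code from the post or from iThemes Security Pro): a small Python policy that replays login-attempt log lines in order, locks an IP out after too many failures in a short window, escalates to a permanent ban after repeated lockouts, and locks out immediately when the reserved "admin" username is tried. The log format, the IP addresses, and every threshold are assumptions constructed for this example.

```python
"""Brute-force lockout policy, simulated over constructed login-attempt log lines.

Lock out an IP after too many failures in a short window, permanently ban it
after repeated lockouts, and lock it out immediately if it tries the reserved
"admin" username. All thresholds and the log format are assumptions made for
this example, not settings taken from WordPress or any security plugin.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
import re

LOCKOUT_THRESHOLD = 5                    # failures inside the window before lockout (assumed)
LOCKOUT_WINDOW = timedelta(minutes=5)    # sliding window for counting failures (assumed)
LOCKOUT_DURATION = timedelta(minutes=15) # how long a lockout lasts (assumed)
BAN_AFTER_LOCKOUTS = 3                   # lockouts before a permanent ban (assumed)
RESERVED_USERNAMES = {"admin"}           # any attempt with these names is locked out at once

# Constructed log format: "<ISO timestamp> <client ip> user=<name> creds=valid|invalid"
# "creds" says whether the submitted password was correct; the policy decides
# whether the attempt is even allowed to reach the password check.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) creds=(?P<creds>valid|invalid)$"
)


@dataclass
class IpState:
    failures: List[datetime] = field(default_factory=list)  # recent failure times
    locked_until: Optional[datetime] = None
    lockouts: int = 0
    banned: bool = False


class LockoutPolicy:
    def __init__(self) -> None:
        self.state: Dict[str, IpState] = {}
        self.events: List[Tuple[str, str, str]] = []  # (timestamp, ip, action)

    def _lock(self, ip: str, st: IpState, ts: datetime, reason: str) -> str:
        """Record a lockout; escalate to a permanent ban after BAN_AFTER_LOCKOUTS."""
        st.lockouts += 1
        st.failures.clear()
        if st.lockouts >= BAN_AFTER_LOCKOUTS:
            st.banned = True
            self.events.append((ts.isoformat(), ip, f"ban:{reason}"))
            return "banned"
        st.locked_until = ts + LOCKOUT_DURATION
        self.events.append((ts.isoformat(), ip, f"lockout:{reason}"))
        return "locked"

    def handle(self, line: str) -> str:
        """Apply the policy to one log line and return the verdict for it."""
        m = LOG_RE.match(line)
        if not m:
            return "unparsed"
        ts = datetime.fromisoformat(m["ts"])
        ip, user, creds = m["ip"], m["user"], m["creds"]
        st = self.state.setdefault(ip, IpState())
        if st.banned or (st.locked_until and ts < st.locked_until):
            return "blocked"          # never reaches the password check
        if creds == "valid":
            st.failures.clear()       # a real user who mistyped once is forgiven
            return "allowed"
        if user in RESERVED_USERNAMES:
            return self._lock(ip, st, ts, "reserved-username")
        # keep only failures inside the sliding window, then count this one
        st.failures = [t for t in st.failures if ts - t <= LOCKOUT_WINDOW]
        st.failures.append(ts)
        if len(st.failures) >= LOCKOUT_THRESHOLD:
            return self._lock(ip, st, ts, "too-many-failures")
        return "failed"


def run_policy(lines: List[str]) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Replay log lines in order; return per-line verdicts and the lockout/ban events."""
    policy = LockoutPolicy()
    verdicts = [policy.handle(line) for line in lines]
    return verdicts, policy.events


# Constructed sample: one attacker IP (203.0.113.7) and one legitimate user (198.51.100.2)
SAMPLE_LOG = [
    "2021-07-08T10:00:00 203.0.113.7 user=editor creds=invalid",
    "2021-07-08T10:00:05 203.0.113.7 user=editor creds=invalid",
    "2021-07-08T10:00:10 203.0.113.7 user=editor creds=invalid",
    "2021-07-08T10:00:15 203.0.113.7 user=editor creds=invalid",
    "2021-07-08T10:00:20 203.0.113.7 user=editor creds=invalid",   # 5th failure: lockout
    "2021-07-08T10:00:25 203.0.113.7 user=editor creds=invalid",   # still locked: blocked
    "2021-07-08T10:00:30 198.51.100.2 user=editor creds=invalid",  # one typo by a real user
    "2021-07-08T10:00:31 198.51.100.2 user=editor creds=valid",    # then a successful login
    "2021-07-08T10:20:00 203.0.113.7 user=admin creds=invalid",    # lockout expired; "admin" locks at once
    "2021-07-08T10:40:00 203.0.113.7 user=admin creds=invalid",    # third lockout: permanent ban
    "2021-07-08T11:00:00 203.0.113.7 user=editor creds=valid",     # right password, but the IP is banned
]

if __name__ == "__main__":
    verdicts, events = run_policy(SAMPLE_LOG)
    for line, verdict in zip(SAMPLE_LOG, verdicts):
        print(f"{verdict:<9} {line}")
    for ts, ip, action in events:
        print(f"{ts} {ip} {action}")
```

Two design points worth noticing: the policy runs before the password is ever checked, so a banned address is refused even when it finally guesses the right password, and a single mistyped password from a legitimate user is cleared by the following successful login rather than counted toward a lockout. The `events` list is what you would forward to your logging or reporting, which is the "user logging" and "security reporting" the plugin bullets describe.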

it just makes sense

Your website is your public face. You can't afford to let hackers get in there and mess it up. If any of this doesn't make sense, get someone to help you with it, because it's a lot easier to deal with this proactively than to wait until your site is compromised. We work with our clients on this on the regular and consider it absolutely basic to caring for your site.