Time
30 minutes
Difficulty
2/10
Impact
7/10
Stop bot traffic and brute force attacks in WordPress
Stopping bad actors and bot traffic from getting to your website is difficult. In most cases, bad bots are easily stopped but not all bots are bad (Googlebot for example is a bot that most sites want to have access their site).
Ezoic Cloud integrated websites have access to Intelliprotect from Ezoic Cloud, but that still may not stop someone from trying their shot at a bruteforce login attack on your WordPress login page.
Don’t use plugins or expensive security features
Most firewalls and security features available in plugins don’t prevent anything other than a failure to implement security best practices and don’t do anything to protect against click bots and other forms of invalid traffic.
Using the best practices below, sites can stop most forms of brute force attacks that simply aim at common vulnerabilities. If a site uses these basic, easy-to-implement practices, attackers will likely not even bother trying further.
What to do instead to prevent common WP attacks
Stop User Enumeration
User enumeration is a technique used to discover a site’s user login name. This is done prior to a brute-force attack to know which user login to try password attempts with. Limiting login attempts one best practice to use but you can also log and prevent multiple ips from tricking your site with a few lines of code. Stop User Enumeration is a simple plugin that adds this automatically, or you can view the source and add it to your theme.
Change Login URL
If you have a WordPress website, I bet I can guess your admin login URL… is it /wp-admin/ or /wp-login/… if it’s not either of those, congrats. That means attackers will likely move on simply because it’s that much harder than most WP sites. You can password protect access to the page, but the best thing to do is change the URL. This can be done in your htaccess file, but there’s also a plugin that can do it too (but, I’d go against a plugin if you can).
Create a Better/Longer Password
The number one way just about everything from email, to Facebook accounts, and even websites are hacked comes back to re-using passwords or using simple, easy-to-guess passwords. Bots can rifle through common ones quickly, so simply make your admin login password for ALL USERS (even those writers who may be accessing your site) use passwords that are 13-15 characters in length and include varied characters and capitalizations.
Use Username, Not Email
This is simple but a common failure. If you currently use a basic email associated with your website that could be found on a database online or a contact email for the site anywhere on your site, you just made it 10x easier for someone to attack your site. By simply changing all usernames so that they are not an email address, and so that usernames are not the same as the preface to the @email.com extension, you’ll do yourself a major favor by being a more difficult target.
