If you’ve ever read any books or watched any movies that involve a medieval or high fantasy style army besieging a castle, then you’re familiar with how a battering ram works. The Siege of Gondor from Lord of the Rings is a great example. It’s a pretty effective technique for breaking down castle gates.
Time and technology have moved on, but the principle has carried over into the digital age. Battering rams have been replaced with malicious software, and the castle gates are your wp-admin login screen. In modern terms, these are called “brute force” attacks. As WordPress grows, these types of attacks are becoming more common. We’ll talk below about both the threat itself and how you can impose login limits on your WordPress website to decrease your risk.
Brute Force Attacks
When I was young, my best friend ran a small server out of his home that hosted a website he’d built which my friends and I would play games on. It was great fun to try and guess his admin password so that I could get in and change things around to mess with him. I would proceed by thinking of lots of likely choices he would make and trying them one at a time until I got in.
That’s the essence of what a brute force attack is, just on a much more sophisticated level. Brute force attackers use software to try possible passwords automatically instead of guessing by hand. Such software is capable of making thousands of guesses per minute and can run through an entire dictionary of candidates. Those guesses include frequently used usernames and passwords such as “admin” and “password”, and some tools also skim your website for personal details like your name and the names of family members to use as guesses.
Brute force attacks against WordPress websites are on the rise. In 2015, the prevalence of these attacks has increased from around 5 million per day in January to the neighborhood of 30 million per day in November.[1] You need to take measures to protect yourself if you’re not already.
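The attack described above leaves a very recognizable trace in a web server’s access log: one client address sending many POST requests to wp-login.php in a short time. The script below is an added example written for this article, not code from any plugin it mentions; it parses combined-format log lines and flags any address that crosses a hypothetical threshold inside a sliding window. The log lines are constructed for the example and use the 203.0.113.0/24 documentation address range.

```php
<?php
// Added example: flag addresses that POST to wp-login.php more than THRESHOLD
// times within WINDOW_SECONDS, reading Apache/Nginx combined-format log lines.
// Sample lines below are constructed; threshold and window are illustrative.

const WINDOW_SECONDS = 60;
const THRESHOLD      = 5;   // POSTs to wp-login.php per address per window

$sample_log = <<<'LOG'
203.0.113.9 - - [12/Nov/2015:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "curl/7.35.0"
203.0.113.7 - - [12/Nov/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "curl/7.35.0"
203.0.113.7 - - [12/Nov/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "curl/7.35.0"
203.0.113.9 - - [12/Nov/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "curl/7.35.0"
203.0.113.7 - - [12/Nov/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "curl/7.35.0"
203.0.113.7 - - [12/Nov/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "curl/7.35.0"
LOG;

// Parse one combined-format line into the fields the detector needs.
function parse_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $ts ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => strtok( $m[4], '?' ), // drop any query string
        'status' => (int) $m[5],
    );
}

// Sliding-window counter per address; returns ip => timestamp of the first
// request that crossed the threshold.
function find_bursts( array $lines, $window, $threshold ) {
    $recent  = array(); // ip => timestamps of POSTs still inside the window
    $flagged = array();
    foreach ( $lines as $line ) {
        $e = parse_line( $line );
        if ( ! $e || $e['method'] !== 'POST' || $e['path'] !== '/wp-login.php' ) {
            continue;
        }
        $ip   = $e['ip'];
        $now  = $e['time'];
        $keep = array();
        if ( isset( $recent[ $ip ] ) ) {
            foreach ( $recent[ $ip ] as $t ) {
                if ( $t > $now - $window ) {
                    $keep[] = $t;
                }
            }
        }
        $keep[]        = $now;
        $recent[ $ip ] = $keep;
        if ( count( $keep ) >= $threshold && ! isset( $flagged[ $ip ] ) ) {
            $flagged[ $ip ] = $now;
        }
    }
    return $flagged;
}

$lines = explode( "\n", trim( $sample_log ) );
foreach ( find_bursts( $lines, WINDOW_SECONDS, THRESHOLD ) as $ip => $when ) {
    printf( "%s reached %d POSTs to wp-login.php within %ds at %s\n",
        $ip, THRESHOLD, WINDOW_SECONDS, gmdate( 'c', $when ) );
}
```

Run with `php detect.php`; only 203.0.113.7 is reported, while the normal visitor at 203.0.113.9 (one GET, one POST answered with a 302 redirect, which is what a successful wp-login.php submission looks like) stays below the threshold. On a real server, feed it the access log and watch for a flagged address whose burst ends in a 302: that is the pattern to investigate.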
Login Limits as a Preventative
There are a variety of measures you can take to increase your website’s overall security, and some of them will work to prevent brute force attacks as well. Never use default usernames or passwords, and choose strong passwords, for example. Having good locks on the door alone is not quite as comforting (or effective) as having an active defense protecting you, though. Let’s look at some good defensive options.
Specialty Plugins
There are plugins whose entire purpose is to limit the number of login attempts to your website. These plugins log the number of attempts from a given IP and block that IP once the limit has been met. You can typically set both the number of allowed login attempts and the lockout timer that applies once that number has been reached. Here are a couple of the most popular examples:
- Login LockDown. Easy to use and configure, Login lockdown has over 200k active users.
- Limit Login Attempts. Also easy to use and configure, Limit Login Attempts is used on over a million WordPress websites.
The only reservation about either of these plugins is their lack of regular updates. Login LockDown hasn’t been updated in over a year now, and Limit Login Attempts in going on two. That’s not necessarily a problem for folks running single websites without a whole lot of modification, because WordPress’ wp-admin login hasn’t changed significantly in that time. It is a headache for larger hosts like WP Engine, however, who recently dropped Limit Login Attempts in favor of in-house security for that very reason.[2]
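To make concrete what these plugins do under the hood, here is a minimal login limiter written as an added example for this article; it is not the code of Login LockDown, Limit Login Attempts or any other plugin. It uses only WordPress’ own hooks: the `wp_login_failed` action to count failures per IP in a transient, the `authenticate` filter to refuse a locked-out IP, and the `wp_login` action to reset the counter after a successful login. The attempt limit, lockout length and the `mll_` prefix are hypothetical values chosen for the example.

```php
<?php
/**
 * Plugin Name: Minimal Login Limiter (added example, not one of the plugins above)
 *
 * Counts failed logins per client IP in a WordPress transient and refuses
 * further authentication from that IP once the limit is reached. Save it in
 * wp-content/mu-plugins/ to activate. The thresholds are illustrative.
 */

const MLL_MAX_ATTEMPTS    = 5;    // failures allowed before lockout
const MLL_LOCKOUT_SECONDS = 900;  // 15-minute lockout

// Transient key for the caller's IP. Assumes REMOTE_ADDR is the real client;
// behind a reverse proxy or CDN it is the proxy's address, so all visitors
// would share one counter unless the proxy's forwarded-IP header is handled
// separately (and only trusted when it comes from that proxy).
function mll_key( $suffix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'mll_' . $suffix . '_' . md5( $ip );
}

function mll_is_locked_out() {
    return (bool) get_transient( mll_key( 'lock' ) );
}

// Core fires 'wp_login_failed' whenever a login with a username and password
// is rejected, so this runs once per bad guess.
function mll_record_failure( $username ) {
    if ( mll_is_locked_out() ) {
        return; // already locked out; don't keep extending the window
    }
    $key      = mll_key( 'fail' );
    $failures = (int) get_transient( $key ) + 1;
    // The failure counter expires on its own, so old failures fade away.
    set_transient( $key, $failures, MLL_LOCKOUT_SECONDS );
    if ( $failures >= MLL_MAX_ATTEMPTS ) {
        set_transient( mll_key( 'lock' ), time(), MLL_LOCKOUT_SECONDS );
        delete_transient( $key );
    }
}
add_action( 'wp_login_failed', 'mll_record_failure' );

// Priority 30 runs after core's username/password handler (priority 20), so a
// locked-out IP is refused even if its next guess happens to be correct.
function mll_block_if_locked( $user, $username, $password ) {
    if ( mll_is_locked_out() ) {
        return new WP_Error(
            'mll_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'mll_block_if_locked', 30, 3 );

// A successful login clears the failure counter for this IP.
function mll_clear_on_success( $user_login, $user ) {
    delete_transient( mll_key( 'fail' ) );
}
add_action( 'wp_login', 'mll_clear_on_success', 10, 2 );
```

Two things worth checking before relying on something like this: transients are stored in the options table (or the object cache if one is configured), so the counter is shared across all PHP workers, and the `authenticate` filter is applied for every login path that calls `wp_authenticate()`, not only the wp-login.php form, so the lockout covers those as well.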
Comprehensive Security Plugins
If you use a smaller host that does not provide comprehensive security of their own, this is the recommended option for you. These types of plugins offer a suite of security features that includes limiting logins. WordFence Security is one of the best and most widely used, with over a million active installs. You can check it out in the repo, but here are some of its best features:
- Hivemind blocking means if one of WordFence’s users is attacked, the attacker is blocked across all users.
- Features login security including login limits, two-factor authentication, password strength checks, and more.
- Also includes security scanning to keep your website threat-free.
More options exist for limiting logins and general security, and it sure wouldn’t hurt to go scan the repo for solutions yourself. Using the plugins you’ve read about here as something of a benchmark, you can make an informed decision for yourself on the best fit for your site. The one decision that ought to be clear though is that you do need some form of protection moving forward. As WordPress grows, these types of attacks will only become more common. Go take a look and shore up your own castle gates today!
Duncan Betts says
I launched a new blog using SiteGround a few days ago; their WordPress security guide recommended a solution called Clef (www.getclef.com). It replaces the WordPress Admin login screen with a barcode, which you can scan with an app downloaded to your phone in order to login (so, 2FA passwordless login). I had already installed a login attempt limiter and maybe something like this is overkill for a blog but thought I’d mention it :).