Limit Logins To Stop Brute Force Attacks

Due to its popularity and old vulnerability to “admin” username hacks, WordPress is constantly in the sights of hackers and hacker bot networks.

Usually it’s not a personal attack on you or what your website does, but rather a grab for resources to use in some other nefarious plan.

There are many ways to hack a website; old code vulnerabilities, social engineering and brute force are usually the top three methods.

Old Code Vulnerabilities

Software patches are released for plugins and themes every week.

As a WordPress administrator you should be updating your site’s themes and plugins regularly; otherwise, hackers can gain access to the backend of your site by exploiting these known vulnerabilities.

Most of the hacks that we see at WP Wingman are caused because site administrators don’t update their WordPress core, themes and plugins regularly.

If you don’t have time to update plugins and themes every few days, we are happy to take care of it in one of our WordPress Site Care plans.

Social Engineering

Attacking a website using social engineering is usually a long-game plan and quite ingenious.

This is where a hacker looks into your personal life to try to guess your login details, or to trick you into revealing them.

There is a great book on this called “The Art of Deception” by Kevin Mitnick, who was on the FBI’s most wanted list for hacking into US government systems using these techniques.

Brute Force Attacks

This type of attack is usually performed by huge illegal bot-nets.

They look for WordPress websites and start to blast username and password combinations at the website’s login form, trying to guess the correct combination.

Old WordPress installations used a script which set the default username to “admin”.

If you have a website firewall already installed you’ll probably see thousands of brute force login attempts using the “admin” username.

As well as trying to log in to your backend admin area, brute force attacks also dramatically slow down your website as your web server tries to keep up with all the requests for authentication.

No Website Firewall?

If you don’t have a firewall plugin installed or don’t want all that complexity, you should at the very least run a plugin that recognises and prevents brute force attacks.

Not only will this add a layer of security to your site, it will also improve performance.

I would recommend the “Limit Login Attempts Reloaded” plugin.

It is lightweight and performs only the single task of detecting brute force attacks, banning the offending IP address for however long you want.

There are a few settings where you can whitelist or blacklist IP addresses automatically, and controls for the blocking time etc.
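To show what a plugin like this actually does under the hood, here is an added example of a minimal WordPress login rate limiter. It is not code from the Limit Login Attempts Reloaded plugin or from WP Wingman; it uses only standard WordPress hooks (the wp_login_failed action, the authenticate filter, the wp_login action and transients for storage). The attempt limit, lockout time, the example whitelist address and the elrl_ function names are all assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Example Login Rate Limiter (illustrative, not the real plugin)
 * Description: Locks out an IP address after too many failed logins, with a whitelist and blacklist.
 */

// Assumed settings for this example; a real plugin would expose these in its settings page.
const ELRL_MAX_ATTEMPTS    = 5;                        // failures allowed before lockout
const ELRL_LOCKOUT_SECONDS = 20 * MINUTE_IN_SECONDS;   // how long the ban lasts

// Constructed example lists using documentation-range addresses (RFC 5737).
function elrl_whitelist() { return array( '203.0.113.10' ); }  // never locked out (e.g. the office)
function elrl_blacklist() { return array( '198.51.100.77' ); } // never allowed to log in

function elrl_client_ip() {
	// REMOTE_ADDR is set by the web server itself. Behind a reverse proxy or CDN it will be the
	// proxy's address; trust X-Forwarded-For only if the proxy is one you control and configure.
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function elrl_fail_key( $ip ) { return 'elrl_fail_' . md5( $ip ); }
function elrl_lock_key( $ip ) { return 'elrl_lock_' . md5( $ip ); }

// 1. Count failed logins per IP. The transient expires on its own, so old failures are forgotten.
add_action( 'wp_login_failed', 'elrl_record_failure' );
function elrl_record_failure( $username ) {
	$ip = elrl_client_ip();
	if ( in_array( $ip, elrl_whitelist(), true ) ) {
		return;
	}
	if ( false !== get_transient( elrl_lock_key( $ip ) ) ) {
		return; // already locked out; the rejected attempt below should not extend the count
	}
	$count = (int) get_transient( elrl_fail_key( $ip ) ) + 1;
	set_transient( elrl_fail_key( $ip ), $count, ELRL_LOCKOUT_SECONDS );

	if ( $count >= ELRL_MAX_ATTEMPTS ) {
		set_transient( elrl_lock_key( $ip ), time() + ELRL_LOCKOUT_SECONDS, ELRL_LOCKOUT_SECONDS );
		delete_transient( elrl_fail_key( $ip ) );
		// Goes to the PHP error log; useful for spotting a campaign in the server logs.
		error_log( sprintf( 'elrl: locked out %s after %d failed logins (last username tried: %s)',
			$ip, $count, $username ) );
	}
}

// 2. Reject logins from locked-out or blacklisted addresses before WordPress checks the password.
//    Priority 30 runs after the core username/password check (priority 20), so a lockout also
//    overrides a correct guess made during the ban window.
add_filter( 'authenticate', 'elrl_block_if_locked', 30, 3 );
function elrl_block_if_locked( $user, $username, $password ) {
	$ip = elrl_client_ip();
	if ( in_array( $ip, elrl_blacklist(), true ) ) {
		return new WP_Error( 'elrl_blacklisted', __( 'Login from this address is not permitted.' ) );
	}
	if ( in_array( $ip, elrl_whitelist(), true ) ) {
		return $user;
	}
	$locked_until = get_transient( elrl_lock_key( $ip ) );
	if ( false !== $locked_until ) {
		$minutes = max( 1, (int) ceil( ( (int) $locked_until - time() ) / 60 ) );
		return new WP_Error( 'elrl_locked',
			sprintf( __( 'Too many failed login attempts. Try again in %d minutes.' ), $minutes ) );
	}
	return $user;
}

// 3. A successful login clears the failure counter so a legitimate user who mistyped twice
//    does not carry those failures forward.
add_action( 'wp_login', 'elrl_clear_on_success', 10, 2 );
function elrl_clear_on_success( $user_login, $user ) {
	delete_transient( elrl_fail_key( elrl_client_ip() ) );
}
```

The design choice worth noting is that the counter and the ban are both keyed by IP address, which is also how the plugin’s whitelist and blacklist settings work. That is what makes it cheap and what makes it slow a bot-net down, but it also means that if your site sits behind a CDN or reverse proxy every visitor can appear to share one address, so check what REMOTE_ADDR holds on your host before relying on an IP-based lockout.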

If you don’t have time to spend on WordPress site care and WordPress site maintenance, we are happy to take care of it in one of our WordPress Site Care plans.

Wil is a dad, consultant, developer, conference organiser, speaker and business mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many special events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.