How to Protect Your WordPress Site from Brute Force Attacks (Step by Step)

The post How to Protect Your WordPress Site from Brute Force Attacks (Step by Step) appeared first on WPBeginner.

Do you want to protect your WordPress site from brute force attacks? These attacks can slow down your website, make it inaccessible, and even crack your passwords to install malware on your website. In this article, we will show you how to protect your WordPress site from brute force attacks.

protecting WordPress from brute force attacks

What is a Brute Force Attack?

A brute force attack is a hacking method that uses trial-and-error techniques to break into a website, a network, or a computer system.

Hackers use automated software to send a large number of requests to the target system. With each request, the software attempts to guess the information needed to gain access, such as passwords or PIN codes.

These tools can also disguise themselves by using different IP addresses and locations, which makes it harder for the targeted system to identify and block these suspicious activities.

A successful brute force attack can give hackers access to your website’s admin area. They can install backdoors and malware, steal user information, and delete everything on your site.

Even unsuccessful brute force attacks can wreak havoc by sending too many requests, which slows down your WordPress hosting servers and can even crash them.

That being said, let’s take a look at how to protect your WordPress site from brute force attacks.

Step 1. Install a WordPress Firewall Plugin

Brute force attacks put a lot of load on your servers. Even the unsuccessful ones can slow down your website or completely crash the server. This is why it’s important to block them before they get to your server.

To do that, you’ll need a website firewall solution. A firewall filters out bad traffic and blocks it from accessing your site.

How website firewall works

There are two types of website firewalls that you can use.

Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient because the attack traffic still reaches your server and adds to its load.

DNS Level Website Firewall – These firewalls route your website traffic through their cloud proxy servers. This allows them to send only genuine traffic to your main web hosting server while giving a boost to your WordPress speed and performance.

We recommend using Sucuri. It is the industry leader in website security and the best WordPress firewall on the market. Since it’s a DNS level website firewall, all your website traffic goes through their proxy, where bad traffic is filtered out.

We use Sucuri on our website, and you can read our complete Sucuri review to learn more.

Step 2. Install WordPress Updates

Some common brute force attacks actively target known vulnerabilities in older versions of WordPress, popular WordPress plugins, or themes.

WordPress core and most popular WordPress plugins are open source, and vulnerabilities are often fixed very quickly with an update. However, if you fail to install updates, then you leave your website vulnerable to those old threats.

Simply go to the Dashboard » Updates page in the WordPress admin area to check for available updates. This page will show all updates for your WordPress core, plugins, and themes.

Updates page in WordPress admin area

For more details, see our guide on how to properly update WordPress plugins.

Step 3. Protect WordPress Admin Directory

Most brute force attacks on a WordPress site are trying to get access to the WordPress admin area. You can add password protection to your WordPress admin directory at the server level. This blocks unauthorized access to your WordPress admin area before WordPress itself is even loaded.

Simply log in to your WordPress hosting control panel (cPanel) and click on the ‘Directory Privacy’ icon under the Files section.

Note: We’re using Bluehost in our screenshot, but similar settings are available at other top hosting companies as well, such as SiteGround and HostGator.

Directory privacy in cPanel

Next, you need to locate the wp-admin folder and click on the folder name.

Browse and locate the wp-admin folder

cPanel will now ask you to provide a name for the restricted folder, a username, and a password. After entering this information, click on the save button to store your settings.

Password protect WordPress admin directory

Your WordPress admin directory is now password protected. You will see a new login prompt when you visit your WordPress admin area.

Login prompt

If you run into a 404 error or a ‘too many redirects’ error message, then you need to add the following line to your WordPress .htaccess file.

ErrorDocument 401 default

For more details, see our article on how to password protect WordPress admin directory.

Step 4. Add Two-Factor Authentication in WordPress

Two-Factor authentication adds an additional security layer to your WordPress login screen. Basically, users will need their phones to generate a one-time passcode along with their login credentials to access the WordPress admin area.

Enter two-step authentication code

Adding two-factor authentication will make it harder for hackers to gain access even if they are able to crack your WordPress password.

For detailed step by step instructions, see our guide on how to add two-factor authentication in WordPress.

Step 5. Use Unique Strong Passwords

Passwords are the keys to gain access to your WordPress site. You need to use unique strong passwords for all your accounts. A strong password is a combination of numbers, letters, and special characters.

It’s important that you use strong passwords for not just your WordPress user accounts but also for FTP, web hosting control panel, and your WordPress database.

Most beginners ask us how they are supposed to remember all these unique passwords. Well, you don’t need to. There are excellent password manager apps available that will securely store your passwords and automatically fill them in for you.

To learn more, see our beginner’s guide on best way to manage passwords for WordPress.

Step 6. Disable Directory Browsing

By default, when your web server does not find an index file (i.e. a file like index.php or index.html), it automatically displays an index page showing the contents of the directory.

Directory index

During a brute force attack, hackers can use directory browsing to look for vulnerable files. To fix this, you need to add the following line at the bottom of your WordPress .htaccess file.

Options -Indexes

For more details, see our article on how to disable directory browsing in WordPress.

Step 7. Disable PHP File Execution in Specific WordPress Folders

Hackers may want to install and execute a PHP script in your WordPress folders. WordPress is written mainly in PHP, which means you cannot disable PHP execution in all WordPress folders.

However, there are some folders that don’t need any PHP scripts. For example, your WordPress uploads folder located at /wp-content/uploads.

You can safely disable PHP execution in the uploads folder which is a common place hackers use to hide backdoor files.

First, you need to open a text editor like Notepad on your computer and paste the following code:

<Files *.php>
# Refuse to serve (and therefore execute) any .php file placed in this directory
deny from all
</Files>

Now, save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.

Step 8. Install and Setup a WordPress Backup Plugin

WordPress backup plugins

Backups are the most important tool in your WordPress security arsenal. If all else fails, then backups will allow you to easily restore your website.

Most WordPress hosting companies offer limited backup options. However, these backups are not guaranteed, and you are solely responsible for making your own backups.

There are several great WordPress backup plugins, which allow you to schedule automatic backups.

We recommend using UpdraftPlus. It is beginner friendly and allows you to quickly set up automatic backups and store them in remote locations like Google Drive, Dropbox, Amazon S3, and more.

For step by step instructions, see our guide on how to back up and restore your WordPress site with UpdraftPlus.

All of the above tips will help you protect your WordPress site against brute force attacks. For a more comprehensive security setup, you should follow the instructions in our ultimate WordPress security guide for beginners.

We hope this article helped you learn how to protect your WordPress site from brute force attacks. You may also want to look out for the signs that your WordPress is hacked and how to fix a hacked WordPress site.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

12 Signs That Your WordPress Site is Hacked

The post 12 Signs That Your WordPress Site is Hacked appeared first on WPBeginner.

We are often asked what are some signs that indicate a WordPress site is hacked? There are some common telltale signs that may help you figure out if your WordPress site is hacked or compromised. In this article, we will share 12 common signs that your WordPress site is hacked.

Signs that your WordPress site is hacked

1. Sudden Drop in Website Traffic

Drop in website traffic

If you look at your Google Analytics reports and see a sudden drop in traffic, then this could be a sign that your WordPress site is hacked.

There are many malware and trojans out there that hijack your website’s traffic and redirect it to spammy websites. Some of them don’t redirect logged-in users, which allows them to go unnoticed for a while.

Another reason for a sudden drop in traffic is Google’s safe browsing tool, which might be showing warnings to users regarding your website.

Each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. That’s why every blogger and business owner needs to pay serious attention to their WordPress security.

You can check your website using Google’s safe browsing tool to see your safety report.

2. Spam and Malware Injection

One of the most common signs among hacked WordPress sites is data injection. Hackers create a backdoor on your WordPress site which gives them access to modify your WordPress files and database.

Some of these hacks add links to spammy websites. Usually these links are added to the footer of your website, but they really could be anywhere. Deleting the links will not guarantee that they will not come back.

You will need to find and fix the backdoor used to inject this data into your website. See our guide on how to find and fix a backdoor in a hacked WordPress site.

3. Your Site’s Homepage is Defaced

website homepage defaced after hacking

This is probably the most obvious one as it is clearly visible on the homepage of your website. Most hacking attempts do not deface your site’s home page because they want to remain unnoticed for as long as possible.

However, some hackers may deface your website to announce that it has been hacked. Such hackers usually replace your homepage with their own message. Some hackers may even try to extort money from site owners.

4. You Are Unable to Log In to WordPress

Failure to log in to WordPress

If you are unable to log in to your WordPress site, then there is a chance that hackers may have deleted your admin account from WordPress.

Since the account doesn’t exist, you would not be able to reset your password from the login page. There are other ways to add an admin account using phpMyAdmin or via FTP. However, your site will remain unsafe until you figure out how a hacker got into your website.

5. Suspicious User Accounts in WordPress

Suspicious user accounts in WordPress

If your site is open to user registration, and you are not using any spam registration protection, then spam user accounts are just common spam that you can simply delete.

However, if you don’t remember allowing user registration and notice new user accounts in WordPress, then your site is probably hacked.

Usually the suspicious account will have the administrator user role, and in some cases you may not be able to delete it from your WordPress admin area.

6. Unknown Files and Scripts on Your Server

Unknown files and scripts in WordPress folders

If you’re using a site scanner plugin like Sucuri, then it will alert you when it finds an unknown file or script on your server.

You need to connect to your WordPress site using an FTP client. The most common place where you will find malicious files and scripts is the /wp-content/ folder.

Usually, these files are named like WordPress files to hide in plain sight. Deleting these files immediately will not guarantee that they will not return. You will need to audit the security of your website, especially its file and directory structure.

7. Your Website is Often Slow or Unresponsive

Slow or unresponsive website

All websites on the internet can become victims of random denial of service attacks. These attacks use many hacked computers and servers from all over the world, often with spoofed IP addresses. Sometimes they are just sending too many requests to your server; other times they are actively trying to break into your website.

Any such activity will make your website slow, unresponsive, or unavailable. You will need to check your server logs to see which IP addresses are making too many requests and block them.

It is also possible that your WordPress site is just slow and not hacked. In that case, you need to follow our guide to boost WordPress speed and performance.

8. Unusual Activity in Server Logs

Server logs

Server logs are plain text files stored on your web server. These files keep a record of all errors occurring on your server as well as all requests made to your website.

You can access them from your WordPress hosting account’s cPanel dashboard under Statistics.

These server logs can help you understand what’s going on when your WordPress site is under attack. They also contain all the IP addresses used to access your website, which allows you to block suspicious IP addresses.
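To put signs 7 and 8 into practice, here is an added example (not code from the WPBeginner article) that reads standard Apache/Nginx combined-format access log lines, counts POST requests to wp-login.php and xmlrpc.php per IP address, and flags addresses that exceed a threshold inside a sliding time window. The log lines, IP addresses, window length and threshold are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" access-log format, one request per line:
#   203.0.113.5 - - [10/Oct/2023:14:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The two endpoints automated password guessers hit on a WordPress site.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string, e.g. /xmlrpc.php?rsd
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_login_floods(lines, window_s=300, threshold=10):
    """Return {ip: peak_count} for every IP whose POSTs to a login endpoint exceed
    `threshold` inside some sliding window of `window_s` seconds."""
    window = timedelta(seconds=window_s)
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or truncated line: skip it rather than crash
        ip, ts, method, path, _status = parsed
        if method == "POST" and path in LOGIN_PATHS:
            attempts[ip].append(ts)

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until times[start..end] all fit inside `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


# --- Constructed sample log (not data from any real server) ------------------
_BASE = datetime(2023, 10, 10, 14, 0, 0, tzinfo=timezone.utc)


def _line(ip, offset_s, method, path, status=200):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    # A real user who mistypes the password once, then reaches the dashboard.
    [_line("198.51.100.7", 0, "POST", "/wp-login.php"),
     _line("198.51.100.7", 15, "POST", "/wp-login.php"),
     _line("198.51.100.7", 30, "GET", "/wp-admin/")]
    # An automated guesser: 15 login POSTs in under a minute.
    + [_line("203.0.113.5", 60 + i * 4, "POST", "/wp-login.php") for i in range(15)]
    # A slower guesser using XML-RPC, one attempt per minute for 12 minutes.
    + [_line("203.0.113.9", i * 60, "POST", "/xmlrpc.php?rsd") for i in range(12)]
    # A scanner only fetching the login page, plus a line the parser must skip.
    + [_line("192.0.2.44", 5, "GET", "/wp-login.php"), "garbage line from a rotated log"]
)

if __name__ == "__main__":
    for ip, count in sorted(find_login_floods(SAMPLE_LOG).items()):
        print(f"{ip}: {count} login attempts within 5 minutes")
```

With the default 5-minute window only the fast guesser is flagged; the slow XML-RPC guesser shows up once the window is widened to 15 minutes, which is why thresholds need tuning against your own traffic.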

9. Failure to Send or Receive WordPress Emails

Email errors in WordPress

Hacked servers are commonly used for spam. Most WordPress hosting companies offer free email accounts with your hosting. Many WordPress site owners use their host’s mail servers to send WordPress emails.

If you are unable to send or receive WordPress emails, then there is a chance that your mail server has been hacked to send spam emails.

10. Suspicious Scheduled Tasks

Suspicious scheduled tasks

Web servers allow users to set up cron jobs. These are scheduled tasks that you can add to your server. WordPress itself uses cron to set up scheduled tasks like publishing scheduled posts, deleting old comments from trash, and so on.

A hacker can exploit cron to run scheduled tasks on your server without you knowing it.

11. Hijacked Search Results

If the search results for your website show an incorrect title or meta description, then this is a sign that your WordPress site is hacked.

Looking at your WordPress site, you will still see the correct title and description. The hacker has again exploited a backdoor to inject malicious code which modifies your site data in a way that it is visible only to search engines.

12. Popups or Pop Under Ads on Your Website

Spam popup ads

These types of hacks are trying to make money by hijacking your website’s traffic and showing visitors their own spam ads for illegal websites. These popups do not appear for logged-in visitors or visitors accessing the website directly.

They only appear to users visiting from search engines. Pop-under ads open in a new window and often go unnoticed by users.

Securing and Fixing Your Hacked WordPress Site

Cleaning up a hacked WordPress site can be incredibly painful and difficult. This is why we recommend that you let experts clean up your website.

We use Sucuri to protect all our websites. See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

It comes with 24/7 website monitoring and a powerful web application firewall, which blocks attacks before they even reach your website. Most importantly, they clean up your website if it ever gets hacked.

If you want to clean up your site on your own, then take a look at our beginner’s guide on fixing a hacked WordPress site.

You should also check out our ultimate WordPress security guide to follow the best practices and protect your site.

We hope this article helped you look for signs that your WordPress site is hacked. You may also want to see our list of 24 must-have WordPress plugins for business websites.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
