How to Protect Your WordPress Sites from Brute Force Attacks (1 Simple Step)

Tom Ewer
Photo Credit: Davide Restivo

If you keep up to speed with the latest WordPress news you will already know that the world’s favorite content management system was recently hit with a botnet of “tens of thousands” of computers, according to ZDNet.

What is more concerning is that some experts are suggesting that the worst is yet to come. With that in mind, now would be as good a time as any to improve the security of your WordPress site.

We have spoken about security before here on the ManageWP blog, but in this post I want to show you how you can dramatically improve the security of your WordPress sites with ManageWP in seconds.

Keeping It Simple

In a recent post on his personal blog, Matt Mullenweg was quick to play down the sensationalistic aspect of the botnet story and remind people that two simple adjustments can result in a blog that is “99%” more secure than others: changing your username and password.

While we would definitely recommend you changing your username if it is still the default “admin,” setting a truly random password is likely to repel any brute force attempt at accessing your site. By truly random I mean a password that shares the following attributes:

  • 8+ characters
  • No recognizable words
  • Numbers and letters
  • Uppercase and lowercase
  • Symbols (e.g. !&@£*)

The simple fact is that if your password is “hS8D&@nnP2” rather than “password” or something similarly obvious, a brute force attempt at cracking your site is far more likely to result in failure.

How to Change Your WordPress Passwords with ManageWP

Knowing that you should change your passwords is one thing — changing them is another. If you have a large network of sites then the job could be more than just a simple chore. Fortunately, with a subscription to ManageWP’s Professional Package, the process can be simplified greatly.

First, log into your ManageWP account and select Manage > Users from the drop down menu:

Manage > Users drop down box.

On the following screen you can choose which user types and websites to be included in your filter:

Password change screen.

I would recommend that you select all user types apart from “Subscriber.”

ManageWP will now generate a list of users across all of your sites:

WordPress user profiles table.

Check all of the relevant users then select “Change password” from the drop down box at the bottom of the page. You can then choose a new, random and unique password:

WordPress password change option.

In just a few seconds the passwords will be changed.

That’s it! With this feature it is possible to change all of your passwords in just a few seconds. If you have any questions or comments please fire away in the comments section.

Tom Ewer Avatar

author

Tom Ewer
Tom Ewer is the founder of WordCandy.co. He has been a huge fan of WordPress since he first laid eyes on it, and has been writing educational and informative content for WordPress users since 2011. When he’s not working, you’re likely to find him outdoors somewhere – as far away from a screen as possible!

29 responses

  1. Clay Avatar
    Clay

    Another reason I love this solution. A quality of life improvement if you make your living with WordPress.

    Reply
  2. Dallas Bankruptcy Avatar
    Dallas Bankruptcy

    There are many good security-related WP plugins available. Some are pay versions but many are free. They deal with stuff like rewriting htaccess, randomized sql entries, etc.

    Of course, that’s for later …after you’ve taken this first basic (and mostly overlooked) step.

    Reply
  3. Dynasites Avatar
    Dynasites

    After one of my sites was hacked, I began using LastPass’s feature of “Generate Secure Passcode” but I would use it as my username and then run it again for a passcode. I also use Better WP Security Plugin and lock out users after the third unsuccessful login attempt. I am still amazed how many lockout email reports I get in a week. But each one is a hacker that must move on.
    I would be interested in anyones comments or ideas on security if your on a shared server. Am I still at risk if some other users WordPress site isn’t secure?

    Reply
  4. Taneya Avatar
    Taneya

    Your blog post fails to mention that this is a feature that is not available for those subscribed to your Standard plan. thx.

    Reply
  5. Mark Avatar
    Mark

    So you’re telling me I should use the same password for all my users accros al my websites?

    Reply
  6. Susan Avatar
    Susan

    I used this feature on Monday to change just my own user password across all of my sites. It worked on most, but two sites had to be re-added to managewp after because I kept getting a Failed message when the sites were reloaded in managewp. Is this common?

    Reply
  7. Harsh Agrawal Avatar
    Harsh Agrawal

    Another easy way is to change the default login “admin” to something custom. One can use plugin like better WP security to do so…

    Reply
  8. Reuben Avatar
    Reuben

    Me and my hosting company has been having a tough time during the last few days due to an apparent attack. This is a recurring issue since my sites have been hacked a few times before and they managed to resolve the issues.

    I guess we need a better security solution. I bought tons on security plugins but seems I wasted money because the attacks seem to pass through somehow.

    I made it a routine to change my password every month. I like Dynasites method and will try to implement it.

    Thanks for this post.

    Reply
  9. Mike Avatar
    Mike

    Thanks for the post ive updated all my passwords and added login lockdown plugin which is a free option that seems to get a good review and do the job!

    Reply
  10. Simmons Avatar
    Simmons

    A good username/password is only part of the solution. It seems to me the real issue is the amount of bandwidth that is taken up on some of these brute force attacks. I’ve had my site, which is on a VPS, go down because of that. It’s terribly frustrating. I’m using a couple plugins to help, and wish I would have started with the plugin (Better WP Security, or something) that moves the login page to begin with. Seems to me that’s the best way to stop these, on the line of thinking that the brute force attackers couldn’t find the login page to begin with. WordPress’s next major version needs to work on a dynamically generated login page to truly solve the problem.

    Reply
  11. Emagin Avatar
    Emagin

    This plugin makes it so easy:
    https://wordpress.org/extend/plugins/better-wp-security/

    Reply
  12. Jared Avatar
    Jared

    I just wanted to add that a great tool for checking password strength is http://www.howsecureismypassword.net.

    Reply
  13. Kelli Jae Baeli Avatar
    Kelli Jae Baeli

    Hate to be the bearer of bad news, but this did nothing to prevent these attacks on my site. it still happens about every 2 weeks. In fact I am doing an instant support chat RIGHT NOW with my host to try to get my blog back up. So it’s not as simple as the password.

    Reply
  14. boundlessdata Avatar
    boundlessdata

    I’m more concerned with how to stop the attempts than I am about them actually breaking in. The repeated attempts suck the resources out of our virtual server until none of our website will respond. Simply changing your password will not stop that and neither will the security plugins we have seen so far.

    Reply
  15. ScRiPtprompt1ScRiPt@gmail.com Avatar
    ScRiPtprompt1ScRiPt@gmail.com

    “>

    Reply
  16. terence.milbourn@gmail.com Avatar
    terence.milbourn@gmail.com

    One thing that seems to be regularly overlooked is the fact that many cheap hosting servers have very poor site isolation and often sites are attacked through somebody else ~ on a totally different site on the same server ~ not protecting ‘their’ site.

    I un-hack and move about 10 to 15 sites every month from vulnerable cheap shared hosting to secure VPS webservers where they NEVER get hacked again.

    If you pay $4.95 /mo for hosting, or bought a cheap annual hosting deal, why would you be surprised if your site gets hacked?

    Its beyond me.

    Terence.

    Reply
  17. Atinder Avatar
    Atinder

    Well, recently Brute force Attacks has immensely increased, becoming a dangerous factor for all WordPress users, but it is a thing, which is fight-able, I mean, by using security methods, we can move brute force attacks out of the window. Although, it can be difficult for newbies, who just got started with WordPress, but he/she can learn by reading posts online and then can implement security.
    In my view, implementing only three tricks works very well, Changing Login Slug, A content Delivery network (CDN) and a Security Plugin, which bans IP address after a few Login attempts.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *