A brute-force attack is a forcible method against an encryption algorithm: it keeps trying every combination of a password and does not give up until it works out your website login information. It succeeds through perseverance and has become a big threat to websites. If you are not sure how to deal with this situation, follow this guide to protect your website from being hacked.
Make Your Password as Strong as Possible
A brute-force attacker spends time guessing encrypted login information, and how long that takes depends on the complexity of your username and password. A long password with an intricate combination of letters, symbols, numbers or other characters would take attackers a few years to crack. Enforcing a strong password is therefore a great method in this case.
The password should be complicated and long enough that no one can guess it within a short time. However, it is not a smart move to keep the same password for a long time. Change the password frequently and leave no room for a brute-force attack.
In addition, consider adding a CAPTCHA to the login form, which requires each login attempt to type the given CAPTCHA manually. That is an effective way to protect your website from attacks by bots. And if you regard unlimited login tries as an invitation to brute-force attacks, limit the login attempts for your site.
Prevent Attacking with a WordPress Plugin
No matter how hard your password is to break, brute-force attackers stand a chance of figuring it out. You might as well use a WordPress plugin as a second layer of protection against brute-force attacks. The one selected in this guide is Brute Force Login Protection, which protects your website from this threat by means of .htaccess.
Search for and install this plugin via WP-admin. Upon activation, a new item “Brute Force Login Protection” appears under Settings.
Go to Settings > Brute Force Login Protection to reach the plugin settings page. The Status section shows whether your website is under protection. Green check marks before all criteria indicate that brute-force login protection is active.
This plugin lets you limit login attempts by modifying settings via the .htaccess file. Before anything else, make sure that the .htaccess location shown at the bottom of the Status section is correct. Decide how many login attempts are allowed at one time and how long it takes before the login attempts count is reset. The reset time is set in minutes.
Then set a delay for each failed login attempt to slow down the brute-force attack. Type a message explaining the block to blocked users, or keep the default one. If you need to receive the latest information about blocked IPs, enable the mailing function.
You can type an IP address in the Blocked IPs box to block it manually. Block as many IPs as you want, especially those of anyone launching a brute-force attack. The listed IPs can no longer log into your website.
The Whitelisted IPs box is where you give priority to trusted IPs and allow them to log into your website unconditionally. Don’t use this function unless you know the selected IPs well. Finally, remember to whitelist your current IP.
Some other plugins can be considered for the same purpose, such as Security-protection, BruteProtection, Anti-Malware & Brute-Force Security by ELI, Botnet Attack Blocker, and so on. Select a suitable one from those recommendations if the approach above does not make a difference.
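To see how these settings interact, here is a small Python model added for this guide; it is not the plugin's own code. The class and method names are hypothetical, the reset window is assumed to start at the first failed attempt, and the Apache 2.4 rule format is an assumption about what a deny list in .htaccess can look like.

```python
import ipaddress

class LoginLimiter:
    """Per-IP failed-login limiter with a reset window, block list and whitelist."""

    def __init__(self, allowed_attempts, reset_minutes, whitelist=(), blocked=()):
        self.allowed_attempts = allowed_attempts
        self.reset_seconds = reset_minutes * 60
        self.whitelist = {ipaddress.ip_address(ip) for ip in whitelist}
        self.blocked = {ipaddress.ip_address(ip) for ip in blocked}
        self.failures = {}  # address -> (failure count, start of current window)

    def is_allowed(self, ip):
        """Whitelisted addresses always pass; blocked ones never do."""
        addr = ipaddress.ip_address(ip)
        return addr in self.whitelist or addr not in self.blocked

    def record_failure(self, ip, now):
        """Count a failed login at time `now` (seconds); block at the limit."""
        addr = ipaddress.ip_address(ip)
        if addr in self.whitelist or addr in self.blocked:
            return
        count, start = self.failures.get(addr, (0, now))
        if now - start >= self.reset_seconds:
            count, start = 0, now  # window expired: the count starts over
        count += 1
        if count >= self.allowed_attempts:
            self.blocked.add(addr)
            self.failures.pop(addr, None)
        else:
            self.failures[addr] = (count, start)

    def htaccess_rules(self):
        """Render the block list as Apache 2.4 rules (assumed format)."""
        lines = ["<RequireAll>", "    Require all granted"]
        for addr in sorted(self.blocked, key=int):
            lines.append(f"    Require not ip {addr}")
        lines.append("</RequireAll>")
        return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, times in seconds.
    limiter = LoginLimiter(3, 10, whitelist=["198.51.100.7"])
    for t in (0, 60, 120):
        limiter.record_failure("203.0.113.5", t)
    print(limiter.is_allowed("203.0.113.5"))
    print(limiter.htaccess_rules())
```

The whitelist check runs before the block list, which is why a wrong whitelist entry removes all protection for that address.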