Update: Brute Protect is now built into Automattic’s Jetpack plugin.
However, as of 2018, I would recommend using Wordfence, and I have updated all my sites to use it.
If you have a standalone WordPress installation, I recommend adding the Brute Protect plugin. Brute Protect is designed to reduce the chance of your WordPress site falling victim to a ‘Brute Force Attack’. This is where a nefarious computer system (a malicious bot) continually tries to break into your WordPress account. If you have a weak password, there is a risk that it will succeed in gaining access. The bot’s continual attempts to log on to your site also slow down your server, and your site’s response times increase as a result.
Brute Protect works by tracking failed login attempts across all its users. If any particular IP address is responsible for multiple failed logins on several sites, that address is blocked from logging in on any WordPress system with Brute Protect installed.
The more people install BruteProtect, the better the protection becomes for everyone.
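The cross-site mechanism described above, as an added example in Python (my own sketch, not BruteProtect’s code): participating sites report failed logins to a shared list, and an IP is blocked for all of them once it has failed on several distinct sites. The thresholds, site names and event list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of failed-login reports as a shared service might receive
# them from participating sites: (reporting site, source IP, username tried).
FAILED_LOGINS = [
    ("blog-a.example", "198.51.100.7", "admin"),
    ("blog-a.example", "198.51.100.7", "admin"),
    ("shop-b.example", "198.51.100.7", "administrator"),
    ("news-c.example", "198.51.100.7", "admin"),
    ("blog-a.example", "203.0.113.5", "editor"),  # a real user mistyping twice
    ("blog-a.example", "203.0.113.5", "editor"),
    ("shop-b.example", "192.0.2.44", "admin"),    # failures on only two sites
    ("news-c.example", "192.0.2.44", "admin"),
]

class SharedBlocklist:
    """Pools failed logins reported by many sites. An IP is blocked for every
    participant once it has failed on at least `min_sites` distinct sites and
    `min_failures` times in total (thresholds are assumptions for this demo)."""
    def __init__(self, min_sites=3, min_failures=3):
        self.min_sites = min_sites
        self.min_failures = min_failures
        self.failures = defaultdict(int)  # ip -> total failed attempts
        self.sites = defaultdict(set)     # ip -> sites that reported failures

    def report_failure(self, site, ip, username):
        """Called by a participating site after WordPress rejects a login."""
        self.failures[ip] += 1
        self.sites[ip].add(site)

    def is_blocked(self, ip):
        return (len(self.sites.get(ip, ())) >= self.min_sites
                and self.failures.get(ip, 0) >= self.min_failures)

    def allow_login_attempt(self, site, ip):
        """Checked before WordPress verifies the password, so a blocked bot costs
        the site one dictionary lookup instead of a full authentication round.
        The decision is network-wide: `site` need never have seen `ip` before."""
        return not self.is_blocked(ip)

def build_blocklist(events, **thresholds):
    blocklist = SharedBlocklist(**thresholds)
    for site, ip, username in events:
        blocklist.report_failure(site, ip, username)
    return blocklist

if __name__ == "__main__":
    bl = build_blocklist(FAILED_LOGINS)
    print({ip: bl.is_blocked(ip) for ip in ("198.51.100.7", "203.0.113.5", "192.0.2.44")})
```

With the default thresholds only the IP that failed on three sites is blocked; a genuine user who mistypes twice on one site is untouched, and the block applies to a site that has never seen that IP.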
Does it work? In its first month installed on my sites, BruteProtect reports that it has blocked over 2,500 break-in attempts. That’s not a huge number, but each break-in attempt affects the performance of your server and website. BruteProtect stops the drain on the system caused by WordPress processing the invalid log-on attempts, which in turn helps keep your website responsive. If you are on a shared hosting system, it also has the benefit of preventing a brute force attack from impacting the performance of the other co-hosted sites. So installing BruteProtect is also a good and neighborly thing to do for your hosting community in general.
BruteProtect is installed just like any other WordPress plugin. From the dashboard select
Plugins -> Add New
Search the plugins for ‘bruteprotect’, then install and activate it.
Before Brute Protect starts to work you’ll need an activation key. You get that by clicking on the plugin’s settings option and requesting an activation key, which will be emailed to you. Simply cut and paste the activation key into the ‘Enter your key’ field and press Save API Key. That’s it.
On your dashboard you’ll see a new display which tells you how many attempted break-ins have been blocked. As you can see from the screen grab of the BruteProtect display at the top of this post, one of our sites has been protected against 2532 attacks within a few days of BruteProtect being installed.
Apart from updating the plugin if required, it’s simply a case of setting it up and leaving it.
What other simple steps can I take to protect my WordPress site?
Here are four simple things you can do:
- Install the Bad Behavior Plugin
- Use strong passwords
- Remove the default Admin WordPress user. After all, if you remove Admin, the bots have to guess the user name too
- Install and use anti-virus and anti-malware software on your computer to prevent your machine being hacked and passwords being obtained, either from within its files (you don’t keep a list of your passwords on your computer, do you?) or by keyboard loggers.
Also, I’d suggest using a password manager. I highly recommend Keepass, which not only generates strong passwords for you but also remembers them in a highly secure encrypted database. Keepass can even type your usernames and passwords in for you and, even better, inputs them in a random order to fool keyboard loggers.
I use Keepass and strong passwords, so I’m not too concerned about bots being able to crack my accounts.
You can check the strength of your passwords here: Passfault (mine clock in at around a whopping 3.6 billion years to crack). But I don’t want the bots’ attempts to do so to slow my sites down, which is why I’m using BruteProtect.
A couple of points.
If you are using strong passwords, there is nothing to be gained in changing your password. Ever. Unless of course, you publicly reveal it, or it is cracked. Which brings me to my second point.
Don’t be complacent. Just because your password is strong, don’t assume it won’t be cracked. I work under the assumption that it’s not a matter of if my password gets hacked but when. Which is why I use tools such as Keepass and BruteProtect to decrease the opportunities for it to happen.