Secure login against brute force attacks

In a brute force attack, an attacker tries to find a valid user name and password by submitting login data over and over again. Against websites based on WordPress this usually means the default user name admin combined with a list of the most frequently used passwords. Since the attempts are made by a program rather than by hand, there can be several login attempts per second.

Most readers will realize that passwords like password or 123456 are found almost immediately, because they sit at the very top of every such list.

But what can you do about it?

In addition to deleting or renaming the default user admin, you should use a password that contains upper and lower case letters and numbers and, ideally, special characters as well. The password should also be longer than 8 characters. The longer the better: every additional character multiplies the number of combinations an attacker has to try, while an extra character class only enlarges the base.
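As an added example (my code, not part of the original post), the small Python script below applies the rule above and puts numbers to it: it checks a password against the character-class rule, looks it up in a short password list, and works out how many combinations an exhaustive search of the same length and class mix would have to cover. The seven-entry password list and the rate of 5 attempts per second are constructed for the example; real attack lists hold millions of entries.

```python
import string

# A constructed stand-in for the "most frequently used passwords" list an attacker's tool
# would carry. Real lists run to millions of entries; these seven exist only for the example.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "admin", "Password1!", "letmein"]

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_used(password):
    """Names of the character classes that actually occur in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def policy_failures(password, min_length=9):
    """Reasons the password fails the rule in the post: more than 8 characters plus
    upper case, lower case, digits and special characters. An empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    for name in ("lower", "upper", "digit", "special"):
        if name not in classes_used(password):
            reasons.append(f"no {name} character")
    return reasons


def dictionary_position(password):
    """Guess number at which a list attack finds the password, or None if it is not listed."""
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1
    return None


def keyspace(password):
    """Combinations an attacker must cover to exhaust all passwords of this length built
    from the same character classes. Length is the exponent, the class mix only the base."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def worst_case_days(password, attempts_per_second):
    """Days needed to try every combination in the keyspace at the given rate."""
    return keyspace(password) / attempts_per_second / 86400


if __name__ == "__main__":
    rate = 5  # "several login attempts per second" in the post; 5 per second is an assumption
    for pw in ("123456", "Password1!", "Abcdefg1!", "lanternquietgardenfox"):
        print(f"{pw!r}: policy failures={policy_failures(pw) or 'none'}, "
              f"list position={dictionary_position(pw)}, "
              f"exhaustive search={worst_case_days(pw, rate):.3g} days")
```

Two things the run makes visible that the rule alone does not: Password1! satisfies every character-class requirement and is still guess number six in the sample list, and a 21-character all-lower-case password has a far larger keyspace than a 9-character one that uses all four classes.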

You can check whether your password is really secure here:

Other measures

If you have followed the advice above and are still concerned about the security of your blog, you can install the WordPress plugin Limit Login Attempts, which limits the number of login attempts per IP address.

Limit Login Attempts

After installing the plugin, you can find the configuration under Settings -> Limit Login Attempts.

Default settings of the WordPress plugin Limit Login Attempts

With the default settings, after four failed login attempts the IP address they came from is blocked for 20 minutes.

After the 20 minutes, four more login attempts are allowed.

This repeats until the fourth lockout, which is extended to 24 hours.

However, the setting Hours until failed login attempts are reset is not entirely clear to me, since the settings above already seem to regulate everything. If anyone knows what it means, please share in the comments.

I think the rest of the settings are actually fine, except that I am not even notified of an attempted attack.

Therefore, and because the default settings are a bit too tolerant for my taste, I tightened them a little.

My WordPress plugin settings Limit Login Attempts

With these settings, a visitor has only three attempts to guess the correct user name and password.

After that, the IP address has to wait 30 minutes before it may try to log in again. I am notified by e-mail as soon as those three failed attempts have occurred.

If the login then fails three more times, the IP address is blocked for 72 hours.

How to bypass the ban?

With a VPN or the Tor network you can easily change or disguise your IP address. Since Limit Login Attempts counts and blocks per IP address, an attacker who rotates through several proxies or Tor exit nodes simply gets a fresh set of attempts from each one: the plugin raises the cost of a brute force attack, it does not rule one out. Two further caveats: if your site sits behind a reverse proxy or CDN, the plugin sees the proxy's address unless it is switched to the reverse-proxy connection type, and in that mode it trusts the forwarded client address, so it must only be enabled when a proxy you control is actually in front of the site; otherwise an attacker can put any address into that header and pick a new one for every request.
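The following Python script is an added example (mine, not code from the post or from the plugin) that models the per-address counting described above, so the default settings, the tightened settings and the proxy rotation trick can be compared in numbers. It assumes the plugin's accounting works as I read its behaviour: failed attempts are counted per IP; every allowed_retries-th failure locks the address; once the count reaches allowed_retries times allowed_lockouts the long lockout applies and the count is cleared; and the "hours until retries are reset" setting is how long a count is remembered, so a failure arriving after that window starts again from one. The reset window for the tightened configuration is not shown in the post and is assumed to be 12 hours; the IP addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    """The numbers on the plugin's settings page."""
    allowed_retries: int        # failed attempts that trigger a lockout
    lockout_seconds: int        # length of a normal lockout
    allowed_lockouts: int       # lockouts after which the long lockout applies
    long_lockout_seconds: int   # length of the long lockout
    reset_seconds: int          # "hours until retries are reset", in seconds


# Plugin defaults as described in the post: 4 tries, 20 minutes, 4 lockouts, 24 hours, 12 hours reset.
DEFAULTS = LockoutPolicy(4, 20 * 60, 4, 24 * 3600, 12 * 3600)
# The tightened settings from the post: 3 tries, 30 minutes, the second lockout lasts 72 hours.
# The post does not show its reset window; 12 hours is an assumption.
TIGHTENED = LockoutPolicy(3, 30 * 60, 2, 72 * 3600, 12 * 3600)


class LockoutTracker:
    """Per-IP failed-login accounting, modelled on how the plugin counts (my reading of it)."""

    def __init__(self, policy):
        self.policy = policy
        self.retries = {}       # ip -> failed attempts since the count was last reset
        self.valid_until = {}   # ip -> time until which that count is remembered
        self.locked_until = {}  # ip -> time at which the current lockout ends

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def failed_login(self, ip, now):
        """Record one failed attempt at time `now`; return the lockout applied (0 = none)."""
        p = self.policy
        if self.is_locked(ip, now):
            return 0                         # attempts during a lockout are rejected, not counted
        if now < self.valid_until.get(ip, 0):
            self.retries[ip] += 1
        else:
            self.retries[ip] = 1             # reset window elapsed: counting starts over
        self.valid_until[ip] = now + p.reset_seconds
        if self.retries[ip] % p.allowed_retries != 0:
            return 0
        if self.retries[ip] >= p.allowed_retries * p.allowed_lockouts:
            self.locked_until[ip] = now + p.long_lockout_seconds
            self.retries.pop(ip)
            self.valid_until.pop(ip)
            return p.long_lockout_seconds
        self.locked_until[ip] = now + p.lockout_seconds
        return p.lockout_seconds


def guesses_in_window(policy, ips, horizon_seconds):
    """Wrong passwords an attacker gets to test within `horizon_seconds`, trying one per
    second and switching to any address that is not currently locked (VPN/Tor rotation)."""
    tracker = LockoutTracker(policy)
    now, guesses = 0, 0
    while now < horizon_seconds:
        free = [ip for ip in ips if not tracker.is_locked(ip, now)]
        if not free:
            now = min(tracker.locked_until[ip] for ip in ips)  # wait for the earliest unlock
            continue
        tracker.failed_login(free[0], now)
        guesses += 1
        now += 1
    return guesses


def locks_after_pause(policy, pause_seconds):
    """Fail one attempt short of a lockout, pause, fail once more: does that last one lock?"""
    tracker = LockoutTracker(policy)
    ip = "198.51.100.7"                      # documentation address, constructed for the example
    for t in range(policy.allowed_retries - 1):
        tracker.failed_login(ip, t)
    return tracker.failed_login(ip, policy.allowed_retries - 1 + pause_seconds) > 0


if __name__ == "__main__":
    day = 24 * 3600
    many = [f"203.0.113.{i}" for i in range(1, 11)]   # ten exit addresses, constructed
    for name, policy in (("defaults", DEFAULTS), ("tightened", TIGHTENED)):
        print(f"{name}: {guesses_in_window(policy, many[:1], day)} guesses per day from one IP, "
              f"{guesses_in_window(policy, many, day)} from ten")
    print("one minute pause still locks:", locks_after_pause(DEFAULTS, 60))
    print("13 hour pause resets the count:", not locks_after_pause(DEFAULTS, 13 * 3600))
```

Run stand-alone it shows that the defaults allow 16 wrong guesses per day from a single address and the tightened settings 6, and that ten addresses multiply both figures by ten, which is exactly what rotating through proxies buys an attacker. It also shows what the reset window does under this model: a 13 hour pause between failures clears the count, a one minute pause does not.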

If you have locked yourself out, you can either try again through the Tor network, which gives you a different IP address, or rename or delete the folder limit-login-attempts in wp-content/plugins of your WordPress installation via FTP: WordPress deactivates a plugin whose directory is missing, and the lockout disappears with it.

