How do you mitigate a brute force attack?
Well, there are 2 answers to this question.
If your website is not hosted with SiteGround
If you are not hosted with SiteGround then you need to start researching security plugins and configuring firewalls. We’ve talked about some of this before in previous blog posts. You will need to:
Install an application firewall and properly configure it.
There are several good plugins in the WordPress plugin repository that will secure your site against brute force attacks and other types of attacks. The top 3-5 are well respected, and while I won’t recommend one here, you can probably find one that comes highly recommended and get it implemented. All of the good ones have a monthly fee associated with them, but that’s what it takes to protect your site.
Require strong passwords for all users
We’ve talked about passwords before but it bears repeating. Strong passwords are your first line of defense. Your users might not like it but it will keep your site and their data secure.
Require Two-Factor Authentication (2FA) for all logins
2FA mitigates brute force attacks 100% because the login and password are only 2/3 of the login procedure. For the final 1/3, you have to have the person’s phone, which an attacker guessing passwords from afar does not have. That’s a game-ender for brute force attacks.
As with strong passwords, though, users usually hate 2FA. You can limit 2FA to admin accounts, but if an attacker gets into your site through one of the other accounts, you are compromised. So you have to decide which is more important, and that’s a bad choice to have to make.
Implement a password rotation policy that forces new passwords at least every 90 days
Another measure that is effective in helping prevent brute force attacks is requiring users to reset their passwords regularly. Users hate this one too, and if you do enough things in the name of security that users hate, you start to lose users. So it’s a tightrope you have to walk.
Bonus tip: Fail2Ban
In addition to all of those, my personal favorite tool is Fail2ban together with the WP fail2ban plugin. Properly configured (and it takes a developer or network admin to properly configure), this combination can be a very powerful tool to prevent a brute force attack. It’s not easy to configure, but it is very powerful. Fail2ban is open source and free; the WP fail2ban plugin has a pro version that seems to be worth the money.
I don’t usually recommend specific plugins but this one is unique. I have the free version installed on all my blogs that are not hosted on SiteGround and it works wonderfully. I am strongly considering upgrading to the pro version.
WARNING: This plugin requires Fail2ban to be properly installed, configured, and working on your server. Fail2ban itself has a couple of requirements as well. This is not a trivial plugin to get working. If you are not a developer or very familiar with Linux, get help.
If your website is hosted with SiteGround
If your site is hosted with SiteGround, go back to sipping your coffee. SiteGround has a full suite of tools already implemented, including AI to detect brute force attacks from bot networks. This doesn’t mean your site is 100% absolutely secure; nobody can get to 100% safe. It does, however, mean that this is one less thing you have to worry about.
Brute force attacks are well known and well understood. There are tools that you can install that will mitigate the risk of them compromising your site. That having been said, your best bet is a hosting partner like SiteGround that deals with it for you, so that you can spend your time making your site more awesome.