the creative internet technology co.

Added WordPress Security - Protecting Our Servers Against Brute Force Attacks

Tuesday, 21 July 2015

Protecting Our Servers Against WordPress Brute Force Attacks

No matter how secure your password, you're still not safe from a brute force attacker.


In common with a lot of web hosts, we've been finding recently that WordPress login pages are often falling victim to so-called "brute force attacks", where the site is bombarded with log-on attempts, often many times per second, in the hope of gaining access through sheer fluke by trying combinations of commonly used letters and numbers.

WordPress is of course a victim of its own success in the sense that there are so very many WordPress installations around the world, making it an obvious target for hackers.

We always encourage customers to use complex passwords that would be near impossible to guess. However, this in itself does not negate the effects of a brute force attack, because while the attacks go on, the performance of the site - and in turn the whole server - can be affected. If it goes on long enough, the server will almost certainly grind to a halt eventually and will need to be reset.

With this in mind, we're installing and testing plugins on our customers' WordPress websites free of charge to help tighten up security.

The only difference you will probably notice is that you'll now be asked to complete a "captcha" form when you log on. Thanks to the new plugin, if more than three unsuccessful logon attempts are made in the space of five minutes, the originating IP address will be blacklisted.
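To show how the rule above works (more than three failed logons from one address within five minutes), the following Python applies it to web server access log lines. It is an added example, not the plugin's own code: it assumes the common access log format and that a failed login appears as a POST to wp-login.php answered with status 200, and the log lines are constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # "in the space of five minutes"
MAX_FAILURES = 3               # more than three failures gets the IP blocked

# Apache/nginx common log format: ip - - [time] "METHOD path proto" status size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def failed_logins(lines):
    """Yield (ip, time) for each request that looks like a failed login."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        # Assumption: a failed login is a POST to wp-login.php answered with 200
        # (the form is shown again); a successful one is answered with a 302.
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def blacklist(lines):
    """Return {ip: time of the failure that took it over the limit}."""
    recent, blocked = defaultdict(deque), {}
    for ip, ts in failed_logins(lines):
        if ip in blocked:
            continue
        times = recent[ip]
        times.append(ts)
        while ts - times[0] > WINDOW:  # forget failures older than five minutes
            times.popleft()
        if len(times) > MAX_FAILURES:
            blocked[ip] = ts
    return blocked

def hit(ip, hhmmss, method="POST", status=200):  # builds one constructed log line
    return f'{ip} - - [21/Jul/2015:{hhmmss} +0000] "{method} /wp-login.php HTTP/1.1" {status} 3921'

# Constructed sample traffic (documentation-range addresses, not real log data)
SAMPLE_LOG = (
    [hit("203.0.113.7", f"10:00:{s:02d}") for s in (1, 2, 3, 4)]      # 4 failures in 4 s
    + [hit("198.51.100.20", f"10:01:{s:02d}") for s in (5, 20, 40)]   # 3 mistyped passwords
    + [hit("198.51.100.20", "10:02:00", status=302)]                  # then a successful login
    + [hit("192.0.2.50", f"10:{m:02d}:00") for m in (0, 4, 8, 12)]    # retries that age out
    + [hit("192.0.2.99", "10:03:00", method="GET")]                   # only viewing the form
)

if __name__ == "__main__":
    for ip, when in blacklist(SAMPLE_LOG).items():
        print(f"blacklist {ip} (limit exceeded at {when:%H:%M:%S})")
```

Only the address with four failures inside the window is listed; the customer who mistypes three times and then logs in correctly stays under the limit.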

It goes without saying that whenever you log on to your own WordPress website, you ought to check your records to ensure you're using the right password if you're not 100% sure of it; otherwise you may find yourself a victim of your own website security protocol. But don't worry - if that ever does happen you can just let us know and we will of course remove your IP address from the blacklist.

We can only apologise for this small added inconvenience, but hopefully you can understand that the right course of action is to try to protect everyone sharing our servers from these potentially catastrophic attacks. We've downloaded and played around with a variety of different security plugins and we hope we've identified the best balance of protection and user-friendliness, but of course we welcome your feedback.