Every blog is a target, not for the ethical hackers who are paid to find and report flaws, but for the people who simply want your password: the one for your blog's admin panel, your mail account or anything else you log into. A few months ago a number of well-known Twitter accounts, Barack Obama's among them, were taken over this way. The technique is called a brute force attack. It does not need a flaw in the site at all: the attacker just submits guesses to the login form, first dictionary words and common passwords, then combinations of letters and digits, until one is accepted and the account is theirs. You can find more info on Brute Force Attacks here. So in this post I am going to give you some tricks to protect your blog from being hacked with such attacks.

Strong Passwords Are Really Strong
Yes, it is true: a genuinely strong password makes a brute force attack impractical, because the attacker has to guess it. So while choosing a password make sure it is not listed in any dictionary or wordlist, and this is where most people go wrong: your name, your girlfriend's name, or the two joined together are exactly what an attacker tries first, with a few digits appended. Use at least twelve characters with upper case, lower case and digits mixed in (symbols help further), generated randomly rather than built from words. Another thing: do not store your passwords anywhere online, and not in a plain text file on your PC either. If you must keep a copy, a password manager with its own strong master password, or a piece of paper in a locked drawer, is the safer choice, provided your offline friend is not an online enemy of yours.
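As an added example (not code from the original post), here is a small POSIX shell pre-flight check for a candidate admin password along the lines of the advice above, together with the arithmetic behind it. It assumes a wordlist file with one entry per line (the constructed list in the script stands in for a real dictionary), and the figure of 1000 guesses per second is illustrative for an online attack against a login form, not a measurement.

```sh
#!/bin/sh
# Added example (not from the original post): a pre-flight check for a
# candidate admin password plus the brute-force arithmetic behind it.
# Assumptions: a wordlist file with one entry per line (the constructed
# list below stands in for a real one); 1000 guesses/s is illustrative.
LC_ALL=C; export LC_ALL

# make_demo_wordlist: constructed stand-in for a dictionary; prints its path.
make_demo_wordlist() {
    wl=$(mktemp) || return 1
    printf '%s\n' password letmein wordpress admin john emily johnemily > "$wl"
    printf '%s' "$wl"
}

# in_wordlist PASSWORD WORDLIST: case-insensitive match on the password,
# on the password with trailing digits removed, and on its de-leeted form,
# so "JohnEmily2009" and "P4ssw0rd" are both caught.
in_wordlist() {
    pw=$1; wl=$2
    base=$(printf '%s' "$pw" | sed 's/[0-9]*$//')
    unleet=$(printf '%s' "$base" | tr '4301$@' 'aeoisa')
    for c in "$pw" "$base" "$unleet"; do
        [ -n "$c" ] && grep -qixF -- "$c" "$wl" && return 0
    done
    return 1
}

# has_classes PASSWORD: at least 12 characters with lower, upper and digit
# (the post's "alphanumeric" rule made explicit).
has_classes() {
    pw=$1
    [ "${#pw}" -ge 12 ] || return 1
    case $pw in *[a-z]*) ;; *) return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    return 0
}

# keyspace_bits LENGTH ALPHABET: log2 of the number of candidates.
keyspace_bits() {
    awk -v n="$1" -v a="$2" 'BEGIN { printf "%d", n * log(a) / log(2) }'
}

# years_to_exhaust LENGTH ALPHABET RATE: worst-case time to try every
# candidate at RATE guesses per second.
years_to_exhaust() {
    awk -v n="$1" -v a="$2" -v r="$3" 'BEGIN { printf "%.0f", a^n / r / 31536000 }'
}

# check_password PASSWORD WORDLIST: 0 if acceptable, 1 if rejected.
check_password() {
    pw=$1; wl=$2
    if in_wordlist "$pw" "$wl"; then
        echo "reject: password or its base word is in the wordlist" >&2
        return 1
    fi
    if ! has_classes "$pw"; then
        echo "reject: need at least 12 characters with lower, upper and digit" >&2
        return 1
    fi
    echo "ok: ${#pw} alphanumeric characters = $(keyspace_bits "${#pw}" 62) bits"
    return 0
}

# Demo (prints only): the name-combination idea versus a random string,
# and why length matters more than cleverness.
WL=$(make_demo_wordlist)
check_password 'JohnEmily2009' "$WL" || true
check_password 'xK7fq2mPw9Lr' "$WL" || true
echo "8 alphanumerics: $(years_to_exhaust 8 62 1000) years at 1000 guesses/s"
echo "12 alphanumerics: $(years_to_exhaust 12 62 1000) years at 1000 guesses/s"
rm -f "$WL"
```

The de-leeting step is deliberately crude; a real wordlist attack applies far more mangling rules than this, which is the reason a password built from words loses even when it looks "complex".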
Stop Showing Your WordPress Version
Yes, a large number of WordPress themes print the WordPress version in a meta tag in the page header, so a hacker (I could too) learns it just by viewing your blog's source. With the version known they can pick the published vulnerabilities for that exact release and plan a targeted attack. Two caveats: the meta tag is not the only place the version shows up (readme.html in the installation directory and the ?ver= query strings WordPress appends to its scripts and stylesheets reveal it as well), and hiding it is only obscurity; what actually closes version-specific holes is keeping WordPress updated. With that said, removing the tag takes 2 simple steps:
- Open your WordPress dashboard. Go to Appearance->Editor (Design->Theme Editor in older releases). On the right, click on the Header file (header.php). Then find a line like this:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
- Simply delete the whole line, or edit it so the version is no longer printed. A theme update can bring the line back, so check the page source again after updating.
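As an added example (not code from the original post), the shell functions below check a saved page or a header.php for the generator tag and write a cleaned copy next to the original, so you can diff before replacing. They assume POSIX sh with grep and sed; the curl-based check is meant to be pointed at your own site and is not exercised offline. Note that the tag is printed by WordPress core through its wp_head hook, so the cleaner fix than editing the theme is to put remove_action('wp_head', 'wp_generator'); in the theme's functions.php.

```sh
#!/bin/sh
# Added example (not from the original post): detect a leaked WordPress
# version string and remove the generator line from a copy of header.php.
# Assumptions: the theme prints the tag as shown in the post; a saved HTML
# page or header.php is passed by path ("-" reads stdin).

# generator_leak FILE: 0 if FILE contains a generator meta tag or the
# bloginfo('version') call that produces it.
generator_leak() {
    grep -qiE "name=[\"']?generator|bloginfo[(]['\"]version" "$1"
}

# check_live_site URL: the same check against a running site (needs
# network, so it is not part of the demo).
check_live_site() {
    curl -fsS "$1" | generator_leak -
}

# strip_generator HEADER_PHP: write a cleaned copy beside the original and
# print its path; the original stays untouched until you diff and replace.
strip_generator() {
    src=$1; out="$1.nogen"
    grep -viE "name=[\"']?generator" "$src" > "$out" || true
    printf '%s' "$out"
}

# make_demo_header: a header.php fragment constructed for the demo.
make_demo_header() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<head>
<meta charset="UTF-8" />
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
<title>Demo blog</title>
</head>
EOF
    printf '%s' "$f"
}

# Demo (prints only).
H=$(make_demo_header)
generator_leak "$H" && echo "before: version leaks"
C=$(strip_generator "$H")
generator_leak "$C" || echo "after: no generator tag"
rm -f "$H" "$C"
```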
Set Security Keys in wp-config.php
In the wp-config.php file of your WordPress blog (in the WordPress installation directory) find lines such as these:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
Replace the placeholder phrases with long random strings: at least 32 characters mixing upper case, lower case, digits and punctuation, a different one for each key. The simplest way is to let https://api.wordpress.org/secret-key/1.1/ generate them and paste the result into wp-config.php. What these keys do is salt the hashes in the login and nonce cookies. They do not slow down guessing on the login form, but with the shipped placeholders anyone who obtains a copy of your database (an old backup, for instance) can mint a valid admin cookie without ever guessing the password. Changing the keys also invalidates every existing session, so everyone, including you, is logged out.
You can add one more line under the above code, SECRET_KEY, which WordPress releases before 2.6 read for the same purpose; current releases ignore it and instead use four additional constants, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT, which the /1.1/salt/ variant of the generator above emits along with the keys. It would look like this:
define('SECRET_KEY', '0000000000000000000000000');
Replace those zeros with a long random string of upper case, lower case, digits and punctuation, as above; http://api.wordpress.org/secret-key/1.0/ generates one. Never leave a run of zeros or any other guessable value in place.
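As an added example (not code from the original post), this shell script generates the constants locally from the kernel CSPRNG instead of pasting values from a web page, and checks a wp-config.php for the shipped placeholders. It goes slightly beyond the post in that it emits all eight constants current WordPress releases use (the four keys plus the four salts). It assumes POSIX sh with /dev/urandom, awk, grep, tr and head; the wp-config.php fragments in the demo are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): generate wp-config.php
# key/salt constants locally and check a config file for weak values.
# Assumptions: /dev/urandom, awk, grep, tr, head. Emits all eight
# constants of current WordPress releases, not only the four in the post.

# gen_secret: 64 printable characters. The alphabet excludes the single
# quote and backslash so the value drops into a single-quoted PHP string
# without escaping.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=,.;:?~-' < /dev/urandom | head -c 64
}

WP_KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# render_keys: print the define() lines to paste over the placeholders.
render_keys() {
    for k in $WP_KEY_NAMES; do
        printf "define('%s', '%s');\n" "$k" "$(gen_secret)"
    done
}

# weak_config WP_CONFIG: 0 if any key or salt still carries the
# sample-file placeholder or a value shorter than 32 characters
# (the run of zeros from the post would be caught here).
weak_config() {
    grep -q 'put your unique phrase here' "$1" && return 0
    awk -F"'" '/define[(]./ && $2 ~ /^(AUTH|SECURE_AUTH|LOGGED_IN|NONCE|SECRET)_(KEY|SALT)$/ && length($4) < 32 { bad = 1 } END { exit bad ? 0 : 1 }' "$1"
}

# write_demo_config: a minimal wp-config.php fragment with fresh values,
# constructed for the demo; prints its path.
write_demo_config() {
    f=$(mktemp) || return 1
    { echo '<?php'; render_keys; } > "$f"
    printf '%s' "$f"
}

# Demo (prints only): eight fresh define() lines.
render_keys
```

Run weak_config against your live wp-config.php after editing; a zero exit means something is still at a default and the cookies are forgeable to anyone holding a database copy.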
Secure wp-admin directory
The wp-admin directory holds the dashboard, so why not restrict who can reach it at the web server, before WordPress ever sees the request? One thing to know first: the login form itself is wp-login.php in the installation root, not in wp-admin, so to stop brute force on the login you must apply the same rule to that file too (a <Files wp-login.php> section in the root .htaccess). For the directory, follow these steps:
- Create a file called .htaccess in the wp-admin directory and place this code in it:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# allowed IPs
allow from xxx.xxx.xxx.xxx
allow from yyy.yyy.yyy.yyy
…
…
allow from zzz.zzz.zzz.zzz
- Replace xxx, yyy, zzz with the addresses you always log in from, and keep the file updated when your IP changes; with a static IP you set it once. Every address must be complete: Apache treats a truncated address such as 203.0 as a whole network range, so a typo can open the door wider rather than closing it. The four Auth* lines do nothing on their own (there is no Require directive to trigger authentication); the protection comes from the deny/allow pair. On Apache 2.4 that pair is provided by the compatibility module only; the native syntax is "Require ip" followed by the addresses.
- Note: if you allow guest posts by letting authors log in to the interface, or anyone else logs in from addresses you cannot predict, this setting is not recommended; rate-limit the login page instead.
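As an added example (not code from the original post), the shell functions below generate the allow-list rules with every address validated first, in a form that works on both Apache 2.2 (Order/Deny/Allow) and 2.4 (mod_authz_core Require), and produce the matching rule for wp-login.php. They also leave wp-admin/admin-ajax.php reachable, because themes and plugins call it for logged-out visitors and a blanket deny breaks those features. The script assumes Apache with .htaccess overrides enabled and IPv4 addresses (with an optional /prefix); the addresses in the demo are from the documentation ranges and are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): generate the wp-admin and
# wp-login.php allow-lists with the addresses validated first, for Apache
# 2.2 (Order/Deny/Allow) and 2.4 (mod_authz_core "Require").
# Assumptions: Apache with .htaccess overrides enabled; IPv4 addresses with
# an optional /prefix. Demo addresses are constructed (documentation ranges).

# valid_ipv4 ADDR: 0 if ADDR is a.b.c.d or a.b.c.d/nn with each octet in
# 0-255. A typo here either locks you out or, with a truncated address,
# admits a whole network.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# render_rules IP...: deny everyone except the listed addresses.
render_rules() {
    [ $# -gt 0 ] || { echo "render_rules: no addresses given" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "render_rules: bad address: $ip" >&2; return 1; }
    done
    # Apache 2.4: a request that matches no Require directive is denied.
    printf '<IfModule mod_authz_core.c>\n    Require ip %s\n</IfModule>\n' "$*"
    # Apache 2.2: "deny,allow" evaluates Deny first, then Allow overrides it.
    printf '<IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n'
    for ip in "$@"; do printf '    Allow from %s\n' "$ip"; done
    printf '</IfModule>\n'
}

# render_admin_htaccess IP...: contents for wp-admin/.htaccess, with
# admin-ajax.php left reachable for logged-out front-end requests.
render_admin_htaccess() {
    render_rules "$@" || return 1
    cat <<'EOF'
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
EOF
}

# render_login_htaccess IP...: the same rule for the site-root .htaccess,
# scoped to wp-login.php, which is where the guesses actually arrive.
render_login_htaccess() {
    rules=$(render_rules "$@") || return 1
    printf '<Files wp-login.php>\n%s\n</Files>\n' "$rules"
}

# Demo (prints only): wp-admin rules for two constructed addresses.
render_admin_htaccess 203.0.113.7 198.51.100.0/24
```

After installing either file, fetch /wp-login.php from an address that is not on the list and confirm you get a 403 rather than the login form; then fetch it from a listed address to make sure you have not locked yourself out.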
These were some of the tricks that help a lot in securing your site against brute force attacks, and in other ways too. In the second part of this post I will list plugins that help secure a blog.
I never faced something like this before. Maybe this info is good for me. Thanks =)
Twitter: danalingga
December 12, 2009 at 1:26 pm
We can also use a WordPress plugin that blocks the IP address after 5 or more failed access tries.
Dana @ Online Knowledge´s last blog ..Five Software that Must be Installed for New Laptop
Twitter: TechHamlet
December 12, 2009 at 9:02 pm
like the login lock down isn’t it?
Pubudu Kodikara´s last blog ..Instant Article Templates – 3 Reasons Why MOST Article Templates Do Not Help You Write Articles Fast
Twitter: eblogtip
December 12, 2009 at 2:57 pm
Currently I use plugins as Dana mentioned above but using more plugins would cause time loading and I am still wondering to find the possible solutions. I will try this tips as it is new to me and seems a bit complicated too. Thanks
Tinh´s last blog ..Top SEO Ready WordPress Themes To Maximize Adsense Earnings
Setting security keys in config.php will definitely help. Good idea.
Basant Singh´s last blog ..World in ‘Word Clouds’: The Story of a Decade
Twitter: geniusgeeks
December 12, 2009 at 5:48 pm
I use wordpress plugin called logic lockdown for this.
I use passwords that are combinations of capital letters, small letters and numbers. But these combinations do not contain any specific word.
Twitter: sahilkotak
December 14, 2009 at 1:22 pm
That is good Rian.
Twitter: gfserradinho
December 14, 2009 at 11:50 am
One must ensure that they take steps to protect their site/blog. It's not a nice feeling when it is compromised. Rather be safe than sorry, I say.
George Serradinho´s last blog ..Serious Monday Roundup #21
Twitter: sahilkotak
December 14, 2009 at 1:21 pm
yeah, it’s good to be early then never.
This is insightful, I am sure WP can be made more secure with these tips of yours. Will just try them out.
Thanks for the wonderful post
Vaibhav – Programming Kid´s last blog ..Get ready for WordPress 2.9
RT @SahilKotak Secure Your Site From Brute Force Attack – Part 1 | Sahil Kotak dot Com http://bit.ly/76rlDS
This comment was originally posted on Twitter
Just posted a post about How to secure your blog from Brute Force Attacks – http://bit.ly/76rlDS Hope You Guys RT as well as Comment.
This comment was originally posted on Twitter
Sahilkotak.com Secure Your Site From Brute Force Attack – Part 1 http://bit.ly/7t7xaL
This comment was originally posted on Twitter
Sahilkotak.com Secure Your Site From Brute Force Attack – Part 1 http://bit.ly/7t7xaL Plz RT
This comment was originally posted on Twitter
New Blog Post: Secure Your Site From Brute Force Attack – Part 1 http://ow.ly/168HRp
This comment was originally posted on Twitter
RT @SahilKotak Secure ur Site From Brute Force Attack – Part 1 | Sahil Kotak dot Com http://bit.ly/76rlDS
This comment was originally posted on Twitter
Hope you all read this one http://br.st/30m and comment there. Thanks!
This comment was originally posted on Twitter
Secure Your Site From Brute Force Attack – Part 1 – http://br.st/30m
This comment was originally posted on Twitter
RT @SahilKotak Secure Your Site From Brute Force Attack – Part 1 | Sahil Kotak dot Com http://bit.ly/76rlDS
This comment was originally posted on Twitter
RT @SahilKotak: Secure Your Site From Brute Force Attack – Part 1 – http://br.st/30m
This comment was originally posted on Twitter
Secure Your Site From Brute Force Attack – Part 1 – http://br.st/30m
This comment was originally posted on Twitter