Can you offer a definitive answer and approach to making our sites safe from brute force attacks? Is having a different wp-admin name and user name (along with an excellent password) enough? Or do we need to take further steps? What is sufficient due diligence?
With security the idea is to have several layers of defence. The layers vary in ease of implementation, effectiveness and cost. The more important the asset you have, the better you should protect it.
A randomly generated password of at least 16 characters mixing upper and lower case letters, numbers and some symbols cannot be guessed in practice, whether by online login attempts or by offline cracking of a stolen password hash. Random is the key word: a 16-character password built from dictionary words and predictable substitutions is far weaker than its length suggests. Such passwords are also difficult to remember, so use a password manager such as LastPass or RoboForm to generate and store them.
Strong and Private Usernames
In my case I always choose a strong username such as [email protected]@362l rather than just russell. Further, I ensure it’s private by changing the WordPress user nicename (as exposed by the author URL) from [email protected]@362l to russell. In other words I make sure my username cannot be mined by the tools hackers use. With an unguessable username and password, brute force attempts are not viable. You can edit the database to achieve this or just check a box in the Genesis Club Pro Plugin.
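To see what the author URL and, on current WordPress versions, the REST API give away about a login, here is an added Python example; it is not code from this page or from the Genesis Club Pro plugin. It reproduces, approximately, the sanitising WordPress applies to a login to derive the default nicename (symbols are stripped, so even a symbol-heavy login leaks its letters and digits), pulls the nicename out of the two places it is exposed, and reports which logins remain recoverable. The logins, URLs and JSON body are constructed for the example, and the sanitising is an approximation that ignores accents and percent-encoding.

```python
import json
import re
from typing import Dict, List, Optional


def default_nicename(user_login: str) -> str:
    """Approximate WordPress's sanitize_title_with_dashes(), which
    wp_insert_user() applies to user_login when no nicename is supplied.
    Assumption: ASCII logins only (accent removal and percent-encoding
    handling are left out)."""
    slug = user_login.lower()
    slug = re.sub(r"&.+?;", "", slug)          # drop HTML entities
    slug = slug.replace(".", "-")
    slug = re.sub(r"[^%a-z0-9 _-]", "", slug)  # symbols such as $ @ ! vanish
    slug = re.sub(r"\s+", "-", slug)
    slug = re.sub(r"-+", "-", slug)
    return slug.strip("-")


def slug_from_author_redirect(location: str) -> Optional[str]:
    """A request for /?author=N on a default install redirects to
    /author/<user_nicename>/; this pulls the nicename out of the
    Location header."""
    m = re.search(r"/author/([^/?#]+)", location)
    return m.group(1) if m else None


def slugs_from_rest_users(body: str) -> List[str]:
    """/wp-json/wp/v2/users lists every user with published posts; its
    'slug' field is user_nicename."""
    return [user["slug"] for user in json.loads(body)]


def login_is_exposed(user_login: str, public_slug: str) -> bool:
    """True when the public slug is the login itself or its default
    sanitised form, i.e. when the letters and digits of the login leak."""
    return public_slug in {user_login.lower(), default_nicename(user_login)}


def audit(accounts: Dict[str, str]) -> List[str]:
    """Given {user_login: user_nicename}, return the logins that leak."""
    return sorted(login for login, slug in accounts.items()
                  if login_is_exposed(login, slug))


# Constructed sample: one account kept the default nicename, the other had
# its nicename changed to an unrelated word.
CONSTRUCTED_ACCOUNTS = {
    "ru$$ell@8z": "ruell8z",   # default nicename: most of the login leaks
    "Sub!Editor42": "news",    # changed nicename: login not recoverable
}
CONSTRUCTED_REDIRECT = "https://example.com/author/ruell8z/"
CONSTRUCTED_REST_BODY = '[{"id": 1, "slug": "ruell8z"}, {"id": 2, "slug": "news"}]'


if __name__ == "__main__":
    print("author redirect exposes:", slug_from_author_redirect(CONSTRUCTED_REDIRECT))
    print("REST API exposes:", slugs_from_rest_users(CONSTRUCTED_REST_BODY))
    print("logins recoverable from their slug:", audit(CONSTRUCTED_ACCOUNTS))
```

The point of the audit is that a login such as `ru$$ell@8z` still shows up in public as `ruell8z` unless the nicename is changed explicitly, which is exactly the step the answer above describes.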
A security plugin will detect multiple failed login attempts from the same IP address and block that address. An attacker therefore needs a large network of infected machines to mount a focused attack, because each address gets only 3 "goes" before it is blocked, and it might take millions of attempts to hit the password. Most attacks use password dictionaries with variations in any case, which is one more reason to use a random password rather than one built from words.
Use HTTPS For Your Admin Site
With plain HTTP nothing is encrypted, so your username and password cross the network in the clear and can be read by anyone positioned between your browser and the web server: another user on a shared Wi-Fi network, a compromised home router, or the operator of any network in between. The volume of other traffic is no protection, because a login form submission is trivial to pick out of a packet capture; a coffee-shop hotspot is a far more likely place to lose a password this way than a backbone router.
The way to address this threat is to run your WordPress admin site over HTTPS, so that everything between browser and server is encrypted (WordPress can be made to insist on this for logins and the admin area with the FORCE_SSL_ADMIN setting in wp-config.php). You can do this with a certificate issued by a recognised certificate authority or with a free self-signed certificate. With a self-signed certificate you are the signing authority, so your browser will not trust it automatically and you will need to accept it as an exception; check the certificate's fingerprint against your server's before you do, because once you are in the habit of clicking through the warning you have no way of telling your own certificate from one an attacker has substituted. Some hosts place limitations on the use of self-signed certificates, so even though the certificate is free they will charge you to install it.
The Siteground GoGeek package comes with one free SSL certificate so you should install this on your most important site.
Other Brute Force Attack Considerations
However, the obvious point to make here is that any site that is continuously attacked by brute force login scripts may be crippled even if the scripts fail in their mission to break into it. Imagine an orchestrated attack in which thousands of brute force login attempts arrive simultaneously. Simply handling that many coincident login attempts will slow your server or exhaust its memory to the point where it is effectively disabled. Why? Because every attempt, however hopeless, is still routed to PHP, loads WordPress and your brute force plugin, and usually touches the database before it can be rejected; the protection itself costs server resources on every malicious request.
This turns a brute force login attack into a denial of service (DoS) attack. Given that a brute force login attack does not actually want or need to bring your server down, you could argue that a well-written script would move on once it realised it could not get past your secure username and password. But a badly written kiddie script? Some are so crude they will hammer your server continuously, essentially by mistake.
With shared hosting you will not have to worry as such, assuming your usernames and passwords are secure, because you are not responsible for the whole server. But beware: if you are running a dedicated server or a VPS, problems like this are your problem. The principle is to reject repeat offenders as early and as cheaply as possible, at the firewall or in the web server, so that their requests never reach PHP at all. There are ways to mitigate this type of attack on your own servers – we know because we’ve had to do it. We point this out so that you know that running a VPS comes with much responsibility.
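As an added example of the host-level mitigation the last two sections call for, and of the 3-attempts-then-block rule described under security plugins, the Python below is not code from this page or from any plugin. It reads nginx access-log lines, counts failed wp-login.php POSTs per client address inside a sliding window, and emits firewall rules that drop repeat offenders so that their next request never reaches PHP. It assumes default WordPress behaviour, in which a failed login POST is answered with status 200 (the form is re-rendered) and a successful one with a 302 redirect into wp-admin; the log lines, addresses and the 3-attempts-in-10-minutes threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed nginx "combined" access-log sample; none of this is real traffic.
# 203.0.113.7 fails three times in three seconds, 198.51.100.5 fails once and
# then logs in (302), 192.0.2.44 fails three times but hours apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:03:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:15:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def failed_logins(lines: Iterable[str]) -> Dict[str, List[datetime]]:
    """Map each client address to the sorted timestamps of its failed logins.
    Assumption: default WordPress behaviour, where a failed POST to
    wp-login.php re-renders the form with 200 and a successful one answers
    302 into wp-admin."""
    attempts: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue  # only form submissions count as guesses
        if m["status"] != "200":
            continue  # 302 is a successful login; 4xx/5xx were not guesses
        attempts[m["ip"]].append(datetime.strptime(m["ts"], TS_FORMAT))
    return {ip: sorted(stamps) for ip, stamps in attempts.items()}


def offenders(lines: Iterable[str], threshold: int = 3,
              window_seconds: int = 600) -> Set[str]:
    """Addresses with `threshold` failed logins inside any `window_seconds` span."""
    span = timedelta(seconds=window_seconds)
    banned: Set[str] = set()
    for ip, stamps in failed_logins(lines).items():
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= span:
                banned.add(ip)
                break
    return banned


def ban_commands(ips: Iterable[str]) -> List[str]:
    """Firewall rules that drop an offender before nginx or PHP see another
    packet. Returned as strings rather than executed; run them as root or
    feed the same logic to fail2ban."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for cmd in ban_commands(offenders(lines)):
        print(cmd)
    # The slow attacker only shows up if the window is widened to a day:
    print("caught with a 24h window:", offenders(lines, window_seconds=86400))
```

The third address in the sample is the caveat: an attacker who spreads attempts over hours, or over a botnet of many addresses, stays under any per-address threshold, which is why the strong, private username and password remain the primary defence and the blocking is only there to keep the load off the server.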