Brute-Force Attacks

There’s been a recent spike in brute-force attacks using actual usernames. Here are a few tips on how to stop the bots.

I just sent out the November reports for WP-Ensure.

There’s been a recent spike in brute-force attacks using actual usernames. Anyone logging in with a non-existent username can easily be blocked, but if there’s a real username or email behind the attempt, the bots know they are onto something and will keep trying to guess the password.

It’s a good thing we can limit the number of tries a bot gets before being blocked. Combined with Google ReCaptcha and enforced strong passwords, there will be enough for them to chew on for a while.
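As an added example (not WP-Ensure’s code, and not from the original post), here is a small WordPress plugin that does the two things the paragraphs above describe: it counts failed logins per username-and-IP pair, locks the pair out after a few failures, and returns the same generic error whether the username exists or not, so a bot gets no "unknown username" versus "incorrect password" signal. The hooks (`wp_login_failed`, `wp_authenticate_user`, `authenticate`, `wp_login`) and the transient functions are real WordPress APIs; the limits, the `lt_` prefix and the function names are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 * Description: Counts failed logins per username+IP, locks the pair out after
 *              a few failures, and returns one generic error so a bot cannot
 *              tell a real username from a made-up one. Not part of WP-Ensure.
 */

// Assumed limits (constructed values; tune them per site).
const LT_MAX_FAILURES = 5;     // failures allowed before the pair is locked
const LT_WINDOW       = 900;   // failures are counted within 15 minutes
const LT_LOCKOUT      = 1800;  // the pair stays locked for 30 minutes

function lt_client_ip() {
    // Only REMOTE_ADDR is trustworthy; X-Forwarded-For is client-controlled.
    // Behind a reverse proxy, have the proxy rewrite REMOTE_ADDR instead.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lt_key($username) {
    // Transient key for this username+IP pair; hashed (md5 is only a key
    // derivation here) so the username's length and characters never matter.
    return 'lt_' . md5(strtolower(trim((string) $username)) . '|' . lt_client_ip());
}

function lt_locked_until($username) {
    $state = get_transient(lt_key($username));
    return is_array($state) ? (int) $state['locked_until'] : 0;
}

function lt_generic_error() {
    // Same code and message whether the username is unknown, the password is
    // wrong, or the pair is locked: nothing for a bot to learn from.
    return new WP_Error('lt_denied', __('Login failed. Please try again later.'));
}

// 1. Count every failure. Core fires this for unknown usernames as well.
add_action('wp_login_failed', function ($username) {
    $key   = lt_key($username);
    $state = get_transient($key);
    if (!is_array($state)) {
        $state = ['count' => 0, 'locked_until' => 0];
    }
    $state['count']++;
    if ($state['count'] >= LT_MAX_FAILURES) {
        $state['locked_until'] = time() + LT_LOCKOUT;
        error_log(sprintf('login throttle: locked user=%s ip=%s', $username, lt_client_ip()));
        set_transient($key, $state, LT_LOCKOUT);
    } else {
        set_transient($key, $state, LT_WINDOW);
    }
});

// 2. While locked, refuse before core compares the password at all. Core
//    applies this filter after the user lookup and returns a WP_Error
//    without calling wp_check_password(). Both login name and email are
//    checked because the failure counter is keyed on whatever was typed.
add_filter('wp_authenticate_user', function ($user) {
    if ($user instanceof WP_User
        && (lt_locked_until($user->user_login) > time()
            || lt_locked_until($user->user_email) > time())) {
        return lt_generic_error();
    }
    return $user;
}, 1);

// 3. After core's own checks (priority 20), replace the telling error codes
//    with the generic one, and deny locked pairs even for unknown usernames.
add_filter('authenticate', function ($user, $username) {
    if ($username !== '' && lt_locked_until($username) > time()) {
        return lt_generic_error();
    }
    if (is_wp_error($user)
        && in_array($user->get_error_code(), ['invalid_username', 'invalid_email', 'incorrect_password'], true)) {
        return lt_generic_error();
    }
    return $user;
}, 30, 2);

// 4. A successful login clears the counter for that pair.
add_action('wp_login', function ($user_login) {
    delete_transient(lt_key($user_login));
});
```

Two caveats a practitioner should keep in mind. Transients live in the options table unless a persistent object cache is installed, so a very large botnet generates a row per username-and-IP pair; and because the key includes the IP, a bot that rotates addresses gets a fresh allowance each time, which is exactly why the post pairs the attempt limit with a CAPTCHA and enforced strong passwords rather than relying on it alone.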

Sometimes the simplest way to throw bots off for a while is for site-owners to change their username (this has to be updated directly in the database) and/or email address. This usually gives you a few months of peace, and any leaked usernames/emails are useless again.

If things get really bad, there’s always 2FA. It’s great that 2FA is becoming more mainstream, but unfortunately for most regular users it’s still too complicated. Tech-savvy users probably already have an authenticator app, but let’s face it: 2FA is a pain in the neck.

As a side-note, my phone took a dive into my aquarium a month and a half ago, and you can imagine the fun of trying to reset all my 2FA. If you’re accident-prone you might want to just keep an old phone on your computer desk just for logging in purposes 🙂

Author Info: Lisa Karvonen

Lissu is a full-stack developer who started working in WordPress in 2003. Since then she has coded plugins, themes and applications for companies and organizations in both WordPress and Multisite as well as other PHP/MySQL applications.

She started developing the WP-Ensure platform in 2017 as a response to customer site attacks and has been steadily improving and growing the company and platform since then.

She's originally from Scotland but lives in Finland with her husband, son, two dogs, two cats and a reef tank.
