How to Protect Your WordPress Site from Brute Force Attacks (Step by Step)

Do you want to protect your WordPress site from brute force attacks? These attacks can slow down your website, make it inaccessible, and even crack your passwords to install malware on your website. In this article, we will show you how to protect your WordPress site from brute force attacks.

protecting WordPress from brute force attacks

What is a Brute Force Attack?

Brute Force Attack is a hacking method which utilizes trial and error techniques to break into a website, a network or a computer system.

Hackers use automated software to send a large number of requests to the target system. With each request, these software attempt to guess the information needed to gain access, like passwords or pin codes.

These tools can also disguise themselves by using different IP addresses and locations, which makes it harder for the targeted system to identify and block these suspicious activities.

A successful brute force attack can give hackers access to your website’s admin area. They can install backdoor, malware, steal user information, and delete everything on your site.

Even unsuccessful brute force attacks can wreak havoc by sending too many requests which slows down your WordPress hosting servers and even crash them.

That being said, let’s take a look at how to protect your WordPress site from brute force attacks.

Step 1. Install a WordPress Firewall Plugin

Brute force attacks put a lot of load on your servers. Even the unsuccessful ones can slow down your website or completely crash the server. This is why it’s important to block them before they get to your server.

To do that, you’ll need a website firewall solution. A firewall filters out bad traffic and blocks it from accessing your site.

How website firewall works

There are two types of website firewalls that you can use.

Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient because a brute force attack can still affect your server load.

DNS Level Website Firewall – These firewall route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your main web hosting server while giving a boost to your WordPress speed and performance.

We recommend using Sucuri. It is the industry leader in website security and the best WordPress firewall in the market. Since it’s a DNS level website firewall, it means all your website traffic goes through their proxy where bad traffic is filtered out.

We use Sucuri on our website, and you can read our complete Sucuri review to learn more.

Step 2. Install WordPress Updates

Some common brute force attacks actively target known vulnerabilities in older versions of WordPress, popular WordPress plugins, or themes.

WordPress core and most popular WordPress plugins are open source and vulnerabilities are often fixed very quickly with an update. However if you fail to install updates, then you leave your website vulnerable to those old threats.

Simply go to Dashboard » Updates page in WordPress admin area to check for available updates. This page will show all updates for your WordPress core, plugins, and themes.

Updates page in WordPress admin area

For more details, see our guide on how to properly update WordPress plugins.

Step 3. Protect WordPress Admin Directory

Most brute force attacks on a WordPress site are trying to get access to the WordPress admin area. You can add password protection on your WordPress admin directory on a server level. This would block unauthorized access to your WordPress admin area.

Simply login to your WordPress hosting control panel (cPanel) and click on the ‘Directory Privacy’ icon under Files section.

Note: We’re using Bluehost in our screenshot but similar settings are available on other top hosting companies as well like SiteGround, HostGator, etc.

Directory privacy in cPanel

Next, you need to locate the wp-admin folder and click on the folder name.

Browse and locate the wp-admin folder

cPanel will now ask you to provide a name for the restricted folder, username, and password. After entering this information click on the save button to store your settings.

Password protect WordPress admin directory

Your WordPress admin directory is now password protected. You will see a new login prompt when you visit your WordPress admin area.

Login prompt

If you run into a 404 error or error too many redirects message, then you need to add the following line to your WordPress .htaccess file.

ErrorDocument 401 default

For more details, see our article on how to password protect WordPress admin directory.

Step 4. Add Two-Factor Authentication in WordPress

Two-Factor authentication adds an additional security layer to your WordPress login screen. Basically, users will need their phones to generate a one-time passcode along with their login credentials to access the WordPress admin area.

Enter two-step authentication code

Adding two-factor authentication will make it harder for hackers to gain access even if they are able to crack your WordPress password.

For detailed step by step instructions, see our guide on how to how to add two-factor authentication in WordPress

Step 5. Use Unique Strong Passwords

Passwords are the keys to gain access to your WordPress site. You need to use unique strong passwords for all your accounts. A strong password is a combination of numbers, letters, and special characters.

It’s important that you use strong passwords for not just your WordPress user accounts but also for FTP, web hosting control panel, and your WordPress database.

Most beginners ask us how to remember all these unique passwords? Well, you don’t need to. There are excellent password manager apps available that will securely store your passwords and automatically fill them in for you.

To learn more, see our beginner’s guide on best way to manage passwords for WordPress.

Step 6. Disable Directory Browsing

By default, when your web server does not find an index file (i.e. a file like index.php or index.html), it automatically displays an index page showing the contents of the directory.

Directory index

During a brute force attack, hackers can use directory browsing to look for vulnerable files. To fix this, you need to add the following line at the bottom of your WordPress .htaccess file.

Options -Indexes

For more details, see our article on how to disable directory browsing in WordPress.

Step 7. Disable PHP File Execution in Specific WordPress Folders

Hackers may want to install and execute a PHP script in your WordPress folders. WordPress is written mainly in PHP, which means you cannot disable that in all WordPress folders.

However, there are some folders that don’t need any PHP scripts. For example, your WordPress uploads folder located at /wp-content/uploads.

You can safely disable PHP execution in the uploads folder which is a common place hackers use to hide backdoor files.

First, you need to open a text editor like Notepad on your computer and paste the following code:

<Files *.php>
deny from all
</Files>

Now, save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using an FTP client.

Step 8. Install and Setup a WordPress Backup Plugin

WordPress backup plugins

Backups are the most important tool in your WordPress security arsenal. If all else fails, then backups will allow you to easily restore your website.

Most WordPress hosting companies offer limited backup options. However, these backups are not guaranteed, and you are solely responsible for making your own backups.

There are several great WordPress backup plugins, which allow you to schedule automatic backups.

We recommend using UpdraftPlus. It is beginner friendly and allows you to quickly setup automatic backups and store them on remote locations like Google Drive, Dropbox, Amazon S3, and more.

For step by step instructions, see our guide on how to how to backup and restore your WordPress site with UpdraftPlus

All above-mentioned tips will help you protect your WordPress site against brute force attacks. For a more comprehensive security setup, you should follow the instructions in our ultimate WordPress security guide for beginners.

We hope this article helped you learn how to protect your WordPress site from brute force attacks. You may also want to look out for the signs that your WordPress is hacked and how to fix a hacked WordPress site.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How to Protect Your WordPress Site from Brute Force Attacks (Step by Step) appeared first on WPBeginner.

Source: Wordpres

The post How to Protect Your WordPress Site from Brute Force Attacks (Step by Step) appeared first on TuneMaster.ml.

How Do I Get My WordPress Site Listed on Google? (Beginner’s Guide)

Recently, one of our users asked us how to get their WordPress site listed on Google? Being the largest search engine in the world, Google is quite good at automatically detecting and listing new websites. However, sometimes it may not automatically list your website right away. Since Google is the biggest traffic source for most websites, it’s important that you get your website listed in Google immediately. In this article, we will share how to easily get your WordPress site listed on Google.

Get your WordPress site listed on Google

Why You Should Get Your Website Listed on Google?

Google is the top source of traffic and visitors for most websites. If you are serious about starting a blog or launching your small business website, then you need to get your website listed on Google as soon as possible.

If you are following the WordPress SEO best practices, then search engines like Google can automatically find your website. However this could take some time, and you will miss out potential customers.

But you can easily expedite this process. Let’s take a look at how to get your WordPress site listed on Google.

Listing Your WordPress Site on Google

Before we start, you would need to create a Google Webmasters Tool account (also known as Search Console). You can easily set it up by following our step by step instructions on how to add your WordPress site to Google Webmaster Tools.

Step 1: Check WordPress Settings for Search Engine Visibility

After you have setup your Webmaster Tools account, you need to make sure that your WordPress site is visible to search engines. You can check this by going to Settings » Reading page and scrolling down to the Search Engine Visibility option.

Search engine visibility

Make sure to remove the check mark from this option, so search engines can crawl your website.

Don’t forget to click on the ‘Save changes’ button to store your settings.

Step 2: Installing Yoast SEO Plugin

Next thing you need to do is install and activate the Yoast SEO plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you will see a new item in your WordPress admin menu labeled SEO. Go ahead and click on it to see the plugin’s settings page.

Yoast SEO menu

On the settings page, you will see the Webmaster Tools tab. We will use this to connect Google search console with your WordPress site.

Step 3: Connecting Google Search Console with WordPress

Now that you have installed Yoast SEO, you need to add your website to Google Search Console. You can do this by clicking on the Add Property button inside your Google search console account.

In the website field, you must add the full website URL. It is important that you use the same URL that you’re seeing in your browser’s URL bar including WWW or non-www as well as HTTPS.

Add website on Google search console

Once you add the website URL, it will take you to the verification page where you need to verify that you’re the owner of this website. There are multiple methods that you can use to verify ownership. The easiest way is listed under the Alternate methods tab called “HTML tag”. It will give you a meta code that you need to copy.

Webmaster verification code

Next, switch back to your WordPress admin area and visit SEO » General page. In the Webmaster Tools tab, you need to paste the code in Google Verification Code field.

Add Google verification code

Once you are done, click on the Save Changes button. Now go back to Google search console account and click on the Verify button. Your website ownership will be successfully verified.

If for some reason it doesn’t verify, then you need to make sure that you clear the cache in WordPress.

Step 4: Setting Up XML Sitemaps

Once your site is verified, you need to go to SEO » General page in WordPress admin area and click on the Features tab. Next, you need to scroll down to the XML sitemaps option and turn it on.

XML sitemaps option

After that, click on the Save Changes button to properly set up XML sitemaps in WordPress.

To view your sitemaps, you can click on the question mark icon next to XML sitemaps title. It will display the link that you can follow to see all your XML sitemaps.

View XML sitemaps

Next you need to submit your sitemap to Google webmaster tools. Sitemaps help Google search bots easily find and index your new content.

Step 5: Submitting XML Sitemaps to Google Search Console

Simply login to your Google search console account and select your website.

You need to go to Crawl » Sitemaps on left side of the screen.

Crawl sitemaps settings

Next, you need to click on the Add/Test Sitemap button on your screen and add your sitemap URL.

Submit sitemaps URL

Your main sitemap file is sitemap_index.xml, and it has links to all other sitemaps on your site. You need to simply submit this main sitemap link, and Google will automatically crawl all other sitemaps on your website.

Once you are done with these steps, you can visit your Google search console account to check your listings. Once Google has crawled and indexed your website, you will start seeing reports in search console.

Another important factor that affects search rankings is website speed. Slower websites are bad for user experience and are often ranked lower than faster websites. See our guide on how to improve your website performance

That’s all. We hope this article helped you get your WordPress site listed on Google. You may also want to check our expert pick of the best WordPress SEO plugins and tools that you should use to optimize your website.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How Do I Get My WordPress Site Listed on Google? (Beginner’s Guide) appeared first on WPBeginner.

Source: Wordpres

The post How Do I Get My WordPress Site Listed on Google? (Beginner’s Guide) appeared first on TuneMaster.ml.