I am still appalled by these Brute Force Attacks. I want to help my clients, friends, and readers learn how they can fight against these malicious people who try to make you miserable.
I have put so much time and effort into this post because I want you to be SAFE and SECURE on your blog. If you are under attack and you are on WordPress, this is the post for you.
Or if you know someone who is a new blogger, then go ahead and feel free to share this with them. They will benefit from this and will save themselves a lot of headaches in the future!
3 important things you need to remember:
• Your WordPress
• Your WordFence
• Your CloudFlare
NOTE: Make sure you read my previous post How to Stop Brute Force Attacks (Part 1). In order to understand better what I’m talking about here, you had better read my previous post. If you are a newbie, you need to know some of the things I talked about here.
How to hide your Admin section?
Recently, I installed Lockdown WP Admin. This allows me to hide my admin without having to deal with the coding on my HTML. With a regular HTML website, this is probably a lot easier to do, right? But what about the WordPress section? Especially in Genesis.
Of course, you can always do this: Dashboard > Appearance > Editor. On your right-hand side it shows this (see image below). Make sure you are on your “child theme” and not Genesis per se. Your functions are mainly in that Theme Functions (functions.php) file.
I have never touched the front-page.php nor the Landing Page Template.
I have the code on how to hide your admin area but I’m too scared to touch the cPanel or my dashboard. The last time I tried to do something on my PHP, I made a big booboo and wiped out my whole entire website. Thank God for the hosting service that has all my data and backup.
My hosting service has restored my website without a problem. So if you’re not that savvy with the coding and stuff, I recommend you use this plugin instead.
Also, there is another plugin that allows you to hide your admin section, and that is Rename wp-login.php, but I had a problem with this one because I have WP Super Cache installed.
Here’s what it tells me:
“WP Super Cache is enabled on your website. To make sure Rename wp-login.php works correctly, you should add [your new login name] to Rejected URIs. This notice will disappear once you’ve done that correctly.”
It says there that I should include the “new login name” in “Rejected URLs” right? I have included it and it didn’t change anything and so forget that. I had to trash this plugin.
How to Stop Brute Force Attacks Tutorial Video
Install Wordfence Security in your WordPress. Go to: Dashboard > Plugins > Add New. Also since you are on the Plugins dashboard already, you might as well install CloudFlare too.
When you are under attack, go to Wordfence Basic Options.
- Wordfence > Options > Basic Options
- Under Security Level put it on Level 4: Lockdown and then Save Changes.
In my experience HERE, I did not even put my Security Level on 4; I just bought the premium Wordfence, set my settings on Cellphone Sign-in, and blocked a couple of countries!
It seems like it was the necessary thing for me to do at the time. Either way, you will have to pay for the premium plugin, whether this is Wordfence or CloudFlare.
When you are under attack, you can put your CloudFlare in Under Attack Mode. Read more HERE.
I’m under DDoS attack, what do I do now? From what I gathered HERE, there are 6 Essential Steps that you must do when you are under attack.
Just for your information, DDoS means Distributed Denial of Service.
- Upgrade to CloudFlare Business or CloudFlare Enterprise
- Turn on I’m Under Attack Mode
- Turn on the WAF (Web Application Firewall)
- Set your DNS records for maximum security
- Do not rate-limit or throttle requests from CloudFlare IPs
- Block specific countries and visitors
Tim Bonner said, DDoS is “when someone deliberately sends a massive amount of traffic to a site so it falls down and no-one can access it. These attacks often come with a ransom note request for money to stop the traffic from coming!”
Anyway, I just want to thank Tim for explaining this to me. This is what he did during “under attack”. He used Wordfence and Cloudflare combined together.
As for me, I didn’t have to bother with Cloudflare; I only bought the premium Wordfence and stopped the Brute Force Attacks via Cellphone Sign-in.
Then I blocked a few countries that are malicious. So far I have ZERO intruders! I just hope and pray that they don’t come back to my site. Please SECURE your website now. If you haven’t, please download these plugins. Take your pick. I wish you a wonderful day. Happy Blogging!
[ Transcript ]
Hello everyone this is Angela from angelamccall.com. Today, I’d like to continue to talk about “How to Stop Brute Force Attacks.” I’ve written a special post for today, which is the continuation of my previous post, which is Part 1 and today is the Part 2.
So today I’m going to cover a little bit about “How to Hide Your Admin Section”. I will also talk about Wordfence and Cloudflare. And you can either install Wordfence or Cloudflare or both.
Anyway, during the Brute Force Attacks, I only had Wordfence. I don’t have Cloudflare because I already have the premium Wordfence…which allows me to block the whole country or I can sign in through Cellphone Sign-in.
Every time I log in to my WordPress, Wordfence gives me a CODE through my phone and I enter that and add that to my password. So every time I sign in, it’s always different. And so if you don’t know how to install Wordfence, all you do is just go to your Dashboard. Go to Plugins. Add New.
Type Wordfence. And as you can see I already installed it because it’s gray. And so if you have not installed it just click install and activate it. Then add Cloudflare. And click install then activate it.
Wordfence premium costs $3.90 a month or you can pay $39 a year. Cloudflare…it’s more. Cloudflare costs about $20 a month. If you activate the “Under Attack Mode” you will have to pay Cloudflare.
So I just talked to Tim Bonner. All of you know Tim and he actually shares his experience during the Brute Force Attacks. He had Wordfence and Cloudflare working together. And he said that he put his Wordfence on Level 4. And then he put Cloudflare in “Under Attack Mode”.
I’ll show you how to do that in Wordfence.
So here we are. Go to Options. And under Options, go to your Basic Options. Underneath there it says Security Level. And as you can see I have mine on Level 2 because I’m not under attack. But if you’re under attack you would want to put this on Level 4 and Save Changes.
So after you have taken care of Wordfence, let’s go to Cloudflare.
As you can see, I’ve installed Cloudflare on one of my clients’ sites, and to go to the main settings, you have to go to Plugins and underneath it’s Cloudflare. And as you can see it needs an API number.
How to find out the API Key number is you have to go to the Cloudflare website and on your registered Cloudflare, you can see that you can add website. Or how many domains that you have.
And on your Account you can find out your API Key number down below. So all you have to do is just cut and paste that. And go back to your WordPress and just cut and paste the API number.
How to Stop Brute Force Attacks…the way I did it is I just use Wordfence premium. So let me show you how I did it.
I’m back to Wordfence and underneath here you can see Cellphone Sign-in and/or Country Blocking. You can see here I’ve blocked China. I also blocked Ukraine. These are the most malicious countries that always get into my blog trying to intrude into my home.
When you sign-in for a premium Wordfence, Wordfence does not want you to use the same email address that you used in your WordPress. So you will need to have a different email address and username.
I thought when it says it asked me for a username, I thought I would need to enter the one I entered in Wordfence but NO. This username that you will need here is the same username you used in your WordPress.
And then enter a phone number here. And then enable Cellphone Sign-in. And so after you enable the Cellphone Sign-in, you’re done. And that’s about it. You can block all of these intruders that come into your home.
Before I forget I’d like to show you “How to Hide Your Admin Section” by using a plugin. So let’s go back to my dashboard and on the dashboard I have the “Lockdown WP” plugin and I’m on the dashboard on Lockdown.
And on this window you can enter your login name. And then Save Options. So now when I go to my Admin section, it’ll say enter your login name. And then you will go ahead and proceed and enter your password. So that’s how you hide your Admin section.
Anyways, I hope you learned something from this. So make sure you protect your blog and fight back. And if you have any questions just leave me a comment. Okay. So I’ll talk to you later. Bye-bye now.