One of the most frequent attacks your WordPress site will suffer is the brute force attack: automated software tries to access your site by guessing your login credentials. If you let them, these programs will repeatedly try to log in to your site and gain administrator access. If that happens, you are in trouble, because admin access lets a malicious individual do more or less whatever they want on your site. It is not a small problem: every day there are millions of brute force attacks on WordPress sites.
Here are nine steps to harden your login page and protect your WordPress site.
Choose the right username
Don’t use admin! It is the first username that brute force attacks will try. It is the most common administrator username on WordPress sites, and still the default for many install scripts. Knowing which username will give full rights to your site is a big advantage for a brute force attack, so don’t make it easy. Create a new administrator user with a username that is hard to predict, then delete the admin user from your site.
Don’t publish posts from your admin account
Do not post any content from the administrator account. Every post carries information about its author, and WordPress generates an author sitemap, which can make your administrator username publicly available. Use another account with lower privileges (author) to publish posts on your site.
Use strong passwords
Short or weak passwords compromise your WordPress security. Even if there are no other measures to stop brute force attacks, you can protect your website just by using a secure password. A weak password is one that is short or made of predictable words, number series, etc. A strong password combines lowercase and capital letters, symbols, and numbers. Recent versions of WordPress will tell you whether your password is secure or not. Avoid using your name, your username or any name relating to your website in your password.
Change the link to your login form
The default link to the login form on WordPress websites ends with “/wp-login.php”. That makes it easy for an attacker to find the form and start trying username/password combinations. By changing the default link, you hide the login page from the simpler attackers and from bots that search for login pages and forms. Several plugins will make this change for you without any additional coding.
Use a secure SSL connection
In a “man in the middle” attack, a malicious third party ‘listens in’ to the dialog between your site and the user, which allows eavesdropping and collection of usernames and passwords. By default, connections from users to the server are not encrypted and can be exploited by this type of attack.
Using a secure connection with SSL (Secure Sockets Layer, today implemented as TLS) encrypts all data transmitted between the user’s browser and your WordPress website. It is almost impossible for an eavesdropper to intercept such a secure connection and read the login information sent from the user to the server.
SSL certificates typically cost money, but the Let’s Encrypt service provides them for free.
Limit the number of login attempts
A top technique to protect your WordPress login page against brute force attacks is to limit the number of login attempts. Several free WordPress plugins do the job quickly and efficiently. Their primary function is to identify and count unsuccessful login attempts from individual IP addresses and then either ban logins from that IP address or suspend them for a period, generally a few hours. It is a quick and easy deterrent to brute force attacks.
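The counting-and-lockout logic such plugins implement, as an added example that is not from any plugin or from the article: it replays constructed Apache access-log lines and locks an IP after five failed wp-login.php POSTs within ten minutes. The thresholds and the 200-vs-302 status heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Heuristic used here: WordPress answers a failed POST to wp-login.php with
# HTTP 200 (the form is re-rendered) and a successful login with a 302 redirect.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

class LoginLimiter:  # per-IP failure counter with a sliding window and a lockout
    def __init__(self, max_failures=5, window=timedelta(minutes=10), lockout=timedelta(hours=2)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime when the lock expires

    def is_locked(self, ip, now):
        return ip in self.locked_until and now < self.locked_until[ip]
    def record_failure(self, ip, now):       # returns True if this failure locks the IP
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > self.window:      # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False
def analyze(lines, limiter=None):
    # Replay log lines in order; return (lock expiry per IP, count of login POSTs
    # that arrived while their source IP was locked out).
    limiter, rejected = limiter or LoginLimiter(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        if limiter.is_locked(m["ip"], ts):
            rejected += 1
        elif m["status"] == "200":
            limiter.record_failure(m["ip"], ts)
    return limiter.locked_until, rejected
# Constructed sample log: one IP hammers the form, another user logs in normally.
SAMPLE = [f'203.0.113.5 - - [10/Mar/2024:09:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4210'
          for s in range(0, 60, 10)] + [
    '203.0.113.5 - - [10/Mar/2024:09:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4210',
    '198.51.100.7 - - [10/Mar/2024:09:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Mar/2024:09:01:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9100',
]
```

Running `analyze(SAMPLE)` locks 203.0.113.5 at its fifth failure and reports the two later POSTs from it as rejected, while the normal login from 198.51.100.7 is untouched.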
Enable Two-Factor Authentication
Two-factor authentication (also known as 2FA) will protect your WordPress website against an attacker even if your username and password are known to them. The technique involves a third piece of information that is available only to the legitimate user. Nowadays, that is usually a code sent to your mobile phone, or generated by a third-party application on your phone or computer.
This type of login page protection is highly recommended. Several plugins will let you add this functionality to your site.
Limit access to login page by IP
Restricting access to the login page by IP address is one of the most effective methods of protecting it. You can add a .htaccess file with specific code to your WordPress “wp-admin” directory and limit access to that directory to one or more selected IP addresses. This method is very useful, but it is not suitable for websites where users can register or log in to access specific features. It is also not practical if you have a dynamic rather than a static IP address.
Add Ask Apache Password protection
The most reliable and strict method of protecting your login page is to add a password to the whole “wp-admin” directory. You can only use this approach if you have access to your Apache server (through cPanel or similar). This way, anyone can reach the directory from any IP address, but they need to know another password just to access the login page itself.
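The .htaccess directives for the two previous steps (limiting by IP and adding a second password), as an added example that is not from the article or from any plugin. It assumes Apache 2.4 with AllowOverride permitting these directives; the IP addresses and the htpasswd path are placeholders.

```apache
# Added example, not from the article. Apache 2.4 syntax; assumes AllowOverride
# permits these directives. IP addresses and the htpasswd path are placeholders.

# ---- (a) Limit by IP: put this in the site root .htaccess ----
# wp-login.php sits in the site root, not inside wp-admin, so restricting
# only the wp-admin directory leaves the login form itself reachable.
<Files "wp-login.php">
    Require ip 198.51.100.23 203.0.113.0/24
</Files>
# To cover the dashboard as well, put the same "Require ip ..." line, outside
# any <Files> block, in wp-admin/.htaccess.

# ---- (b) Second password: put this in wp-admin/.htaccess ----
# Either section can be used alone; (b) works from any IP address.
AuthType Basic
AuthName "Restricted area"
# Keep the password file outside the web root; create it with: htpasswd -c <file> <user>
AuthUserFile /path/outside/docroot/.htpasswd
Require valid-user

# admin-ajax.php is also called for logged-out visitors by many themes and
# plugins; without this exemption (needed for (a) in wp-admin too) the
# restriction breaks those front-end features.
<Files "admin-ajax.php">
    Require all granted
</Files>
```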
Putting it together for the sake of your WordPress site security
You need to choose the login page protection strategy that suits your needs.
- Limiting the number of login attempts and judicious use of admin usernames should be standard for all your sites.
- If you have a site with many registered users, then consider using a plugin to force strong passwords, or add two-factor authentication to your site.
- If there are a limited number of registered site users, or your site is public but still under development, then Apache password protection or limiting access by IP address could be a good solution for you.
- Using a secure SSL connection is becoming more and more the standard. Google ranks sites using SSL higher than sites that do not, so aside from security, this is also a great feature to add for better SEO.
- There are millions of brute force attacks daily on WordPress sites, and hundreds of them succeed. Implementing a few simple procedures for your login page will ensure the safety of your site and your users’ data.