Secure Your WordPress Login Page by Limiting Login Attempts
WordPress is the most popular blogging platform, but with that popularity comes an increased risk of your WordPress website being cracked. There is more you can do to help protect your WordPress website, as I discussed in detail in my previous security tutorial.
One aspect of hardening WordPress security is your login page, shown in the image below. Your login page is like the front door to your house: you need to make sure the door is securely locked, by making your username and password extremely difficult to guess.
It is well known that anyone can easily guess the web address of your WordPress login page. I will not mention it here because I don't want to give wannabe crackers any free security tips. Once you are on your WordPress login screen, all you have to do is log in to your WordPress dashboard using your username and password.
You need to be especially aware of brute force and dictionary attacks. Brute force login attempts are the most common and potentially the most dangerous. A brute force attack is when a cracker repeatedly attempts to guess the username and password to gain access to your WordPress website. By default, WordPress allows unlimited login attempts. Since nothing stops them, crackers are encouraged to try for hours, entering one combination after another in the hope of finding the correct one.
WordPress Username
As for the username, I hope that you did not keep the default WordPress admin as the main administrator username for your login screen. If you haven't changed the default WordPress username, I strongly recommend changing it by referring to Tip 9 of my previous tutorial. The problem with keeping the default admin username is that crackers will start with it, which cuts their work in half. An administrator account carries a lot of privileges: an intruder can gather sensitive information about users and perform numerous malicious actions.
A Solution for WordPress
There is a plugin that limits unauthorized login attempts to your WordPress Administration panel.
By default WordPress allows unlimited login attempts to your WordPress administration panels. If you don't have this plugin installed, crackers will try thousands of times until they succeed, and you won't even know about it. A secure username and password that are hard to guess are essential for your blog's security, but even a password of random characters can be guessed if enough time is spent. This is where the Limit Login Attempts plugin comes in handy.
The plugin limits the number of login attempts a user can make. Once the limit is reached, the IP address of the potential intruder is blocked. It keeps a log of the login attempts, and you can also get email notifications. This is usually enough to discourage potential intruders and make them move on to a different target.
The following two pictures show the plugin's settings options in the WordPress dashboard once it is downloaded and activated, and the error message a user gets when the wrong username and/or password are typed.
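The lockout logic described above, as an added Python example (not the plugin's own PHP code): failures are counted per IP within a retry window, the IP is locked once the limit is reached, repeat lockouts get a longer lock, every event is logged, and a notification fires after a set number of lockouts. All numbers are constructed defaults for this example, not settings taken from the plugin.

```python
import time
from collections import defaultdict

class LoginLimiter:
    """Per-IP lockout modelled on the Limit Login Attempts plugin (added example).
    `allowed_retries` failures within `retry_window` seconds lock the IP for `lockout_seconds`;
    from the `long_lockout_after`-th lockout on the lock lasts `long_lockout_seconds`; every
    `notify_after` lockouts of one IP emit a notification (the plugin e-mails the admin).
    The numeric defaults are constructed for this example, not the plugin's own settings."""

    def __init__(self, allowed_retries=4, retry_window=12 * 3600, lockout_seconds=20 * 60,
                 long_lockout_after=4, long_lockout_seconds=24 * 3600, notify_after=4,
                 clock=time.time):
        self.cfg = dict(retries=allowed_retries, window=retry_window, lock=lockout_seconds,
                        long_after=long_lockout_after, long_lock=long_lockout_seconds, notify=notify_after)
        self.clock = clock                 # injectable so tests can advance time
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> time the lock expires
        self.lockouts = defaultdict(int)   # ip -> lockouts so far
        self.log = []                      # (time, ip, username, event), like the plugin's log
        self.notifications = []

    def is_locked(self, ip):
        return self.locked_until.get(ip, 0) > self.clock()

    def attempts_left(self, ip):
        """Retries remaining before lockout; also drops failures older than the window."""
        now = self.clock()
        self.failures[ip] = [t for t in self.failures[ip] if now - t < self.cfg["window"]]
        return self.cfg["retries"] - len(self.failures[ip])

    def record_failure(self, ip, username):
        """Call on every failed login; returns 'locked', 'failed' or 'lockout'."""
        now = self.clock()
        if self.is_locked(ip):             # a locked IP is refused before any password check
            self.log.append((now, ip, username, "rejected-while-locked"))
            return "locked"
        self.failures[ip].append(now)
        self.log.append((now, ip, username, "failed"))
        if self.attempts_left(ip) > 0:
            return "failed"
        # Limit reached: lock the IP, reset its counter and escalate for repeat offenders.
        self.failures[ip] = []
        self.lockouts[ip] += 1
        long_lock = self.lockouts[ip] >= self.cfg["long_after"]
        self.locked_until[ip] = now + (self.cfg["long_lock"] if long_lock else self.cfg["lock"])
        self.log.append((now, ip, username, "lockout"))
        if self.lockouts[ip] % self.cfg["notify"] == 0:
            self.notifications.append(f"{self.lockouts[ip]} lockouts from {ip}, last username {username!r}")
        return "lockout"
```

Wire `record_failure` to the failed-login event of your login handler and consult `is_locked` before checking any password; the log and notification lists are where a real deployment would write to the database and send mail.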
The Threat is Real. It is happening to this Blog.
For the past 3 weeks I have been getting constant attempts to break into the dashboard of this blog. The next picture shows the number of unauthorized login attempts registered by the plugin for the past 3 weeks. Notice that all login attempts are made for the "admin" default username.
The following picture shows the email I receive after a specified number of lockouts:
The next picture shows the IP address tool that gives you an approximate location the IP address originated from:
How to Choose a Strong Password
To make it harder for anyone trying to guess your password, you should not only choose a long password, but also avoid dictionary words and include at least one capital letter, one special character, and one number. Create unlikely letter and number combinations. The more obscure your password, the tougher it will be to crack. More from wikiHow.
To see how easy (or hard) it is to crack your password, try the password calculator. It will show you, in theory, how fast your password could be cracked.
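An added Python sketch of the password-calculator idea (not the tool linked above): it checks the rules from this section and estimates the worst-case time to exhaust the search space at two constructed guess rates, an online rate throttled by a login lockout and an offline rate against a stolen password hash. The word list and both rates are constructed for the example.

```python
import math
import string

# Character classes the section asks for, with the size each adds to the search space.
CHARSETS = [
    ("lowercase", set(string.ascii_lowercase)),
    ("uppercase", set(string.ascii_uppercase)),
    ("number", set(string.digits)),
    ("special character", set(string.punctuation)),
]
# Constructed stand-in for a dictionary; a real check would load a full word list.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "wordpress"}
ONLINE_RATE = 4 / (20 * 60)   # constructed: 4 guesses per 20-minute lockout at the login page
OFFLINE_RATE = 1e10           # constructed: guesses per second against a stolen password hash
SECONDS_PER_YEAR = 365 * 24 * 3600

def check_policy(password, min_length=12):
    """Return the rules from this section that the password violates (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CHARSETS[1:]:          # lowercase is assumed; the others must be present
        if not chars & set(password):
            problems.append(f"no {name}")
    if any(word in password.lower() for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    return problems

def keyspace_bits(password):
    """Bits of search space if an attacker must try every character class the password uses."""
    alphabet = sum(len(chars) for _, chars in CHARSETS if chars & set(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def crack_time_seconds(password, guesses_per_second):
    """Worst-case seconds to exhaust that search space at the given guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second

def report(password):
    """Policy result plus the online-versus-offline contrast for one password."""
    return {
        "problems": check_policy(password),
        "bits": round(keyspace_bits(password), 1),
        "online_years": crack_time_seconds(password, ONLINE_RATE) / SECONDS_PER_YEAR,
        "offline_years": crack_time_seconds(password, OFFLINE_RATE) / SECONDS_PER_YEAR,
    }
```

The gap between the two year figures for the same password is the whole point of limiting login attempts: throttling guesses at the login page buys time that a leaked hash does not.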
Back Up Your WordPress Website on a Regular Basis
As a common-sense security measure, it is also important to back up your WordPress website on a regular basis, in case an intruder succeeds in entering your administration panels. For more details, read my previous tutorial, Complete Backup of Your WordPress Website in 2 Simple Steps.
Conclusion
Cracking into your WordPress website is not a fun matter, and it can happen to you. After a successful break-in, your website can be defaced, crackers can install dormant trojans, malware and spyware, and if this persists Google will warn visitors about your website with the message: This site may harm your computer. Take securing your WordPress website seriously. Do you have anything to say? If so, please share it in the comments section.