Are you worried about the security of your WordPress site? Do you receive spam mail every day about unauthorized attempts of login? Every day the number of WordPress users is increasing. While almost 40% of websites around the world are developed on WordPress it is normal for many newbies to join the trend on daily basis. Most of the new WordPress users do not give much importance to the security of their WordPress login page. But with cutting-edge brute-force attack tools, again and again, it is possible to bypass the password-protected WordPress login page.
WordPress sites are one of the most lucrative targets for digital thieves and hackers for various reasons. Every month hundreds of new cases come forth where someone lost their WordPress sites to these brute-force attackers. If some hackers are continuously sending access requests using your login page, the accessibility of your website gets limited automatically due to the huge load on the server end. In the end, you might end up losing your precious website to the attackers.
There are some tested & proven methods in practice that can help one to secure his/her WordPress site. Also, there are many WordPress plugins available that can help you to secure your WordPress site even more. Using such precautionary measures and WordPress plugins you can keep your site safe from any unauthorized access and brute-force attacks.
A strong password can be a nightmare for a brute-force hacker. Actually, the tools which these pesky hackers use are also nothing but computer programs. They also work on some pre-specified logic. If you use a long-tail password that also has numbers and symbols in it, such passwords become complicated enough to break through the algorithm of the brute-force attacking apps. Passwords like “admin”, “root”, email id, “1234”, etc are never to be used under any circumstances for WordPress login.
You can use the Password Manager to create secure, complex passwords, which are created with a random letter, number, and symbols. But experts recommend creating passwords from within your mind, as the human mind is way more complex than any machine. Try to keep your password/passphrase very random, meaningless and make them very-very hard to remember using random symbols and multiple numbers. You can also use various password generator plugins from the WordPress store.
This is one of the best weapons against brute-force attackers. By default, the number of login attempts at WordPress is unlimited, which is a serious concern. You can deal with this security risk simply by using the “Limit Login Attempts” plug-in. The plugin allows you to limit the login attempts per IP address, and let you put IP addresses on time out for a specified time. For example, you can set for 3 attempts, after which entering the wrong password would put a time out on the IP address for 12 hours.
Using such a plug-in you do not need to implement any complex coding or implementation process. It is easy, fast, and secure. If you are looking for a Login Attempts Limiter Plug-in, there are many other options to use such as – Limit Login Attempts Reloaded, WP Limit Login Attempts, Wordfence Security, All in One WP Security, WP Login Attempts, Login LockDown, etc. Using such a “Limit Login Attempts” plug-in you simply make the brute force attacks obsolete, as it can not run more than the number of login attempts allowed by the plugin.
This process is also known as two-factor authentication, and it is considered one of the most secure login methods. You need to have the Google Authentication App and the Google Authenticator WordPress plug-in, to set up the two-factor authentication. The whole thing works in such a way where you have to enter your username and password every time, along with an additional code generated by the Google Authenticator app. This additional code is generated each time you try to log in, so the code is unique every time.
To use this method you have to carry your smartphone with you at the time you are logging in to your WordPress admin. The process may seem to be a bit complex at first, but it offers a very secure additional protection against login attackers.
Though the process looks complex the configuration process is very easy. First, download the WordPress plugin “Google Authenticator” and install it. After installing the plugin, download and install the “Google Authenticator app” on (Android app, iOS app) your smartphone. Here you can simply use the barcode in the WordPress plugin settings to link the WordPress plugin to your smartphone app.
Now whenever you open the Google Authenticator app, the login code for your WordPress site will be generated again and again at regular intervals. You can check and enter the code in your WordPress login screen whenever you are trying to log in to your WordPress admin panel. You can also use the same “Google Authenticator app” with multiple websites and services for two-factor authentication.
As the owner and admin of your WordPress site, you have access to the .htaccess file. With the access of the .htaccess file, you also have the option of setting up an additional password. If you do that, you can have a distinctive advantage over brute hackers as the actual WordPress login cannot even be called up by a third-party user. So brute force attacks can be blocked before the actual attack attempt happens.
This way you can massively spare the calls to your WordPress site and the accessibility of the website is always guaranteed in any case. Setting up a .htaccess login is also not that complicated as it sounds. You must have access to your .htaccess file via your FTP access, but the problem is, it depends on the hosting offers from your hosting service provider. If available, then you will have a code editor to edit the .htaccess file and a new .htpasswd file (this file contains your password) to create.
1. First, you have to create a new, empty file with the name .htpasswd in the main directory of your website (i.e. where the .htaccess file should already be) via your FTP access. Remember, it is only possible if your service provider grants you such access via your hosting package offer.
2. If your hosting provider offers Cpanel then you can easily use File manager to edit and create files. And if not then you have to download the new, still empty .htpasswd file locally on your computer and open and edit it using Notepad or code editor.
3. In the file add the username and password that you want to use to secure your website in the following format:
Note: Replace the username and password with the one you want to set.
For example– I want to add four users and their corresponding those can access the website:
4. Save the file and upload it to your hosting server.
In this way, we can add single or multiple users that can access the website.
5. Now, edit the existing .htaccess file. Add the following given code but remember to determine the AuthUserFile path to your .htpasswd file and replace it in the code.
After you are done with inserting the code in the .htaccess file and also done with uploading the new .htpasswd file with your code to the main directory of your website, the password query should now appear in the browser and thus add an extra layer of protection.
This step is usually overlooked by most users, but remember that a unique username can also work as a deterrent from unauthorized login attempts. While doing brute force attack, the attackers not only have to crack the password, but he also needs to crack the username for that password also. If you are using your email or name your user id, it is easier to guess. Using a brute force attacking tool, within a minute any attacker can determine the admin id if you are using such a simple user id. This way you are helping the attacker by setting up a week user-id deliberately.
So never use your email id, name, or name123, [email protected], anyword123 as your user id. Just like creating a long tail password, create a long tail, hard to detect user id using a combination of letters, symbols, and numbers.
The duty of a website application firewall (WAF) plugin is to monitor website traffic. It also blocks any suspicious requests or admin login attempts from the remote server and IPs. You can use any WAF plugin like Wordfence Security, MalCare Security, Cloudflare, Sucuri Security, Shield Security, etc.
Using such an application firewall plugin makes sure any incoming traffic goes through their cloud proxy first, where it can be scanned and analyzed. It boosts the security of the websites, safeguard your site from phishing attacks, hacking attempts, malware infection, etc. Also with such plugins frequently block most of the unwanted and suspicious incoming traffic from accessing the site data.
Along with the WordPress Admin panel, you also should protect the WordPress Admin Directory using a strong password. Most people do not use any password to safeguard their Admin Directory, which is not a good practice, especially if you are concerned about your WordPress Site’s security.
1. First, log in to your cPanel dashboard of the WordPress hosting;
2. Now click on the ‘Password Protect Directories’ or ‘Directory Privacy’ icon;
3. Now select your wp-admin folder, (normally located in – /public_html/directory);
4. Then click on the checkbox of the “Password protect this directory” option, and put a name for the admin directory.
5. Now, you have to click on the “Save” button and the permission will be set.
6. Then go to the previous page and create a new user. Put a “username & password” when prompted and “save” once you are done.
7. From now on, to visit the WordPress admin directory of your website the username and password will be asked.
This Feature is not needed at all, and it somehow weakens the security features of your site. So, make sure you remove the Login Hints feature from the WordPress login page. Most WordPress themes do have this feature automatically inbuilt and enabled all the time. To hide the Login hints you can copy and paste the following code to your theme’s functions.php file (paste at end of it and save the same).
Keeping your WordPress plugins and WordPress version is very important for both security and performance. With time to time updates, you keep your site compatible with the new plugins and also enhance the capability of the installed plugins, which ensures better performance and better security.
If you are using an old version of WordPress you might never know what security threats and loopholes it got. Hackers can exploit such vulnerabilities to take down your obsolete security system. The same logic stands for the plugins also. You must keep all your plugins updated always, especially the security plugins. The updates fix bugs, improves security, and often adds new features and options, so don’t miss the updates.
If you are an advanced-level developer, or if you have a budget to spare, then you should consider developing a custom and dedicated Login page and registration page. Many websites have such a system, but normally WordPress site owners, bloggers, and small-scale e-commerce site owners do not use this as a thumb rule.
However, using custom login pages and custom registration pages, makes it almost impossible for brute force attackers and conventional login attackers from unauthorized login.
As you can see, there are really lots of methods available to protect your WordPress login from unauthorized access. If there are any other tips, tricks, or methods you know to protect the WordPress login, which I may have missed out on, comment about it below. I am very happy about your feedback and your tips!
SEO, Technology, WordPress tutorial
A useful post for people buying WordPress themes (as eg. from Templatemonster.com)
document.getElementById( “ak_js_1” ).setAttribute( “value”, ( new Date() ).getTime() );
This site uses Akismet to reduce spam. Learn how your comment data is processed.