WordPress, for what it’s worth, is a pretty secure content management system and application framework. But given how much control you can exercise over your WordPress site, it should be no surprise that its security also depends on you.
The WordPress login screen is one of the easiest points of entry for anyone trying to gain unauthorized access to your website. It’s also trivial to find: append wp-login.php to your site’s domain and there it is (unless you go the extra mile and change the login URL). From there it is only a matter of time and attempts before a brute force tool guesses your login credentials (username and password), and then you can wave goodbye to your clean, spam-free, reasonably nice website.
In this post, I have listed some of the simplest tips to protect your WordPress login area from such attacks.
I don’t mean to harp on about this. I really don’t. I am sure you all know how important strong usernames and passwords are for login security (mainly because every site that asks you to create one tells you so). So if you choose not to heed this basic advice, on your head be it.
While I understand that remembering long, complicated strings of characters in the name of security is downright painful, you have to understand that a strong password can protect your website for a long, long time.
This is because a brute force attack (yup, the ‘try everything until you succeed’ algorithm) has to work through every combination of characters, cases and positions before it is guaranteed to hit yours. With an alphabet of N characters (upper and lower case letters, digits, symbols) and a password of length L there are N^L candidates, so every character you add multiplies the attacker’s work by N: the time to crack grows exponentially with length. Two caveats. The password has to be genuinely random, because attackers run wordlists and common patterns (Password1!, the site name plus a year) long before they try everything. And the attacker’s real limit is how many guesses per second your server will answer, which is exactly what the rate limiting described further down takes away. Put the two together and the expected time stretches on effectively forever.
Here are some helpful login credential tips for WordPress security:
• Do NOT publish under your admin username: it shows up in the byline and hands one of the two required credentials to a potential attacker. Publish from a separate account with the Editor role instead. (Be aware that WordPress also exposes usernames through author archive URLs and the REST API’s users endpoint, so treat the username as semi-public and let the password carry the weight.)
• Enforce login security and strong password rules for every user on your WordPress website, not just the administrators.
• Use a password generator (LastPass, Norton Pass Generator, etc.) for a truly random password.
• Keep your login information in a password manager such as LastPass or KeePass rather than in your head or a text file.
Games of Cat and Mouse…
This is one of the tactics you can use to delay an attacker from reaching your login page (which, as I mentioned in the intro, is stupidly easy to find by default). Use Stealth Login to move your login URL from the default domain.com/wp-login.php to something a widespread, automated attack won’t find. Keep in mind that this only hides the form: xmlrpc.php also accepts WordPress credentials, so if you don’t use XML-RPC, disable it, and if you do, protect it the same way you protect the login page.
Stealth Login and other login URL obfuscation features are also available in some of the more comprehensive WordPress security solutions like Sucuri or BulletProof Security. The Acunetix Secure WordPress plugin goes a step further and replaces the default login error message with a generic one. The default message tells the visitor whether it was the username or the password that was wrong, which confirms valid usernames to an attacker and lets them stop guessing half of the credential pair. I’m not keen on hiding that feedback (it’s bad for user experience), but it’s an extra arrow in your quiver against hackers, so it’s your choice.
As I mentioned earlier, brute forcing your login is a matter of time. Time and an endless supply of login attempts, that is. Cut off the attempts and the time no longer matters.
Limit Login Attempts is a WordPress plugin that does exactly what the name says, as does Login Lockdown. You specify how many incorrect attempts a single IP address is allowed; once they are used up, the plugin locks that IP out of the login page for a period you choose. The same feature is found in the all-in-one WordPress security plugins, so take a careful gander at the feature list. One caveat: a distributed attack spreads its guesses over many IP addresses, so a per-IP limit slows it down rather than stopping it, which is why this belongs alongside strong passwords and 2FA rather than instead of them.
Such plugins also record the IP addresses that keep hammering your login, so you can blacklist them and block them permanently from your domain.
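The plugins above do this counting inside WordPress on every request. The same policy can be replayed offline over a web server access log, which is handy for tuning the thresholds before you turn them on, or for finding the persistent offenders worth a permanent block. The Python below is an added example written for this post, not code from any of the plugins named. It assumes the default WordPress behaviour that a failed POST to wp-login.php is answered with 200 (the form re-rendered with an error) and a successful one with a 302 redirect to wp-admin, and the log lines, the IP addresses and the 5-in-10-minutes / 20-minute-lockout policy are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" access-log format (not from any
# real site). Lines are in time order, as a real log would be. 203.0.113.7 is a
# brute forcer that comes back after its first lockout expires; 198.51.100.22 is
# a legitimate user who mistypes once and then logs in; 192.0.2.9 only views the form.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:14:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:14:20:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:14:20:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:14:20:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed policy, mirroring the knobs Limit Login Attempts exposes.
MAX_FAILURES = 5                  # failures allowed per IP ...
WINDOW = timedelta(minutes=10)    # ... within this window ...
LOCKOUT = timedelta(minutes=20)   # ... before the IP is locked out for this long


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    path = m['path'].split('?', 1)[0]   # drop query strings such as ?action=lostpassword
    return m['ip'], ts, m['method'], path, int(m['status'])


def simulate_lockouts(log_text, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Replay credential submissions against the lockout policy.

    Returns a dict with:
      lockouts    - ip -> ISO timestamps at which a lockout began
      would_block - requests that arrived while their IP was locked out
      persistent  - IPs locked out more than once (candidates for a permanent block)
    """
    recent = defaultdict(list)   # ip -> timestamps of failures inside the window
    locked_until = {}            # ip -> when its current lockout ends
    lockouts = defaultdict(list)
    would_block = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if path != '/wp-login.php' or method != 'POST':
            continue                      # only credential submissions count
        if ip in locked_until and ts < locked_until[ip]:
            would_block += 1              # the plugin would have refused this request
            continue
        if status == 200:                 # form re-rendered: failed login
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= max_failures:
                locked_until[ip] = ts + lockout
                lockouts[ip].append(ts.isoformat())
                recent[ip] = []
        elif status == 302:               # redirect to wp-admin: successful login
            recent[ip] = []               # a real user who got in is not an attacker
    persistent = sorted(ip for ip, starts in lockouts.items() if len(starts) > 1)
    return {'lockouts': dict(lockouts), 'would_block': would_block, 'persistent': persistent}


if __name__ == '__main__':
    result = simulate_lockouts(SAMPLE_LOG)
    for ip, starts in result['lockouts'].items():
        print(f'{ip}: locked out {len(starts)} time(s), first at {starts[0]}')
    print('requests the plugin would have refused:', result['would_block'])
    print('persistent offenders:', result['persistent'])
```

The successful-login branch matters: clearing the counter on a 302 keeps a forgetful but legitimate user from tripping the lockout over the course of a day, while an attacker who never succeeds keeps accumulating. If you run this on a real log, check that your theme or a plugin has not changed the response codes the heuristic relies on.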
The WordPress core contributor team has been working on integrating 2FA (Two Factor Authentication) into WordPress itself. Until that lands, it is done with plugins.
Two Factor Authentication is so far one of the more foolproof ways to prevent unauthorized access through the login page on your website. After the password, the site demands a one-time code that is generated on (or sent to) the registered user’s phone or other secondary device, so unless the attacker also has your phone, a guessed or stolen password gets them nowhere. It’s the method used by almost all online payment gateways, online banking portals, and large services like Amazon and Google.
If your WordPress website doesn’t have 2FA login protection, head to the Google Authenticator plugin to implement it.
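Google Authenticator and the plugins built around it use TOTP (RFC 6238): the six-digit code is an HMAC of the current 30-second time step under a secret shared at enrolment. The Python below is an added example written for this post, not code from the plugin or from WordPress, showing both sides: generating and provisioning a secret, and the server-side check with the three details a plugin must get right (tolerating a little clock drift, comparing in constant time, and refusing a code once it has been accepted). The account and issuer names are placeholders; the secret in the test is the published RFC 4226/6238 test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack('>Q', counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack('>I', mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (this is what the app shows)."""
    return hotp(secret, for_time // step, digits)


def new_secret() -> str:
    """Fresh 160-bit secret, base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(20)).decode('ascii')


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// Key URI that the app reads from the enrolment QR code (names are placeholders)."""
    label = quote(f'{issuer}:{account}')
    return f'otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}&digits=6&period=30'


class TotpVerifier:
    """Server-side check with clock-drift tolerance and replay protection."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret = base64.b32decode(secret_b32.upper(), casefold=True)
        self.step, self.digits, self.drift = step, digits, drift
        # Highest counter already accepted. In a real plugin this is stored per user
        # (e.g. in user meta) so a captured code cannot be replayed within its 30 seconds.
        self.last_counter = -1

    def verify(self, code: str, now=None) -> bool:
        if now is None:
            now = int(time.time())
        counter = now // self.step
        # Accept the current step plus `drift` steps either side to absorb phone clock skew.
        for c in range(counter - self.drift, counter + self.drift + 1):
            if c <= self.last_counter:
                continue                     # this step (or an older one) was already used
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == '__main__':
    secret = new_secret()
    print('enrol this in the app:', provisioning_uri(secret, 'admin@example.com', 'Example Site'))
    print('code the app shows right now:', totp(base64.b32decode(secret), int(time.time())))
    verifier = TotpVerifier(secret)
    print('server accepts it:', verifier.verify(totp(base64.b32decode(secret), int(time.time()))))
```

Note what a plugin still has to add around this: the secret must be stored server-side as carefully as a password hash would be, the lockout from the previous section should apply to wrong codes as well (six digits is only a million guesses), and the replay counter has to be persisted, not kept in memory, or a restart reopens the window.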
Sometimes the attacker’s purpose in getting into your website is to mine the database, inject spam, create redirects to shady phishing portals, and other similarly devious activities. Login security plugins won’t notice any of that once it has happened, which is why WordPress site security goes well beyond protecting the login screen.
All of your security efforts are reinforced by maintaining your WordPress website and keeping it in top form with regular updates to core, themes, and all plugins. Sucuri SiteCheck and similar scanners check for hidden malicious code and injections and help you remove them. Staying on the latest versions of WordPress core, plugins, and themes closes the known vulnerabilities in older versions, which is what most automated attacks go after.
So maintain and upgrade: regularly.
Endnote
Being casual about WordPress login and site security puts your content, data, and every registered user at risk. Keep working at protecting your WordPress website; the developers will make sure you have the tools. All you need to do is stay aware and alert.