There’s a severe bot-net attack going on right now that is putting many WordPress sites at risk of being exploited. Some bots are SEO bots looking to drop links in your content, while others want to plant malware / MySQL database injections / backdoor Trojans on your site. Because these attacks are originating from home computers, there’s really no way to block the attacks at an IP level since they are from all over the world. With that in mind, let’s take a look at the many different ways to secure your WordPress login area from bots trying to guess your username and password.
Simple Steps for Securing Your WordPress Sites from Bots
- Make sure you’re running the latest version of WordPress. Outdated WordPress installations tend to have security holes that haven’t been patched over.
- Do not under any circumstance use “admin” as your username. Since this is the default username for WordPress, hackers will always use admin as their username of choice.
- Hackers could browse your author archives for your username, so make sure you “noarchive” your author archives using a plugin like WordPress SEO. This is still unlikely as the bots are mostly simple scripts without this kind of human prying for usernames.
Choosing a Strong Password for WordPress
Note that an extremely complicated admin username and password combination will make it difficult to crack your login, but it might also make it difficult to remember. So yes, a username and password like
would be great, you also have to make sure it’s memorable. The following comic dramatizes this conundrum about choosing difficult passwords:
Since it’s best to have unique passwords for each WordPress site, you might want help in remembering them all. Two of the most popular password managers are
- LastPass uses cloud storage to synchronize your passwords across multiple computers. If you’re worried about hackers gaining access to the LastPass servers, rest assured that their data is encrypted using your master password. So hackers would still have to crack your master password even if LastPass data is somehow leaked from their servers. LastPass is a free service.
- 1Password. At $50 a license, it’s a bit expensive for people with multiple computers. But it has nice desktop apps for Mac / Windows and iPad (note that their family license doesn’t cover the iPad version of their software).
WordPress Plugins for Protecting Your Login Page
There are numerous WordPress plugins to give bad bots the boot that are snooping your login page. Since you’re not using the “admin” username (hopefully) and most bots will be trying to suss your password using admin for the username, the best plugins will block anyone trying to use an invalid username.
Login Lockdown – wordpress.org/extend/plugins/login-lockdown
Login Lockdown has a useful setting called “Lockout Invalid Usernames”:
It’s also wise to not allow more than 5 login attempts from one IP.
Although Login Lockdown has not be updated in over 2 years, it is compatible with the newest versions of WordPress. The plugin code behind the plugin is very simple and most simple don’t need constant updating to stay functional.
This $15 plugin from WebFactory (I reviewed their Google Maps plugin earlier) will monitor login activity on your website and block IP addresses similar to Login Lockdown. It also creates a log of all login activity on your blog and has a really cool feature that can redirect either by username or user role after a successful login:
Email notifications are great, but combined with a limitation with this plugin turns into a real killer.
You are going to get multiple notifications for failed “admin” logins everyday when the plugin should be silently giving these bots the boot. Not only blocking the IPs of failed admin logins automatically, but this plugin needs a way to prevent admin logins the way Login Lockdown does.
Wordfence.com has many useful security options, one of them being to “Immediately lock out invalid usernames” under the “Login Security Options” settings.
If your site is under brute-force attack, try installing the SlimStat plugin (wordpress.org/extend/plugins/wp-slimstat) to try and identify who is attacking your sites.
Limit Login Attempts: wordpress.org/extend/plugins/limit-login-attemptsThis is another simple security plugin for WordPress that can block bad bots after x failed login attempts. You can set the amount of time the bot will be blocked for in the plugin’s settings.
Two Factor Authentication Plugins
Two factor authentication makes anyone who wants to login enter an authentication code along with the password. The authentication code is generally sent to your cell phone via text message. Succesful login attempts can be cached for a length of time like 1 month, which means you don’t have to two-factor authenticate every single time you need to access your blog.
Google Authenticator. This plugin lets you enable the Google 2 step authentication on your WordPress blog.
Login Dongle. This clever plugin comes with a bookmarklet that you click on in your browser to enable login to your site. No bookmarklet, no login!
https://www.duosecurity.com/product . WordPress users can install Duo Security’s plugin which enables secure logins via one-time codes that are pushed to you via a text message or a mobile app. The service is free for up to 10 sites / users. Also, hardware dongles are available for only $20 each for even more protection.
Cloud Protection for Your WordPress Sites
Incapsula is a security service that blocks bad bots before they hit your site. I’ve reviewed their security plugin earlier.
Sucuri CloudProxy (now known as Website Firewall) can detect and repel brute force attacks. It does it all without impacting your traffic load or your servers performance. Plans begin at $10 a month per site.
Cloudflare is something I’d only consider as a last resort in response to website attacks. You sacrifice increased end to end latency as well as the occasional “server unavailable” errors that randomly hit some sites using the service. If you are using CloudFlare for the security features, consider using it only for the DNS service and have the caching feature disabled.