Why should you lock down your WP Admin Login? Because if you don’t take action to prevent this type of thing from happening then one morning you’re going to wake up and instead of seeing that income-generating site you spent so much time and effort on, you’re going to see “Hacked by John Doe”. Or worse yet, you’ll see nothing. Just a blank screen.
Of course if they were criminals, rather than just bored students, you might not even know. They might have accessed financial data or set up “back doors” so they can get in any time they like.
Now if you’ve been smart and backed your site up (there are plugins you can download and install in ten seconds that do it automatically, so you’ve got no excuse), your recovery process should be fairly quick.
Maybe you’ll just have lost a day’s earnings. Maybe not too many people will have visited your site on that particular day — although it’s pretty certain that any new traffic that saw your site down will never be back. As far as they are concerned, your site is not secure.
The above scenario is the result of one of the most common internet hacks: the Brute Force Attack. Sounds ominous, eh?
If you haven’t taken steps to protect yourself from it, it’s almost inevitable that you’ll get hit sooner or later (hopefully the former — it’s better to have this experience early in your online career if at all). The good news is, there are plenty of simple, easy to implement defenses that will cost you nothing more than a few minutes of your time.
So brute force attacks. What’s the big deal about them?
Brute force attacks target your WordPress login screen: http://yourwebsite.com/wp-login.php. Everyone knows that’s how you get into WordPress, so it’s an easy target for a hacker.
What stops them from getting any further, on an ideal website, is your admin username and your password.
Should be – but frequently isn’t.
Guess what a lot of people use as their admin username? Yep, admin. That sure makes it easy for the hacker, doesn’t it? Second most popular username? The first 8 letters of their website name (that’s the default for some auto-installers). Not too tough either.
If you’ve been using either username, the hacker is pretty much halfway there already. But we haven’t even got to the “brute force” bit yet.
This is where a computer program takes over. A computer script can hit your site with random password combinations way faster than any human could ever type. Thousands and hundreds of thousands of login attempts are made, until the program eventually hits lucky and guesses your password.
Except finding the right key combination for your password isn’t luck. It’s predictable. It will happen sooner or later. The hacker’s script never eats, never sleeps, and never takes a coffee break. By itself, WordPress will let it have as many login attempts as it needs.
Right about now you might be thinking “yea, but what are my chances of getting hit? After all, there are millions of sites out there, so why would a hacker pick on little old you?”
The answer is that they’re not just picking on little old you, they’re picking on everybody. Botnets — hundreds of computers linked together around the globe — are being used not by bored students but by organized criminals. They target tens of thousands of sites at once. Earlier this year security firm Bruteprotect, who actively monitor this kind of activity, announced distributed attacks on a scale never seen before — 8 times higher than previous figures — and this wasn’t just happening once in a while, but every single day.
So what do you do?
How to Lock Down Your WP Admin Login
1. Stop Them At The Door
There’s lots of stuff online about protecting PHP files, creating encrypted passwords and altering your .htaccess — and all that is no doubt valid advice. Trouble is, it’s a bit involved. It puts people off from taking action.
Lucky for you, there’s an easier way that requires no coding. There are two things you can do that will stop brute force attacks before they even get started.
First of all, change your admin name. This isn’t the name that people see on your blog under your author bio (that’s your Display name), this is the name you use to log in.
Don’t make it part of your site name, or even your own name. Try the license plate of your first car and the last letter of your pet’s name — something obscure that would be impossible for someone who doesn’t know you to guess.
You only have 8 letters/numbers to play with for this one, but you should be able to make it something memorable and unique to you — something a hacker isn’t going to be able to guess easily.
Now, set a new password. The best solution is always a random mixture of numbers, upper and lower case letters, and special symbols. It should be a dozen or more characters long. There are password generators online like Roboform that will do the job for you. You could end up with something like e<C&5G#tTQg t_Q. Not absolutely unbreakable, but way, way down the “likely” scale.
The last thing you need to do now is log in with your new username and password and delete the old user. Don’t forget this step. If the old weak combination exists, there’s nothing to stop the hackers from attacking it.
2. Stop Them Knocking
The second thing to do is install a plugin called Limit Login Attempts Reloaded. You can download it from here https://wordpress.org/plugins/limit-login-attempts-reloaded/, but it’s quicker and easier to install it via the plugin section of your dashboard.
Brute Force Attacks work because they keep knock, knock, knocking at your door until they get an answer. This neat plugin will stop that knocking dead by restricting the number of login attempts an individual IP address can make. Set it to 4 and the computer program doesn’t get a fifth (it’s really hard to guess a password like the sample one above in five attempts).
Simple, easy, secure.
You’ll notice that Limit Login Attempts provides a few more options, so let’s take a quick look.
So after installing and activating as normal, head over to Settings > Limit Login Attempts. The following simple screen is the only place you need to go to customize LLA’s settings.
Total Lockouts: gives you the number of hackers who tried to break in, but failed (so you can allow yourself a smug smile).
The Options are pretty straight-forward.
1. Allowed retries: the number of attempts an IP address is allowed to make before you lock them out.
Four is probably the most popular retry amount. It allows real humans who are supposed to have access to make mistakes (because after all, we all do make mistakes when entering passwords), realize they’re entering the wrong password, and fix their error. It’s important to set it to above 1 or 2 particularly if you have frequent guest bloggers or several contributing staff members responsible for managing your site.
2. Minutes lockout: how long an IP address will be locked out.
You might like to set it to “forever”, but that’s not helpful for people who really do make a genuine error — you want those people to be able to let themselves back in eventually. 20-30 minutes is about right.
3. Lockouts increase: because if it’s a Brute Force Attack, the computer program is likely to be back.
This function basically says “look, I’ve seen you lock yourself out several times before, so now I’m going to lock you out for longer.” One day is a good one to go with.
4. Hours until retries: how long until LLA resets everything and lets people try again.
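To see how these four options work together, here is a small model of the lockout policy, added as an illustration. It is not the plugin's code. The escalation threshold (`lockouts_before_increase`) and the 12-hour reset are assumed values, and the IP addresses are constructed documentation addresses.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    allowed_retries: int = 4           # failed attempts before a lockout
    lockout_minutes: int = 20          # length of a normal lockout
    lockouts_before_increase: int = 4  # assumed threshold for the longer lockout
    long_lockout_hours: int = 24       # "one day" for repeat offenders
    reset_hours: int = 12              # assumed quiet period that clears the counters

@dataclass
class IpState:
    retries: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    last_failure: float = float("-inf")

class LoginLimiter:
    def __init__(self, policy):
        self.policy, self.ips = policy, {}

    def failed_login(self, ip, now):
        """Record a failed login at `now` (seconds); return 'retry', 'locked' or 'blocked'."""
        p, s = self.policy, self.ips.setdefault(ip, IpState())
        if now < s.locked_until:
            return "blocked"            # rejected before any password is checked
        if now - s.last_failure >= p.reset_hours * 3600:
            s.retries = s.lockouts = 0  # quiet long enough: start from scratch
        s.last_failure = now
        s.retries += 1
        if s.retries < p.allowed_retries:
            return "retry"
        s.retries = 0
        s.lockouts += 1
        if s.lockouts >= p.lockouts_before_increase:
            s.lockouts = 0
            s.locked_until = now + p.long_lockout_hours * 3600
        else:
            s.locked_until = now + p.lockout_minutes * 60
        return "locked"

def guesses_tested(policy, attempts, interval_s=1):
    """Passwords actually checked when one IP sends `attempts` requests, one every interval_s seconds."""
    limiter = LoginLimiter(policy)
    outcomes = (limiter.failed_login("203.0.113.7", i * interval_s) for i in range(attempts))
    return sum(o != "blocked" for o in outcomes)
```

With these settings, `guesses_tested(LockoutPolicy(), 10000)` returns 16: out of 10,000 requests sent one per second, only 16 passwords are ever checked.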
The remaining options are for those of a technical mindset or for corporations where recording the following is important.
Site connection: It’s likely you have a direct connection. Proxies tend to be for people running whole IT departments, in which case you probably wouldn’t be dealing with the security anyway.
Handle cookie login: This deals with admin cookies that are set with each successful login. Unless you have a good reason to do otherwise, leave it set to yes.
Notify on lockout: Limit Login Attempts also gives you an option to log the IP of people that try to break in. The plugin will also email you about it when it happens.
If you have someone in some department who needs to analyze all this data, then, by all means, set it. The majority of entrepreneurs and small businesses, however, are probably way too busy doing what they do and will satisfy themselves just with knowing that they successfully kept the hackers at bay (no email notifications necessary).
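If you do want to look at the data yourself, the same pattern shows up in the web server's own access log, with or without the plugin. The script below is an added example, not part of the plugin: it assumes an Apache/Nginx "combined" style log, and the sample lines are constructed. It flags any IP that sends 4 or more POSTs to /wp-login.php within five minutes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the start of a "combined" log line: IP, [timestamp], "METHOD path ..."
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

# Constructed sample: one IP hammering the login form, one normal login.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2024:03:14:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4512'
    for s in range(0, 12, 2)
] + [
    '198.51.100.20 - - [12/Mar/2024:09:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4512',
    '198.51.100.20 - - [12/Mar/2024:09:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.20 - - [12/Mar/2024:09:00:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120',
]

def login_bursts(lines, threshold=4, window=timedelta(minutes=5)):
    """Return {ip: most login POSTs seen inside any `window`} for IPs reaching `threshold`."""
    posts = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # skip lines in an unexpected format
        ip, ts, method, path = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            posts[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):     # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

On the sample, `login_bursts(SAMPLE_LOG)` flags only 203.0.113.7; the visitor who mistyped once and then logged in stays under the threshold.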
3. Change WordPress Login URL
The third way to lock down your WP Admin Login is to change the WordPress login URL. This can drastically affect the number of bad login attempts. There is a great free plugin called WPS Hide Login which allows you to do this.
WPS Hide Login is a very light plugin that lets you easily and safely change the url of the login form page to anything you want.
That’s it, we’re done. Two quick and simple steps to stop the increasingly dangerous menace of Brute Force Attacks from putting a digital wrecking ball through your site! If you want to further increase your website’s security please take a look at our best security plugins comparison.
You can’t claim ignorance for not locking down your site and protecting it from a Brute Force Attack anymore. So go change your password & your username, install Limit Login Attempts, and change your WordPress login URL. These are all good ways to lock your WP Admin login.