Are people trying to hack into your WordPress site?
Yes, they are.
You may say, “Hey, I run a small blog. I’m not a target.”
Well, most attacks are not targeted. They are done using automated scanning tools deployed over large botnets. Attackers use a technique called a brute force attack to try to get into your WordPress site.
During a brute force attack, the attackers try to guess your username and password. You may think this would not work, but it does. Using a botnet, they can easily try hundreds of combinations in a matter of minutes. Sooner or later, they find someone who’s been lazy and used a poor username/password combination, and they’re in.
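Because the attacks described above are automated and noisy, they leave a clear trace in the web server's access log: one client address posting to wp-login.php over and over and getting the login form back each time. The following shell script is an added example and not part of the original post; it scans Apache combined-format log lines (a constructed sample is embedded below) and lists the client IPs whose failed login POSTs exceed a threshold. It assumes WordPress's usual behaviour of answering a failed login with a 200 (the form is re-rendered) and a successful one with a 302 redirect; the addresses, timestamps and threshold are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): spot brute force attempts against
# wp-login.php in Apache combined-format access log lines.
# The sample below is constructed; addresses and timestamps are placeholders.

SAMPLE_LOG='203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:43 +0000] "GET /?p=1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:46 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"'

# Read log lines on stdin and print "count ip" for every client that sent at
# least $1 (default 5) failed login POSTs, highest count first.
# Combined-format fields: $1 = client IP, $6 = "METHOD (with the opening quote),
# $7 = request path, $9 = HTTP status.
# Heuristic (an assumption about WordPress): a POST to wp-login.php that gets a
# 200 means the form was shown again, i.e. the login failed; a 302 means success.
find_login_bruteforce() {
  threshold="${1:-5}"
  awk -v t="$threshold" '
    $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == "200" { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
  ' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | find_login_bruteforce 5
```

On a live server you would feed the real log instead of the sample (`find_login_bruteforce 20 < /var/log/apache2/access.log`) and act on the output, for example by blocking the listed addresses at the firewall or reviewing whether the account they were guessing at still has a weak password.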
While my favorite method to prevent this is using HTTP Authentication, here are some other tips on how to secure your WordPress Login.
1. Don’t Use Admin as Your Username
When you set up your WordPress site, do not use “admin” as your username. This is the top tip in WordPress’ own article on brute force attacks.
During a brute force attempt, the attacker must guess both the username and password pair. By using admin, you have done half of the work for them.
I’ve seen many botnets just simply try admin over and over hoping to get full access.
Changing the username is not foolproof.
By default, many WordPress themes create author archives that use your username in the URL. Some of the default headers may also contain this information.
A determined attacker can easily poke through your site and find the username. Fortunately, most attacks are automated – they don’t bother with this step. They just try traditional username/password pairs in hopes of getting in.
Use strong passwords. Enough said.
If you want to guarantee strong passwords, take a look at WP Password Policy Manager, Force Strong Passwords or Enforce Strong Password. (I’ve not tested any of these, but see them recommended from time to time.)
You can also use How Secure is My Password if you do not want a plugin, and check out LastPass for a good password manager.
2. HTTP Authentication
I will keep this short as I detailed this technique in my post on stopping WordPress Brute Force attacks.
This is my preferred method because it depends on an entirely different authentication method – Apache’s HTTP authentication. This means that even if there is a bug in WordPress, or a brute force attack is aimed at the WordPress login URL, the request is stopped at the HTTP authentication layer before it ever reaches WordPress.
Use HTTP Authentication in addition to the standard WordPress Login to improve security.
I suggest you use different username/password combinations for the HTTP AUTH and your WordPress login.
If you have multiple authors or guest accounts, this may not work for you, but if only you or a small group access the site, this is a terrific way to protect your WordPress login data.
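To make the HTTP authentication section concrete, here is an added example, written for this edit and not taken from the original post or from WordPress: a small shell script that produces the two pieces Apache needs, the `.htaccess` stanza that gates only wp-login.php and the `.htpasswd` line holding the HTTP-auth credentials. The realm name, the paths and the sample credentials are constructed placeholders; per the advice above, the HTTP-auth username and password are meant to differ from the WordPress login.

```shell
#!/bin/sh
# Added example (not from the original post): generate the Apache pieces that put
# HTTP Basic authentication in front of wp-login.php.
# Paths, the realm name and the credentials are constructed placeholders.

# Emit an .htaccess stanza that requires a valid HTTP-auth user for wp-login.php
# only; the rest of the site stays public. $1 = absolute path of the .htpasswd file.
login_htaccess_stanza() {
  htpasswd_file="$1"
  cat <<EOF
# Require HTTP Basic authentication before WordPress even sees the login form
<Files wp-login.php>
    AuthType Basic
    AuthName "WordPress login"
    AuthUserFile $htpasswd_file
    Require valid-user
</Files>
EOF
}

# Produce one .htpasswd line "user:hash". Prefers Apache's htpasswd (bcrypt via
# -B) and falls back to openssl's apr1 MD5 format, which Apache also accepts.
# Returns 1 if neither tool is installed, so nothing is written in plain text.
make_htpasswd_entry() {
  user="$1"; pass="$2"
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -nbB "$user" "$pass"
  elif command -v openssl >/dev/null 2>&1; then
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")"
  else
    echo "no htpasswd or openssl available" >&2
    return 1
  fi
}

# Write both files. The .htpasswd file belongs outside the document root so the
# web server can never serve it to a browser. $1 = document root,
# $2 = .htpasswd path, $3 = HTTP-auth user, $4 = HTTP-auth password.
install_login_gate() {
  docroot="$1"; htpasswd_file="$2"; user="$3"; pass="$4"
  make_htpasswd_entry "$user" "$pass" > "$htpasswd_file" || return 1
  chmod 640 "$htpasswd_file"
  login_htaccess_stanza "$htpasswd_file" >> "$docroot/.htaccess"
}

# Stand-alone run: show the stanza for a placeholder path.
login_htaccess_stanza /var/www/example-placeholder/.htpasswd
```

A typical call is `install_login_gate /var/www/html /etc/apache2/wp-login.htpasswd gatekeeper 'a-long-unique-passphrase'`; after that, the browser prompts for the HTTP-auth credentials first, and only then shows the WordPress form. Because the stanza uses `<Files wp-login.php>`, AJAX endpoints and the public pages keep working, which is why this is less disruptive than wrapping all of wp-admin.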
3. Security Plugins
I found over 2000 plugins tagged with security at WordPress.org, so there are a lot of options.
Choosing the right one depends on your goals as many do more than just stop brute force attacks.
As with any plugin, I use the following criteria to judge which plugin to use when there are many options.
- Is the plugin actively maintained?
- What is the security history?
- How widely is it deployed?
- Does it have an active user base?
You may notice I did not mention rating. Ratings are too easily spoofed, and a high rating on a plugin with few users means little.
Sorting through the results, I found 3 plugins that stand out:
- BulletProof Security (1.1M downloads)
- iThemes Security (formerly Better WP Security, 2.4M downloads)
- Wordfence (1.9M downloads)
All three of these tools offer various protections against WordPress login attacks. I hope to get a chance to explore these WordPress security plugins in the future.
Security plugins can protect your WordPress Login.
Bonus: Two-Factor Authentication
While you probably need a plugin to achieve this, I put this in another category. Two-factor authentication means you need two different things to log in.
The most common method is sending a text message to your cellphone with an authentication code. To log in, you would need to know your username/password AND have your phone.
Personally, I think this is a bit cumbersome for something you may be using daily, especially when simpler methods like HTTP AUTH exist.
However, if you want to embark on this journey, I recommend you check out DuoSecurity. They offer a WordPress plugin that integrates with their system.
Avoid: Renaming WP Admin Directory
Don’t do this!
I see this pop up many times. This is what we call security through obscurity in the information security field. Basically, you are relying on the fact that your wp-admin directory or WordPress login page is not where it normally is. You are obscuring this information.
While this technique can defeat bots, I am reluctant to recommend it.
WordPress is built to use the wp-admin directory. Developers of themes and plugins expect you to be using wp-admin. When you change this, you run the risk of breaking WordPress or introducing security exploits.