Most attacks are not targeted. They are carried out with automated scanning tools deployed across large botnets. Attackers use a technique called a brute force attack to try to get into your WordPress site.
During a brute force attack, the attackers try to guess your username and password. You may think this would not work, but it does. Using a botnet, they can easily try hundreds of combinations in a matter of minutes. Sooner or later, they find someone who has been lazy and used a poor username/password combination, and they're in.
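The brute force pattern described above shows up in the web server's access log as a burst of POST requests to wp-login.php from one client. The following script is an added example (not from the original post) that counts failed login POSTs per IP in Apache combined-format logs and flags IPs over a threshold. The log lines are constructed sample data; the threshold and the "status 200 on a POST means the form was re-shown, i.e. a failed login" heuristic are assumptions for this example.

```shell
#!/bin/sh
# Added example: spot brute-force bursts against wp-login.php in Apache access logs.
# SAMPLE_LOG is constructed data: one client hammers the login form five times,
# another client loads the form once and logs in successfully (302 redirect).
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# flag_login_bursts THRESHOLD  (reads log lines on stdin)
# Prints "count ip", highest first, for every IP with at least THRESHOLD failed
# login POSTs. In combined format $1 is the client IP, $6 the method (with its
# leading quote), $7 the request path and $9 the HTTP status. WordPress answers a
# failed login with 200 (form re-rendered) and a successful one with a 302
# redirect, so only 200 responses to POST are counted (assumption for this example).
flag_login_bursts() {
  threshold="$1"
  awk -v t="$threshold" '
    $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == "200" { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  ' | sort -rn
}

# Stand-alone demo: flag any IP with three or more failed logins in the sample.
printf '%s\n' "$SAMPLE_LOG" | flag_login_bursts 3
```

On a real server the function would read the live log instead, e.g. `flag_login_bursts 20 < /var/log/apache2/access.log`; a hit list like this is the input to a rate limit or block rule, and it is also a quick way to confirm whether the "admin" username is being tried repeatedly.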
While my favorite method to prevent this is using HTTP Authentication, here are some other tips on how to secure your WordPress Login.
1. Don't Use Admin as Your Username
When you set up your WordPress site, do not use "admin" as your username. This is the top tip in WordPress' own article on brute force attacks. During a brute force attempt, the attacker must guess both the username and password pair. By using admin, you have done half of the work for them. I've seen many botnets simply try admin over and over, hoping to get full access.
Changing the username is not foolproof. By default, many WordPress themes create author archives that use your username in the URL. Some of the default headers may also contain this information. A determined attacker can easily poke through your site and find the username. Fortunately, most attacks are automated – they don’t bother with this step. They just try traditional username/password pairs in hopes of getting in.
Use strong passwords. Enough said.
If you want to guarantee strong passwords, take a look at WP Password Policy Manager, Force Strong Passwords or Enforce Strong Password. (I've not tested any of these, but I see them recommended from time to time.)
You can also use How Secure is My Password if you do not want a plugin, and check out LastPass for a good password manager.
2. HTTP Authentication
I will keep this short as I detailed this technique in my post on stopping WordPress Brute Force attacks.
This is my preferred method because it depends on an entirely different authentication method – Apache’s HTTP authentication. What this means is that even if there is a bug in WordPress or a brute force attack targeting the WordPress login URL, this will prevent that attack.
Use HTTP Authentication in addition to the standard WordPress Login to improve security.
I suggest you use different username/password combinations for the HTTP AUTH and your WordPress login.
If you have multiple authors or guest accounts, this may not work for you, but if only you or a small group access the site, this is a terrific way to protect your WordPress login.
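Here is what the technique looks like in Apache terms, as an added example that is not from the original post or the author's earlier write-up. The script writes an `.htaccess` that challenges for HTTP Basic credentials before wp-login.php is ever served, and adds a user to the credentials file. The file paths, the user name and the hash choice are assumptions for this example.

```shell
#!/bin/sh
# Added example: HTTP Basic auth in front of the WordPress login form.
# Assumed paths: the credentials file lives OUTSIDE the web root so it can never
# be downloaded, and the .htaccess goes in the WordPress document root.

# write_wp_login_htaccess OUTFILE HTPASSWD_PATH
# Apache answers 401 for wp-login.php until valid HTTP auth credentials arrive,
# so neither a WordPress bug nor a login-form brute force reaches the PHP code.
write_wp_login_htaccess() {
  cat > "$1" <<EOF
# HTTP Basic authentication in front of the WordPress login (Apache 2.4 syntax)
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted login"
    AuthUserFile "$2"
    Require valid-user
</Files>
EOF
}

# add_basic_auth_user HTPASSWD_PATH USER PASSWORD
# Prefers htpasswd with bcrypt (-B); falls back to openssl's apr1 (MD5-based)
# format, which Apache accepts but which is weaker than bcrypt. Passing the
# password as an argument (-b) exposes it briefly in the process list; run it
# on a trusted host or use htpasswd interactively instead.
add_basic_auth_user() {
  if command -v htpasswd >/dev/null 2>&1; then
    if [ -f "$1" ]; then
      htpasswd -bB "$1" "$2" "$3"
    else
      htpasswd -cbB "$1" "$2" "$3"
    fi
  elif command -v openssl >/dev/null 2>&1; then
    printf '%s:%s\n' "$2" "$(openssl passwd -apr1 "$3")" >> "$1"
  else
    echo "neither htpasswd nor openssl found" >&2
    return 1
  fi
  # readable by the web server's group only (assumed group ownership is set separately)
  chmod 640 "$1"
}

# Stand-alone demo with assumed paths; pick a user name and password that differ
# from the WordPress account, as the post recommends.
if [ "$#" -eq 3 ]; then
  # usage: sh this.sh /var/www/html/.htaccess /etc/apache2/wp-login.htpasswd someuser
  write_wp_login_htaccess "$1" "$2"
  printf 'HTTP auth password for %s: ' "$3"
  stty -echo; read -r pw; stty echo; echo
  add_basic_auth_user "$2" "$3" "$pw"
fi
```

The `<Files>` block only takes effect if the directory's `AllowOverride` includes `AuthConfig` (or the same block is placed in the virtual host configuration), so check that before assuming the login is protected; a quick `curl -I https://example.test/wp-login.php` should come back `401 Unauthorized`.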
3. Security Plugins
I found over 2000 plugins tagged with security at WordPress.org, so there are a lot of options. Choosing the right one depends on your goals, as many do more than just stop brute force attacks. As with any plugin, I use the following criteria to judge which plugin to use when there are many options.
- Is the plugin actively maintained?
- What is the security history?
- How widely is it deployed?
- Does it have an active user base?
You may notice I did not mention rating. Ratings are too easily spoofed, and a high rating on a plugin with few users means little.
Sorting through the results, I found 3 plugins that stand out:
- BulletProof Security (1.1M downloads)
- iThemes (formerly Better WP Security, 2.4M downloads)
- Wordfence (1.9M downloads)
All three of these tools offer various protections against WordPress login attacks. I hope to get a chance to explore these WordPress security plugins in the future.