Your WordPress login page is an access point that’s on the top of every hacker’s list to attack. This isn’t personal. WordPress is powering 12 million websites and a frighteningly large majority of them can be broken into with a simple botnet.
While it’s impossible to make your login completely invulnerable, there are certain ways to harden its security to discourage hackers of the basement dwelling kind.
In this post, we’ll take a look at 5 simple but effective techniques to secure your WordPress login.
1. Passwords and Username
A brute force attack is the first thing that will happen to your login page. And no doubt you have heard all about the need for strong passwords and awfully incomprehensible usernames. “Who’s got time to remember that crap?” you say.
And that flippancy gets your website hacked in one of the easiest possible ways.
The need for long, strong passwords is based on fact: every character you add to your password increases the time required to crack it exponentially. Using a combination of letters, numbers, and symbols in no recognizable pattern makes your password near-invulnerable to dictionary attacks and does more for your access point security than you realize. Follow this advice everywhere on the internet to discourage password cracking.
You can use random password generator tools (if you’re willing to put your faith in them) like Norton’s Password Generator, LastPass, etc. These are available for use for free. If you have trouble remembering these (you likely do), use a password manager like KeePass Password Safe.
Tip: Make sure to change your default ‘admin’ username to another human-illegible series of letters and numbers. On the same note, NEVER post content on your WordPress website through the admin account.
2. Obfuscate Login URL
Smokes and screens…
Another way to discourage attackers is to prevent them from finding the door (read: login page) in the first place. Call it a delaying tactic, but since the attack is most likely not personal and automated, a login page that isn’t where the bot expects it is often enough to make it move on.
Your login page is embarrassingly easy to find. An attacker just has to add /login.php to your homepage URL.
Make sure to prevent this little oversight from compromising your login security simply by changing the login page URL. Use a plugin like Stealth Login or use similar features available in complete security solutions like Wordfence or Sucuri.
You can also go the extra mile and remove error messages from the login form altogether (they otherwise tell an attacker whether a guessed username exists) with the Acunetix Secure WordPress solution.
3. Secure Socket Layer (SSL)
Secure Socket Layer (SSL) protects data while it is en route to its destination: browser to server and vice versa. It’s used for financial transactions on eCommerce portals and in other situations that need secure data transmission. It encrypts your data so that an intercepted ‘message’ cannot be read.
You can add SSL to your WordPress login page by contacting your hosting provider. If you have your own server, purchase an SSL certificate and install it. On shared hosting, once you have received confirmation about SSL, you can enable it in WordPress by adding define('FORCE_SSL_ADMIN', true); to wp-config.php.
4. Limit Login Attempts
With enough time and endless ‘lives’, anyone can win a game. Cracking your WordPress login is exactly the same for brute force attackers.
You can put a significant dent in those infinite tries with the Login LockDown plugin, or the limit login attempts feature available with security plugins. Some can even track the IP address of a particularly persistent brute force attacker and blacklist or block it.
This is one incredibly simple technique to stop brute force attacks on your login page right in their tracks. A brute force attack works by trying username and password combinations over and over until one succeeds; capping the number of attempts takes away the endless ‘lives’ it depends on.
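As an added example (not the Login LockDown plugin or any code from this post), this small WordPress plugin shows how a login-attempt limit is typically implemented with the `wp_login_failed` and `authenticate` hooks. The thresholds (5 attempts, 1 hour) and the `elal_` names are assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Added example: after ELAL_MAX_ATTEMPTS failed logins from one IP address,
 * further attempts are rejected for ELAL_LOCKOUT_SECONDS. Thresholds assumed.
 */

const ELAL_MAX_ATTEMPTS    = 5;               // assumed threshold
const ELAL_LOCKOUT_SECONDS = HOUR_IN_SECONDS; // assumed cooldown

// Caveat: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address,
// so all visitors would share one counter. Only trust a forwarded-for header
// if your proxy is known to set it; this example deliberately does not.
function elal_client_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'elal_fail_' . md5($ip);
}

// Count each failed login. The transient expires on its own, so the counter
// resets after the cooldown without needing a cron job. A rejected lockout
// attempt also fires this hook, so hammering the page extends the lockout.
add_action('wp_login_failed', function ($username) {
    $key   = elal_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, ELAL_LOCKOUT_SECONDS);
    if ($count >= ELAL_MAX_ATTEMPTS) {
        // Log lockouts so persistent sources can be reviewed or blocked upstream.
        // sanitize_text_field() strips newlines, preventing log injection.
        error_log(sprintf('wp-login lockout: ip=%s user=%s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', sanitize_text_field($username)));
    }
});

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked-out address gets this error even when the credentials are correct.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(elal_client_key()) >= ELAL_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(elal_client_key());
}, 10, 2);
```

Drop the file into wp-content/mu-plugins/ to load it on every request without activation.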
5. Two Factor Authentication
The next update WordPress rolls out (Version 4.5) will integrate 2FA (read: Two Factor Authentication) in the core. That should give you an idea about how important it can be.
Two-Factor Authentication adds a second layer of security to your login by sending an OTP (one time password) to your mobile and then requesting it to complete the login process. Once set up, the only number it will send the password to will be yours, so the attacker will need to guess not just your username and password, but the authentication code as well.
Google Authenticator is currently the go-to plugin to implement this. CAPTCHA and similar human-confirmation features are also a way to improve security against botnets.