Your website’s security should always be a top priority, whether you are using WordPress or some other platform. Fortunately, with WordPress, hardening security is generally fairly simple to implement.
For instance, by default WordPress does not limit login attempts. This is not a good thing.
Hackers use a very common hacking tactic called a Brute Force Attack to break into websites. With a Brute Force Attack a hacker runs an automated bot that keeps hammering your site with up to several hundred, or even thousands, of hits per hour, trying to guess your login password. If you don’t limit those attempts, they will keep at it until they succeed and gain access to the backend of your site. Once in, they are free to do whatever damage they like.
EVERY site owner needs to take steps to limit failed login attempts. With WordPress, this is as simple as installing the Limit Login Attempts plugin.
The plugin limits the number of login attempts allowed, both through normal logins and through the use of special auth cookies. It then blocks offending IP addresses from making further attempts to log in after a specified number of failed logins occurs. This effectively stops brute force attacks on your site.
Here is what a human hacker would see (screenshot of the plugin’s lockout message). The plugin’s features are:
- Limit the number of standard login attempts per IP.
- Limit the number of attempts to log in using auth cookies per IP.
- User notifications upon failed login informing them of the number of retries they have remaining and the lockout length, if they fail to log in successfully.
- Statistics on the number of currently active lockouts and total lockouts.
- Activity log showing IP addresses that have been locked out and the user accounts they attempted to access.
- Email notifications when IPs are locked out.
- Option to handle server behind a reverse proxy.
- Option to whitelist specific IPs (though not recommended).
After installing and activating the plugin you can customize the following options via Settings » Limit Login Attempts.
- Allowed retries before lockout. We normally set ours to 3 or 4, but we also use the LastPass Password Manager to help avoid mistakes.
- Number of minutes to lockout an IP after retry limit reached.
- Number of lockouts allowed before lockout time increases. We set ours to 1 or 2, then enter a very long lockout time. If someone is hitting your preset limits, they are definitely a hacker and should be blocked for a long time to discourage future hacking attempts.
- Number of hours before retries reset.
Site connection:
- Direct connection is the default because it is used by the majority of people. If you operate from behind a reverse proxy, then check that option.
Handle cookie login:
- Leave this option selected.
Notify on lockout:
- Default is to log IPs. Leaving this checked allows you to monitor IP addresses and completely ban any that make repeated attempts to log in.
- Send an email notification after 1 lockout. We leave this default setting on for HTWP2.0; however, it does lead to a lot of emails when our site is under attack. That, while irritating, gives us the opportunity to tighten our settings even further for the duration of the attack, if we think it necessary.
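To make the interaction of these settings concrete, here is an added Python model of the plugin’s counters (a simplification written for this article, not the plugin’s own PHP code). The field names, the 24-hour "very long" lockout and the 203.0.113.x address used in the scenario are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

@dataclass
class LimitLoginPolicy:
    # Mirrors the Settings » Limit Login Attempts options discussed above (assumed values).
    allowed_retries: int = 4        # failed attempts before an IP is locked out
    lockout_minutes: int = 20       # length of a normal lockout
    allowed_lockouts: int = 2       # lockouts before the long lockout applies
    long_lockout_hours: int = 24    # the "very long" lockout the post recommends
    reset_hours: int = 12           # failed-attempt counter resets after this window

@dataclass
class LimitLoginState:
    retries: dict = field(default_factory=dict)         # ip -> (fails, first_fail_ts)
    lockouts: dict = field(default_factory=dict)        # ip -> lockout expiry timestamp
    lockout_count: dict = field(default_factory=dict)   # ip -> lockouts so far
    whitelist: set = field(default_factory=set)         # ips exempt from all limits
    log: list = field(default_factory=list)             # (ts, ip, user) lockout log

def is_locked_out(state, ip, now):
    return now < state.lockouts.get(ip, 0)   # True while a lockout has not expired

def record_failed_login(policy, state, ip, user, now):
    """Apply one failed login. Returns (locked_out, retries_remaining, lockout_seconds)."""
    if ip in state.whitelist:            # why whitelisting is risky: no limit at all
        return False, policy.allowed_retries, 0
    fails, first = state.retries.get(ip, (0, now))
    if now - first >= policy.reset_hours * 3600:
        fails, first = 0, now            # "hours before retries reset" window elapsed
    fails += 1
    if fails < policy.allowed_retries:
        state.retries[ip] = (fails, first)
        return False, policy.allowed_retries - fails, 0
    # Retry limit reached: lock out, escalating once enough lockouts have occurred.
    state.retries.pop(ip, None)
    n = state.lockout_count.get(ip, 0) + 1
    state.lockout_count[ip] = n
    if n >= policy.allowed_lockouts:
        seconds = policy.long_lockout_hours * 3600
    else:
        seconds = policy.lockout_minutes * 60
    state.lockouts[ip] = now + seconds
    state.log.append((now, ip, user))
    return True, 0, seconds

def run_bot(policy, state, ip, attempts, start, interval=10):
    """Constructed scenario: a bot retrying every `interval` seconds; returns the lockout log."""
    now = start
    for _ in range(attempts):
        if not is_locked_out(state, ip, now):
            record_failed_login(policy, state, ip, "admin", now)
        now += interval
    return list(state.log)
```

With `allowed_lockouts` set to 1, as the post suggests, the very first lockout is already the long one.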
Here is a screenshot of our settings page, which includes a portion of our lockout log. As you can see, Limit Login Attempts has performed a total of 1543 lockouts since its last reset. The log shows a sampling of the variety of IP addresses and user accounts that hackers have attempted to log in to.
If you lock yourself out of your own site, you will either have to wait the allotted time until your lockout ends, or you can do one of the following:
- Access your plugins folder via FTP or SSH and deactivate Limit Login Attempts by renaming the file “wp-content/plugins/limit-login-attempts/limit-login-attempts.php”.
- Access your database via phpMyAdmin and clear the limit_login_lockouts option in the WordPress options table.
- Edit your functions.php file to whitelist your IP, then use the “Restore Lockouts” button on the plugin’s settings page to regain full access to your admin area. You should remove the whitelist function from your functions.php file when you’re done.
See the plugin’s FAQ page for more details.
If you are not already using the Limit Login Attempts plugin, don’t wait another moment, go and install and configure it now! It only takes a few minutes and you’ll sleep better tonight.
You will likely be shocked at the volume of hack attempts made against your WordPress website on a regular basis.
What Do You Think?
Are you using Limit Login Attempts? If not, why not? Have you been hacked in the past? We’d love to hear from you. Let us know your experiences in the comments below.
If you found this article helpful, please share it with your friends.