How to Secure Your WordPress Login Page & Mitigate Hacking Risks
The most common point of entry for attackers into a WordPress site is the login page. A properly secured WordPress installation should be able to expose its login page without becoming vulnerable, but it is often worth making things a little harder by hiding or moving the page so that it is not sitting at the URL every attacker expects. Be clear about what this buys you: it is obscurity, not security. Hiding the login page will not make a site secure in the absence of the other measures below, and it does nothing for other authentication paths such as xmlrpc.php, but it does cut down the volume of automated traffic that ever reaches the login form.
Most attacks on WordPress sites are carried out by bots that expect a default configuration. If a bot cannot find the login page where it expects it, it will usually move on to an easier target. At the very least, securing the login page spares a site from a constant shower of bot-driven brute force attempts at guessing a working username / password combination.
In this article, I’ll run through the basics of securing a WordPress login page, and then discuss the best techniques available for hiding login pages from attackers.
Change The Default Admin User
This is one of the first things a WordPress site owner should do. Most automated WordPress attacks assume the default “admin” user exists. If an attacker already knows the username of an administrative account, they only have to guess that user’s password rather than a username / password pair, which cuts their work substantially. Bear in mind that WordPress does not treat usernames as secret (author archive URLs such as /?author=1 reveal them, for instance), so this raises the bar for unsophisticated bots rather than hiding the account outright.
Usernames cannot be changed from the WordPress dashboard, so the way to get rid of the “admin” account is to create a new user with the Administrator role, log in as that user, and delete “admin”. When WordPress asks what to do with the deleted user’s content, attribute it to the new account rather than deleting it.
Choose Decent Passwords
The security of a username / password combination lies in how hard it is to guess both parts. If either part is easy to guess, falsely authenticating becomes far easier. Once you have removed the default “admin” user, make sure every administrative account has a decent password.
The 3.7 release of WordPress will include a password strength meter, which tells users whether the password they have chosen is complex enough to hinder guessing attacks, but until that release, common sense should prevail. Make passwords long, at least 8 characters and preferably much longer, free of dictionary words, and made up of random characters drawn from the whole available set: digits, upper and lower case letters, and punctuation. Don’t think you can be clever and pick a memorable password that will outfox attackers. Just about every “clever” pattern (a word with @ in place of a, a year tacked on the end) has been leaked at some point and sits in the wordlists and mangling rules that password cracking tools apply.
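As an added example (not part of the original article, and not WordPress’s own meter), the following Python checks a candidate password against the rules above and estimates the size of the keyspace an exhaustive search would have to cover. It undoes the usual “clever” substitutions before the dictionary lookup, which is exactly what cracking rules do. The wordlist is a constructed ten-entry stand-in for a real breach-derived dictionary, and the 50-bit threshold is an assumption chosen to match the 8-character floor.

```python
import math
import string

# Constructed stand-in for a breach-derived wordlist. A real check would load a
# list with millions of entries; these few are enough to show the mechanism.
COMMON_WORDS = {
    "password", "qwerty", "letmein", "welcome", "admin", "wordpress",
    "monkey", "dragon", "football", "123456",
}

# The substitutions people think are clever; cracking rules undo exactly these.
LEET = str.maketrans("@$01345!", "asoleasi")

# Assumed minimum log2 keyspace. 8 random characters drawn from all four
# classes give about 52 bits, which matches the article's 8-character floor.
MIN_BITS = 50.0


def normalise(pw: str) -> str:
    """Reduce a password to the dictionary word it was built from, if any.

    "P@ssw0rd123!" -> "password": lower-case, drop trailing digits and
    symbols, then undo the character substitutions.
    """
    return pw.lower().rstrip(string.digits + string.punctuation).translate(LEET)


def character_classes(pw: str) -> int:
    """How many of the four classes (lower, upper, digit, symbol) appear."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(1 for cls in classes if any(c in cls for c in pw))


def charset_size(pw: str) -> int:
    """Alphabet size a brute-force attacker must cover for this password."""
    sizes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10), (string.punctuation, len(string.punctuation)))
    return sum(n for cls, n in sizes if any(c in cls for c in pw))


def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace an exhaustive search would have to cover."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def seconds_to_crack(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case exhaustive search time at an assumed offline guess rate."""
    return 2 ** brute_force_bits(pw) / guesses_per_second


def check_password(pw: str, min_length: int = 8) -> list:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append("too_short")
    core = normalise(pw)
    forms = {pw.lower(), pw.lower().translate(LEET), core}
    if any(f in COMMON_WORDS for f in forms) or any(
            w in core for w in COMMON_WORDS if len(w) >= 6):
        problems.append("dictionary")
    if character_classes(pw) < 3:
        problems.append("few_classes")
    if brute_force_bits(pw) < MIN_BITS:
        problems.append("low_entropy")
    return problems


if __name__ == "__main__":
    for candidate in ("admin", "P@ssw0rd123!", "correcthorse", "xK7#qL9!vB2m"):
        print(f"{candidate!r:16} {brute_force_bits(candidate):5.1f} bits "
              f"{seconds_to_crack(candidate):10.3g} s  {check_password(candidate)}")
```

The keyspace figure is the attacker’s worst case; a password that is rejected for the dictionary reason falls in a fraction of that time regardless of how many bits the length suggests, which is why the dictionary check runs before the entropy check rather than instead of it.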
Limit The Number Of Login Attempts
Unless your username / password combinations are particularly weak, it will take a botnet hundreds or thousands of attempts to find the right pair. You can stop this with a plugin that limits the rate at which login attempts can be made and blocks further attempts from IP addresses that appear to be carrying out a brute force attack. The Limit Login Attempts plugin does this, and there’s a good article over on WPSpeak.com that explains how to use it. One caveat: if your site sits behind a reverse proxy or CDN, make sure the plugin sees the real client address rather than the proxy’s, or every visitor ends up sharing one counter.
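As an added illustration (not the Limit Login Attempts plugin’s code, and written in Python rather than PHP so the logic is easy to read), here is the mechanism such a plugin implements: a sliding window of failed attempts per source, a lockout once the threshold is hit, and a simulated bot running into it. It goes slightly beyond the article by counting per username as well as per IP, which also catches a botnet that spreads its guesses for one account across many addresses. The addresses, the account and the thresholds are constructed sample data.

```python
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Sliding-window login limiter.

    After `max_failures` failed attempts against the same key within `window`
    seconds, the key is locked out for `lockout` seconds. A key is whatever you
    choose to count on: the client IP, the username, or both (see below).
    `clock` is injectable so the behaviour can be exercised without sleeping.
    """

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lockout ends

    def is_locked(self, key) -> bool:
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]      # lockout expired, forget it
            return False
        return True

    def record_failure(self, key) -> None:
        now = self.clock()
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures outside the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()

    def record_success(self, key) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(limiter, client_ip, username, password, check_credentials):
    """Gate one login attempt.

    Counting per IP (what the article describes) stops a single bot; counting
    per username as well also catches a botnet that spreads its guesses for one
    account across many addresses. Returns "locked_out", "ok" or "bad_credentials".
    """
    keys = (("ip", client_ip), ("user", username.lower()))
    if any(limiter.is_locked(k) for k in keys):
        return "locked_out"                  # refuse before checking the password
    if check_credentials(username, password):
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k)
    return "bad_credentials"


class FakeClock:
    """Manually advanced clock so the simulation runs instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_bruteforce(attempts=20):
    """Constructed scenario: one bot at 198.51.100.7 guesses 'editor's password
    once a second, then the real user logs in after the lockout has expired."""
    clock = FakeClock()
    limiter = LoginLimiter(max_failures=5, window=300, lockout=900, clock=clock)
    accounts = {"editor": "xK7#qL9!vB2m"}   # constructed sample account

    def check(user, pw):
        return accounts.get(user) == pw

    results = []
    for i in range(attempts):
        results.append(attempt_login(limiter, "198.51.100.7", "editor", f"guess{i}", check))
        clock.advance(1)
    clock.advance(900)                       # wait out the lockout
    results.append(attempt_login(limiter, "203.0.113.5", "editor", "xK7#qL9!vB2m", check))
    return results


if __name__ == "__main__":
    outcome = simulate_bruteforce()
    print(outcome[:7], "...", outcome[-1])
```

Two design points worth noting. The lockout is checked before the password is, so a locked source costs the server nothing beyond a dictionary lookup. And counting per username has a price: an attacker who keeps guessing can keep the real user locked out too, which is why real plugins pair it with a short lockout or an unlock link rather than an indefinite block. A WordPress plugin would keep these counters in the database (transients) rather than in process memory as this model does.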
Move Your Login Page
As I explained at the top of this article, if the bots can’t find your login page they will almost certainly give up and move on to an easier target. A number of plugins let you change the URL of the login page and of other pages in the admin dashboard.
- Better WP Security (Free) – A plugin that changes the URL of various admin pages, including the login page, and implements a number of other security best practices, such as changing the database table prefix and suppressing login error messages. It will also let you rename the default “admin” account as recommended above.
- Modal Login (Premium) – Replaces the WordPress login page with an alternative page of your own design and changes its URL.
- Hide My WP (Premium) – This plugin works on the premise that the best way to reduce attacks is to obscure the platform you are using as much as possible. It allows you to change many of the features that reveal a site’s WordPress roots, including the URLs of the admin pages.
If you implement these suggestions, the chances of your WordPress site falling to an automated login attack are small indeed. A determined attacker who has singled out your site will look beyond the login page, so these steps complement, rather than replace, keeping the rest of the installation patched and locked down.
If you only follow two pieces of advice from this article, please change the default admin username and use secure passwords. It will frustrate the vast majority of WordPress attacks.
About Graeme Caldwell — Graeme works as an inbound marketer for Nexcess, a leading provider of Magento and WordPress hosting. Follow Nexcess on Twitter at @nexcess, and check out their tech/hosting blog, http://blog.nexcess.net/.