Being a WordPress blogger, it is obvious that you are much concerned about the blog security. We all like to keep our blogs secure against the hackers. WordPress users are lucky enough that there are several security plugins and other template tweaks to safeguard the blog from hacking attempts. One of them is changing the default WordPress username ‘admin‘. If you haven’t done this yet, I strongly recommend to do it by referring here.
Brute force is one of the oldest forms of hacking, where a hacker run a script and attempt to login to your account by trying different combination from dictionary Words. Depending upon the complexity of your password, it may take 1 hour to few days to get access to your account. This is one reason, why I keep asking you to stop using “admin” username and change it to something else. Also, always use a complex password.
You should know that by default WordPress allows unlimited login attempts through the login page. It may encourage the potential hackers to guess your password by the method call BruteForcing.
You need to ensure that your login page is protected from Brute Force attack. Here I’m sharing two plugins (#1 is highly recommended) to protect your login page from Brute Force attack.
Use Jetpack Brute Force protection
I have updated this post to let you know about newest feature addition in Jetpack WordPress plugin. Chances are you might be using Jetpack plugin & if yes, you don’t need to use Limit login or any other plugin to protect from Brute force attack. Jetpack have added a new module call Protect.
If you have Jetpack plugin installed, enable the Protect module, and your WordPress blog will be protected from Brute force attack. The dashboard will also show you the number of blocked malicious login attempts. You also get an option to whitelist specific I.P. from Jetpack > Settings > Protect > Configure
Limit Login to Limit the number of logins tries in WordPress:
Brute Force attack can also be prevented by using Cerber Limit Login Attempts plugin. It helps the admin to limit the number of login attempts through normal login & it automatically lockout I.P’s which is trying to brute force your WordPress login page.
- Limit the number of retry attempts when logging in (for each IP)
- Informs user about remaining retries or lockout time on the login page
- Optional logging, optional email notification
- Handles server behind reverse proxy
- Plugin options page:
Even though the plugin is straight forward to use, you should definitely configure the Hardening section. By default Cerber plugin Block access to the XML-RPC server (including Pingbacks and Trackbacks) & WordPress rest API. If you are using anything which requires access to WordPress rest API (Example: Your blog android or iOS App), you should allow access to WP rest API & XML-RpC.
One important thing:
Disable redirect dashboard requests (Disable automatic redirecting to the login page when /wp-admin/ is requested by an unauthorized request) if you are unable to access WordPress admin dashboard. I suggest you to configure while start using this plugin.[Plugin download page]
If you are getting too many hacking attempts, you can use WordPress Stealth Login plugin. It helps you to create custom URLs for logging in.
- 7 Essential WordPress security tips
- Top WordPress security plugins to check hacked blog
- Top security plugins for WordPress to protect WordPress blog
Do share other useful WordPress plugins which you use to keep your WordPress blog safe and secure?