We rarely need to be convinced to harden our WordPress site security. But, how useful is protecting you login page? And, are you doing it right?

WordPress is a popular CMS, and the fastest-growing platform to build websites. This is why hackers target it; they gain more out of every attack.

Your WordPress login page is what keeps you and other users out of your WordPress dashboard. It’s no surprise, therefore, that the login page is one of the most attacked areas of your WordPress site. Hackers program bots to barrage your WordPress login page with possible username and password combinations, so that once there’s a match, they have unlimited, legitimate access. ‘Guessing attacks’, as they’re known could have bots entering every single possible combination of letters, numbers and characters, or enter a set of probable credentials.

This is why enforcing login protection is an important way to harden your WordPress site against hacks.

This is why enforcing login protection is an important way to harden your WordPress site against hacks.

What is login protection?

Login protection is a means to protect your WordPress site’s login page, especially against guessing attacks.

There are six ways that security blogs recommend using to protect your WordPress login:

1. Using a unique username: Having a unique username can make guessing attacks on your WordPress site (such as Brute Force and Dictionary attacks) harder to perform. This is because the bots would have to guess the username too, along with the password.
2. Using strong passwords: This is paramount to any WordPress site’s security. Choosing a strong password makes it difficult for any hacker trying to log in to your site via Brute Force and Dictionary attacks.
3. Using two-factor authentication: Two means/factors (such as the entry of user credentials and an alphanumeric code) are used to identify the user of the site. Anyone who wants access to the site needs more than just the user credentials; they will need a second token too that is send to them via SMS, email, a phone call, or an app on their phone.
4. Using Captcha: It’s an alphanumeric picture-based challenge to users to determine if they’re bots or not. Captchas, on an average, take about 10 seconds to read and type out.
5. Setting a time-period within which the login page will expire: This means anyone who wants to login beyond that point will have to refresh the page and start all over again
6. Limiting login attempts: This means every user who needs to sign in to your site would be locked out and prevented from accessing it after entering wrong credentials for a specific number of times.

1. Using a unique username

The default username of WordPress is ‘admin’, and a number of WordPress site owners choose to leave it as such. However, this gives hackerbots one thing less to guess. In fact, since the login page only requires the username and password, it reduces the effort and time bots require, by 50%. Hackers using bots and guessing attacks to attack your site generally do not know your site personally, so having a unique username is better for your site’s security. However, if it’s a subscriber who wants to attack your site, they would already know your username. This is why it’s always important to complement having a unique username with other security measures, such as the others on this list.

2. Enforcing a strong password

Having a strong password is one of the key ways to protect your WordPress site from attacks launched on your WordPress login page. Strong passwords are about (or more than) 15 characters in length, use a variety of characters, and do not use very common number-letter replacements. The only troublesome aspect of enforcing strong passwords, is the fact that they’re difficult to remember. This is why it’s important to find good ways to store them.

3. Using two-factor authentication

Two-factor authentication is widely used by financial websites. The two factors are usually what you know– login credentials (username & password) and what you receive on something you have/own– eg: a token (or a graph, as in the instance of Clef), on your mobile phone. Access is granted only when both factors are input correctly.

Most websites use time-based tokens, or One Time Passwords. So once you input your login credentials, the OTP is sent to your registered mobile number. This also ensures that bots are prevented from successfully logging in, since the token is sent via SMS, email or a phone call, and must be entered within a maximum of 15 minutes. A token can’t be used more than once, (or after the time period) and is hence called a One-Time Password (OTP). A couple of plugins that allow you to set up 2FA with WordPress are Google Authenticator and iThemes Pro.

A drawback of this method is that while setting up, the user can set up secondary means of communication (an alternate phone number, or an alternate email address) that the OTP can be sent to. So if a hacker gains access to one of these means, there is a high chance of the website being compromised.

This is why 2FA apps like Clef (which does not require a password as a secondary means of authentication), are deemed to be more secure than the OTP-based 2FA methods. If you’re trying to log in with Clef, you have to match the graph on the WordPress site’s login page with the one that the Clef app on your phone generates.

The trouble here is only when you lose your phone, or when it’s not with you when you want to log in.

4. Using Captcha

A very effective way to protect your login on WordPress, would be to use a Captcha tool, which generates an image with warped alphanumeric text on it. Users are required to read the garbled text, and type it out in the text box below the image. The image expires after a certain amount of time, and must be refreshed after expiry. This makes it a great tool to protect against Brute Force attacks.

The reason this is also a useful tool to differentiate between bots and human is because humans can easily:

1. Recognize different shapes and sizes of letters, despite a variation in fonts.
2. Recognize the space between letters and if they’re separated.
3. Understand the difference between letters based on context (eg: if a letter is an ‘m’ or a combination of ‘n’ and ‘u’).

While the first two forms of recognition come to humans naturally, they are separate tasks for computers, and it requires a lot of time and effort to train bots to perform all three tasks well, and fast.

The only disadvantage of this type of authentication is that sometimes the image can be difficult to read, and those with special needs have a hard time performing the task.

An easy way to add Captcha to your WordPress site, is with plugins like Captcha by BestWebSoft.

5. Setting an expiry-time for your login page

This is a good security measure to use against two types of  attacks: Brute Force attacks, and Distributed Denial of Service attack. This is because the page will expire, and any request that tries to access the login page from that IP address, will be blocked. Requests to the login page will only be taken from the said IP address after the login page is refreshed. A plugin that allows you to do this is Login Security Solution.

You could also set up the expiry time for your login page by using the following code in your WordPress theme:

{

add_filter( ‘auth_cookie_expiration’, ‘keep_me_logged_in_for_30_minutes’ );

function keep_me_logged_in_for_30_minutes( $expirein ) {

return 1800; // 30 minutes in seconds

}

Some security measures, such as NinjaFirewall, WordFence, and iThemes take this step a little further by blocking suspicious login requests from an IP for a period of time that you, as an admin of the site, can set. This means even if the login page is refreshed, any request made from the particular IP to the site in question, will be blocked for the set period of time.

6. Limiting login attempts

Limiting login attempts is a great way to protect your login page from bots or hackers trying a number of username-password combinations to log in to your site. You could use plugins like WP Limit Login Attempts or iThemes security to do this, or use code to modify your .htaccess file, but we recommend using plugins. WordPress firewalls such as NinjaFirewall have this feature inbuilt too. The one downside with this method, is that if you enter the wrong credentials to your site more than the specified trial attempts, you could be locked out too.

Getting access back into your site would require you to follow a series of steps, depending on whether you choose to access the site via FTP and then delete the responsible plugin; or unblock your IP address manually (with code) via phpMyAdmin.

Of course, with security plugins like iThemes and NinjaFirewall, you could use settings to prevent your IP address from getting blocked in the first place.

Misleading recommendations to protect your WordPress login page

While it’s important to protect your login page, it’s also important to be careful about the changes you make to your WordPress site.

A number of recommended practices do not protect your WordPress login page as they are claimed to. One of the main reasons behind this is because they include changes that are complex, might harm your site, and are difficult to undo.  Another reason, is that they advocate security through obscurity.

A few of these recommended practices include:

1. Hiding your login page by moving it to a custom URL

This is another useless security measure that involves moving it to a custom URL. Those who recommend this step, do so with the idea that this would prevent those visiting your site from knowing if it was a WordPress site. Another advantage of using a tool to do this, security experts say, is that it would also help protect against Brute Force attacks, since most hacks are automated, and having the login page at a different URL makes it a little harder to find. However, this step doesn’t necessarily protect your WordPress site in any way. If you’re using a tool such as iThemes to change your login URL to a default address that the tool gives you, chances are, every website used by iThemes has a similar URL format for the login page. This means if a hacker (or his bots) know the format, your site will still be hacked if you don’t have a good username and password combination.

Another case in which this measure would be useless, is if a hacker is actually determined to hack your site (which admittedly is a rare occurrence).

Moreover, suddenly changing your login URL without prior information, might prove to be inconvenient to your site’s users, who might need to login to complete certain actions. On the flip-side of the same scenario, even if you send an email notification about the change to your users and the hacker happens to already have a credible user account, you wouldn’t be protecting your site.

2. Modifying your user enumeration and hiding your WordPress username

These practices involve completely different procedures, but both require changes to be made to your WordPress site’s database or your .htaccess file. These changes, are complex and could affect your site negatively… and are never recommended before having a reliable, recent WordPress backup of your site. Moreover, WordPress doesn’t recommend making such changes because it also spoils the user experience for your site’s subscribers and contributors.

Instead of such practices, just having good login credentials, like a unique username, and a strong password, could protect your site better.

Hardening your WordPress site isn’t difficult, but knowing which measures to use and how to use them is paramount to not falling prey to hackers. No matter whether you choose to implement security measures manually or you choose a plugin to secure your WordPress site, it’s always safer to have a reliable backup solution like BlogVault, in case any of the measures cause your site to crash.