WordPress is the most popular content management system in the world. According to the official WordPress website, it powers more than 30% of the entire web, which works out to more than 70 million websites. More than 30 million of these are hosted on WordPress.com, and self-hosted installations alone make up more than 16% of the web. Such overwhelming popularity also makes WordPress a favourite target for attackers.
An attacker needs to find a vulnerability in only one of those millions of sites and can then reuse it against every other WordPress site running the same code. WordPress core itself is a well-maintained and reasonably secure platform, but vulnerabilities are routinely introduced by insecure plugins and themes, or by a careless site administrator. Any of these gives an attacker a foothold from which the entire website can be compromised.
WordPress security is too broad a topic to cover in one post, so I will not go into the wider details here. One of the most common entry points for attackers is the login page of our website, so in this post I will explain 7 simple steps to secure the WordPress login against them.
1) Change the Default ‘admin’ Username and Switch to a Strong Password
Earlier versions of WordPress created the first account with the username ‘admin’ by default, and many websites still use it. Because it is the first name every brute-force tool tries, get rid of it: WordPress does not let us rename an account from the profile screen, so create a new administrator account with a non-obvious username, log in as that user, and delete the old ‘admin’ account (reassigning its posts). Keep in mind that WordPress exposes usernames in several places (author archive URLs, the REST API), so a hard-to-guess username buys little on its own; the password is what really matters. Here, too, site owners trade security for convenience and pick weak passwords like ‘qwerty123’ so that they do not have to remember something like ‘zw’%~Pt!g,6uz*G’. This is not a recommended practice.
Passwords should be at least 12 characters long and mix upper-case and lower-case letters, numbers and special characters, or be a long passphrase of several unrelated words. Avoid dictionary words, names and keyboard patterns, since these are exactly what dictionary and brute-force attacks try first. Length matters more than any single character class: every extra character multiplies the work an attacker has to do.
On a WordPress site with multiple users, the Force Strong Passwords plugin enforces a strong-password rule for everyone rather than leaving the choice to each user. Password managers such as LastPass and Dashlane generate strong, unique passwords and store them in an encrypted vault, filling them in automatically when needed, so nobody has to memorise complex passwords or reuse one password across sites.
2) Disable Hints at the Login Screen
If we try to log in to WordPress with a username that does not exist, the login form tells us so: the error message says the username is invalid.
If the username exists but the password is wrong, the message is different: WordPress tells us that the password we entered for that username is incorrect.
By comparing the two messages, anyone can tell whether a given username exists. Once a valid username is confirmed, a brute-force attack only has to guess the password, which makes the attacker's job considerably simpler. For improved security, it is better to replace both messages with one generic error. We can do this by adding the following lines of code to the functions.php file of the child theme of our installation; they hook the login_errors filter, which WordPress applies to the error text shown on the login form.
add_filter( 'login_errors', function () {
    // One message for every failed login, whether or not the username exists
    return 'ERROR: Invalid Username or Password.';
} );
Once functions.php has been modified and uploaded back to the server (use SFTP rather than plain FTP, which sends our hosting credentials over the network in cleartext), we can return to the login screen and try to log in with a correct username and an incorrect password.
From now on, every failed login attempt produces the same generic error message, so the login form no longer reveals whether a username exists. Note that this closes only one leak: the lost-password form still reports whether an account exists for the name or email entered, author archive URLs contain the username, and the REST API lists users, so treat this as one of several leaks to close rather than a complete fix.
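As an added example (my code, not from the original post), here is a fuller functions.php snippet that goes beyond the login form and closes the other places WordPress reveals usernames. It assumes a child theme and WordPress 5.5 or later for the sitemap filter; every hook used is a WordPress core filter or action.

```php
/*
 * Added example for a child theme's functions.php (not the post's own code):
 * remove the username leaks WordPress exposes around the login form.
 * Assumes WordPress 5.5+ for the sitemap filter; the rest is older core API.
 */

// 1. One generic message for failed logins. login_header() runs this filter
//    for every wp-login.php screen, so only rewrite it for the login action;
//    otherwise "Enter a username or email address" on the lost-password form
//    would be replaced as well and confuse legitimate users.
add_filter( 'login_errors', function ( $error ) {
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
    if ( 'login' !== $action ) {
        return $error;
    }
    return 'ERROR: Invalid Username or Password.';
} );

// 2. /?author=1 normally redirects to /author/<username>/, revealing the
//    login name of user ID 1 (usually the administrator). Send author
//    archives to the home page instead. Priority 1 runs before
//    redirect_canonical() (priority 10) would emit the leaking redirect.
add_action( 'template_redirect', function () {
    if ( is_author() ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}, 1 );

// 3. /wp-json/wp/v2/users lists every user who has published content,
//    including the "slug" (login name). Hide it from anonymous requests;
//    logged-in users (the block editor, for example) keep it.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 4. Since WordPress 5.5 the core sitemap publishes /wp-sitemap-users-1.xml
//    with one author URL per user. Drop the users provider entirely.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );
```

After uploading, check each leak the way an attacker would: request /?author=1 and confirm the Location header no longer contains /author/<name>/, fetch /wp-json/wp/v2/users while logged out and expect a "no route" error, and fetch /wp-sitemap-users-1.xml and expect a 404. The lost-password form is not covered here; its "no account with that username or email address" message is a separate decision, because rewording it means users who mistype their address get no feedback.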
3) Limit Login Attempts
Secure websites such as online banking lock us out for a while after we enter the wrong password several times. WordPress on its own has no such limit: we can keep trying different username and password combinations indefinitely and never get locked out, which is exactly what a brute-force attack relies on. To make our WordPress login more secure, we can cap the number of failed login attempts a client may make before being locked out.
For this we install and activate a plugin that limits login attempts, then go to its settings page.
The allowed retries field sets how many failed attempts with incorrect credentials are tolerated; a value of 4 or 5 is a good choice. The minutes lockout field sets how long the client is locked out once that count is reached, and the next field sets a longer lockout period that applies after several consecutive lockouts, so a persistent attacker is slowed down progressively.
The plugin also lets us whitelist and blacklist IP addresses. Adding our own IP to the whitelist means a mistyped password will not lock us out of our own site, though home and mobile IP addresses change, so do not rely on it. One caveat: lockouts are tracked per client IP address, so if the site sits behind a CDN or reverse proxy the plugin must be told to read the real client address from the header the proxy sets; otherwise every visitor shares the proxy's address and a single attacker can lock everyone out, and if the header is trusted without checking that the request came from the proxy, an attacker can forge it and evade the lockout. After filling in the fields, click the save options button at the bottom. If we now go to the login screen and try to log in with incorrect credentials, the error message includes the number of attempts remaining.
Once we exceed the maximum count, the login form refuses further attempts and shows a lockout error telling us how long we have to wait.
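To show what such a plugin does under the hood, here is an added example (my code, not the plugin's) of a minimal login-attempt limiter for a child theme's functions.php. The LLA_* constants and lla_ function names are invented here and mirror the three settings described above. It assumes the site is not behind a reverse proxy or CDN, because it keys lockouts on REMOTE_ADDR.

```php
/*
 * Added example (not the post's or any plugin's code): a minimal login-attempt
 * limiter using WordPress transients. Assumption: REMOTE_ADDR is the real client
 * address, i.e. no CDN or reverse proxy in front of the site.
 */

const LLA_MAX_RETRIES          = 4;          // failed attempts before lockout
const LLA_LOCKOUT_SECS         = 20 * 60;    // normal lockout: 20 minutes
const LLA_LOCKOUTS_BEFORE_LONG = 4;          // consecutive lockouts before the long one
const LLA_LONG_LOCKOUT_SECS    = 24 * 3600;  // long lockout: 24 hours
const LLA_WINDOW_SECS          = 12 * 3600;  // counters expire after 12 hours

function lla_client_key() {
    // Keyed by source IP. Keying by username alone would let an attacker lock
    // the real administrator out on purpose, so use that only in combination.
    return 'lla_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Priority 30 runs after core has checked the password (priority 20). A locked
// client is rejected even with correct credentials, which is the whole point.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $locked_until = get_transient( lla_client_key() . '_lock' );
    if ( $locked_until && $locked_until > time() ) {
        $minutes = (int) ceil( ( $locked_until - time() ) / 60 );
        return new WP_Error(
            'too_many_retries',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', $minutes )
        );
    }
    return $user;
}, 30, 3 );

// Count failures per client; on the Nth, start a lockout and reset the counter.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lla_client_key();
    $count = (int) get_transient( $key ) + 1;
    if ( $count < LLA_MAX_RETRIES ) {
        set_transient( $key, $count, LLA_WINDOW_SECS );
        return;
    }
    // Escalate: after several consecutive lockouts, lock for much longer.
    $lockouts = (int) get_transient( $key . '_lockouts' ) + 1;
    $duration = $lockouts >= LLA_LOCKOUTS_BEFORE_LONG ? LLA_LONG_LOCKOUT_SECS : LLA_LOCKOUT_SECS;
    set_transient( $key . '_lockouts', $lockouts, LLA_WINDOW_SECS );
    set_transient( $key . '_lock', time() + $duration, $duration );
    delete_transient( $key );
} );

// A successful login clears the failure counter (but not an active lockout).
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lla_client_key() );
}, 10, 2 );
```

Because the check lives in the authenticate filter, it applies to every code path that goes through wp_authenticate(), including xmlrpc.php, not just the wp-login.php form. Behind a proxy, lla_client_key() would have to parse the proxy's client-address header, and only after confirming that REMOTE_ADDR is the proxy itself; otherwise the header is attacker-controlled.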
4) Hide the Login Page
The default login page of any WordPress site is www.yoursitename.com/wp-login.php (and /wp-admin/ redirects there), which is why automated attacks go straight to it. If that URL is moved, an attacker first has to find the login page before even starting to guess credentials. Keeping the login page at a custom URL is practical for a site with only a few users who have login rights, but not for a membership site with many users who would all have to be told the new address. Bear in mind that this is obscurity, not access control: it removes the noise of automated attacks but does not replace a strong password, attempt limits and 2FA, and it does nothing for other authentication routes such as xmlrpc.php unless those are disabled as well. To hide the login page, first install the WPS Hide Login plugin. After installing and activating it, the plugin's option appears under Settings.
Here we set a custom URL for the login page and click the save changes button at the bottom. If we now log out and request the default login URL, we get an error message saying that the URL does not exist; the login form is only reachable at the URL we chose. Keep a note of that URL somewhere safe: if it is forgotten, the way back in is to deactivate the plugin by renaming its folder under wp-content/plugins over SFTP.
5) Add Two-Factor Authentication (2FA) to the Login
Once 2FA is enabled, a stolen or guessed password is no longer enough on its own: every login is completed only after entering a one-time code generated by an authenticator app on our phone, which changes every 30 seconds and is derived from a secret the attacker does not have. It is quite simple to set up with Google Authenticator (the app plus a WordPress plugin that supports it), and once active our login screen gains an additional text box for the code from our phone. Two caveats: a phishing page that relays the code to the real site in real time can still get in, so the code must only ever be typed into our own login page, and many 2FA plugins protect only the wp-login.php form, so check whether yours also covers XML-RPC and disable xmlrpc.php if it is not needed.
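The code from the phone is a time-based one-time password (TOTP, RFC 6238), and it helps to see how little magic is involved. The following is an added example in PHP, not the plugin's code: it derives the six-digit code from the shared secret and the clock, and verifies a submitted code with a small skew window. Function names are mine; the secret is the RFC 6238 reference key "12345678901234567890" in Base32, so the result can be checked against the RFC's test table.

```php
/*
 * Added example (not the post's or a plugin's code): TOTP (RFC 6238) over
 * HOTP (RFC 4226) with HMAC-SHA1 and 30-second steps, as used by Google
 * Authenticator. Requires PHP 7 for intdiv().
 */

// Authenticator apps receive the shared secret as Base32 (RFC 4648).
function totp_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( false === $v ) {
            return false; // not a Base32 character
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    foreach ( str_split( $bits, 8 ) as $chunk ) {
        if ( strlen( $chunk ) === 8 ) {   // drop trailing padding bits
            $bytes .= chr( bindec( $chunk ) );
        }
    }
    return $bytes;
}

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
// to 31 bits, then the last $digits decimal digits.
function totp_hotp( $secret, $counter, $digits = 6 ) {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            |   ord( $hash[ $offset + 3 ] );
    return str_pad( $code % ( 10 ** $digits ), $digits, '0', STR_PAD_LEFT );
}

// TOTP: the counter is the number of 30-second steps since the Unix epoch,
// which is why phone and server must agree on the time, not on any state.
function totp_code( $secret, $time, $step = 30 ) {
    return totp_hotp( $secret, intdiv( $time, $step ) );
}

// Server-side check. Accept one step either side to tolerate clock skew and
// typing time; hash_equals() keeps the comparison constant-time.
function totp_verify( $secret, $submitted, $time, $window = 1 ) {
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( totp_code( $secret, $time + $i * 30 ), $submitted ) ) {
            return true;
        }
    }
    return false;
}

// Demo with the RFC 6238 reference key "12345678901234567890" (Base32 below).
// The RFC's table gives 94287082 as the 8-digit SHA-1 code at T=59, so the
// 6-digit code is its last six digits, 287082.
$secret = totp_base32_decode( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
echo totp_code( $secret, 59 ), "\n";
var_dump( totp_verify( $secret, '287082', 59 ) );       // current step: accepted
var_dump( totp_verify( $secret, '287082', 59 + 90 ) );  // three steps later: rejected
```

Two things a production plugin must add on top of this: remember the last counter accepted for each user and refuse codes at or before it, so a code captured by a shoulder-surfer or a relaying proxy cannot be replayed inside the window (RFC 6238, section 5.2), and protect the stored secret, since anyone who can read it from the database can generate valid codes at will.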
6) Add Google reCAPTCHA to the Login Screen
Another simple way to harden the login page is a Google reCAPTCHA plugin, which stops fully automated tools from submitting the form at machine speed. We have already covered adding reCAPTCHA to the WordPress login screen in an earlier post; follow the steps there. Once it is in place, the login form gains a reCAPTCHA widget. A CAPTCHA raises the cost of automated guessing but does not stop a patient human or a solving service, so treat it as a complement to the attempt limit and 2FA, not a substitute.
7) Add Security Questions to the Login Screen
Adding security questions to the login screen is another simple technique to raise the bar: someone who has our username and password still has to answer the questions correctly. Setting them up takes less than five minutes, and once the questions are added the login gains an extra screen for the answers. Be realistic about their strength, though: answers such as a mother's maiden name or a first school are often public or guessable and never change, so security questions are a much weaker second step than the 2FA code above. Use them as a supplement, and answer with random strings kept in the password manager rather than true facts.
Additional Reading: All these methods provide a basic level of protection against attacks on the login. A site that attracts a good volume of visitors should add a full security plugin such as Sucuri or iThemes Security (scanning, firewall rules and file change detection) and keep regular automated off-site backups with BackupBuddy or UpdraftPlus, so that a compromise can be recovered from and not merely detected.