Preventing break-ins to your WordPress login page

WordPress, like most websites with a login page, is a target for attackers. The following simple steps make your site harder to break into.

One of the most common ways for attackers to gain access to your site is to guess your username and password, so let's first look at ways to prevent this.

Preventing your username from being discovered

For a long time WordPress was installed with the default administrator account named 'admin'. This wasn't a good plan: if the attacker already knows your username, they have only one piece of information to find out instead of two before they can log in.

However, even if you don't use the 'admin' username on your site, your username can still be discovered via the author template page. The author page is the page WordPress uses to display the archive of blog posts for each author, and by default its web address contains your username (strictly, the user's 'nicename' slug, which WordPress derives from the login name when the account is created). For example:

e.g. http://chrishodgsonweb.co.uk/author/chris-hodgson

But haven't I just revealed my username? Actually no: I've changed the author page on my site to show my full name in the web address rather than my username, using this handy plugin. Because the address is built from that slug, changing it also covers the other routes that lead to the same page: the query string ?author=1, which WordPress redirects to the author archive, and the REST API user listing at /wp-json/wp/v2/users, which exposes the slug and display name but not the login name.

Preventing your password from being discovered

If your username is discovered, you are relying solely on a password that is hard enough for attackers not to guess. A few rules make your password harder to discover.

Firstly, prefer a longer phrase such as mydoglikestoeastsocks to a shorter complex password with symbols and numbers. Every extra character multiplies the number of guesses an attacker has to make, so length does more for you than a handful of symbols does.

Secondly, use a phrase that is meaningful to you and you alone; for example, don't use tobeornottobethatisthequestion. Attackers have lists of passwords taken from systems that were compromised in the past (LinkedIn, for example), and a phrase that other people have probably already used as a password will be in those lists, so guessing tools try it early.

Thirdly, make your password slightly different for each site by changing or adding something. Do this the same way for every site, so that you only need to remember the main password and can then alter it for the site. So if you were logging into Amazon, you could add ama to the end of your password, giving mydoglikestoeastsocksama. Other options include adding something to the start and end, or substituting certain characters. Then, if one of your passwords is discovered, your other accounts are not all compromised. Bear in mind that a simple, consistent rule can be inferred by anyone who sees one of your leaked passwords, so a password manager that generates a different random password for each site is the safer option.

Other ways to improve your login page security include:

1. Hide the login page – by default WordPress uses wp-login.php as the login page, but some plugins let you move it to a different address. This only deters automated scripts that target the default path; it is no substitute for strong passwords and limiting attempts.

2. Hide the dashboard page – by default WordPress uses wp-admin as the dashboard page. If you are not already logged in, WordPress redirects you from it to the login page, so it is another way to find the login page you hid in the previous step.

3. Limit the number of login attempts – attackers run automated scripts that cycle through a list of known passwords, trying to log in with each one. Limiting the number of login attempts per visitor helps stop this type of attack, and some plugins ban (temporarily block) addresses that fail too many times.

4. Ban anyone trying to log in using admin – we have already said that the admin username should not be used on your site, so any attempt to log in as admin can only be an attacker, and the address making the attempt can be blocked on the spot.

You can achieve all the additional steps above using this plugin.
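To show how steps 3 and 4 work under the hood, here is a small must-use plugin that limits failed logins per client address and locks out anyone who tries a banned username such as admin. It is an added example, not code from the original post or from the plugin it links to. The thresholds (5 failures in a 15-minute window), the banned-name list and the assumption that $_SERVER['REMOTE_ADDR'] is the real client address (no reverse proxy or CDN in front of the site) are mine, not the post's. Only WordPress's own hooks and functions are used.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 *
 * Added example, not from the original post or from any plugin it refers
 * to. Save as wp-content/mu-plugins/login-limiter.php; WordPress loads
 * must-use plugins automatically, no activation needed.
 *
 * Assumptions (not from the post): 5 failed attempts per client IP within
 * a 15-minute window; the banned-name list below; REMOTE_ADDR is the real
 * client address (no reverse proxy or CDN in front of the site).
 */

defined('ABSPATH') || exit;

const LH_MAX_FAILURES   = 5;
const LH_WINDOW_SECONDS = 900; // 15 minutes
const LH_BANNED_LOGINS  = ['admin', 'administrator'];

/** Client address. Do not read X-Forwarded-For unless a trusted proxy sets it. */
function lh_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient key holding the failure counter for this address. */
function lh_counter_key() {
    return 'lh_fail_' . md5(lh_client_ip());
}

function lh_failures() {
    return (int) get_transient(lh_counter_key());
}

function lh_is_banned_login($username) {
    return in_array(strtolower((string) $username), LH_BANNED_LOGINS, true);
}

/**
 * Record a failed attempt. set_transient() resets the expiry each time, so
 * the lockout keeps extending for as long as the attacker keeps trying.
 * A single attempt with a banned username jumps straight to the limit.
 */
function lh_record_failure($username, $error = null) {
    $count = lh_is_banned_login($username) ? LH_MAX_FAILURES : lh_failures() + 1;
    set_transient(lh_counter_key(), $count, LH_WINDOW_SECONDS);
}
add_action('wp_login_failed', 'lh_record_failure', 10, 2);

/**
 * Enforce the lockout. Priority 30 runs after WordPress's own
 * username/password checks (priority 20), which replace any earlier
 * WP_Error with the WP_User when the credentials are right; hooking
 * afterwards means a correct password cannot bypass the lockout.
 * The error messages are deliberately generic so a locked-out attacker
 * cannot tell whether the password they just tried was correct.
 */
function lh_enforce($user, $username, $password) {
    if ($username === '') {
        return $user; // core already produced the empty_username error
    }
    if (lh_is_banned_login($username)) {
        // Failing here makes wp_login_failed fire, which locks the address.
        return new WP_Error('lh_banned', 'Login blocked.');
    }
    if (lh_failures() >= LH_MAX_FAILURES) {
        return new WP_Error('lh_locked', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'lh_enforce', 30, 3);

/** A successful login clears the counter for the address that logged in. */
add_action('wp_login', function () {
    delete_transient(lh_counter_key());
});
```

Two caveats when adapting this: behind a CDN or reverse proxy every visitor shares the proxy's address, so keying on REMOTE_ADDR would lock out the whole site after five failures; resolve the real client address from the header your proxy sets (and only that header) before using it. And only add admin to the banned list after you have actually renamed or removed that account, otherwise you lock yourself out.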
