Due to its popularity, WordPress attracts hordes of attacks from unscrupulous individuals on a regular basis. The WordPress admin page is an easy target for hackers because the default URL is easy to access. Moreover, a lot of WordPress users don’t bother to bolster the security of this crucial access page.
In this post we’ll explore ways to secure the WordPress admin page and minimize the chances of someone breaking into your website.
Without further ado, let’s get on with some handy ways to guard against intruders by hardening your admin page and your website in general.
Use A Custom Login URL
The first basic step in securing your admin page is to use a custom URL when accessing it. By default you can access the admin page via the following URLs: yourdomain/wp-admin or yourdomain/wp-login.php. These defaults are hard-coded into the core files that run WordPress and are not easy to change without breaking many things. They are very visible, and any person with basic knowledge of WordPress knows how to reach them, including hackers of course.
Altering these defaults goes a long way in preventing direct access to the login pages by potential intruders.
If you know your way around WordPress and how the .htaccess file works, you can do it by editing that file directly. For most users, however, the safer and most recommended way is to use a plugin.
There are plenty of plugins that can rename your login links in addition to augmenting other areas that are particularly prone to attacks.
Check and see if these plugins meet your needs:
Force Login and Admin Access Via SSL
Even after renaming your admin and login URLs, some clever hackers might figure them out and try to launch attacks. To make this harder for them, force all login access to go over SSL. This means that your site’s login forms will always be submitted over SSL, an extra layer of security that keeps your credentials away from anyone watching the traffic in transit.
First though, you need to install an SSL certificate before enabling this option. Once installed, open your wp-config.php file and add the following line below the line that sets the WP_DEBUG option (note that since WordPress 4.0 FORCE_SSL_LOGIN is deprecated in favour of FORCE_SSL_ADMIN, which also covers the whole dashboard):
define( 'FORCE_SSL_LOGIN', true );
Limit Login Attempts
While this seems like a basic security step that everyone should do, the vast majority of WordPress users either ignore it lazily or simply take security matters lightly.
Limiting login attempts is especially useful for guarding against brute force attacks, where a bot or spider tries login after login, switching username and password combinations over and over until one works, which of course only succeeds against weak passwords.
The easiest way to implement this security step is by using a plugin. Head over to the official repository and type a search for limit access or login attempts and you’ll have plenty of options to choose from. Paid options are available too but they tend to offer a lot more features than you actually need for a simple blog.
Blacklist Known Offenders
The Internet is laden with various groups of organized criminal gangs that create, sell, or even share intrusion and hacking tools for free, in addition to carrying out attacks on websites. But just as these groups exist so do security tools that track their activities.
Using special plugins, you can blacklist and ultimately block known offenders. This is an extreme measure but one you should take if circumstances dictate so. For example if your website is a victim of persistent attacks, chances are good that the majority of those attacks are from repeat offenders. In that case you might want to block some people based on IP or some other criteria.
Some security plugins maintain a blacklist of known security offenders and block them based on IP address. In addition, a plugin may collect login info from users, such as the number of failed attempts, and then deny access to those users or agents along with any other user associated with that IP range.
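As an added example that is not from the original post or from any of the plugins it mentions, here is a minimal WordPress plugin that enforces both the login-attempt limit and an IP blacklist using only core hooks (authenticate, wp_login_failed, wp_login) and transients. The limits, the blacklisted address (a documentation-range IP) and every name prefixed example_ are assumptions made for this illustration.

```php
<?php
/*
Plugin Name: Example Login Throttle (illustrative, not a published plugin)
*/

// Assumed policy: 5 failed attempts per 15 minutes per client IP.
const EXAMPLE_MAX_ATTEMPTS = 5;
const EXAMPLE_WINDOW       = 15 * MINUTE_IN_SECONDS;

// Constructed blacklist; a real deployment would load it from a maintained feed.
const EXAMPLE_BLACKLIST = array( '203.0.113.7' );

function example_client_ip() {
    // Use REMOTE_ADDR only: trusting X-Forwarded-For without a known proxy lets a client spoof its address.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '0.0.0.0';
}

function example_attempt_key( $ip ) {
    return 'example_login_fail_' . md5( $ip );
}

// Count each failed login per IP; the transient expires once the window passes.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_attempt_key( example_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_WINDOW );
} );

// Runs after WordPress has checked the credentials (priority 30 > core's 20);
// returning WP_Error refuses the attempt even if the password was correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // Plain page loads carry no username; do not count them.
    }
    $ip = example_client_ip();
    if ( in_array( $ip, EXAMPLE_BLACKLIST, true ) ) {
        return new WP_Error( 'example_blocked', __( 'Login is not available from this address.' ) );
    }
    if ( (int) get_transient( example_attempt_key( $ip ) ) >= EXAMPLE_MAX_ATTEMPTS ) {
        // A refused attempt also fires wp_login_failed, so the lockout window is extended.
        return new WP_Error( 'example_too_many', __( 'Too many failed logins. Try again later.' ) );
    }
    return $user;
}, 30, 3 );

// Clear the counter once a login succeeds.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_attempt_key( example_client_ip() ) );
}, 10, 2 );
```

Drop the file into wp-content/plugins/ and activate it; the same message is returned for blacklisted and throttled clients so the response does not reveal which username exists.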
If you were not securing your admin page, it’s time you implemented these measures. If you are just starting out with a new blog, you might not experience attacks immediately but as you add more content, build links, and your blog becomes more popular, you’re guaranteed to receive attacks on a consistent basis.
What methods do you use to secure your admin page?
Featured Image: CC BY 3.0