I’m writing an article for work about WordPress security. Part of the process is trying different WordPress security plugins. One of the plugins I tried it Better WP Security, a Swiss army knife of security tools. One of its features is to log failed attempts to log into the WordPress backend.
It turns out I’m getting hundreds of login attempts every day from people trying to guess the administrator password. That’s a bad thing.
A couple of things you can do if people are trying to log into your site:
- Make sure you’re using a strong password.
- Change the administrator account to something other than the default of “admin.” It’s under the User tab in Better WP Security. All of the failed logins for my site are for the “admin” username.
- Turn off verbose login error messages (Remove WordPress Login Error Messages under Tweaks tab). By default, WordPress tells people whether their login failed because the username was bad or the password was bad. With this option off they won’t know which part of the login was incorrect. Let them think they should keep trying to get in with “admin.”
- Enable login limits (Log tab). Users who give bad login credentials x number of times in y time period will be locked out of the site for z minutes. Optionally you can block IP addresses after a certain number of lockouts. You can opt to be notified by email when lockouts occur. The emails include the person’s IP address, which the log screen doesn’t. On my site about 50% of bad logins are from China, 30% are from Russia, and 20% are scattered all over the world.