Would you leave the front door of your house unlocked all the time? Of course not! But, you wouldn’t believe how many site owners do just that. There are a lot of ways hackers can enter your site. Why make it easy for them by leaving the front door wide open? Read on to discover the super simple ways to secure the login of your site, plus ways to stop inviting hackers to even try.
Your Site is Under Attack
Most site owners think that hack attacks are something that happen to other people. This is especially true if they don’t know anyone who has suffered through it.
The fact is, your site is under constant attack from every direction possible, including the front door of your login page. It is not unusual for a site to get 10-50 hack attempts a day.
Brute Force Attacks
When hackers try to guess your site’s login credentials (username and password), it is called a Brute Force Attack. They use bots to automate the process. Given unlimited attempts, the bots rapidly run through all possible combinations of characters for both the username and password until they find a match for both.
How to Stop an Attack
Stopping brute force attacks is a two-step process.
- The first is to limit how many attempts the hacker can make to guess the login.
- The second is to have a strong login combination (username and password).
Stop the Attack
It’s very easy to limit how many times a hacker can attempt to guess the login before sending up a red flag. There are two super plugins for this. One is the Limit Login Attempts plugin. The other is the Login Lockdown plugin.
With both plugins, after a certain number of attempts, the hacker is locked out for a specified amount of time before they can retry. The reason this works well is because hackers are not looking for a hassle. If it’s not easy to break in, they move along to another site.
Limit Login Attempts
Limit Login Attempts has become the more popular of the two plugins in the last year or so. It has several settings that you can configure, such as how many attempts are allowed before lockout, and how long the lockout lasts before another attempt can be made.
The problem I have with the plugin is that when a failure occurs, it shows how many attempts are left. When too many failed attempts occur, it shows how long the lockout will last. If the hacker is not using a bot, they are getting way too much information every time they try.
Login Lockdown
The other plugin, Login Lockdown, has been around for years longer. It is super simple to use – simply install and activate. There are no settings. After three failed attempts, the lockout lasts for one hour. The only message displayed is that too many login attempts were made.
The one and only reason this plugin has fallen out of favor is because there is now a warning on it in the WordPress repository that it has not been updated in over two years and may have conflict errors. In my opinion, it works perfectly as is and needs no updates. But, now that the folks at WordPress are cracking down on plugins that may or may not be supported any longer, it gets a warning label slapped on it. Personally, I’m sticking with this plugin until it is no longer available.
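The lockout behavior described for Login Lockdown, sketched in Python as an added example (not the plugin's own code): three failures trigger a one-hour lockout, and the messages reveal neither the remaining attempts nor the lockout length. The LoginThrottle class, the per-IP keying, the five-minute counting window and the sample account are assumptions made for illustration.

```python
import time

MAX_FAILURES = 3            # per the text: lockout after three failed attempts
LOCKOUT_SECONDS = 60 * 60   # per the text: lockout lasts one hour
FAILURE_WINDOW = 5 * 60     # assumption: only failures this recent are counted
MSG_FAILED = "Login failed."                       # no attempts-left counter
MSG_LOCKED = "Too many login attempts were made."  # no lockout duration


class LoginThrottle:
    """Per-client lockout wrapped around a credential check (hypothetical helper)."""

    def __init__(self, verify, clock=time.time):
        self._verify = verify      # callable(username, password) -> bool
        self._clock = clock        # injectable so the policy can be tested
        self._failures = {}        # client -> timestamps of recent failures
        self._locked_until = {}    # client -> time at which the lockout ends

    def attempt(self, client, username, password):
        now = self._clock()
        # While locked out, reject before checking credentials, so even a
        # correct guess made during the lockout gains the attacker nothing.
        if now < self._locked_until.get(client, 0):
            return False, MSG_LOCKED
        if self._verify(username, password):
            self._failures.pop(client, None)
            return True, "OK"
        recent = [t for t in self._failures.get(client, [])
                  if now - t < FAILURE_WINDOW]
        recent.append(now)
        self._failures[client] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[client] = now + LOCKOUT_SECONDS
            self._failures.pop(client, None)
            return False, MSG_LOCKED
        return False, MSG_FAILED


def demo():
    """Replay a constructed guessing run against a constructed account."""
    t = [0.0]  # fake clock, advanced by hand
    verify = lambda u, p: (u, p) == ("site-owner", "correct horse")
    throttle = LoginThrottle(verify, clock=lambda: t[0])
    results = []
    for guess in ["123456", "password", "letmein", "correct horse"]:
        results.append(throttle.attempt("203.0.113.7", "site-owner", guess))
        t[0] += 10
    t[0] += LOCKOUT_SECONDS  # the lockout has expired by now
    results.append(throttle.attempt("203.0.113.7", "site-owner", "correct horse"))
    return results
```

In the replay, the fourth attempt uses the correct password but is still refused because the lockout is active; the same password succeeds once the hour has passed.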
Strengthen Your Login
You might think that activating one of these plugins would be enough to stop brute force attacks, but it’s not. A bot may just happen to guess the login in fewer than three attempts. That’s why it is critically important for you to have a super strong username and password. Read Protect Your WordPress Website with a Strong Login.
Stop Giving Hackers Half of the Info
Do you show a byline in your posts? Most of the time it will be right below the title of the post. What does it say? If it shows your username, you are giving hackers half of your login credentials. All they need to do is guess your password.
There are two ways you can fix this issue. The first, and best choice, is to complete your User Profile, then select to show your real name instead of your nickname. This will also help you with your AuthorRank.
The second way is to modify your theme not to show the byline. On premium themes like Genesis, this is easy to do with Simple Edits. But, with many non-premium themes, a change in the code may be required.
The Best Defense
Just as you do with your house, you should take every precaution you can to secure your site. It represents a significant investment and you will lose money if it ever goes down.
It will take you all of two minutes to install one of these login protection plugins.
You should also consider making the investment to set up a good backup and restore option for your site that runs on auto-pilot and makes it easy for you to get your site back up and running if anything ever happened to it. Download this free guide on 14 backup plugins and storage solutions and choose the one that works best for you.
Wrap Up
Do you use a login limiting plugin? If so, which one?
Need help with your site security? Get a 20-point site inspection and tune up.
MaAnna:
Thank you for this insightful and important blog post. I am completely unaware of brute force attacks or whether my site has ever received them, but now that you have mentioned it, I will have to go back and check. I’m also interested in downloading the plugin you’ve suggested. I do not currently use premium wp themes, but at some point, I’d love to. I will know what to look for. Very helpful, thank you.
Glad you found it helpful, Amanda. Both plugins are easy to set up.
Good mechanisms to secure a site from different attacks. I will be using these plugins to feel safe.