Hackers don’t need to be sneaky or sophisticated to get what they want. Often, they just break in through the front door. Using the right tools can help, but there’s more that you can do to protect your website and secure WordPress login.
In this report by Nathan Finch of Aussie Hosting, they reviewed and compared different hosting companies based on their performance. They found that companies with more downtime also had poorly maintained servers that increased the risk of security concerns.
It has been reported that Google blacklists about 70,000 websites per week for WordPress login security issues like malware and phishing. Your first line of defense against infiltration is protecting your WordPress login. This form of access control seems like a no-brainer, but you’d be surprised at how often the simplest security measures are overlooked or put on the back burner.
Regardless of security features offered by your hosting service on the back end, as a website owner, the buck stops with you.
– Source: Wordfence
What Makes WordPress Logins Vulnerable?
The popularity of WordPress is what makes it an easy and attractive target. But, what makes the platform vulnerable to attacks and exploits?
For one thing, hackers do a lot of reconnaissance before cracking a system. They know that certain WP versions have more vulnerabilities than others, and the platform has been around long enough for pros to know what they are. The version number is located on your webpages and in your URL unless you remove it.
Viewing your directory also provides a lot of useful information, such as the type of plugins and themes you have installed. Because it works on open source coding, leaving unused or unsupported plugins in your directory, even if they’re disabled, is a simple way for hackers to gain access to your code. Once inside, they can launch exploits, change the coding, hijack sessions, or lock you out of your own website.
Hackers can check your directory indexing by browsing folder locations and checking for an “Index Of” response like this:
/wp-content/
/wp-content/plugins/
/wp-content/themes/
/uploads/
/images/
They can look for vulnerable plugins in your directory through an active search using scripting tools or a passive search with normal HTML requests. This is achieved by reviewing HTML source code and searching for installed plugins through CSS style sheets, comments, and JS links.
Another way hackers access WordPress websites is through user enumeration. This is a simple prelude to a brute force attack that involves uncovering user names and guessing their passwords through a dictionary attack or trying to enter through default mechanisms. For example, users can be discovered by iterating their Ids and adding it to the URL like this:
wordpressexample.com/?author=1
wordpressexample.com/?author=2
wordpressexample.com/?author=3
If it works, the login ID will be revealed via a 303 redirect.
A tool called WPScan that’s used for vulnerability testing can sift through hundreds of possible passwords within less than a minute. It was able to return the following output from a cheap theme within seconds:
ruby wpscan.rb -u 192.241.xx.x68 --threads 20 --wordlist 500worst.txt --username testadmin ********* SNIP ****************** [+] Starting the password brute forcer Brute forcing user 'testadmin' with 500 passwords... 100% complete. [+] Finished at Thu Jul 18 03:39:02 2013 [+] Elapsed time: 00:01:16
4 Ways to Secure Your WordPress Login
Fortunately, the WP developer and user community are diligent when it comes to providing support. Due to this, there are tools that are freely available and best practices you can learn and deploy to keep your website secure.
Here are four techniques that you can implement to improve your WordPress login security.
1. Remove the WP Version Number
Since hackers usually look for version number first when checking for vulnerabilities, this is the first thing you should change when setting up your website. This should be done in such a way that it’s removed from pages, URLs, and meta tags without removing the header hook or other bad methods that are being touted on the internet.
The best way to remove your WP version number is to add this bit of code to the functions.php file:
To remove from header:
remove_action('wp_head', 'wp_generator');
To remove from RSS feed:
function remove_version_info() {
return '';
}
add_filter('the_generator', 'remove_version_info');
To remove the version number from scripts and styles:
function remove_version_from_style_js( $src ) {
if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) )
$src = remove_query_arg( 'ver', $src );
return $src;
}
add_filter( 'style_loader_src', 'remove_version_from_style_js',9999);
add_filter( 'script_loader_src', 'remove_version_from_style_js',9999);
No matter when you install WP, you should always keep your WordPress updated to the latest version as soon as it’s released. The same goes for plugins and themes.
Read More: Updates Are Crucial for WordPress Security!
2. Change Your Login URL
The default login address for WP administrators is yourwebsite.com/wp-admin and that’s something nearly everyone familiar with the platform knows. All that’s need is to add /wp-login.php after the domain name and you’re in. A simple alteration to the URL is all that’s needed to keep hackers from guessing your login page.
You can use a plugin like iThemes Security to accomplish this effectively.
3. Reduce the Number of Login Attempts
Another flawed WP default feature is allowing unlimited login attempts. This enables dictionary attacks and other password guessing techniques. The iThemes Security plugin has a feature that locks down your website after a set number of failed login attempts and sends you an alert.
If you want only the login logout function, you can install a plugin called Limit Login Attempts Reloaded and go into its settings to configure the number of allowed logins.
4. Limit Access and Use Two-Factor Authentication
By now, you should know to choose a secure password using a two-factor authentication plugin. The next step to limiting access is to limit the number of people who have access to your website’s inner workings. Third, use 2-Factor authentication that uses a combination of password and encrypted key to log in.
Final Thoughts!
While these security precautions and preventive measures explained in this post won’t protect your site 100%, they will provide a huge measure of security.
It’s important to remember that hackers and malicious third parties are looking for the easiest backdoors into your website. Most of the time automated solutions are used to find these backdoors.
Securing your WP login keeps those doors closed and ensures that the only person to have access to your site is yourself.
Disclaimer: This is a guest post contributed by Nathan Goldfinch of AussieHosting.
Mansoor Ahmed Khan
Passionate about technology, entrepreneurship, and marketing, Mansoor Ahmed Khan is in computing since he knows how to type on a keyboard. His daily life is rocked by his family, projects, and his screen. Probably in this order, he likes to be convinced at least. You can reach out to him at [email protected].
