
4 Ways to Secure Your WordPress Login

September 18, 2019


Hackers don’t need to be especially sneaky or sophisticated to get what they want. Often, they just break in through the front door. Using the right tools can help, but there’s more that you can do to protect your website.

In a report by Nathan Finch of Aussie Hosting comparing hosting companies on performance, the providers with the most downtime also tended to have poorly maintained servers, which raises the risk of security problems.

It has been reported that Google blacklists about 70,000 websites per week for security issues like malware and phishing. Your first line of defense against infiltration is protecting your WordPress login. This form of access control seems like a no-brainer, but you’d be surprised at how often the simplest security measures are overlooked or put on the back burner.

Regardless of security features offered by your hosting service on the back end, as a website owner, the buck stops with you.

[Image: Wordfence responsibility breakdown. Source: Wordfence]

What Makes WordPress Logins Vulnerable?

The very popularity of WordPress is what makes it an easy and attractive target. But what makes the platform vulnerable to attacks and exploits?

For one thing, attackers do a lot of reconnaissance before trying to break in. Certain WordPress versions have known vulnerabilities, and the platform has been around long enough that these are well catalogued. By default, the version number is disclosed in the generator meta tag in your page's <head>, in the RSS feed, in the ?ver= query string appended to core scripts and stylesheets, and in the readme.html file in the site root, unless you remove it.

Viewing your directory also provides useful information, such as which plugins and themes you have installed. Because WordPress and its plugins are open source, an attacker who knows a plugin name and version can look up its published vulnerabilities. Leaving unused or unsupported plugins in place is risky even when they are deactivated: their files remain on disk and reachable over the web, so a vulnerable plugin file that runs on its own (without being loaded by WordPress) can still be attacked. Once inside, attackers can launch further exploits, modify your code, hijack sessions, or lock you out of your own website.

Hackers check whether directory indexing is enabled by requesting folder locations directly and looking for an "Index of" listing, for example at paths like these. If you see such a listing on your own site, disable directory listing in your web server configuration (the Options -Indexes directive on Apache, autoindex off on nginx); WordPress ships an empty index.php in some of these directories for the same reason, but not in all of them.

/wp-content/

/wp-content/plugins/

/wp-content/themes/

/uploads/

/images/

They can look for vulnerable plugins either actively, with scanning tools that request known plugin paths, or passively, by reading the HTML of normal page responses: plugin and theme names show up in the paths of CSS stylesheets, JavaScript links, and HTML comments.

Another way attackers get into WordPress sites is through user enumeration, a simple prelude to a brute-force attack: uncover valid usernames, then guess their passwords with a dictionary attack or try default credentials. Usernames can be discovered by iterating author IDs in the URL like this:

wordpressexample.com/?author=1

wordpressexample.com/?author=2

wordpressexample.com/?author=3

If the ID exists, WordPress answers with a redirect (an HTTP 301, not a 303) to the author archive at /author/<username>/, revealing the login name. Since WordPress 4.7 the REST API also lists users who have published posts at /wp-json/wp/v2/users, and the login form's error messages tell an unknown username apart from a wrong password, which confirms the guesses.
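Both enumeration paths above can be closed at the application layer. The following is an added example, not code from the original post; it assumes a standard WordPress install and goes in a must-use plugin under wp-content/mu-plugins/ or in the theme's functions.php. It relies on WordPress's template_redirect action and rest_endpoints filter; the behaviour in wp-admin is untouched because template_redirect only runs for front-end requests.

```php
<?php
/**
 * Block author-ID enumeration (added example, not from the original post).
 * Install as wp-content/mu-plugins/block-user-enumeration.php.
 */

// 1. Stop /?author=N from redirecting to /author/<username>/.
//    template_redirect fires only on the front end, so author filtering
//    inside wp-admin (edit.php?author=N) keeps working.
add_action( 'template_redirect', function () {
    // Only the numeric form leaks: the attacker iterates IDs and reads
    // the Location header of the resulting redirect.
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// 2. Hide the REST users endpoints (/wp-json/wp/v2/users and
//    /wp-json/wp/v2/users/<id>) from anonymous callers. Logged-in users
//    keep them, since the block editor needs the endpoint for author pickers.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    // Route keys are exactly as registered by WP_REST_Users_Controller.
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

This narrows enumeration rather than eliminating it: usernames still appear in the author archive links on each post and in oEmbed responses, and the login form's error messages still differ for unknown users. Treat it as noise reduction and rely on rate limiting and a second factor for the real protection.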

WPScan, a WordPress vulnerability scanner, can try hundreds of passwords in about a minute. The output below is from a 2013-era test run against a test installation, using the old wpscan.rb syntax (current releases are invoked as wpscan --url <target> -U <user> -P <wordlist>):

ruby wpscan.rb -u 192.241.xx.x68 --threads 20 --wordlist 500worst.txt --username testadmin

********* SNIP ******************

[+] Starting the password brute forcer

Brute forcing user 'testadmin' with 500 passwords... 100% complete.
[+] Finished at Thu Jul 18 03:39:02 2013
[+] Elapsed time: 00:01:16

4 Ways to Protect Your Login Access

Fortunately, the WP developer and user community are diligent when it comes to providing support. Due to this, there are tools that are freely available and best practices you can learn and deploy to keep your website secure.

Here are four techniques that you can implement to secure the WordPress login page.

1. Remove the WP Version Number

Since attackers usually look for the version number first when checking for vulnerabilities, this is the first thing you should change when setting up your website. Remove it from the generator meta tag, the RSS feed, and the ?ver= query strings on scripts and styles using WordPress's own filters, not by editing core files or removing the wp_head hook altogether, which breaks plugins that depend on it and is still recommended on some sites around the internet.

The cleanest way to remove your WP version number is to add the following code to your theme's functions.php file. Two caveats: the ?ver= query string is also how WordPress busts browser caches when a script or stylesheet changes, so after stripping it you may need to clear caches when you update themes or plugins; and the readme.html file in the site root still prints the version, so delete it or block access to it as well. Hiding the version only slows fingerprinting (scanners can also match known file hashes); keeping WordPress updated is what actually removes the vulnerabilities.

// remove version from head
remove_action('wp_head', 'wp_generator');

// remove version from rss
add_filter('the_generator', '__return_empty_string');

// remove version from scripts and styles
function shapeSpace_remove_version_scripts_styles($src) {
	// strpos() returns false when 'ver=' is absent; compare strictly so a
	// match at offset 0 is not mistaken for "not found"
	if (strpos($src, 'ver=') !== false) {
		$src = remove_query_arg('ver', $src);
	}
	return $src;
}
// run late (priority 9999) so plugins that add their own ?ver= are caught too
add_filter('style_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);
add_filter('script_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);

No matter when you installed WP, you should always keep your WordPress updated to the latest version as soon as it’s released. The same goes for plugins and themes.

Read More: Updates Are Crucial for WordPress Security!

2. Change Your Login URL

The default login page is yourwebsite.com/wp-login.php, and yourwebsite.com/wp-admin redirects there when you are not logged in; everyone familiar with the platform knows both. Moving the login page to a non-default path stops the bulk of automated attempts that simply hit /wp-login.php. Treat it as a speed bump rather than a real control: it is security through obscurity, the new path leaks easily (in emails, in redirects, in a shared browser's history), and it does nothing for other authentication endpoints such as xmlrpc.php, which brute-force tools use to test many passwords in a single request via system.multicall. Limit attempts and add a second factor regardless.

You can use a plugin like iThemes Security to accomplish this effectively.

3. Reduce the Number of Login Attempts

Another weak WP default is unlimited login attempts, which is what makes dictionary attacks and other password-guessing techniques practical. The iThemes Security plugin can lock out an IP address or username after a set number of failed attempts and send you an alert.

If you only want the lockout feature, install Limit Login Attempts Reloaded and configure the number of allowed attempts and the lockout duration in its settings. Whichever plugin you use, keep the threshold low (around five) and check that the lockout also covers XML-RPC logins, which are otherwise an easy way around the limit.
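What a lockout plugin does under the hood, as an added example that is not code from the original post or from either plugin named above. It assumes a standard WordPress install and uses WordPress's wp_login_failed action, authenticate filter, wp_login action and transients; the five-attempt, fifteen-minute values and the example_ function names are choices made for this illustration.

```php
<?php
/**
 * Minimal per-IP login throttle (added example, not from the original post).
 * Five failures within fifteen minutes lock the IP out; every further attempt
 * while locked out refreshes the window, so hammering the form extends the lock.
 * Transients keep this dependency-free; on a multi-server setup back them with
 * a shared object cache so all nodes see the same counters.
 */

const EXAMPLE_FAIL_LIMIT  = 5;
const EXAMPLE_FAIL_WINDOW = 15 * MINUTE_IN_SECONDS;

function example_client_ip() {
    // Use REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless a
    // proxy you trust overwrites it; if so, read that proxy's header here instead.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_fail_key() {
    return 'example_login_fail_' . md5( example_client_ip() );
}

// Count every failed attempt against the client IP. wp_login_failed fires for
// wp-login.php and for xmlrpc.php logins alike, since both call wp_authenticate().
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_fail_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_FAIL_WINDOW );
} );

// Refuse to authenticate once the limit is hit. Priority 99 runs AFTER core's
// wp_authenticate_username_password (priority 20); returning early at a low
// priority would not help, because core ignores an incoming WP_Error when both
// username and password are present and checks the credentials anyway.
// Returning WP_Error here overrides even a correct password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_fail_key() ) >= EXAMPLE_FAIL_LIMIT ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 99, 3 );

// A successful login clears the counter so legitimate users are not penalised later.
add_action( 'wp_login', function () {
    delete_transient( example_fail_key() );
} );
```

Because a blocked attempt also returns a WP_Error, wp_authenticate() fires wp_login_failed again and the counter keeps climbing, which is the intended sliding lockout. The error message is deliberately the same whether the username exists or not.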

4. Limit Access and Use Two-Factor Authentication

By now you should know to choose a long, unique password for every account. Next, limit the number of people with access to your site's inner workings: give each user the lowest role that lets them do their job, and remove accounts that are no longer needed. Third, enable two-factor authentication, so that logging in requires both the password and a one-time code from an authenticator app or a hardware key; a stolen or guessed password alone is then not enough.
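To show what the second factor actually is, here is an RFC 6238 TOTP implementation as an added example; it is not code from the original post or from any plugin, and it is meant to explain what a 2FA plugin computes, not to replace a maintained one. It assumes PHP 7 or later; the 30-second step and six digits are the defaults authenticator apps use, and the example_ function names are this illustration's own.

```php
<?php
/**
 * RFC 6238 TOTP verification (added example, not from the original post).
 * A 6-digit code is derived from a shared secret and the current 30-second
 * time step; the server recomputes it and compares in constant time.
 */

const EXAMPLE_TOTP_STEP   = 30;   // seconds per time step
const EXAMPLE_TOTP_DIGITS = 6;

/** Decode the base32 secret that authenticator apps are enrolled with. */
function example_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $val = strpos( $alphabet, $c );
        if ( $val === false ) {
            return false;                         // reject characters outside the alphabet
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {            // drop trailing padding bits
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

/** HOTP (RFC 4226) for one counter value; TOTP is HOTP over the time step. */
function example_hotp( $secret, $counter ) {
    $msg    = pack( 'J', $counter );                      // 64-bit big-endian counter
    $hmac   = hash_hmac( 'sha1', $msg, $secret, true );   // 20 raw bytes
    $offset = ord( $hmac[19] ) & 0x0f;                    // dynamic truncation
    $code   = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            |   ord( $hmac[ $offset + 3 ] );
    $code   = $code % ( 10 ** EXAMPLE_TOTP_DIGITS );
    return str_pad( (string) $code, EXAMPLE_TOTP_DIGITS, '0', STR_PAD_LEFT );
}

/**
 * Accept the current step and one step either side to absorb clock drift.
 * hash_equals() keeps the comparison constant-time.
 */
function example_totp_verify( $secret, $code, $now = null ) {
    $step = intdiv( $now ?? time(), EXAMPLE_TOTP_STEP );
    foreach ( array( 0, -1, 1 ) as $drift ) {
        if ( hash_equals( example_hotp( $secret, $step + $drift ), (string) $code ) ) {
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 6238 Appendix B test vector: secret
// "12345678901234567890", time 59 s, SHA-1 gives 94287082, i.e. "287082" at six digits.
$rfc_secret = '12345678901234567890';
assert( example_hotp( $rfc_secret, intdiv( 59, EXAMPLE_TOTP_STEP ) ) === '287082' );
assert( example_totp_verify( $rfc_secret, '287082', 59 ) === true );
assert( example_totp_verify( $rfc_secret, '000000', 59 ) === false );
```

A real plugin adds two things this sketch leaves out: it records the last accepted time step per user so a code cannot be replayed within the drift window, and it stores the secret encrypted at rest rather than as plain user meta. Hardware keys (WebAuthn) avoid the shared secret entirely and are the stronger option where your users can use them.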

Final Thoughts!

While the precautions explained in this post won't protect your site 100%, they remove the easiest ways in.

It's important to remember that hackers and malicious third parties look for the easiest way into your website, and most of the time they find it with automated tools.

Securing your WP login closes those doors and makes it far more likely that the only people with access to your site are the ones you have given it to.

Disclaimer: This is a guest post contributed by Nathan Goldfinch of AussieHosting.

Mansoor Ahmed Khan

Passionate about technology, entrepreneurship, and marketing, Mansoor Ahmed Khan has been in computing since he learned to type on a keyboard. His daily life revolves around his family, his projects, and his screen, probably in that order, or so he likes to be convinced.
