Why You Need to Limit WordPress Login Attempts
Dec 15, 2021
Did You Know?
- Google blacklists about 10,000 websites each day for malware and thousands more each week for phishing.
- Your site could potentially get blacklisted if it’s compromised.
- If your site is attacked and hacked, your online business is dead in the water until the compromise is cleaned up.
- If you use WordPress for your business website, then it’s important to closely monitor WordPress security.
What’s a Brute Force Attack?
A brute force attack is an automated trial-and-error attempt to break into a website, in this case a WordPress site, usually carried out by bots.
The most common form is password guessing: automated software keeps trying different combinations until it hits the admin password and gains access to the site.
Better Safe Than Sorry
Out of the box, WordPress does not limit how many times a password can be tried. Limiting the number of login attempts greatly reduces the chance of hackers breaking into your website through the admin login page.
Use a WordPress Plugin to Limit Login Attempts
The easiest way to limit login attempts in WordPress is to use a dependable, reputable plugin designed to detect bot attacks and lock them out after several failed attempts. Such a plugin also temporarily blocks the attacking IP addresses and notifies you when a user is locked out.
A popular choice is ‘Limit Login Attempts Reloaded’, with over 2 million active installs.
Features of this plugin include:
- Limit the number of retry attempts when logging in (per each IP).
- Configurable lockout timings.
- Email notification of blocked attempts.
- Logging of blocked attempts.
- Safelist/Blocklist of IPs and usernames (supports IP ranges).
- Sucuri compatibility and Wordfence compatibility.
- XML-RPC gateway protection.
- WooCommerce login page protection.
- Multi-site compatibility with extra MU settings.
- GDPR compliant.
After installing and activating the plugin, click ‘Settings’ in the left navigation menu.
Then click ‘Limit Login Attempts’:
After clicking Limit Login Attempts in the navigation, the Dashboard for this plugin appears.
The Dashboard displays daily and cumulative numbers for failed attempts, failed attempts by country, and so on.
From the Dashboard, Click ‘Settings’:
The default settings work well for most sites, but there are a few settings you’ll want to configure.
GDPR Compliance: check the box if you want the plugin to run in GDPR-compliant mode.
Notify on Lockout: enter the email address that should receive lockout notifications, and the number of lockouts that must occur before you are notified.
Scroll down the page to Local App and enter your preferred values for allowed retries, lockout minutes, and so on.
Be sure to click ‘Save Settings’ before leaving the page.
In the top navigation, click ‘Logs’.
The Statistics page is displayed.
In the ‘Safelist’ box, enter every IP address you want excluded from blocking.
To find your own IP address, open ipchicken.com in a browser.
Your IP address is displayed. Enter that address in the Safelist box.
Enter IP addresses you want to block in the ‘Blocklist’ box. This is useful when your visitor analytics show particular sites or IPs that are constantly hammering your site. IP ranges can also be entered here.
If you believe your site needs blocklist/safelist configuration beyond your knowledge level, don’t hesitate to reach out to us to analyze your logs, and configure this plugin for you.
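The per-IP lockout policy described above (allowed retries, lockout minutes, safelist and blocklist with ranges) modeled in Python as an added example that is not the plugin's or WordPress's own code; it also shows why the brute-force guessing described earlier stalls once attempts are limited. The retry count, lockout length, addresses and ranges are assumed values.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values, mirroring the plugin settings described above.
ALLOWED_RETRIES = 4               # failed attempts from one IP before a lockout
LOCKOUT_MINUTES = 20
SAFELIST = ["203.0.113.10"]       # constructed: the site owner's own address
BLOCKLIST = ["198.51.100.0/24"]   # constructed: a range seen pounding the login page

def in_list(ip, entries):
    """True if ip matches any single address or CIDR range in entries."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(e, strict=False) for e in entries)

class LoginLimiter:
    def __init__(self, retries=ALLOWED_RETRIES, lockout_minutes=LOCKOUT_MINUTES,
                 safelist=SAFELIST, blocklist=BLOCKLIST):
        self.retries, self.lockout_secs = retries, lockout_minutes * 60
        self.safelist, self.blocklist = safelist, blocklist
        self.failures = defaultdict(int)  # ip -> consecutive failed attempts
        self.locked_until = {}            # ip -> time (seconds) when its lockout ends
        self.lockout_events = []          # (ip, time) pairs a notification email would report

    def attempt(self, ip, now, password_ok):  # -> 'blocked' | 'locked' | 'failed' | 'ok'
        if in_list(ip, self.blocklist):
            return "blocked"              # blocklisted: never reaches the password check
        if self.locked_until.get(ip, 0) > now:
            return "locked"               # inside the lockout window, even with the right password
        if password_ok:
            self.failures.pop(ip, None)   # a successful login resets the counter
            return "ok"
        if in_list(ip, self.safelist):
            return "failed"               # safelisted IPs can fail but are never locked out
        self.failures[ip] += 1
        if self.failures[ip] >= self.retries:
            self.locked_until[ip] = now + self.lockout_secs
            self.failures.pop(ip, None)
            self.lockout_events.append((ip, now))
            return "locked"
        return "failed"

# Constructed event stream: (ip, seconds since start, was the password correct?)
EVENTS = ([("192.0.2.5", t, False) for t in range(4)]            # 4 bad guesses -> lockout
          + [("192.0.2.5", 4, True), ("192.0.2.5", 1204, True)]  # still locked; then expired
          + [("203.0.113.10", t, False) for t in range(5, 10)]   # owner mistypes 5x: never locked
          + [("198.51.100.77", 11, False)])                      # inside the blocklisted range

def replay(events, limiter=None):
    """Run events through a limiter; return the per-attempt decisions and the limiter."""
    limiter = limiter or LoginLimiter()
    return [limiter.attempt(ip, t, ok) for ip, t, ok in events], limiter
```

With these values a single address gets at most four guesses per 20-minute window, which is the reduction in guessing rate the plugin relies on.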
Additional Ways to Protect a WordPress Website
Passwords
The first layer of protection is to always assign a very strong password, and then write it down for easy reference. Change passwords every three months.
Keep WordPress Updated
WordPress is open-source software that is actively maintained and frequently updated. WordPress usually installs minor updates automatically; it is your responsibility to initiate or allow major releases.
Themes and plugins are supplied and maintained by third-party developers who release updates often. These updates are crucial for theme and plugin stability as well as security. It is your responsibility to update installed themes and plugins as needed, as well as the WordPress core.
Hosting for WordPress Site
The hosting service you choose matters to the security of a WordPress website. Your host provides an array of safeguards to protect your site, including automatic backups and advanced security configurations.
It is recommended to use ‘WordPress Hosting’ for a WordPress site. Compare hosting plans and you’ll see our WordPress Hosting plan includes security updates and an SSL certificate.
WordPress Sites Need SSL
Data transferred between a browser and your website (and vice versa) can be intercepted in transit. SSL (Secure Sockets Layer, today implemented as TLS) encrypts that traffic, which makes it much harder for an attacker to read or tamper with data exchanged with your WordPress site.