Prevent Brute Force Attacks and enhance WordPress Security

A brute force attack is a hacking technique that raises serious security concerns. Everyone knows where the standard WordPress login page lives: an attacker simply appends "/wp-login.php" or "/wp-admin/" to your domain name to reach the backend. To avoid this, customize the default login page URL as part of your WordPress security.
Tips to secure WordPress Website
1. Modify the WordPress Database Table Prefix to secure login page

wp_ is the default prefix of the WordPress database tables. You can change it to "my_wp_", "i_wp_", "xyz_wp_" or any random prefix that is easy for you to remember and hard for an attacker to guess (WordPress accepts only letters, numbers and underscores in the prefix). Either set it while installing WordPress or change it later while configuring.
2. Rename login URL slug to secure login page

When attackers know the direct URL of the login page, or reach it through wp-login.php or /wp-admin/, they can launch a brute force attack against your site. They may also try to get in by guessing commonly used usernames and passwords. So change the login URL and make it unique rather than leaving the common default.
3. Set strong, long and complex passwords to secure login page

Setting complex passwords is a no-brainer, but it secures your WordPress site to a great extent. Set a strong password and change it regularly. Mix special characters, uppercase and lowercase letters and numbers to produce unpredictable passwords; such passwords are practically impossible for attackers to guess. Keep in mind, too, that anyone who knows the exact login URL can attack it, so renaming the slugs below keeps unauthorized visitors away from the login page:
- Change your WordPress wp-login.php URL slug to something unique, e.g. my_custom_login
- Change your WordPress /wp-admin/ URL slug to something unique, e.g. my_custom_admin
- Change your WordPress /wp-login.php?action=register URL slug to something unique, e.g. my_custom_registration
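Here is an added example, not from the article or any plugin it names, of how the wp-login.php rename in the first bullet can be done with a small must-use plugin; the slug, the EX_ prefix and the file name are assumptions, and the admin and registration slugs are not covered.

```php
<?php
/**
 * Plugin Name: Example custom login slug
 * Hypothetical mu-plugin (wp-content/mu-plugins/custom-login-slug.php), not the article's
 * or any named plugin's code. Serves the login form at /my_custom_login, the article's
 * example slug, and answers direct requests for /wp-login.php with a 404.
 * Assumes pretty permalinks; the admin and registration slugs are not covered.
 */
define( 'EX_LOGIN_SLUG', 'my_custom_login' );   // pick your own and keep it private

// Every URL WordPress builds for wp-login.php (form action, "Lost your password?",
// logout link, auth_redirect) passes through site_url, so rewrite it once here.
function ex_rewrite_login_url( $url, $path ) {
    if ( strpos( $path, 'wp-login.php' ) !== false ) {
        $url = str_replace( 'wp-login.php', EX_LOGIN_SLUG, $url );
    }
    return $url;
}
add_filter( 'site_url', 'ex_rewrite_login_url', 10, 2 );
add_filter( 'network_site_url', 'ex_rewrite_login_url', 10, 2 );

// When the slug is requested, hand the request to the real wp-login.php. wp_loaded
// fires after the bootstrap, so including the file at this point is safe.
add_action( 'wp_loaded', function () {
    $request = trim( (string) parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ), '/' );
    $base    = trim( (string) parse_url( site_url(), PHP_URL_PATH ), '/' ); // sub-directory installs
    if ( $request !== trim( $base . '/' . EX_LOGIN_SLUG, '/' ) ) {
        return;
    }
    $GLOBALS['ex_login_via_slug'] = true;           // lets the login_init check below pass
    $GLOBALS['pagenow']           = 'wp-login.php'; // themes and plugins key on this global
    require_once ABSPATH . 'wp-login.php';
    exit;
} );

// login_init runs inside wp-login.php. Without the flag the request came in directly
// (a scanner hitting /wp-login.php), so answer 404 instead of rendering the form.
add_action( 'login_init', function () {
    if ( empty( $GLOBALS['ex_login_via_slug'] ) ) {
        wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
    }
} );
```

Renaming hides the form but does not rate-limit it, so pair it with two-factor authentication and a lockout plugin such as the ones listed below.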
4. Use two-factor authentication to secure login page

Two-factor authentication is one of the best security measures available, so add a 2FA module to the login page. The website owner decides which two factors users must present. Normally, on top of the regular password, people set a second factor in the form of a secret question, a secret code, a set of characters or, most popular of all, the Google Authenticator app, which provides a secret code on your mobile. We prefer the Google Authenticator plugin (https://wordpress.org/plugins/miniorange-2-factor-authentication/), which helps you set up two-step authentication.
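As an added illustration of what such a plugin does underneath (not the miniOrange plugin's own code), the following hypothetical must-use plugin verifies a Google Authenticator style TOTP code as a second factor; the ex_ function names, the 'ex_totp_secret' meta key and the ex_totp form field are assumptions, and enrollment (generating the secret and showing its QR code) is left out.

```php
<?php
/**
 * Plugin Name: Example TOTP second factor
 * Hypothetical mu-plugin, not the miniOrange plugin's code. Adds an "Authenticator code"
 * field to the login form and checks it against a base32 TOTP secret stored in user meta
 * 'ex_totp_secret' (RFC 6238: HMAC-SHA1, 30 s step, 6 digits, the Authenticator defaults).
 */
function ex_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $bits .= str_pad( decbin( (int) strpos( $alphabet, $c ) ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {            // drop the trailing partial byte
        if ( strlen( $byte ) === 8 ) { $out .= chr( bindec( $byte ) ); }
    }
    return $out;
}
function ex_totp( string $key, int $time, int $step = 30, int $digits = 6 ): string {
    $hash   = hash_hmac( 'sha1', pack( 'J', intdiv( $time, $step ) ), $key, true );
    $offset = ord( $hash[19] ) & 0x0f;                         // dynamic truncation
    $number = unpack( 'N', substr( $hash, $offset, 4 ) )[1] & 0x7fffffff;
    return str_pad( (string) ( $number % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}
// Accept the current code and one step either side to tolerate clock drift.
function ex_totp_verify( string $b32secret, string $code, int $now ): bool {
    $key = ex_base32_decode( $b32secret );
    foreach ( array( -1, 0, 1 ) as $drift ) {
        if ( hash_equals( ex_totp( $key, $now + 30 * $drift ), $code ) ) {
            return true;
        }
    }
    return false;
}
// Extra input on the login form.
add_action( 'login_form', function () {
    echo '<p><label>Authenticator code<br><input type="text" name="ex_totp" class="input"'
       . ' inputmode="numeric" autocomplete="one-time-code"></label></p>';
} );
// Priority 30 runs after core's password check (20); $user is a WP_User only if it passed.
add_filter( 'authenticate', function ( $user ) {
    if ( ! $user instanceof WP_User ) { return $user; }     // keep core's error as is
    $secret = get_user_meta( $user->ID, 'ex_totp_secret', true );
    $code   = trim( (string) ( $_POST['ex_totp'] ?? '' ) );
    if ( $secret && ! ex_totp_verify( $secret, $code, time() ) ) {
        return new WP_Error( 'ex_totp', 'Invalid authenticator code.' );
    }
    return $user;   // no secret enrolled: falls back to password-only login
}, 30 );
```

A production plugin should also remember the last accepted time step per user so a code cannot be replayed within its window, and should store the secret encrypted rather than as plain user meta.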
5. Use the email address to log in to secure login page

By default, WordPress lets you log in with your username. Logging in with your email address is a more secure approach: people can guess usernames, but guessing email addresses is harder. Creating a WordPress account with a unique email address makes it a valid identifier for logging in.
6. Idle users auto-logged out of your WordPress site

Users who leave your site's wp-admin panel open on their screens present a serious security threat, because anyone passing by can use it. To avoid unwanted access on idle screens, enable auto-logout for users who have been inactive for a certain period, say 15 minutes. You can set the idle timeout with the BulletProof Security plugin (https://wordpress.org/plugins/bulletproof-security/), which lets you define a time limit for inactive users, after which they are signed out automatically.
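An added example, not BulletProof Security's code, of how such an idle timeout can be enforced on top of WordPress's own session tokens; the EX_ names, the ex_last_seen session key and the ex_idle query argument are assumptions.

```php
<?php
/**
 * Plugin Name: Example idle logout
 * Hypothetical mu-plugin, not BulletProof Security's code. Records the time of the
 * last request in the user's login session and ends that session once it has been
 * idle for 15 minutes (the interval the article suggests).
 */
define( 'EX_IDLE_LIMIT', 15 * MINUTE_IN_SECONDS );

add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $token    = wp_get_session_token();                                 // this browser's session
    $sessions = WP_Session_Tokens::get_instance( get_current_user_id() );
    $session  = $sessions->get( $token );
    if ( ! $session ) {
        return;
    }
    $last = (int) ( $session['ex_last_seen'] ?? $session['login'] );
    if ( time() - $last > EX_IDLE_LIMIT ) {
        wp_logout();                                                    // destroys this token only
        wp_safe_redirect( add_query_arg( 'ex_idle', '1', wp_login_url() ) );
        exit;
    }
    if ( time() - $last < MINUTE_IN_SECONDS ) {
        return;                         // avoid a user-meta write on every single request
    }
    $session['ex_last_seen'] = time();  // stored per session, so other devices are unaffected
    $sessions->update( $token, $session );
} );

// Explain the sign-out on the login screen.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['ex_idle'] ) ) {
        $message .= '<p class="message">You were signed out after 15 minutes of inactivity.</p>';
    }
    return $message;
} );
```

The check runs on the next request (front-end page views count as activity too), so the stale admin screen stays visible until the user clicks something; a plugin with a JavaScript timer can also redirect the idle tab itself.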
7. Monitor your files with security plugins

The following two plugins are highly recommended for WordPress security:
- Wordfence (https://wordpress.org/plugins/wordfence/) is a free plugin available in the WordPress plugin directory.
- iThemes Security Pro (https://ithemes.com/security/) is the paid version.
Both plugins provide protection against brute force attacks, SQL injection and cross-site scripting (XSS).
8. Take regular backups

If you have a backup of a hacked or lost site, you can easily restore it. So make sure you take backups regularly, preferably daily or weekly; this helps in case of malware or a SQL injection attack. Install this free plugin on your WordPress site:

UpdraftPlus (https://wordpress.org/plugins/updraftplus/). This WordPress backup plugin takes backups automatically and stores the backup data directly in the cloud: Google Drive, Dropbox, email, Rackspace Cloud, Amazon S3 (or compatible) and similar services. The paid version also backs up to Microsoft Azure, Google Cloud Storage, Microsoft OneDrive, Backblaze B2, SFTP, SCP and WebDAV.