The Most In-Depth & Essential Guide to WordPress Login Protection

Aug 23, 2018

The WordPress login page is the gateway to a WordPress site. Anyone with access to the WordPress admin gets control over the entire site.

[Screenshot: A typical WordPress login page]

Each day hundreds of thousands of websites are attacked. Hackers try to crack the login credentials to the WordPress admin in hopes of gaining control of the site. No website is too small to hack. Case in point, we at MalCare recorded over 10,000 blocked login attempts on a small website in a single week.

So if you think your website is too small to draw a hacker’s attention, think again.

Since plenty of small websites don’t have the correct security measures in place, they become an easy target. Big or small, the need for website security is urgent and necessary.

Hackers use automated tools to attack millions of WordPress websites on the internet, and the login page is one of the most commonly attacked parts of a WordPress site. Cracking the login credentials gives them complete access to the WordPress admin. Hence, it’s important to implement the right protection on your WordPress login. In this post, we look at the different techniques that’ll enable you to do that.

What Are the Different WordPress Login Protection Techniques?

There are many ways to secure the WordPress login. Login protection techniques can be divided into three groups: essential, advanced and miscellaneous login protection techniques. While the essential techniques are of the highest priority and absolutely necessary, the advanced and miscellaneous techniques offer additional protection. They help to make your site harder to crack.

In this post, we’ll cover not only the essentials but also the advanced and miscellaneous login protection techniques so that your WordPress login page can be as safe as possible.

The following are the login protection methods that we are going to discuss. 

a) Essential Login Protection Techniques:

  1. Enforce Strong Passwords
  2. Use Unique Username
  3. Change Your Display Name
  4. Prevent Discovery of Username

b) Advanced Login Protection Techniques:

  1. CAPTCHA-based Protection
  2. Blocking Suspicious IP Addresses
  3. Protect Yourself Against Global Bot Network
  4. Use HTTP Authentication
  5. Install SSL Certificate
  6. Implement Two-Factor Authentication

c) Miscellaneous Login Protection Techniques:

  1. Set Passwords to Expire
  2. Change WordPress Login Page Slug
  3. Auto-Logout When No Activity
  4. Restrict Dashboard Access for a Specific Time
  5. Change WordPress Security Keys
  6. Country Blocking

a. Essential Login Protection Techniques:

There are four essential login protection techniques and we are going to discuss them one by one in the following paragraphs. The very first technique is to –

1. Enforce Strong Passwords

Over the past few years, password cracking methods have matured significantly. An easy-to-guess password can be cracked within a few minutes. Having strong passwords can defend against such sophisticated password cracking techniques.

WordPress goes to some length to encourage users to use strong passwords. It auto-generates strong passwords, but you can still create an account using a weak password. And therein lies its shortcoming: WordPress encourages the use of strong passwords but doesn’t enforce them.

Therefore the onus of enforcing strong passwords falls on you.

[Screenshot: You can create accounts using a weak password]

Educate your site admins about the importance of using a strong password. Check in on them from time to time. Hold them accountable if they are still creating new user accounts with weak passwords. Change their roles if they can’t perform their administrative work properly.

Using a strong password minimizes the chances of a security breach. But strong passwords are hard to remember unless you have a few tricks up your sleeve. This post explains how to manage WordPress passwords.

2. Use Unique Username

Securing passwords is an important step towards protecting your login credentials, but there is a second component to any set of credentials – the username. If your username is easy to guess, then the hacker only needs to focus on the password. But if the username is not known, it makes the hacker’s job a lot more difficult.

Up until a few years ago, WordPress encouraged people to use “admin” as a username. Hundreds of thousands of websites were using “admin” as a username making themselves an easy target.

Although WordPress has stopped auto-suggesting “admin” as a username, many people still use it. Hence, we need to take measures to make sure that accounts are not created using common usernames such as “admin”.

You need to ensure that no one uses any of the targeted usernames, which include not just “admin” but also “test,” “administrator,” and “root”. Here’s an exhaustive list of commonly used usernames that you need to avoid.

Share this list with all your admin users so they can consult it every time they create a new user account. Moreover, go through the existing users of your site, and if you find a username that matches the list of common usernames, change it.
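As an added example that is not code from the MalCare post, the following must-use plugin (a file dropped into wp-content/mu-plugins/) enforces the two essentials above instead of only encouraging them: it makes WordPress reject the common usernames on account creation and rejects weak passwords on every form that sets one. The username list, the 12-character minimum and the tiny denylist are assumptions for the example.

```php
<?php
/**
 * Added example, not code from the MalCare post. A must-use plugin
 * (wp-content/mu-plugins/login-essentials.php) that enforces the first two
 * essentials. The username list and the 12-character minimum are assumptions.
 */

// 2. Use Unique Username: WordPress' own illegal_user_logins filter rejects
// these names (case-insensitively) on registration, on Users > Add New and in
// any wp_insert_user() call. Existing accounts are not renamed by this.
add_filter( 'illegal_user_logins', function ( $illegal ) {
    $common = array( 'admin', 'administrator', 'test', 'root', 'adm2016' );
    return array_unique( array_merge( (array) $illegal, $common ) );
} );

// 1. Enforce Strong Passwords: returns '' when the password is acceptable,
// otherwise a message explaining why it was rejected.
function le_password_error( $password, $login = '' ) {
    $password = (string) $password;
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    if ( '' !== $login && false !== stripos( $password, $login ) ) {
        return 'Passwords must not contain the username.';
    }
    // Tiny stand-in for a real list of breached or common passwords.
    $denylist = array( 'password1234', 'qwertyuiop12', '123456789012' );
    if ( in_array( strtolower( $password ), $denylist, true ) ) {
        return 'That password appears on a list of commonly used passwords.';
    }
    return '';
}

// Covers Users > Add New and every profile edit that sets a new password.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // no password was submitted with this form
    }
    $login = isset( $user->user_login ) ? $user->user_login : '';
    $msg   = le_password_error( $user->user_pass, $login );
    if ( '' !== $msg ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . $msg );
    }
}, 10, 3 );

// Covers the "lost password" reset form (wp-login.php?action=rp).
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! $user instanceof WP_User || ! isset( $_POST['pass1'] ) ) {
        return; // invalid reset key, or the form is only being displayed
    }
    $msg = le_password_error( wp_unslash( $_POST['pass1'] ), $user->user_login );
    if ( '' !== $msg ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . $msg );
    }
}, 10, 2 );
```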

3. Change Your Display Name

By using unique usernames, we have not completely thwarted the hackers. They will try to find the usernames associated with your site, and the display name is one of the ways they can get the username for your account.

For instance, on our website, my display name is “Lawrence.”

[Screenshot: My old display name was also my username]

“Lawrence” is also my username.

It’s not uncommon to have the same username and display name.

Changing the display name will make it harder for a hacker to find my username.

Thankfully, WordPress allows users to change their display name. And so, I altered my display name from “Lawrence” to “Phoebe”.

[Screenshot: The new display name hides my username]

When my website is targeted, hackers will pick up the name “Phoebe” and try to log into my site using it. They’ll inevitably fail.

Changing the display name does not really hide the username, though. My username is still visible in my author slug (i.e. the author URL). Hackers will find it if they know where to look.

[Screenshot: Changing the display name had no effect on my author slug]

4. Prevent Discovery of Username

Apart from the author slug, another way a hacker can discover a username is through the WordPress REST API. It’s a core WordPress feature introduced in 2016, and it allows anyone to discover information about the users of a WordPress site. All they have to do is open a simple URL: example.com/wp-json/wp/v2/users

To see if it really reveals the usernames of a site, we ran the URL on our site Westworld Fansite: http://westworldfansite.com/wp-json/wp/v2/users. It revealed information not just on one but on all of our site users.

[Screenshot: Anyone who opens this URL can view all our user information]

We, of course, didn’t want to knowingly leave a door open for the hackers. To prevent discovery of usernames, place the following code snippet in your theme’s functions.php file:

add_filter( 'rest_endpoints', function( $endpoints ) {
    // Remove the user collection route (/wp-json/wp/v2/users).
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // Remove the single-user route (/wp-json/wp/v2/users/<id>).
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
});

It hides the user list and gives a 500 error when someone tries to access this URL – http://westworldfansite.com/wp-json/wp/v2/users.

[Screenshot: Viewers are blocked from seeing any of our user information]
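The following must-use plugin is an added example, not code from the post, that closes both username leaks covered in sections 3 and 4. It hides the REST users routes only from visitors who are not logged in (removing them for everyone also breaks the block editor, which queries that route for its post author drop-down), and it gives every account whose author slug still equals its login a random slug, because changing the display name never touches the slug. The "author-" prefix and the option name are assumptions.

```php
<?php
/**
 * Added example, not code from the post. Closes the author-slug and REST API
 * username leaks from a must-use plugin. Prefix and option name are assumed.
 */

// (a) REST API: hide /wp/v2/users* from anonymous visitors only.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Block editor requests carry a REST nonce, so the user is already known
    // here; a bare browser visit to /wp-json/wp/v2/users counts as anonymous.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// (b) Author slug: /author/<slug>/ and the ?author=N redirect use
// user_nicename, which WordPress sets equal to the login by default. Give every
// account whose slug still equals its login a random one. Runs once; existing
// author archive links for those accounts will stop working afterwards.
add_action( 'admin_init', function () {
    if ( get_option( 'le_author_slugs_decoupled' ) ) {
        return;
    }
    $users = get_users( array(
        'fields' => array( 'ID', 'user_login', 'user_nicename' ),
    ) );
    foreach ( $users as $u ) {
        if ( $u->user_nicename !== $u->user_login ) {
            continue; // slug already differs from the login
        }
        // wp_update_user() appends a numeric suffix if the slug is taken.
        wp_update_user( array(
            'ID'            => $u->ID,
            'user_nicename' => 'author-' . strtolower( wp_generate_password( 8, false ) ),
        ) );
    }
    update_option( 'le_author_slugs_decoupled', 1 );
} );
```

With the routes removed for anonymous requests, WordPress answers a direct visit to /wp-json/wp/v2/users with its rest_no_route error instead of the user list, while editors keep the author drop-down.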

b. Advanced Login Protection Techniques:

1. CAPTCHA-based Protection

Hackers program automated bots to launch attacks on many websites at the same time. Within the span of a few seconds, these bots try various combinations of usernames and passwords many times over. And they don’t stop until they find the right ones. This type of attack is called a brute force attack, and it’s one of the most common attacks made on WordPress sites.

To protect our site from brute force attacks, we use CAPTCHA-based protection.

When someone tries to log in to our website and fails three consecutive times, MalCare automatically generates a CAPTCHA. Once you solve the “I’m not a robot” CAPTCHA, an image grid appears where you have to select all the images of a “bus” or a “crosswalk” or whatever you are instructed to select. You must be wondering how this helps in protecting your login page.

Image grids are solvable only by a human being. Bots are unable to read the images, and until the grid is solved they cannot reach the login page. This way, bots are prevented from making any further attempt at cracking your login credentials.

[Screenshot: Bots are unable to bypass image-based CAPTCHA]
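One way to get the same “three strikes” trigger without a CAPTCHA service, as an added example that is not MalCare’s code: a must-use plugin that counts failed logins per client address and refuses further password checks from that address for 15 minutes. It assumes the site is not behind a reverse proxy; the thresholds are assumptions as well.

```php
<?php
/**
 * Added example, not the MalCare plugin's code. A minimal per-IP login
 * throttle: after three consecutive failures the address is locked out for
 * 15 minutes. Both numbers are assumptions for the example.
 */
define( 'LE_MAX_FAILURES', 3 );
define( 'LE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function le_client_ip() {
    // REMOTE_ADDR is the one address the client cannot forge. Behind a trusted
    // reverse proxy, read the proxy's forwarding header here instead, or every
    // visitor shares the proxy's address and one attacker locks out everyone.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function le_failure_key() {
    return 'le_login_fail_' . md5( le_client_ip() );
}

// wp_login_failed fires for every rejected username/password pair. Attempts
// made while locked out fire it too, which extends the lockout window.
add_action( 'wp_login_failed', function () {
    $key = le_failure_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LE_LOCKOUT_SECONDS );
} );

// Priority 30 runs after WordPress' own password check (priority 20), so the
// lockout error replaces that result instead of being overwritten by it.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( empty( $username ) ) {
        return $user; // the login form was only displayed, not submitted
    }
    if ( (int) get_transient( le_failure_key() ) >= LE_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_failures',
            '<strong>Error:</strong> Too many failed login attempts from your address. Try again in 15 minutes.'
        );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( le_failure_key() );
} );
```

Because the counter is keyed on the client address, this has the same blind spot as manual IP blocking described below: an attacker who changes address starts with a fresh counter, and users behind one shared address can lock each other out.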

CAPTCHA protection is designed to prevent bots from cracking your credentials. But what if we could stop hacker bots from accessing our site permanently?

2. Blocking Suspicious IP Addresses

Every device (computer, mobile, tablet) is tied to an IP address. Even the device on which you are reading this article has one. Hack attempts on your website are made from a certain IP. If you can identify that IP address and block it, your site should be safe.

[Screenshot: IP addresses of failed login attempts made on our site]

We already have the MalCare Security Service installed on our site. One of the many things MalCare does is show us the IP addresses of users who have been trying to log in unsuccessfully.

Going through this log, we noticed how some of the IP addresses were failing to log in on a regular basis. We also noticed how some of these IP addresses were trying to log in using common usernames such as “adm2016”. This strengthened our belief that these IP addresses were malicious and needed to be blocked.

Over the period of a week, we tried to block any suspicious IP we saw in our logs. We placed the following code in our .htaccess file:

order allow,deny
deny from 192.168.20.10
allow from all

“192.168.20.10” is one of the IPs we banned. You can replace it with the IP address that you want to ban.

While executing IP blocking, we quickly learnt three things:

1. We accidentally blocked an actual user of the site and had to unblock them.

2. Hackers can just change their IP and try attacking our login again.

3. Although it didn’t happen to us, there are cases where admins accidentally blocked their own IP addresses, proving that manually blocking IP addresses is risky work.

In this light, joining network-level protection is useful, as it automatically prevents bad IP addresses (or traffic) from accessing our site.

3. Protect Yourself Against Global Bot Network

Hackers rarely target a single site. Instead, they attack many sites simultaneously. In the course of these attacks, they use the same IP address, which gets recorded by security plugins such as MalCare. The plugin collects information from malicious login attempts made on all websites in its network and blacklists the IPs that are carrying out those malicious login attempts.

Every time an IP makes a request on your site, it is checked against the blacklisted IP addresses.

If the request is malicious, it’s blocked from entering your site; if not, it is allowed to pass. The best thing is that the entire process is automated, so you don’t have to worry about accidentally blocking any of your users.

4. Use HTTP Authentication

HTTP authentication offers an extra layer of protection to the login page. It prevents anyone from using the WordPress login form unless they first unlock the page with a separate HTTP authentication credential.

[Screenshot: HTTP authentication enabled on our WordPress login page]

The HTTP Auth plugin lets you easily password-protect the admin area of your site. Using HTTP Auth, we set up a special HTTP authentication credential and distributed it among users. Within a few weeks, one user forgot what the authentication credentials were. He noticed that there’s no option to recover the forgotten credentials, so he got in touch with another user.

Since we have more than one user, we can remind each other when someone forgets their HTTP authentication credentials. For websites with a single user, forgetting the credentials would mean there is no one to ask for help. The only way to regain access to your site is by disabling the plugin from the File Manager.

Moreover, HTTP authentication credentials can be stolen in transit, especially if your site has no SSL certificate installed. Hence, to use HTTP authentication, you must install an SSL certificate.

5. Install SSL Certificate

When you create a WordPress site, some of you may notice a green lock at the beginning of your site URL and some will not see the lock. The lock signifies that the connection is encrypted, so no one is snooping around reading the login credentials that you use to access the site. A website without this lock is in danger of unwittingly exposing such sensitive information.

[Screenshot: We have an SSL certificate installed on our website]

Hence, if your site does not have the green lock, you need to switch to HTTPS. You can do this by purchasing an SSL certificate. Back in the old days, SSL certificates were used only for payment pages or login areas of websites. But with Google’s drive to make the web safer, many websites are switching to HTTPS entirely. Earlier it was difficult to purchase an SSL certificate, but with the advent of free services like Let’s Encrypt, anyone can install an SSL certificate on their site.

6. Implement Two-Factor Authentication

Have you ever noticed how Gmail authenticates users after logging in by sending a code to your smartphone? You use the code to access your account. Facebook also comes with a similar feature as it helps protect your Facebook account better. With more and more services using two-factor authentication, it is undoubtedly the wave of the future.

WordPress websites can also be protected using two-factor authentication (2FA). There are many 2FA plugins that allow WordPress sites to implement two-factor authentication. We decided to try out Mini Orange plugin because it works in tandem with the very popular Google Authenticator app. [Full disclosure: The two-factor authentication feature is in the works and MalCare users will be able to enable the feature soon.]

[Screenshot: We had to enter the passcode sent to our smartphone to access our WordPress dashboard]

Installing the plugin and setting up the app was easy. After setting it up, we logged out and tried logging into our site again. As usual, we used our username and password. Then, instead of taking us to the WordPress dashboard, we landed on a page asking for an OTP. OTP stands for one-time passcode, which we can get from the Google Authenticator app on our phone.

This setup ensures that only valid users like myself can access the site. In the worst-case scenario, hackers who may have cracked my password still need to get the unique passcode, which is only available on my smartphone.

Since two-factor authentication heavily relies on your smartphone, people without one will be unable to implement this type of protection on their site. Moreover, if you happen to lose your smartphone, it’ll be impossible to log in to your site unless you disable the plugin from the File Manager.

With this, we come to the end of advanced login protection measures. Moving on, we’ll discuss some miscellaneous techniques that’ll help you further secure your WordPress login page.

c. Miscellaneous Login Protection Techniques:

a. Set Passwords to Expire

Organisations like banks need us to change our passwords every few months. It can be an annoyance but can have some benefits too. For instance, even if someone cracks your password, they will only have a limited window to exploit the information if you change your password often.

The plugin “Expire Passwords” lets you set your passwords to expire after a number of days. When a user signs in after the specified period, they will be redirected to the password reset screen.

[Screenshot: Users are forced to reset their password after a specific period of time]

Does it help improve site security?

The benefits of setting passwords to expire are debatable, because when someone already has access to your site, they can create a new user account instead of using your account. When forced, they’ll simply set a new password.

b. Change WordPress Login Page Slug

All WordPress sites come with a default login page that looks like this: “example.com/wp-admin”. Since the WordPress login is one of the most commonly attacked parts of a WordPress site, if hackers can’t find the login page, they can’t try to crack your credentials.

iThemes comes with a feature called “Hide Backend”, using which we changed our login page from https://westworldfansite.com/wp-admin/ to https://westworldfansite.com/wplogin.

Following the change, we tried to access the default login page (https://westworldfansite.com/wp-admin/) but we were told that the page could not be found.

Although this technique hides your login page, it doesn’t necessarily protect your WordPress site in any way. Security tools such as iThemes change your login URL to a default address that the tool suggests. Just as I changed my login slug to the auto-suggested “wplogin,” many other websites using iThemes are using a similar URL format for their login page.

[Screenshot: iThemes auto-suggested “wplogin” for the login page URL]

Does it help improve site security?

Changing the WordPress login page URL is possibly the most recommended method and can be helpful against login attacks. But, again, it is quite easy for experienced hackers to circumvent.

If hackers know the format, they can still find your WordPress login page. Fortunately, you can change the default slug to something unique and hard to guess.

However, changing the login page slug without telling your site users beforehand will inconvenience them.

c. Auto-Logout When No Activity

Running a multi-user site comes with its own set of challenges. For instance, many of the users of my site work remotely from their homes. The chances of user rights being abused are higher when users step away to tend to urgent business without logging out.

We want our site to be safe when a user is inactive. Hence we decided to auto-logout any user who is inactive for a specific period of time using Bulletproof Security’s “Idle Session Logout” feature. This security plugin lets us set a time after which all inactive users are logged out automatically.

[Screenshot: Users see this page when they are logged out automatically]

Does it help improve site security?

Chances are that if someone wants to snoop around the website when a user goes to tend to urgent business, they are going to do it immediately after the user leaves.

Moreover, users who have a habit of being inactive for some time in the middle of their work found it mildly annoying to have to log in every time they want to get back to work.

d. Restrict Dashboard Access for a Specific Time

Another way to secure your site when there’s no activity is by blocking access to the WordPress dashboard for a specific time every day, typically at night when no one is working on the website.

On our website, we tried the iThemes Security plugin. It comes with an “Away Mode” that prevents access to our dashboard during a period that we specify in the Settings.

Does it help improve site security?

Over the course of using this feature, we learned that during an emergency we couldn’t log into the site until the curfew was over. Hence this type of security is not suitable for all WordPress websites.

e. Change WordPress Security Keys

Ever wondered how your browser keeps you logged in? After signing into your user account, your login information is stored in a cookie in an encrypted manner. WordPress uses random strings called security keys to strengthen the protection of the login information stored in that cookie.

There are a total of four security keys and they look like this:

[Screenshot: This is what typical WordPress security keys look like]

Although hard, it is not impossible to break your encrypted password. If you suspect your site has been hacked, changing the security keys will immediately log out all users, including the hacker. Since breaking your encrypted password is difficult, logging out the hacker may discourage them from hacking your site in the same way again.

To change your website’s security keys you need to modify the “wp-config” file. It’s a very important WordPress file and should be handled with caution; one misstep can lead to an irreversible disaster. Hence, users without any technical knowledge of WordPress files should use a tool like MalCare Security Service to change their security keys. MalCare comes with a “Site Hardening” feature that enables users to change the security keys in the config file without having to edit it manually.

Does it help improve site security?

One of the first post-hack measures is to change all passwords. If the hackers have the security keys, they can regain access to the site even if the passwords have been changed. Hence when a site is hacked, it is important to change the security keys along with the passwords.

f. Country Blocking

Sometimes hacker groups launch a massive attack on websites around the globe. This type of attack aims to cause severe damage to websites. The good news is there’s an effective way of safeguarding your site from attacks such as this. When too many suspicious failed login attempts are made from the same country, you can opt to block the country. But this should only be done after making sure that your site doesn’t draw a large amount of traffic from that particular country.

On our website Westworld Fansite, we noticed that several failed login attempts were being made from the United States. But a majority of our traffic also comes from the US and therefore we couldn’t block the country.

[Screenshot: Quite a number of failed login attempts were made from the US]

Does it help improve site security?

Country blocking helps mitigate hack attempts, but you need to tread with caution rather than relying too much on this tactic for security.

Over to You

While hardening your login page is not difficult, knowing what measures to take, and how to implement them, can make all the difference. By employing a comprehensive login protection strategy, you can sleep better at night knowing that the gateway to your website is equipped to handle all types of hack attacks like brute force attacks, phishing attacks, SEO spam, etc. Whether it is by using security plugins or through manual login protection measures, don’t forget to keep website backups to ensure you’re always prepared for the worst.

What do you think of the article? Did we miss any WordPress login protection measure? Let us know.

Thanks for reading.
