How to Secure the WordPress Admin Login Page from Brute Force Attacks
Are you seeing plenty of attacks on your WordPress admin login page? Protecting the admin login page from unauthorized access lets you block several common security threats. In this article, we are going to show you a number of very important tips and hacks to shield your WordPress admin login page.
I have been facing the same issue: for the last 2 weeks, someone has continuously tried to log in to my WordPress admin panel. They are using the same IP every time. I think they are using a brute force attack.
For security purposes, I am using the “Sucuri Security” plugin, which is installed on my site, and I have also installed “Limit Login Attempts and WPS Hide Login panel”.
So let’s start making your WordPress website login panel more secure.
Set a Strong Password and a Unique Username
Brute force attacks on login pages are among the most common kinds of hacking attack that your WordPress site is likely to face. If you keep a simple, short password or login user ID, your WordPress site will be hacked soon.
List of frequently used passwords in 2014.
Passwords by rank in terms of usage.
If you are using one of those passwords on your website, sooner or later your website will be hacked.
Always use robust passwords and unusual usernames. Still, most new WordPress admins use the WordPress-default username and need to alter their username. You can’t change the username directly. You have to add a new username from the admin user panel.
After that, you have to give Administrator access to that username. Once you have created the new username, log out of the current user ID and log in with the new username.
When you are logged in with the new username, go to Dashboard – Users – All Users.
Now delete the old username.
Always use a randomised password generator tool, like Secure Password Generator or Norton’s Password Generator. All are available on the internet and free to use.
If you have difficulty remembering your passwords, you may use a password saver or Dashlane’s password manager.
2 Step Verification
Google Authenticator is the best WordPress two-step verification plugin, and it can operate through a mobile or any Android device. The plugin generates a QR code which you have to scan with your Android or iOS device, or you can manually enter the key that you received on your mobile.
Your login will need a secret key, which is generated on your device, to log in. The plugin is used on a user-by-user basis and isn’t recommended for users with less privilege. Given that it’s highly unlikely that the hacker has any physical access to your mobile device, your website’s login page will be very secure indeed (assuming there are no other vulnerabilities).
Hide The Login Page or Wp-Admin Page
A hacker needs to find your admin login page if he intends to brute force the login panel to gain access. You can stop this with some of the security plugins. The idea is that hiding your login panel from the attacker can defend you from hacking, since the hacker can’t identify the login entry point of your website. Your website would be the equivalent of a house without a door, which nobody can enter.
Generally, a lot of WordPress websites have the login entry point at www.site.com/login.php.
Try typing Tweakerlinks.com/login.php into your browser’s address bar. Doesn’t work, does it? That is because it doesn’t exist. The TweakerLinks login entry is found at a different URL. Similarly, you can change the access point on your website to something else. Essentially, we modify the login page URL.
Similar to the login.php page, there’s the wp-admin directory that additionally needs to be secured. It’s fairly easy to do with either of these 2 plugins: WPS Hide Login and Protect Your Admin.
Protect WordPress Admin Directory
By default, WordPress already secures your WordPress admin login page. But setting password protection on your website’s admin directory provides a double layer of security for your website.
First of all, you have to log in to your WordPress web hosting cPanel dashboard. On the next screen, click on ‘Directory Privacy’ as shown below.
After that, you have to go into the /Public_Html/ directory. Here you will find the wp-admin folder; select that folder.
Next, you have to tick the small box next to “Password protect this directory” and give a name to the protected directory.
Finally, hit the save button.
Next, you have to hit the back button and then create a user. You have to fill in a username and password and then click on the save button.
Now, when someone tries to log in to the wp-admin or website admin directory on your website, they have to enter the username and password to access your login panel.
Limiting Number Of Login Attempts
This is one very straightforward way to reduce brute force login attacks on your admin login page. A lockdown option for failed login attempts solves a large part of the problem, i.e. the number of repeated brute force login attempts.
Whenever there’s a hacking attempt with one wrong password after another, the website admin panel gets blocked, and you get a notification of this unauthorized login activity.
A brute force login attack works by making repeated attempts to find your login ID and password, trying a number of combinations over and over.
You can secure your website: if someone continuously tries to log in to your WordPress site, you can track that IP and block the repeated login attempts.
Limit Login Attempts Reloaded provides a nice solution to defend your website’s admin login page. It tracks attackers’ IP addresses and also limits the number of login tries to protect your website.
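The tracking-and-lockout logic described above, as an added example that is not code from any of the plugins named: it counts failed logins per IP in a sliding window over web server access log lines. The log lines are constructed samples; the thresholds, the combined log format and `/wp-login.php` as the login script are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format prefix: client IP, timestamp, method, path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
MAX_FAILS = 4                     # assumed threshold
WINDOW = timedelta(minutes=5)     # assumed counting window
LOCKOUT = timedelta(minutes=20)   # assumed lockout length


def lockouts(lines):
    """Return {ip: lockout expiry} for IPs with MAX_FAILS failures inside WINDOW."""
    recent, locked = defaultdict(deque), {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Assumption: a failed login re-renders the form (200), while a
        # successful one redirects (302), so only POSTs answered 200 count.
        if method != "POST" or not path.startswith("/wp-login.php") or status != "200":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILS:
            locked[ip] = when + LOCKOUT   # each further attempt extends the lockout
    return locked


# Constructed sample log: one IP hammering the form, one user with a single typo.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [12/Mar/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.20 - - [12/Mar/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [12/Mar/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [12/Mar/2019:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [12/Mar/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.20 - - [12/Mar/2019:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.20 - - [12/Mar/2019:10:00:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 5400',
]

if __name__ == "__main__":
    for ip, until in lockouts(SAMPLE_LOG).items():
        print(f"block {ip} until {until.isoformat()}")
```

The same report run over a real access log shows which addresses a limit-login plugin would be locking out and whether the chosen threshold also catches legitimate users.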
I hope this post helped you learn some new tips and tricks to protect your website admin login page.
Very informative article. I am new with my site on the internet. I did not know that wp admin can also be hacked. Thanks, buddy, for the information.