Security is always one of the top concerns about websites, including WordPress. And login security is the foundation of many other security features, and usually the first line of defense.
Aside from using vulnerabilities in WordPress, a less-skilled but much more common attack is brute force attack. The invader (I don’t want to call them hackers. They don’t deserve the name.) would try to login your WordPress with the guessing usernames and passwords, over and over again. These usernames and passwords may be common ones, such as “admin” with “123456789”. Or they may be aggregated from the leaked data breach.
In the marketplace, we have many different types of solutions to secure your WordPress login. This article discuses some easy and free ways to add more protections against brute force attacks. You could pick one or more of them depending on your situation.
Backup Data Regularly
I know, it’s not going to make your login system safer. But first of all, we all have to admit that, there is NO complete security. Regular backup is important in recovery. Save it for a rainy day.
Captcha
Captcha is a system to determine whether or not the user is human. Without the Captcha protection, the invader would use the computer program to automatically try to login your WordPress tirelessly. With Captcha enabled on the login pages, it increases the bar to launch an automatic attack.
The most popular and free solution is reCAPTCHA from Google. And we have quite a few excellent WordPress plugins to integrate it. Personally I used Advanced noCaptcha & invisible Captcha and Invisible reCaptcha for WordPress.
Unfortunately, Google services including reCaptcha is unavailable or unstable in some countries and areas. If your site has a huge traffic from there, you need to consider some alternatives.
Limit Login Attempts
We might mis-type our password once or twice. How about three times or four or even more? Do you think it’s normal? Probably no. A sequence of failed login attempts seems very suspicious.
Limit Login Attempts Reloaded is a wonderful and essential WordPress plugin. It blocks the requests, if the Internet address sent too many failed login attempts. Before I installed this plugin, I did not even notice that the brute force attacks are so frequent.
Login Notifier
Limit Login Attempts Reloaded would notify you if someone tried but failed to login your WordPress site. But what if they stole or got the username and password from somewhere else, and successfully logged into your site? I would like a notification at least!
Per a quick search in WordPress site, we do not have many (popular) plugins to choose. Additionally, my use case is very simple: singe site and singe user. So I made this functionality manually:
1 2 3 4 5 6 7 8 | function notice_login($user_login, $user) { $to = 'my email at codesays.com'; $subject = 'Login Alert'; $message = 'Someone logged in as ' . $user_login; wp_mail( $to, $subject, $message ); } add_action( 'wp_login', 'notice_login', 10, 2); |
Two Factor Authentication
Two Factor Authentication (aka 2FA) would drastically increase the overall login security. Nowadays it’s widely used in our online services, such as Google account and bank account.
Personally I do not use it on this site. But per the search on WordPress, there are some highly-rated and popular plugins for this purpose. And Google Authenticator – WordPress Two Factor Authentication (2FA) declares that “for 1 User forever FREE”.
Strong Password
Lastly and the most importantly, use a STRONG password: be long and complex!