Your WordPress login page is open to abuse
Most users of WordPress don’t give a second thought to this fact and until the day comes when a website has been hacked into and goes offline but most WordPress websites have a major security weakness by default.
2 facts you might not have considered
- by default the same username ‘admin’ is used for every single WordPress installation.
- there is no limit to the number login attempts to a WordPress website
What this means is the hackers out there already have the first piece of the puzzle to access your website, the exact username. Then all they need to do is run a program that tries thousands or millions for that matter of password combinations, know as a brute force attack, until they work out yours. There is nothing to stop them continuously trying to get in to your website.
2 things you can easily do to reduce this risk
- create a new username with administrator privileges and delete the admin user. (I believe thankfully in WordPress 3.0 you will have the option to create a unique administrator level user at the point of installing WordPress so all of these admin users should be reduced from that release forward.)
- install a plugin that limits the number of incorrect login attempts
The plugin(s) I recommend to deal with this issue
Limit Login Attempts – http://wordpress.org/extend/plugins/limit-login-attempts/
It is really easy to install and gives you the option to be emailed after a certain number of failed login attempts.
Also you can set how many attempts can be made before the username is locked out and the more consistent the attempts the longer the lockout period.
I highly recommend getting your new administrator username other than ‘admin’ before using this plugin or you could be locked out yourself if hackers keep attempting to login to using the admin username and that all you have to access your website.
Google Authenticator – http://wordpress.org/extend/plugins/google-authenticator/
Now this one can be used in conjunction with the limit login attempts plugin.
This is a beautiful piece of security to give you peace of mind and two factor authentication.
Once installed on your website you then install the Google Authenticator App on your iphone ( view iphone app here ) or Android phone (view Android app here) which generated a unique code every 30 seconds for your login.
This means that even if someone managed to guess your username and password they will never guess the 3rd item
To setup is very easy if you follow the basic steps correctly.
- Install the WordPress Plugin – Google Authenticator – http://wordpress.org/extend/plugins/google-authenticator/
- Go to your profile page and under the Google Authenticator setting put in a description. Use NO SPACES or it won’t work. Eg JohnSmithsBlog
- Click on Show/Hide QR code
- Install the iPhone version or Android version of Google Authenticator app
- Add new token and click on Scan Barcode
- Now the app will generate a new code every 30 seconds
- Use the current code on your iphone or android app at the time of login
- That’s all you have to do. Just remember you will need to view the app on you iphone or android device every time you login to get the code. How secure it that!
Good luck and I hope you enjoy using this plugin as much as I do!
I’ve been building WordPress websites for over a decade, spoken at conferences around the world, and taught countless people how to build and maintain their sites.
I know its a jungle out there finding the right people for website development.
But I’m here to help.
Author Profile – Tony Cosentino