Are hackers or script kiddies trying to hack your WordPress blog? Don’t think that just because you haven’t been hacked (yet) that they aren’t trying!
I recently added some Mod_Security rules to the servers that I manage so I could see login failures as they happened – I was shocked to see thousands of attempts every day across the sites on the servers. All of this is completely invisible to your WordPress dashboard by default and if you aren’t looking for it, you would never even know it’s happening.
Find out who is trying to hack your WordPress
Because I manage the servers for all of my websites, I can easily add firewall and Mod_Security rules to see or block these would-be hackers, but the average blogger on a shared host does not have this luxury. There are many security-related plugins available that can help you see and block hackers, but not all of them work very well and others can cause more issues than they solve, so I’ve taken the time to find and test a few lightweight plugins that get the job done for you – because that’s just the kind of guy that I am.
Plugin to log brute-force hacking attempts:
I have tested the Login Security plugin and found that it does a great job of recording every login attempt at your site. It also gives you the option to block the IP after the fact. Use this plugin to find out how many times hackers try to brute-force your blog. This plugin is very lightweight and does nothing automatically to block the attempts; it only logs them so you can see how many times it happens. After a few days, when you see how many times your blog is being slammed, you’ll want to do something about it. Don’t bother with the “block IP address” option in this plugin; read on and use the next plugin.
Plugin to block brute-force hacking attempts:
Now that you’re good and paranoid about all the bad guys trying to hack your blog, do something about it!
The Security-Protection plugin is a simple and lightweight plugin that adds some ‘fake’ fields to your login page that only automated bots can see. When the brute-force bots try to log in they (usually) enter something in these invisible fields, and the plugin blocks the login attempt. I’ve done quite a bit of testing and it seems to do the job. Just install it and forget it. No configuration required!
Just use one, not both
The only problem with the Security-Protection plugin is that it seems to render the Login Security plugin (the one that logs the attempts) useless, because it blocks those attempts before they can be logged. Now that you know the bad guys are trying to get in, you can go ahead and uninstall Login Security and rely on the Security-Protection plugin to quietly stop (most of) the bad guys.
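As an added example (this is not the code of either plugin mentioned above), the single-file plugin below combines both jobs so that blocking does not hide the attempts from the log: it adds a hidden honeypot field to the login form, rejects any submission where a bot filled that field, and writes every failed attempt, whether honeypot-caught or a plain wrong password, to a log file with the client IP. The field name `lhl_website`, the log path under `wp-content`, and the use of `REMOTE_ADDR` as the client address are assumptions; the second argument of the `wp_login_failed` action requires WordPress 5.4 or newer.

```php
<?php
/*
Plugin Name: Login Honeypot and Failure Log (illustrative example)
Description: Added example, not the Login Security or Security-Protection plugin. Logs failed logins per IP and rejects any login POST that filled a hidden honeypot field.
*/

// Hypothetical field name; any name a real visitor would never fill in works.
define( 'LHL_HONEYPOT_FIELD', 'lhl_website' );

// Assumed log location: one tab-separated line per failed attempt, under wp-content (must be writable).
function lhl_log_path() {
    return WP_CONTENT_DIR . '/login-failures.log';
}

// Client address. REMOTE_ADDR is the safe default; only trust X-Forwarded-For style
// headers if your host is known to set them, because a bot can forge them.
function lhl_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// Append one record: UTC timestamp, IP, submitted username, reason.
// sanitize_user() in strict mode collapses whitespace and strips odd characters,
// so a crafted username cannot inject extra lines into the log.
function lhl_record( $username, $reason ) {
    $line = sprintf( "%s\t%s\t%s\t%s\n", gmdate( 'c' ), lhl_client_ip(), sanitize_user( $username, true ), $reason );
    file_put_contents( lhl_log_path(), $line, FILE_APPEND | LOCK_EX );
}

// 1) Add the honeypot input inside the wp-login.php form. It is moved off-screen with
//    inline CSS and excluded from tab order, so browsers never show it to people,
//    but a bot that fills every input it finds will populate it.
add_action( 'login_form', function () {
    printf(
        '<p style="position:absolute;left:-9999px;" aria-hidden="true"><label>Leave this field empty <input type="text" name="%s" value="" autocomplete="off" tabindex="-1"></label></p>',
        esc_attr( LHL_HONEYPOT_FIELD )
    );
} );

// 2) Refuse the login if the honeypot was filled. Priority 30 runs after WordPress's own
//    username/password check (priority 20), so a filled honeypot overrides even a
//    correct password; returning WP_Error makes wp_authenticate() treat it as a failure.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD']
        && ! empty( $_POST[ LHL_HONEYPOT_FIELD ] ) ) {
        return new WP_Error( 'lhl_honeypot', __( 'Login blocked.' ) );
    }
    return $user;
}, 30, 3 );

// 3) wp_authenticate() fires wp_login_failed for every WP_Error result (except empty
//    username/password), so this one hook logs both honeypot blocks and wrong-password
//    attempts. Bots that skip the hidden field still show up here as bad credentials.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    $reason = ( $error instanceof WP_Error ) ? $error->get_error_code() : 'unknown';
    lhl_record( $username, $reason );
}, 10, 2 );
```

Drop the file into `wp-content/plugins/` and activate it; the log then answers the "how many times?" question from the logging section while the honeypot does the blocking, and `grep lhl_honeypot` versus `grep invalid_username` or `incorrect_password` in the log shows how many bots the hidden field actually catches.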
One more thing!
If your WordPress administrator username is “Admin”, CHANGE IT NOW! And if you aren’t using a good, strong password on all of your accounts, update them! Don’t make it easy for someone to hack your blog!
If you run Mod_Security2 and would like some simple rules to block a lot of these attempts at the server, leave a comment or contact me.

Prevent Brute Force Logins On WordPress by Randy "Wilson" Brown