This Simple WordPress Tweak Can Protect Your Site From Falling Victim to a Hacking Attack
For SEO, WordPress is arguably the best platform (or CMS, content management system) for building a website. Unfortunately, its popularity also makes your site a magnet for brute-force login attempts from hackers looking to exploit your resources for their own purposes. The WordPress Codex has a good deal of information about brute force attacks.
At the very least, you should not use the ‘admin’ username. From the Codex:
The majority of attacks assume people are using the username ‘admin’ due to the fact that early versions of WordPress defaulted to this. If you are still using this username, make a new account, transfer all the posts to that account, and change ‘admin’ to a subscriber (or delete it entirely).
For another layer of protection, there is a very simple plugin that I use on all the websites I build for clients, called WP Hide & Security Enhancer by NSP Code. It’s robust and has many well-documented options, but the one feature you should activate immediately (like now!) is the one that changes both the default WordPress login URL and the admin URL. Every hacker in the world knows that every default WordPress installation uses the same login page:
There are different ways to increase protection for the login page, from strong passwords (you can use an automatic password generator) to multi-factor authentication. But none of these blocks the attempts themselves; anyone can still try brute force access. A hacker can write a script that tries thousands of username and password combinations in a matter of seconds. This slows down your site, and eventually the hacker will discover a working username and password combination.
After you install the plugin, “WP Hide” will appear in the left column. Expanding it reveals “Admin”; click it. You’ll now see two tabs; the first is wp-login.php. In the space provided, substitute any word you like for “wp-login”, keeping the .php suffix after it. Then click the “Yes” radio button in the Block default wp-login.php section and click “Save”.
The second tab, Admin URL, is even more important; its layout is similar to the screengrab above, so I’m not including one. Again, hackers know that a default WordPress installation creates the following URL for logging into the Admin Panel of a WordPress site:
In this tab, change wp-admin to something different. As in the last tab, check “Yes” in the Block default Admin URL section and click “Save”. Now hackers will have no idea what the admin login URL is and won’t be able to conduct a brute force attack against it.
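As an added example (not part of this post or of the WP Hide plugin), here is a small Python script that scans Apache-style access log lines for the two things this post is about: a single source repeatedly POSTing to the default wp-login.php, and whether requests to the default login and admin URLs are still being served (2xx/3xx) rather than blocked after the rename. The log lines, IP addresses and the threshold of five POSTs are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (sample data, not from any real site).
# The first five show a scripted login attempt against the default URL that was still being served;
# the 404 lines show what requests to the default URLs look like once the rename/block is active.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:12:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 404 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:01:11 +0000] "POST /wp-login.php HTTP/1.1" 404 812 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
"""

# Matches the client IP, request method, request path and HTTP status of a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return a dict with ip/method/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"],
            "path": m["path"].split("?")[0], "status": int(m["status"])}


def is_default_login_url(path):
    """True for the two default WordPress URLs the plugin renames and blocks."""
    return path == "/wp-login.php" or path.startswith("/wp-admin/")


def count_login_posts(lines, threshold=5):
    """Return {ip: count} for sources that POSTed to the default wp-login.php at least `threshold` times."""
    counts = defaultdict(int)
    for r in map(parse_line, lines):
        if r and r["method"] == "POST" and r["path"] == "/wp-login.php":
            counts[r["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def default_urls_still_served(lines):
    """Return requests to the default login/admin URLs that got a 2xx/3xx, i.e. were not blocked."""
    return [r for r in map(parse_line, lines)
            if r and is_default_login_url(r["path"]) and r["status"] < 400]
```

Run it against your real access log after enabling the plugin: any entry returned by `default_urls_still_served` means the default URL block is not actually in effect, while `count_login_posts` shows which sources were hammering the old login page.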
The plugin has many other advanced features (look at them all!); in fact, it can completely hide your WordPress installation. Those settings are a bit more complicated, but the author’s documentation can guide you should you choose to use them. For now, though, just changing these two login URLs on your WordPress site will help reduce the likelihood of your site falling victim to a brute force attack. Good luck!