Protect WordPress Login Page – Plugins and Hacks

by Hiroshi on 01-09-2009


WordPress is the most widely used blogging platform, which makes it a favourite target. Its login page is a plain form that does nothing to stop an attacker from trying password after password until one works. Here is a collection of useful WordPress plugins, tips and hacks that harden the login area: they rate-limit and lock out brute-force attempts, hide the obvious targets, keep credentials off the wire in the clear and cut down on automated spam. None of them makes a break-in impossible, but together they take the cheap attacks off the table and make the expensive ones slow and noisy.

WordPress Plugins to Secure Login

Use the following plugins to secure the WordPress login area. They let you limit login attempts, lock the login down when an attack is detected, and move the login away from the obvious locations everybody knows, e.g. .../wp-admin/.

AskApache Password Protect

This plugin is designed and regularly updated to stop automated and unskilled attempts to exploit vulnerabilities on your blog. It puts HTTP authentication in front of your entire /wp-admin/ folder and login page: either HTTP Basic Authentication, or HTTP Digest Authentication, which at least keeps the password itself out of the request (Basic sends it base64-encoded, i.e. in the clear, unless the site runs over HTTPS). Because Apache enforces the check before any PHP runs, attacks are stopped before they ever reach WordPress, which also blocks a good deal of spam and saves CPU, memory and database resources. The plugin can additionally forbid common exploit and attack patterns with ModSecurity, mod_rewrite, mod_alias and Apache's tried-and-true core security features. Pick a username and password for it that differ from your WordPress credentials.


Limit Login Attempts

Limits the number of login attempts per IP address, both through the normal login form and through the auth cookie. By default WordPress allows unlimited attempts either way, so a password (or, via the cookie, a hash) can be brute-forced with relative ease. Limit Login Attempts blocks an address from making further attempts once the retry limit is reached, which turns a brute-force attack from easy into slow and noisy.



Login LockDown

Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery. The plugin currently defaults to a 1-hour lockout of an IP block after 3 failed login attempts within 5 minutes; both values can be changed via the Options panel. Administrators can release locked-out IP ranges manually from the panel.
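To make concrete what Limit Login Attempts and Login LockDown do, here is a minimal per-network lockout written as an added example for this page; it is not either plugin's code. It is a small plugin file hooking WordPress's own login actions. It assumes WordPress 2.8 or later for the transient API, and the thresholds (3 failures, 5-minute window, 1-hour lock, /24 range) are the Login LockDown defaults described above; the `mll_` names are mine.

```php
<?php
/*
Plugin Name: Minimal login lockout (added example)
*/
// Added example, not Login LockDown's or Limit Login Attempts' code. Three failures
// from the same /24 within five minutes lock that range out of the login for one hour.

define( 'MLL_MAX_FAILURES', 3 );
define( 'MLL_WINDOW_SECONDS', 5 * 60 );
define( 'MLL_LOCKOUT_SECONDS', 60 * 60 );

// Key counters on the client's /24 so rotating through a handful of addresses in one
// block does not reset the count. REMOTE_ADDR is used on purpose: X-Forwarded-For is
// attacker-controlled unless a trusted proxy is known to overwrite it.
function mll_client_range() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $octets = explode( '.', $ip );
        return "{$octets[0]}.{$octets[1]}.{$octets[2]}.0/24";
    }
    return $ip; // IPv6: fall back to the exact address
}

function mll_fail_key() { return 'mll_fail_' . md5( mll_client_range() ); }
function mll_lock_key() { return 'mll_lock_' . md5( mll_client_range() ); }

// Runs on every failed login: keeps the timestamps of recent failures and converts
// them into a lock once the threshold inside the window is reached.
function mll_record_failure( $username ) {
    $now      = time();
    $failures = get_transient( mll_fail_key() );
    $failures = is_array( $failures ) ? $failures : array();
    $failures = array_values( array_filter( $failures, function ( $t ) use ( $now ) {
        return $t > $now - MLL_WINDOW_SECONDS;
    } ) );
    $failures[] = $now;

    if ( count( $failures ) >= MLL_MAX_FAILURES ) {
        set_transient( mll_lock_key(), $now + MLL_LOCKOUT_SECONDS, MLL_LOCKOUT_SECONDS );
        delete_transient( mll_fail_key() );
        return;
    }
    set_transient( mll_fail_key(), $failures, MLL_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'mll_record_failure' );

// Refuses authentication while a lock is active. Registered late (priority 99) so it
// runs after core's password check: a correct guess during a lockout is still refused,
// so the attacker cannot tell a right password from a wrong one.
function mll_refuse_when_locked( $user, $username, $password ) {
    $until = get_transient( mll_lock_key() );
    if ( false === $until ) {
        return $user;
    }
    $minutes = max( 1, (int) ceil( ( $until - time() ) / 60 ) );
    return new WP_Error( 'mll_locked',
        sprintf( 'Too many failed logins from your network. Try again in %d minutes.', $minutes ) );
}
add_filter( 'authenticate', 'mll_refuse_when_locked', 99, 3 );
```

Drop the file into wp-content/plugins/ and activate it. It counts only failures reported through `wp_login_failed`, so the cookie-based attempts that Limit Login Attempts also covers are not counted here; the `authenticate` filter, on the other hand, gates every login path that goes through `wp_authenticate()`. Keying on the username instead of the network gives you the per-account lock that User Locker implements, with the lockout-as-denial-of-service trade-off noted below.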


User Locker

A default WordPress installation is vulnerable to brute-force and dictionary attacks because there is no limit to how many times someone can try an invalid password before hitting the right one. This plugin closes that hole by enforcing a maximum number of invalid login attempts per account. When someone exceeds it, the account is locked and can be unlocked only by requesting a new password (via the Lost Password option) or by asking an administrator. This makes brute-force and dictionary attacks against a known account far harder. The flip side of locking accounts rather than addresses is that anyone who knows your username can lock you out of your own blog simply by entering wrong passwords, so keep the Lost Password route working and do not pair it with an obvious username such as 'admin'.


Stealth Login

Don't use www.yourblog.com/wp-admin/ (or wp-login.php) as your login URL as-is: everybody knows that is the gateway into your blog. This plugin lets you create custom URLs for logging in, logging out, administration and registration. Instead of advertising your login URL on your homepage, you pick one of your own, which can be easier to remember than wp-login.php, e.g. http://www.myblog.com/login, or harder to guess, e.g. http://www.myblog.com/secretplacetologin.

You can also enable "Stealth Mode", which prevents direct access to wp-login.php, and then set your login URL to something more cryptic. If someone does manage to obtain your password, this makes it harder for them to find where to actually log in, and it keeps the bots that hammer wp-login.php from reaching the form at all. Keep in mind that this is obscurity, not authentication: anyone who sees the URL (a link on a page, a referrer, a shared screen) gets past it, so treat it as a supplement to rate limiting and a strong password, never a replacement.


Secure SSL Login - Admin SSL

You can log in to the WordPress admin panel over an encrypted channel with SSL, meaning your admin session URLs will start with https://. First confirm with your web host that you have shared SSL or your own SSL certificate: FORCE_SSL_ADMIN only redirects, it does not make HTTPS work, and without a working HTTPS site you get a redirect loop. Then paste the following line into wp-config.php, above the "That's all, stop editing!" line:

define('FORCE_SSL_ADMIN', true);

Alternatively use the Admin SSL plugin, which can force SSL on all pages. Admin SSL secures the login page, the admin area, posts, pages, whatever you want (everything that requires a password), using private or shared SSL. Once you have activated the plugin, go to the Admin SSL config page to enable SSL.
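The one case where the single define above bites people is a TLS-terminating reverse proxy or load balancer. The following wp-config.php fragment is an added example for this page, not code from the Admin SSL plugin; it assumes the proxy sets X-Forwarded-Proto and overwrites any copy of that header a client sends, because otherwise a client could set the flag itself.

```php
<?php
// Added example wp-config.php fragment (not the page's or Admin SSL's code).
// Place it above the "That's all, stop editing!" line.

// Behind a proxy that terminates TLS, PHP sees a plain-HTTP request, so is_ssl()
// returns false and FORCE_SSL_ADMIN would redirect to https:// forever. Translate the
// proxy's header into the server variable core checks. Only safe if the proxy is known
// to overwrite a client-supplied X-Forwarded-Proto header (assumption).
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Redirect wp-login.php and everything under /wp-admin/ to https://, so the login
// happens over TLS and the admin authentication cookie is issued as a secure cookie.
define( 'FORCE_SSL_ADMIN', true );
```

If the site is served directly by Apache with mod_ssl, the header check is unnecessary and the single define is enough.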


Semisecure Login Reimagined

When you don't have SSL, this method is a partial substitute. Semisecure Login Reimagined increases the security of the login process by using an RSA public key to encrypt the password on the client side when a user logs in; the server then decrypts it with the private key. JavaScript is required for the encryption. It is most useful where SSL is not available but the administrator wants an additional measure without sacrificing convenience. Be clear about what it buys you: a passive eavesdropper no longer sees the password, but an attacker who can modify traffic can swap the public key served over plain HTTP for their own, and the login cookie WordPress sets afterwards still travels in the clear, so it is not a replacement for SSL.


One-Time Password

This simple-to-use plugin lets you log in to your WordPress blog with passwords that are valid for one session only. One-time passwords keep your main WordPress password from being stolen in less trustworthy environments such as internet cafes, for example by key loggers, because each password is useless once it has been used. The one-time password system conforms to RFC 2289 of the Internet Engineering Task Force (IETF).
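To show what "conforms to RFC 2289" means in practice, here is the S/KEY-style one-time password chain from that RFC, written as an added example for this page (it is not the One-Time Password plugin's code). It uses the RFC's default hash, otp-md5, assumes ASCII pass phrases and seeds, and leaves out the six-word output form; the function names are mine.

```php
<?php
// Added example of RFC 2289 one-time passwords (otp-md5). Not the plugin's code.

// RFC 2289 folds MD5's 16-byte digest to 8 bytes by XORing the two halves.
function otp_md5_fold( $data ) {
    $digest = md5( $data, true );
    $folded = '';
    for ( $i = 0; $i < 8; $i++ ) {
        $folded .= chr( ord( $digest[ $i ] ) ^ ord( $digest[ $i + 8 ] ) );
    }
    return $folded;
}

// OTP for sequence number $count: hash(seed || pass phrase), then hash $count more
// times. The seed is case-insensitive, so it is lower-cased before use.
function otp_generate( $passphrase, $seed, $count ) {
    $state = otp_md5_fold( strtolower( $seed ) . $passphrase );
    for ( $i = 0; $i < $count; $i++ ) {
        $state = otp_md5_fold( $state );
    }
    return strtoupper( bin2hex( $state ) ); // 16 hex digits = 64 bits
}

// Server side. The server keeps only the last accepted OTP (sequence n). A login must
// present sequence n-1, which is valid exactly when hashing it once gives the stored
// value; nothing the server stores lets it compute the next password. On success the
// presented value replaces the stored one, so the same OTP is never accepted twice.
function otp_verify( &$stored_hex, $presented_hex ) {
    $presented = @hex2bin( $presented_hex );
    if ( false === $presented || 8 !== strlen( $presented ) ) {
        return false;
    }
    $expected = strtoupper( bin2hex( otp_md5_fold( $presented ) ) );
    if ( ! hash_equals( $stored_hex, $expected ) ) {
        return false;
    }
    $stored_hex = strtoupper( $presented_hex );
    return true;
}

// Compare against the MD5 test vectors in RFC 2289 Appendix C.
function otp_selfcheck() {
    return otp_generate( 'This is a test.', 'TeSt', 0 ) === '9E876134D90499DD'
        && otp_generate( 'This is a test.', 'TeSt', 1 ) === '7965E05436F5029F'
        && otp_generate( 'This is a test.', 'TeSt', 99 ) === '50FE1962C4965880';
}

// Enrolment stores sequence 99; the user then logs in with 98, replays 98 (which the
// server must reject), and logs in with 97.
$stored = otp_generate( 'This is a test.', 'TeSt', 99 );
$first  = otp_verify( $stored, otp_generate( 'This is a test.', 'TeSt', 98 ) );
$replay = otp_verify( $stored, otp_generate( 'This is a test.', 'TeSt', 98 ) );
$next   = otp_verify( $stored, otp_generate( 'This is a test.', 'TeSt', 97 ) );
printf( "self-check %s, first login %s, replay %s, next login %s\n",
    otp_selfcheck() ? 'ok' : 'FAILED', var_export( $first, true ),
    var_export( $replay, true ), var_export( $next, true ) );
```

The pass phrase never leaves the user's own calculator; only the sequence number and seed are public, so a key logger that captures one password captures something the server will refuse from then on. What the scheme does not protect is the session cookie issued after login, which over plain HTTP is still readable on the wire.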


WordPress Hacks/Tips to Secure Login

Follow these tips and hacks to secure the WordPress login and admin area.

Change the default Username 'admin' or remove it

Remove all obvious hints that help an attacker. Every WordPress installation comes with a default administrator account named 'admin' (WordPress 3.0 and later let you choose the name at install time). If the attacker already knows the username, half of the work is done: all that is left is to guess the password. Change it or remove it.

Go to phpMyAdmin, open the wp_users table and edit the 'admin' row's user_login field.
OR
In phpMyAdmin, click the SQL tab and run the following query (with your real table prefix):

update tableprefix_users set user_login='newuser' where user_login='admin';

Renaming the row this way leaves user_nicename and display_name untouched, and user_nicename is the slug shown in author archive URLs, so update those too or the old name still leaks. The cleanest route is to create a second administrator account, log in as it, and delete the user named 'admin' from the Users screen, reassigning its posts to the new account.

Pick a Strong Password

Choose a long password with a mix of letters, digits and special characters; the more characters, the better, and never reuse it on another site. See also: how to choose a strong password.

Limit Admin Access via IP Address

You can restrict the WP admin area so that only certain IP addresses can reach it. Create a .htaccess file in the /wp-admin/ folder if there is not one there already (it may be hidden; use your FTP client's option to show hidden files). Note that wp-login.php lives in the site root, not in /wp-admin/, so this file protects the admin panel; to cover the login page itself, put the same directives inside a <Files wp-login.php> block in the root .htaccess. Paste the following into .htaccess:

# Apache 2.2 syntax (mod_authz_host). On Apache 2.4 enable mod_access_compat,
# or replace the order/deny/allow lines with "Require ip xx.xx.xx.xxx".
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# allow my own IP address
allow from xx.xx.xx.xxx
# allow another IP address
allow from xx.xx.xx.xxx

You can modify the above if you also need to get in from addresses you cannot list in advance, at the cost of a second login: listed addresses get straight through, anyone else has to pass HTTP Basic authentication first:

# full filesystem path to the htpasswd file, ideally outside the web root
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
Require valid-user
# allow my own IP address
allow from xx.xx.xx.xxx
# allow another
allow from xx.xx.xx.xxx
Satisfy Any

"Require valid-user" together with "Satisfy Any" tells Apache to accept a request if either condition is met: the client's IP address is on the allow list, or it presents a valid username and password from the htpasswd file. From an unlisted address you therefore get an Apache login prompt before you ever see the WordPress login screen. Please DO NOT use the same username and password in the htpasswd file that you use for WordPress, or you defeat the purpose of the extra layer. Also check that nothing on the public side of your site calls /wp-admin/admin-ajax.php, since the IP restriction will break it for ordinary visitors.

Remove Admin Login Page Error Message Display

When a login fails, WordPress tells you which of the two parts was wrong: "Invalid username" for an unknown user, "Incorrect password" for a known one. That lets an attacker confirm valid usernames before spending any effort on passwords. You can suppress the hint with the filter below. It only affects the login form's message; other responses, such as the Lost Password form, can still confirm whether a username exists.

Add this to your theme's functions.php file (return a generic string such as 'Login failed.' instead of '' if you prefer a message to a blank box):

<?php
// Replace the login error text with an empty string for every failed attempt, so the
// form no longer says whether the username or the password was wrong.
function hide_login_error_details( $error ) {
    return '';
}
add_filter( 'login_errors', 'hide_login_error_details' );
?>


5 Responses to “Protect WordPress Login Page – Plugins and Hacks”

  1. Sep 21, 2009
    sudharsan Says:

    Super site for website beginners.
    It's very useful for me to develop my website.
    Please, I request you to guide me how to avoid injection in my site, or publish it on your site.
    Inform me at: sudharsan.ec90@gmail.com
    Thank you ……

  2. Sep 24, 2009
    Hiroshi Says:

    @sudharsan: Hi Sudharsan, I write here as much as I know about security, vulnerabilities, threats, XSS and fixes. You can subscribe to this blog if you want to be updated on a regular basis.

  3. Sep 25, 2009
    Barbra Scurley Says:

    I don't know if I said it already but... hey, good stuff... keep up the good work! :) I read a lot of blogs on a daily basis and for the most part people lack substance, but I just wanted to make a quick comment to say I'm glad I found your blog. Thanks :)

    A definite great read... Barbra Scurley

  4. Thanks for the post – I was able to use User Locker to beef up a site that had been hacked

  5. Mar 2, 2010
    Jason Says:

    Good tip on filtering the login errors, but something more friendly than a blank box would be helpful. This will do the trick:

    Regards,
    Jason

