WordPress Website Security: Dealing with Break-in Attempts

WordPress websites have frequent break in attempts

If your website is like this one, there are frequently attempts to break into the Admin Panel. Being systematic about passwords and monitoring will go a long way to being secure.

It is important to have a strong password protocol.  Also critical is some kind of monitor to keep you informed as attempted break ins happen.  This post explains what I have done to provide a layman’s approach to security. It is strong and should be enough to stop your admin panel from being compromised. The approach is no or low cost.

How to create a strong password system. 

I have a four step system to create strong passwords for everyday use.  Use a password generator.  Copy the strong password to the admin password entry on wordpress admin panel. Then copy it to a text file kept offline for backup. Finally use a password vault tool to login on a daily basis.  

Use a password generator. 

My hosting service, bluehost has a strong password generator on its Cpanel to create strong passwords.  It is to allow users into the cpanel, and the website area.  Using this tool, I created and copied a password which is difficult and incomprehensible.  According to a password tester a standard computer running a password cracking software will take decades to break a password created this way.  This strong password is my primary line of defense against break ins.

Copy this password from the password generator to the WordPress admin area as the admin password.  I also copy the password to a text file on a USB because I will never remember it and having an off line digital copy on a USB is a good practice.  I use this method for all my other passwords. If I need to recover this password or any other password, I have a backup copy stored offline to recover my passwords. Finally I use a password vault tool like Keeper Password Manager & Digital Vault or anyone of the many available tools like it to use to login on a daily basis.

Change the admin account name. 

Do not name the admin account username admin, Admin, or ADMIN.  Use something else.  Remember user names are case sensitive. These three account names are the three most common user names I am seeing being used to attempt a break-in to the admin area of this wordpress website.  By not using these three names I will show you a strong way to block hacking attempts.

Use a  Monitoring and security tool.

I use All In One WP Security & Firewall.  It is lightweight. It monitors login attempts and informs you when someone attempts and fails to get into your site. It allows you to lockout IP addresses and usernames. Finally the basic version is no cost to use and robust in function.

Lightweight.  This means that the security tool does not heavily use processing resourcesYour website host likely is a shared host and as such, your share of the processing resources is constrained by who else shares your server.  This tool works mostly as a perimeter security tool preventing inappropriate people from gaining access to your admin area. It locks down many avenues of attack on word press sites. However it does not monitor the health of the site, nor use active processing to test or scan users, look for compromised code added to your site or back your site up.  All these other steps are important parts of website host security and should be addressed too.

The  Monitoring and Security tool use:  I have setup the login security as follows: If  someone attempts to login and fails; after 3 attempts within 30 minutes my monitor locks out the IP address that attempted to login for 3 hours.  Additionally if someone uses the user name, admin, Admin, or ADMIN to login they are immediately locked out. By black listing these three user names; the most common problem user names, I have created a strong way to block bad login attempts.  Both of these fails generate a failed login attempt email report.  I use these reports to create a black list of IP addresses and IP address ranges not allowed to login on my site. 

In Conclusion

By always having very strong passwords,  these lock out rules and a growing list of black listed IP addresses I make it very hard for someone to break into my website’s admin panel.

This Post Has 2 Comments

    1. site owner

      Thank you for your positive comment. Since I put it up, we have had a significant drop in break-in attempts. It worked as I hoped to warn away such attempts.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.