If you are concerned about someone trying to crack your WordPress login ID and password, then you definitely want to create a strong login ID and password. But even with that, crackers will still try brute-force attacks, dictionary attacks, and many other methods to break through the door of your WordPress website.
What Can You Do?
You can install a simple plugin such as Limit Login Attempts to lock them out after a defined number of failed attempts. And that works quite effectively – I use it for my clients.
Can More Be Done On The Login Side?
If the login screen is where they will try to get into your WordPress website, guessing at your login ID and password, then why not just eliminate that port of entry? Oh yeah, there’s that pesky business where we might need to log in ourselves and take care of some task.
Then, why not limit the access to the login page altogether?
Block Access Except To Certain IP Addresses
In the root directory of your WordPress installation (where the wp-content folder is located), edit your .htaccess file, adding the following lines BEFORE anything else in the .htaccess file.
```apache
<Files wp-login.php>
order deny,allow
deny from all

# whitelist Your First IP address
allow from xxx.xxx.xxx.xxx

# whitelist Your Second IP Address
allow from xxx.xxx.xxx.xxx

# whitelist Your Third IP Address
allow from xxx.xxx.xxx.xxx
</Files>
```
Add as many whitelist entries as you need, one allow line for each IP address you want to allow access from.
If you are on a Dedicated (or Static) IP, then you are set.
Only the IP addresses that you’ve whitelisted can even reach your login page to attempt any type of login to your WordPress website. Anyone else who tries to access the login page will get a 404 error, which will be handled however you’ve programmed 404 errors to be handled.
What If I Don’t Have A Static IP?
Some people believe that you should NOT use this method if you are not on a static IP. I don’t subscribe to that idea.
It’s too simple for me to type “What is my IP” into a Google search, discover my new IP, and then, using my FTP software, edit my .htaccess file to use the new IP address. Grand total: a couple of minutes to change the allowed IP address.
What If I’m In A Public Access Point (Starbucks, McDonalds, a friend’s house)?
Use the same steps as when your own IP address changes: a Google search to find your IP, then add that IP as an additional allow line in your .htaccess file. But when you are finished at that location, be sure to remove that entry so no one else can access your login page from that location.
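Before pushing an edited .htaccess to a live site, it is worth checking that the allowlist actually admits the addresses you expect and nothing else, and the add-then-remove routine for a temporary hotspot IP is easy to script. The following is an added example written for this article, not code from the article, WordPress or Apache. It evaluates Apache 2.2-style `order deny,allow` rules for the wp-login.php block exactly as described above (full IPs, partial dotted prefixes such as `10.1`, and CIDR or netmask forms), and adds or removes a temporary allow line. The sample .htaccess text and its addresses are constructed, and the helper names (`parse_login_rules`, `is_allowed`, `add_allow`, `remove_allow`) are mine.

```python
"""Audit and edit the IP allowlist in a WordPress .htaccess <Files wp-login.php> block.

Added example for this article (not code from the article, WordPress or Apache).
Assumes the Apache 2.2-style "order deny,allow" rules shown in the post; the helper
names below are this example's own.
"""
import ipaddress
import re

# Constructed sample .htaccess content mirroring the article's block, with made-up addresses.
SAMPLE_HTACCESS = """\
<Files wp-login.php>
order deny,allow
deny from all

# whitelist home office (static IP)
allow from 203.0.113.10

# whitelist branch network
allow from 198.51.100.0/24
</Files>

# unrelated rules follow
RewriteEngine On
"""

FILES_BLOCK = re.compile(r"<Files\s+wp-login\.php>(.*?)</Files>", re.IGNORECASE | re.DOTALL)
RULE = re.compile(r"^\s*(allow|deny)\s+from\s+(.+?)\s*$", re.IGNORECASE)


def parse_login_rules(htaccess_text):
    """Return (allow_patterns, deny_patterns) found inside the wp-login.php Files block."""
    m = FILES_BLOCK.search(htaccess_text)
    if not m:
        raise ValueError("no <Files wp-login.php> block found")
    allows, denies = [], []
    for line in m.group(1).splitlines():
        r = RULE.match(line)
        if not r:
            continue  # comments, blank lines and the 'order' directive carry no hosts
        target = allows if r.group(1).lower() == "allow" else denies
        target.extend(r.group(2).split())  # one directive may list several hosts
    return allows, denies


def _matches(pattern, client_ip):
    """Apache host patterns: 'all', a full IP, a partial dotted prefix, CIDR or netmask."""
    ip = ipaddress.ip_address(client_ip)
    if pattern.lower() == "all":
        return True
    if "/" in pattern:  # 10.1.0.0/16 or 10.1.0.0/255.255.0.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        pass
    # A partial IPv4 such as '10.1' means the leading octets must match (not a string prefix,
    # so '10.1' must not match 10.10.x.x).
    octets = pattern.split(".")
    if ip.version == 4 and all(o.isdigit() for o in octets):
        return str(ip).split(".")[: len(octets)] == octets
    return False  # hostnames are not resolved in this example


def is_allowed(htaccess_text, client_ip):
    """'order deny,allow': a request is refused only if a deny matches and no allow matches."""
    allows, denies = parse_login_rules(htaccess_text)
    denied = any(_matches(p, client_ip) for p in denies)
    allowed = any(_matches(p, client_ip) for p in allows)
    return allowed or not denied


def add_allow(htaccess_text, client_ip, comment):
    """Insert a commented 'allow from' line just before </Files> (e.g. a temporary hotspot IP)."""
    ipaddress.ip_address(client_ip)  # reject garbage before it reaches the live file
    if client_ip in parse_login_rules(htaccess_text)[0]:
        return htaccess_text
    return re.sub(
        r"</Files>",
        lambda m: f"# {comment}\nallow from {client_ip}\n</Files>",
        htaccess_text,
        count=1,
        flags=re.IGNORECASE,
    )


def remove_allow(htaccess_text, client_ip):
    """Drop the allow line (and its preceding comment line) for an IP when you leave that location."""
    pat = re.compile(
        r"(?:^#[^\n]*\n)?^allow\s+from\s+" + re.escape(client_ip) + r"\s*$\n?",
        re.IGNORECASE | re.MULTILINE,
    )
    return pat.sub("", htaccess_text, count=1)


if __name__ == "__main__":
    print("home office allowed:", is_allowed(SAMPLE_HTACCESS, "203.0.113.10"))
    print("stranger allowed:", is_allowed(SAMPLE_HTACCESS, "192.0.2.5"))
    temp = add_allow(SAMPLE_HTACCESS, "192.0.2.5", "temporary: coffee shop, remove when done")
    print("hotspot allowed after add:", is_allowed(temp, "192.0.2.5"))
    print("hotspot allowed after remove:", is_allowed(remove_allow(temp, "192.0.2.5"), "192.0.2.5"))
```

Run it against your own .htaccess text with the address you are currently using and with an address you expect to be refused. One caveat for newer servers: `order`, `deny` and `allow` are the Apache 2.2 directives; on Apache 2.4 they only work when mod_access_compat is loaded, and the native form is `Require ip` inside the same `<Files wp-login.php>` block.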
O.K. Now My WordPress Website Is Secure. Right?
Your WordPress installation is definitely more secure than it was prior to this point, but it’s not completely secure. There are plenty more steps you can take to secure your WordPress website. Take an evening to read through the many articles on WPMU.org that have been written about WordPress security. You will come away better educated to protect your WordPress installation.
Are there any specific steps you’ve taken to better secure your WordPress installation? Share them here so that everyone can benefit.