Recently lot of WordPress blogs were attacked by huge botnet of hacked computers in attempt to guess admin passwords using brute-force. Unfortunately some of the blogs were taken down by hackers. Scary news.
Is there any way to secure your WordPress installation against this kind of attack?
First of all – you have to change your default admin name to something else. It is best to do during installation, but can be changed later too without too much troubles.
Another way of defense is to limit number of allowed login attempts – it is very easy to do as there is excellent free plugin called Limit Login Attempts.
How to use Limit Login Attempts plugin?
After installing the plugin it is time to configure it. There is nothing complicated about it at all, let’s take a look at available options:
Lockout – after how many failed login attempts plugin will put your blog into lockout mode, which means nobody will be able to log in for some time, defined in “X minutes lockout”. Next option allows you to define how many lockouts will put your blog into major lockout mode (it is a bit dangerous because attacker may keep you from logging in) and for how long.
Site connection – leave it set to Direct Connection
Notify on lockout – plugin will send you an email after given number of lockouts. It will also keep log of attackers’ IPs, which will allow you to ban them using other tools. I advise you to keep both these options on with Email to admin set to small value.
Please remember that even with this plugin installed you should use strong, long passwords made of letters and numeric characters – it will be much harder to break them in reasonable time! It is also good habit to check LLA plugin log for failed break in attempts.