I can’t believe this wasn’t on my list of favorite WordPress plugins (I’ve since modified the list to include it).
I first installed the Limit Login Attempts plugin some time ago but after forgetting my password a couple of times I disabled it. You see, with so many blogs I don’t always update all of the passwords at the same time. So, by inserting an incorrect password one too many times, I would end up locking myself out of my own blog. Not fun!
Change of Heart
I recently decided to reinstall the Limit Login Attempts plugin after looking at my traffic logs. I found quite a few IP addresses accessing my WordPress Login screen. It doesn’t take a rocket scientist to figure out why someone besides me is spending time on my Login screen.
By installing the Limit Login Attempts plugin, I’m able to add a layer of protection between would-be hackers and my blogs. The plugin allows me to set the number of login tries before being locked out. I can also configure it to notify me after a pre-set number of lockouts. On some blogs I set the number to 1 and on others to 2.
Several Tier Lockout
After a lockout, the hacker, er, I have 60 minutes or so before I can try again. I’ve actually increased the lockout time to about 6 hours. After that, if anyone gets locked out again, the lockout time is increased to several days. In the meantime, the plugin logs the IP address and the username used in the login attempt.
Oh, and to get around being locked out because I forgot the password, I created a second login username and password that are impossible for me to forget. That way, if I happen to lock myself out using username #1, I can always use username #2 to gain administrative access and reset the lockout.
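To make the two-tier lockout and the reset concrete, here is an added example in Python that models the behaviour described above; it is not the plugin’s code. The retry count, 6-hour first lockout and logging of IP plus username follow the post; the escalation to the long lockout on the second lockout and the 3-day length of “several days” are assumed values, as are the IP addresses and usernames in the scenario.

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class LockoutPolicy:
    allowed_retries: int = 2              # failed tries before a lockout (post: 1 or 2)
    lockout_seconds: int = 6 * HOUR       # first-tier lockout ("about 6 hours")
    lockouts_before_long: int = 2         # assumed: the second lockout escalates
    long_lockout_seconds: int = 3 * DAY   # assumed value for "several days"
    notify_after_lockouts: int = 1        # notify from this lockout count onward


@dataclass
class IpState:
    failures: int = 0        # failed tries since the last success or lockout
    lockouts: int = 0        # lockouts so far, drives the escalation
    locked_until: float = 0  # epoch seconds; 0 means not locked


class LoginLimiter:
    def __init__(self, policy, check_password):
        self.policy = policy
        self.check_password = check_password  # (username, password) -> bool
        self.state = {}          # ip -> IpState
        self.log = []            # (time, ip, username, event), like the plugin's log
        self.notifications = []  # messages that would be e-mailed to the owner

    def attempt(self, ip, username, password, now):
        st = self.state.setdefault(ip, IpState())
        if now < st.locked_until:
            self.log.append((now, ip, username, "rejected while locked out"))
            return "locked"
        if self.check_password(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        self.log.append((now, ip, username, "failed login"))
        if st.failures < self.policy.allowed_retries:
            return "failed"
        # Threshold reached: lock the IP, escalating on repeat offenders.
        st.failures = 0
        st.lockouts += 1
        if st.lockouts >= self.policy.lockouts_before_long:
            duration = self.policy.long_lockout_seconds
        else:
            duration = self.policy.lockout_seconds
        st.locked_until = now + duration
        self.log.append((now, ip, username, f"lockout for {duration}s"))
        if st.lockouts >= self.policy.notify_after_lockouts:
            self.notifications.append(
                f"too many login attempts from {ip} "
                f"(lockout #{st.lockouts}, last username {username!r})")
        return "lockout"

    def clear(self, ip):
        """What the owner does from the second account: reset the lockout."""
        self.state.pop(ip, None)


def run_scenario():
    # Constructed credentials and IP for the demo; only one login is valid.
    valid = ("backup-owner", "correct-horse-battery")
    limiter = LoginLimiter(LockoutPolicy(), lambda u, p: (u, p) == valid)
    ip = "203.0.113.45"
    results = [
        limiter.attempt(ip, "admin", "password1", now=0),           # failed
        limiter.attempt(ip, "admin", "password2", now=1),           # lockout, 6h
        limiter.attempt(ip, *valid, now=100),                       # locked, even with the right password
        limiter.attempt(ip, *valid, now=1 + 6 * HOUR),              # ok, lockout expired
        limiter.attempt(ip, "Admin", "letmein", now=30000),         # failed
        limiter.attempt(ip, "webmaster", "letmein", now=30001),     # lockout, 3 days
    ]
    limiter.clear(ip)                                               # owner resets it
    results.append(limiter.attempt(ip, *valid, now=30002))          # ok
    return limiter, results
```

Note that the lock is keyed on the IP address, so a correct password from a locked-out address is still rejected until the timer expires or an administrator clears the entry; that is exactly the situation the second account is meant to get you out of.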
Security Layer Number 2
My blogs are hosted on HostGator, which provides a feature in its control panel called IP Deny Manager. By adding the questionable IPs to IP Deny Manager’s list, I deny those IPs access to all of my HostGator sites. So, at the end of the day, when I receive all of my “too many login attempts” notifications, I gather the IP addresses, log into my HostGator account and add them to the list so those particular hackers can’t access my sites again.
This is not foolproof because if someone truly wants to hack in, they will, but I can’t just sit idly by and watch them gain access to my sites.
A Little Advice
After installing a new blog, always change the username from the default “admin” to something a little less predictable. Every hacking attempt I logged tried “admin”, “Admin” or “webmaster” as the user name.
Maintaining a blog is sort of like gardening. No matter how much you care for your garden, weeds are always ready to take over. You have to weed out the online hackers just as you have to pull weeds from your garden.