We all know hackers love to exploit the WordPress admin login page. I was reminded of how tenacious hackers are when I reviewed the settings on the Limit Login Attempts plugin (which logs the number of unsuccessful attempts). In total I have 54 pages worth of unsuccessful login attempts among my various blogs. Each page contains 21 rows of IP addresses. On average each IP address has 5 or 6 lockouts. One industrious hacker, however, got locked out 66 times!
BTW, the username hackers try most often when attacking your account is “admin.” If you are using admin as your username, stop reading this now and change it to something else! After you’ve changed it, come back and finish reading the rest of this post!
So far I’ve been fortunate, but I don’t want to press my luck. As such, I decided to look for reinforcements to protect the login page.
UNLOQ 2 Factor Authentication for WordPress Admin Security
In addition to my username and password I downloaded the UNLOQ app/plugin. It’s free for small-time users like me (free of charge for 100 or fewer users). The beauty of UNLOQ is it offers the option to hide the wp-admin login page. Hackers looking for the usual WordPress admin page will see the following if you opt to hide it:
The other nice feature about UNLOQ is it requires either a one-time passcode, or approval from the app (push notification) or email to authenticate the login. The authentication type is configurable.
I find this all to be great for securing the admin page, but for me it was cumbersome. The push notification meant I needed to have my cell phone accessible every time I logged in. Nine times out of ten I don’t know where my cell phone is. Having to locate it in order to log into my websites became problematic.
I didn’t use the email or time-based password option (maybe I should have). I guess I just didn’t like having to use two programs to access one. The whole UNLOQ process wasn’t seamless enough for my tastes so I decided to try something else.
Securing WordPress Admin Like the Big Dogs
I read somewhere that master blogger Pat Flynn of Smart Passive Income password protects his wp-admin folder. Doing so protects everything in that folder and adds an additional layer of security. The only problem I have with that is there are certain files that reside in the wp-admin folder (admin-ajax.php, for example) that are required for the smooth running of a WordPress blog. Allowing access to the admin-ajax file after password protecting the directory requires modifying the .htaccess file.
Not wanting to create another potential problem, I decided to leave that option to the folks who know what they’re doing. I don’t, so I’ll leave it alone.
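For readers who do want to go that route, this is what the .htaccess change looks like. It is an added example, not the author's own configuration; it assumes Apache 2.4 syntax and uses a placeholder path for the password file, which should sit outside the web root.

```apache
# Place this .htaccess inside the /wp-admin/ directory (Apache 2.4 syntax).
# Create the password file first, outside the web root, e.g.:
#   htpasswd -c /home/example/.htpasswd yourloginname   (placeholder path)
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# admin-ajax.php is used by themes and plugins on the public side of the
# site, so it must stay reachable without the extra password prompt.
# Everything else in wp-admin still requires valid credentials.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Optional: deny direct web access to the password file if it ever ends up
# inside the document root by mistake.
<Files ".htpasswd">
    Require all denied
</Files>
```

After saving, load a front-end page that uses AJAX (a contact form or infinite scroll, for example) and confirm it still works, then browse to /wp-admin/ and confirm the browser prompts for the extra password before the WordPress login page appears.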
Searching for Another Blog Security Option
I went back to the drawing board in search of a protection option that fits my blogging habits. I was fortunate enough to come across Lisa Irby’s blog post How WordPress Exposes Your Admin Username & How to Fix It! In the post Lisa explains how a linkable byline on a blog gives hackers a potential username to try while attacking the WP admin page.
Give it a try. Hover over any linkable byline (try the one with my name on this post, for example) and you’ll see a link containing the blogger’s username in the status bar at the bottom of the web browser. Lisa’s blog post gives instructions on how to change the username display. I won’t get into details here or reinvent the wheel. Go to her blog post and follow her user-friendly instructions.
By the way, I followed her instructions so the “webmaster” you see when you hover over my byline is not my admin username.
Blog Security Going Forward
Following Lisa’s advice and using long passwords of at least 16 characters is what I’ll continue to do for now. It’s a shame that we have to spend so much time and effort securing our blogs, but that’s a sign of the times in which we are living.
I’m curious to know what measures you’re taking to protect your WordPress admin page.