WordPress blogs are a popular target for hackers who want to exploit the weaknesses in WordPress and use your site to link to other sites for SEO purposes, to host phishing content or to deface your web site. This is why it’s important to take steps to secure your WordPress installation.
In this guide, we’ll cover several steps that you can take to secure your WordPress site from hackers and reduce your site’s bandwidth usage at the same time. The fewer requests made to your site, the quicker it will load for legitimate visitors.
You should also install a WordPress backup plugin (we recommend UpdraftPlus) and take regular backups to a different location such as Dropbox, so that you can easily restore your site in the event it does get hacked.
Most Important Step: Add A Security Plugin to Protect Against Brute Force Password Attempts
Brute Force password attempts are the most common way that hackers gain access to your WordPress install to deface it and trash your site.
While the Loginizer plugin (formerly “Limit Login Attempts”) is one of the most widely used plugins for protecting a WordPress site, and comes installed by default with some of our providers, there are better options that you should replace it with.
Replacing it with a full security plugin like Wordfence is a great way to increase the protection on your site from a large number of brute force hacking attempts and decrease the risk of having your site defaced.
Wordfence allows you to block IP addresses that attempt to log in with an incorrect password or incorrect username, based on custom parameters including how long it counts those attempts over and how long it will block an offending IP address for.
We recommend installing Wordfence on your site and enabling the following settings.
In the Wordfence > Options page, tick the “Enable login security” box under Basic Options.
Then scroll down to the “Login Security Options” and set the options the same as the screenshot below:
This will lock out anyone who attempts to log in with an incorrect password, and block their IP address for 60 days.
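To make the lockout behaviour described above concrete, here is an added example (not code from Wordfence or this guide) that implements the same policy: count failed logins per IP over a window, and block the IP for a fixed period once the threshold is reached. The threshold and counting window are constructed placeholder values; the 60-day block is the one this guide recommends.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values: MAX_FAILURES and COUNT_WINDOW are constructed for illustration,
# LOCKOUT matches the 60-day block configured in the guide.
MAX_FAILURES = 5
COUNT_WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(days=60)


class LoginLockout:
    """Sliding-window failed-login counter with per-IP lockouts."""

    def __init__(self, max_failures=MAX_FAILURES, window=COUNT_WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # block has expired, forget it
            del self.blocked_until[ip]
            return False
        return True

    def record(self, ip, success, now):
        """Apply one login attempt; returns blocked / allowed / failed / locked."""
        if self.is_blocked(ip, now):
            return "blocked"                # even a correct password is rejected
        if success:
            self.failures.pop(ip, None)     # a good login clears the counter
            return "allowed"
        window_failures = self.failures[ip]
        window_failures.append(now)
        while window_failures and now - window_failures[0] > self.window:
            window_failures.popleft()       # drop failures older than the window
        if len(window_failures) >= self.max_failures:
            self.blocked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)
            return "locked"
        return "failed"


def replay(events, policy=None):
    """Run a list of (time, ip, succeeded) attempts through the policy."""
    policy = policy or LoginLockout()
    return [policy.record(ip, ok, ts) for ts, ip, ok in events]


T0 = datetime(2024, 1, 1, 12, 0, 0)
# Constructed sample attempts: one IP hammering the login, one legitimate user.
SAMPLE_EVENTS = [(T0 + timedelta(seconds=10 * i), "203.0.113.7", False) for i in range(5)] + [
    (T0 + timedelta(minutes=1), "203.0.113.7", True),    # right password, but locked out
    (T0 + timedelta(minutes=2), "198.51.100.2", False),  # one typo from a real user
    (T0 + timedelta(minutes=3), "198.51.100.2", True),
    (T0 + timedelta(days=61), "203.0.113.7", True),      # 60-day block has expired
]
```

Running `replay(SAMPLE_EVENTS)` shows the fifth failure triggering the lock and the correct password being rejected for the remainder of the block, which is exactly the trade-off the 60-day setting makes.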
Wordfence Alternative: You can also use the Login LockDown plugin to protect against Brute Force attempts. This does the same thing as the Login Security component of Wordfence, and allows you to mix up the plugins that you are using for this function.
Under Settings, Login LockDown, configure it the same as the screenshot below.
Rename wp-login.php and wp-admin folders
The Rename wp-login.php plugin allows you to rename the wp-login.php file and wp-admin folder to something unique, reducing the traffic to those pages that would otherwise be generated by hackers trying to gain access to your site by brute force guessing passwords.
Implementing all of these steps will help reduce the amount of bandwidth that your site uses, and at the same time significantly improve the security of your site. At the very least, you should implement either Wordfence or Login LockDown, and configure it based on our screenshots above to secure your sites from Brute Force password attempts.