5 Tips to Toughen Up Your WordPress Login | premiumwd

5 Tips to Toughen Up Your WordPress Login

by thoriq firdaus on October 12, 2016

No matter the size of your website, losing your site data or being locked out of your own website is a nerve-wracking experience. WordPress, which powers more than 25% of the Web, is one of the platforms most targeted by hackers.

In our previous posts, we have shown you a number of tips and tricks that already cover most of what you need to secure your WordPress website. Still, there is always room for improvement. In this post we will look at a few more tips to help make your WordPress site harder to breach.

1. Bcrypt Password Hashing

WordPress was started in 2003, when PHP and the Web in general were still in their early days. Facebook was not around yet, and PHP did not even have OOP (Object-oriented Programming) architecture built in; hence, WordPress inherited legacies that are no longer ideal today, including how it hashes passwords.

WordPress to this day still uses MD5 hashing. Basically, what it does is turn your 123456 password into something like e10adc3949ba59abbe56e057f20f883e.

However, since computers are now far more powerful than 10 years ago, such a hash can be matched back to the original password almost instantly, whether by precomputed lookup tables or by brute force.

PHP has had a native password hashing API (password_hash()) since 5.5, and if your WordPress site is running on PHP 5.5 or above, there is a handy plugin called wp-password-bcrypt that lets you use this native facility.

Install and activate the plugin through Composer or through MU-Plugins. Re-save your password and you are all set.
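As an added illustration of the approach such a plugin takes (not wp-password-bcrypt's own code), here is a minimal mu-plugin that overrides WordPress' pluggable wp_hash_password() and wp_check_password(): new passwords are stored as bcrypt, and existing phpass or MD5 hashes are verified the way core does and then upgraded the next time the user logs in, which is what the "re-save your password" step achieves. The BCRYPT_COST constant and its value of 12 are assumptions.

```php
<?php
/*
Plugin Name: Bcrypt password hashing (illustrative example, not wp-password-bcrypt)
*/
// Place in wp-content/mu-plugins/ so it loads before wp-includes/pluggable.php,
// which only defines these two functions when they do not already exist.

if ( ! defined( 'BCRYPT_COST' ) ) {
    define( 'BCRYPT_COST', 12 ); // assumed cost; raise it as hardware gets faster
}

if ( ! function_exists( 'wp_hash_password' ) ) {
    // Called by wp_set_password() whenever a password is saved or reset.
    function wp_hash_password( $password ) {
        return password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => BCRYPT_COST ) );
    }
}

if ( ! function_exists( 'wp_check_password' ) ) {
    // Called at login with the stored hash; must accept bcrypt, phpass and raw MD5.
    function wp_check_password( $password, $hash, $user_id = '' ) {
        global $wp_hasher;

        if ( strpos( $hash, '$2y$' ) === 0 ) {
            // Already bcrypt: constant-time verify, and re-hash if the cost has changed.
            $check = password_verify( $password, $hash );
            if ( $check && $user_id
                 && password_needs_rehash( $hash, PASSWORD_BCRYPT, array( 'cost' => BCRYPT_COST ) ) ) {
                wp_set_password( $password, $user_id );
            }
        } else {
            // Legacy hash: verify it the way core does, then upgrade it on success.
            if ( strlen( $hash ) <= 32 ) {
                $check = hash_equals( $hash, md5( $password ) ); // pre-2.5 unsalted MD5
            } else {
                if ( empty( $wp_hasher ) ) {
                    require_once ABSPATH . WPINC . '/class-phpass.php';
                    $wp_hasher = new PasswordHash( 8, true );
                }
                $check = $wp_hasher->CheckPassword( $password, $hash ); // phpass "$P$" hash
            }
            if ( $check && $user_id ) {
                wp_set_password( $password, $user_id ); // stored as bcrypt from now on
            }
        }

        // Same filter core applies, so other plugins keep working.
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }
}
```

Users who never log in again keep their old hash, so force a password reset for dormant accounts if you want the whole users table migrated.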

2. Enable WordPress.com Protect

A brute-force attack is a common hacking attempt in which attackers try to log in to your website by guessing numerous possible passwords, typically words found in a dictionary. This is why you should set a hard-to-guess password.

Automattic, the people behind WordPress.com, has acquired one of the most popular WordPress plugins for countering brute-force attacks. It is called BruteProtect, and it is now integrated into Jetpack.

Based on our experience, it has helped us tremendously, blocking close to a million brute-force attempts.

Jetpack Dashboard Widget reporting the number of attacks and spam encountered.

To get it, you need to install the latest version of Jetpack and connect your website to WordPress.com. Then enable the “Protect” module, and whitelist your own IP address as well.

Jetpack Protect module menu in the Settings

Now you should feel a bit safer.

3. Hide Your Login URL

WordPress is very well known for its login page, wp-login.php. Hence attackers know exactly which page to direct their brute-force attacks at. You can make it harder for them by disguising your WordPress login URL.

Fortunately, there are a few plugins that provide this utility:

WordPress login form with the custom URL

4. Disable “Forget Password”

The “Forget Password” feature in the login form is a way in for attackers, who usually go through an SQL injection to get your login credentials. If only a few people have access to the admin area, it might be better to switch it off.

To do so, create a new plugin file and name it forget-password.php.

First we change the lost password URL:

Remove the link. Unfortunately, WordPress does not provide a proper hook to do this neatly through add_filter, so we do it with JavaScript instead.

Lastly, we redirect the Lost Password URL to the login screen.
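The three steps above combined into one forget-password.php mu-plugin, as an added example that is not the author's original file. It relies on the core hooks lostpassword_url, login_footer and login_form_{action}; the #nav id is the paragraph in which wp-login.php renders the “Lost your password?” link (and the “Register” link, when registration is enabled).

```php
<?php
/*
Plugin Name: Disable lost password (illustrative example)
*/
// Save as wp-content/mu-plugins/forget-password.php.

// 1. Point the "Lost your password?" URL back at the login screen, so any
//    theme or plugin that calls wp_lostpassword_url() gets the same answer.
add_filter( 'lostpassword_url', function ( $lostpassword_url, $redirect ) {
    return wp_login_url();
}, 10, 2 );

// 2. Core has no hook to drop the link itself, so remove the #nav paragraph
//    client-side once the login page has rendered. Note this also hides the
//    "Register" link, which lives in the same paragraph.
add_action( 'login_footer', function () {
    ?>
    <script>
    document.addEventListener('DOMContentLoaded', function () {
        var nav = document.getElementById('nav');
        if (nav) { nav.parentNode.removeChild(nav); }
    });
    </script>
    <?php
} );

// 3. Hiding the link is cosmetic; anyone can still request
//    wp-login.php?action=lostpassword directly. login_form_{action} fires
//    before the form is rendered, so redirect those requests to the login screen.
foreach ( array( 'lostpassword', 'retrievepassword' ) as $action ) {
    add_action( 'login_form_' . $action, function () {
        wp_safe_redirect( wp_login_url() );
        exit;
    } );
}
```

Step 3 is the one that actually closes the feature; without it the form stays reachable to anyone who knows the URL.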

5. Enable HTTPS

HTTPS encrypts data in transit between your visitors' browsers and your site. It may also give you a boost in Google search rankings. And you can now get a valid HTTPS certificate for free through the communal initiative Let’s Encrypt.

For WordPress websites you can easily obtain a Let’s Encrypt certificate with WP Encrypt. So there is no reason why you should not deploy HTTPS in your website today.

Wrapping Up

I would just like to leave you with the reminder that, in spite of all these measures, our websites could still be attacked, hacked and compromised through means beyond our comprehension. Even large companies like Dropbox and LinkedIn have fallen prey to security breaches.

As a last line of defence, remember to back up your website’s files and database regularly.
