Your WordPress login page is open to abuse
Most WordPress users don’t give this a second thought until the day their website is hacked into and goes offline, yet most WordPress websites have a major security weakness by default.
2 facts you might not have considered
- by default the same username ‘admin’ is used for every single WordPress installation.
- there is no limit to the number of login attempts to a WordPress website
What this means is that the hackers out there already have the first piece of the puzzle to access your website: the exact username. Then all they need to do is run a program that tries thousands, or for that matter millions, of password combinations (known as a brute force attack) until they work out yours. There is nothing to stop them continuously trying to get into your website.
2 things you can easily do to reduce this risk
- create a new username with administrator privileges and delete the admin user. (I believe thankfully in WordPress 3.0 you will have the option to create a unique administrator level user at the point of installing WordPress so all of these admin users should be reduced from that release forward.)
- install a plugin that limits the number of incorrect login attempts
The plugin(s) I recommend to deal with this issue
Limit Login Attempts – http://wordpress.org/extend/plugins/limit-login-attempts/
It is really easy to install and gives you the option to be emailed after a certain number of failed login attempts.
Also you can set how many attempts can be made before the username is locked out and the more consistent the attempts the longer the lockout period.
Warning:
I highly recommend creating your new administrator username (something other than ‘admin’) before using this plugin, or you could be locked out yourself if hackers keep attempting to log in using the admin username and that is the only account you have to access your website.
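As an added example (not the Limit Login Attempts plugin’s own code), here is how a per-IP lockout like the one described can be implemented as a small WordPress must-use plugin using the real `wp_login_failed` action and `wp_authenticate_user` filter. The thresholds, the `sll_` function names and reading the client IP from `$_SERVER['REMOTE_ADDR']` are assumptions; behind a reverse proxy you would read the proxy header you trust instead.

```php
<?php
/*
 * Plugin Name: Simple Login Limiter (added example, not the plugin recommended above)
 * Copy into wp-content/mu-plugins/ and WordPress loads it automatically.
 */

// Assumed thresholds: 5 failures allowed, then a 20-minute lockout for that IP.
define( 'SLL_MAX_ATTEMPTS', 5 );
define( 'SLL_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS );

// Counters are keyed on the client IP, not the username, so an attacker hammering
// 'admin' locks out only their own address, not the site owner.
// Assumption: no reverse proxy in front of the site.
function sll_client_key( $prefix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return $prefix . md5( $ip );
}

// Runs on every failed login (wrong password or unknown username).
function sll_record_failure( $username ) {
    $lock_key = sll_client_key( 'sll_lock_' );
    if ( get_transient( $lock_key ) ) {
        // Attempts during a lockout restart the clock, so persistent attackers stay locked out longer.
        set_transient( $lock_key, time(), SLL_LOCKOUT_SECONDS );
        return;
    }
    $fail_key = sll_client_key( 'sll_fail_' );
    $fails    = (int) get_transient( $fail_key ) + 1;
    set_transient( $fail_key, $fails, SLL_LOCKOUT_SECONDS );

    if ( $fails >= SLL_MAX_ATTEMPTS ) {
        set_transient( $lock_key, time(), SLL_LOCKOUT_SECONDS );
        delete_transient( $fail_key );
        // Email the site owner, as the plugin in the post can do.
        wp_mail( get_option( 'admin_email' ), 'Login lockout on ' . home_url(),
            sprintf( 'IP %s locked out after %d failed logins (last username tried: %s)',
                $_SERVER['REMOTE_ADDR'], $fails, sanitize_user( $username ) ) );
    }
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// Runs before the password is checked; returning a WP_Error refuses the login outright.
function sll_check_lockout( $user, $password ) {
    if ( get_transient( sll_client_key( 'sll_lock_' ) ) ) {
        return new WP_Error( 'sll_locked_out',
            'Too many failed login attempts from your address. Please try again later.' );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'sll_check_lockout', 99999, 2 );
```

Transients live in the options table (or the object cache if one is configured), so the counters survive across requests without any extra tables.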
Thanks for the tip Tony. What I like in your post is you not only provide the tip but show how to use it. Makes life easier for non techos.
Susan
Thanks great to hear Susan,
I love hearing from the 'non techos' so I can provide quality information to you. Please let me know of any other areas you would like a post or video tutorial on.
Tony
Thanks for the info. I got caught out once by not changing the default 'admin' username …. haven't made that mistake again
I'll check out that plugin too. Looks handy.
Thanks Mark,
real examples like yours help bring home the message about how vulnerable the admin username makes your website. Thank you for adding value to this post.
Tony
Very useful, Tony. Thank you for helping to keep us protected online.
You really do build my WordPress advantage.
Well done.
Best, Robin
Thanks Robin,
'Building your WordPress advantage' is my mission statement that came from this fantastic post / project you have written / facilitated. http://www.radsmarts.com/2010/05/share-words-the-…
Thanks for ongoing support and feedback
Tony
Thanks for the review!
Note that the plugin handles lockouts based on IP, not user name. This means admin will not be locked out for you when someone in Moldova attempts to brute force the password.
It is still a good idea to make sure "admin" is not a privileged account, of course.
Thanks for this posting. I have been interested in the security question. Very helpful thanks.