I manage and maintain a large number of WordPress websites, and this year I have noticed a HUGE increase in the number of brute-force attempts / attacks - as have many other webmasters, apparently. For those of you who don't know what a "brute-force" attempt / attack is, it's hackers trying to guess the password of the website's admin account in order to gain unlawful access. They will usually use automated scripts that submit one password attempt after another in rapid succession, literally flooding your website with login attempts until they hit the jackpot.
Many new webmasters and businesses are unaware that by default WordPress allows unlimited login attempts - either through the login page, or by sending specially crafted authentication cookies. Because nothing slows the attacker down, passwords (or the password-hash fragment carried in the cookie) can be brute-force cracked with relative ease.
However, luckily there are some free WordPress plugins available which can stop the hackers in their tracks by locking them out after a set number of failed login attempts. I personally like the "Limit Login Attempts" plugin, because it alerts me via email and also logs the hacker's IP address.
The Limit Login Attempts plugin description page on WordPress.org explains it best:
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
You can download the Limit Login Attempts plugin for free from WordPress.org, via this link: http://wordpress.org/extend/plugins/limit-login-attempts/
One valuable tip when using the "Limit Login Attempts" WordPress plugin:
I have found that the best solution was setting the lockout to 6 months (4320 hours) after 16 failed attempts - that way you are not banning legitimate users, plus it should hopefully put the hackers off returning. Without the 6-month lockout I found that the rotters just kept returning.
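To show what "lock an address out after N failures" looks like inside WordPress, here is an added illustration written for this post; it is not the Limit Login Attempts plugin's code. It is a minimal must-use plugin that counts failed logins per client IP with WordPress transients, refuses authentication once the limit is hit, and emails the site admin, using the 16-attempt / 4320-hour values recommended above. The constants, the `example_lockout_` transient prefix and the function names are assumptions for this example; the hooks (`wp_login_failed`, `auth_cookie_bad_username`, `auth_cookie_bad_hash`, `authenticate`) and helpers (`get_transient`, `set_transient`, `wp_mail`, `HOUR_IN_SECONDS`) are real WordPress APIs.

```php
<?php
/*
Plugin Name: Example Login Lockout (illustration, not Limit Login Attempts)
Description: Lock a client IP out after too many failed logins. Drop into wp-content/mu-plugins/.
*/

// Assumed settings, mirroring the article's recommendation.
const EXAMPLE_LOCKOUT_MAX_RETRIES = 16;
const EXAMPLE_LOCKOUT_HOURS       = 4320; // roughly 6 months

// One transient per client address. Behind a reverse proxy REMOTE_ADDR is the
// proxy itself; only trust a forwarded header if your proxy is configured to set it.
function example_lockout_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_lockout_' . md5($ip);
}

function example_lockout_state(): array {
    $state = get_transient(example_lockout_key());
    return is_array($state) ? $state : ['fails' => 0, 'locked_until' => 0];
}

function example_lockout_is_locked(): bool {
    return example_lockout_state()['locked_until'] > time();
}

// Record one failure; start the lockout (and alert) when the limit is reached.
function example_lockout_record_failure(string $reason): void {
    $state = example_lockout_state();
    $state['fails']++;
    $ttl = EXAMPLE_LOCKOUT_HOURS * HOUR_IN_SECONDS;

    if ($state['fails'] >= EXAMPLE_LOCKOUT_MAX_RETRIES && $state['locked_until'] <= time()) {
        $state['locked_until'] = time() + $ttl;
        wp_mail(
            get_option('admin_email'),
            sprintf('[%s] Login lockout', get_bloginfo('name')),
            sprintf(
                "Client %s locked out for %d hours after %d failed attempts (last failure: %s).",
                $_SERVER['REMOTE_ADDR'] ?? 'unknown',
                EXAMPLE_LOCKOUT_HOURS,
                $state['fails'],
                $reason
            )
        );
    }
    // Keep the counter as long as the lockout would last, so slow attacks still add up.
    set_transient(example_lockout_key(), $state, $ttl);
}

// Form-based failures: WordPress passes the attempted username.
add_action('wp_login_failed', function (string $username): void {
    example_lockout_record_failure('bad password for user "' . $username . '"');
});

// Cookie-based attempts: a forged auth cookie fails either the username or the hash check.
add_action('auth_cookie_bad_username', function (array $cookie_elements): void {
    example_lockout_record_failure('auth cookie with unknown username');
});
add_action('auth_cookie_bad_hash', function (array $cookie_elements): void {
    example_lockout_record_failure('auth cookie with bad hash');
});

// Refuse logins from a locked-out client. Priority 30 runs after WordPress's own
// username/password handlers (priority 20), so a correct guess cannot override the error.
add_filter('authenticate', function ($user, $username, $password) {
    if (example_lockout_is_locked()) {
        return new WP_Error(
            'example_locked_out',
            __('Too many failed login attempts from your address. Please try again later.')
        );
    }
    return $user;
}, 30, 3);
```

The transient expiry doubles as the lockout clock, so no cron job or extra table is needed; on a site with a persistent object cache the counters live there instead of in the options table, which also keeps the flood of failed attempts away from the database.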
- NEVER, ever use "admin" as your administrator username - if you already do, you can change it to something else via phpMyAdmin by editing the user_login value in the users table.
- Keep your administrator account username hidden - display your real name or another name in the "Nickname" field instead, and set that nickname as the name shown on all your posts, so the login name never appears publicly.
- Use long, hard-to-guess passwords that combine letters, numbers, symbols, and upper and lower case.
Footnote - Another Problem with Brute-Force Attacks:
One additional problem that this sheer flood of brute-force attacks brought upon us was that it must have essentially "overheated" our server / database due to all the constant requests being made to the database, and so our (former) web host at the time suspended the affected cPanel account, which was one of 2 hosting accounts that we had with them (it was suspended / shut down without any prior notice, too), citing that we must have too many plugins etc. which they felt were causing the high CPU use. I tried repeatedly explaining to them that, in my opinion, it was probably due to the recent flood of hacking attempts, but I might as well have been talking to myself - it seems some web hosts don't like to ever admit that hackers can cause problems with your CPU / web hosting and can result in your business being shut down (by the way, we moved hosts after they suspended / shut us down the second time, as it's impossible to run a business under such conditions - also, both incidents were preceded by a flood of hacking attempts). This website was actually one of the sites hosted on the affected cPanel account, and we lost HEAPS of traffic as a result; we are only just clawing our way back to where we were before being shut down. I re-built this (formerly Joomla) site in WordPress during the downtime, as we were offline for about 2 weeks or so in total.
Furthermore, if I hadn't been using the "Limit Login Attempts" plugin on all our WordPress sites I probably wouldn't have even known about the brute-force attempts, and I might have just accepted everything the former web hosting company was telling me. Their advice was to effectively remove almost all the WordPress plugins on all the sites, and they also provided me with a list of (very popular, VERY widely used) WordPress plugins that we were using at the time, citing them as being only suitable for sites on dedicated servers. They also suggested we should purchase a dedicated server from them.
The WordPress plugins that they "outlawed" included the number one WordPress backup plugin, the no. 1 WordPress SEO plugin, the no. 1 WordPress Related Posts plugin, and many others. So, in order to remain with our former web host we would have either had to strip all of the WordPress sites almost bare, or find $200 a month for a dedicated server.
We cancelled both hosting accounts with our former (very well known, leading no. 1) web hosting company and we now have all our sites hosted with another much smaller, lesser-known web hosting company - so far, so good. Not only have we not been shut down without any prior warning (plus they apparently give you a warning first), but I've also been monitoring the CPU and memory usage etc. regularly since the migration - about 6 weeks ago now - and each time I've checked, our usage is way under our allowed limit. On average we are only using 1/8th or less of our allowed CPU, and only 25-30% of our allowed memory - despite also now re-enabling all the plugins that the former web host had banned.
Our opinion of the whole matter now is that our previous web host blatantly ignored all the information and evidence provided to them about the brute-force hacking attempts because (a) it seems to have a big problem admitting hacking attempts can cause server / CPU problems, and (b) it simply preferred to screw more money out of us instead.