5 Tips to Toughen Up Your WordPress Login Security

No matter the size of your website, losing your site data or being locked out of your own website is a nerve-wracking experience. WordPress, which powers more than 25% of the Web, is one of the platforms most targeted by hackers.

In our previous posts, we have shown you a number of tips and tricks which already covered almost everything to secure your WordPress website. Still, there is always room for improvement. In this post we will be looking at a few more tips to help you make your WordPress site harder to breach.

1. Bcrypt Password Hashing

WordPress was started in 2003, when PHP and the Web in general were still in their early days. Facebook was not around yet, and PHP did not even have OOP (Object-oriented Programming) architecture built in; hence, WordPress inherited legacies that are no longer ideal today, including how it hashes passwords.

WordPress to this day still uses MD5 hashing. Basically, it turns your 123456 password into something like e10adc3949ba59abbe56e057f20f883e.

However, since computers are far more powerful than they were 10 years ago, an MD5 hash like this can now be cracked, by brute force or by a precomputed lookup table, almost instantly, recovering the original password.

PHP has offered native password hashing (password_hash(), which uses bcrypt) since version 5.5. If your WordPress site runs on PHP 5.5 or above, there is a handy plugin called wp-password-bcrypt that lets you use this native facility.

Install and activate the plugin through Composer or through MU-Plugins. Re-save your password and you are all set.
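To see what the migration looks like in plain PHP, here is an added example (not code from the wp-password-bcrypt plugin): it checks a password against a stored hash and, when the stored value is a legacy MD5 digest, re-hashes it with password_hash() so the user is moved onto bcrypt on their next successful login. It assumes PHP 5.6 or later for hash_equals().

```php
<?php
// Added example (not the wp-password-bcrypt plugin's code): verify a stored
// hash and transparently upgrade legacy MD5 digests to bcrypt.
// Assumes PHP >= 5.6 (password_hash, password_verify, hash_equals).

/**
 * True if $hash is a bare 32-hex-digit MD5 digest (the legacy format from
 * the text), as opposed to a password_hash() string such as "$2y$10$...".
 */
function is_legacy_md5_hash($hash) {
    return (bool) preg_match('/^[a-f0-9]{32}$/i', $hash);
}

/**
 * Check $password against $stored_hash.
 * Returns ['valid' => bool, 'new_hash' => string|null]; new_hash is set when
 * the stored hash should be replaced (legacy MD5 matched, or the bcrypt cost
 * is out of date), and the caller persists it in place of the old one.
 */
function check_and_upgrade_password($password, $stored_hash) {
    if (is_legacy_md5_hash($stored_hash)) {
        // Compare the legacy digest in constant time.
        if (!hash_equals(strtolower($stored_hash), md5($password))) {
            return ['valid' => false, 'new_hash' => null];
        }
        // Correct password: re-hash with bcrypt so the MD5 digest is retired.
        return ['valid' => true, 'new_hash' => password_hash($password, PASSWORD_BCRYPT)];
    }
    if (!password_verify($password, $stored_hash)) {
        return ['valid' => false, 'new_hash' => null];
    }
    // Already bcrypt: only re-hash if the cost parameters have changed.
    $new_hash = password_needs_rehash($stored_hash, PASSWORD_BCRYPT)
        ? password_hash($password, PASSWORD_BCRYPT)
        : null;
    return ['valid' => true, 'new_hash' => $new_hash];
}

// Demo with the "123456" digest quoted in the text (constructed input).
$legacy = 'e10adc3949ba59abbe56e057f20f883e';
$first  = check_and_upgrade_password('123456', $legacy);
var_dump($first['valid']);                         // login accepted
var_dump(is_legacy_md5_hash($first['new_hash']));  // replacement is bcrypt, not MD5
// The upgraded hash verifies on the next login without a further rehash.
$second = check_and_upgrade_password('123456', $first['new_hash']);
var_dump($second['valid'], $second['new_hash']);
var_dump(check_and_upgrade_password('wrong', $legacy)['valid']);
```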

2. Enable WordPress.com Protect

A brute-force attack is a common hacking technique in which attackers try to log in to your website by guessing numerous possible passwords, typically words found in a dictionary. This is why you should set a hard-to-guess password.

Automattic, the people behind WordPress.com, has acquired one of the most popular WordPress plugins that can counter brute-force attacks. It is called BruteProtect, and it is integrated with Jetpack.

Based on our experience, it has helped us tremendously, combating brute-force attacks close to a million times.

Figure: Jetpack Report. Jetpack Dashboard Widget reporting the number of attacks and spam encountered.

To get it, install the latest version of Jetpack and connect your website to WordPress.com. Then enable the “Protect” module and whitelist your own IP address as well.

Figure: Jetpack Protect module menu in the Settings.

Now you should feel a bit safer.

3. Hide Your Login URL

WordPress is very well known for its login page, wp-login.php, so hackers know exactly which page to direct their brute-force attacks at. You can make it harder for them by disguising your WordPress login URL.

Fortunately, there are a few plugins that provide this utility:

Figure: WordPress login form with the custom URL.

4. Disable “Forget Password”

The “Forget Password” utility in the login form is a way in for attackers, who usually go through an SQL injection to get your login credentials. If only a few people have access to the admin area, it might be better to switch it off.

To do so, create a new file and name it forget-password.php.

First we change the lost password URL:

<?php
// Point the "lost password" link at the plain login page instead of the
// lostpassword action. The filter also passes the original URL and a
// redirect argument; both are ignored here on purpose.
function lostpassword_url() {
	return site_url( 'wp-login.php' );
}
add_filter( 'lostpassword_url', 'lostpassword_url' );

Next, remove the link. Unfortunately, WordPress does not provide a proper hook to do this neatly through add_filter, so we do it with JavaScript instead.

// Strip the "Lost your password?" anchor from the login form. WordPress has
// no filter for that markup, so the anchor is removed client-side once the
// login page has loaded. (login_footer passes no arguments.)
function lostpassword_elem() { ?>

<script type="text/javascript">
(function () {
	var links = document.querySelectorAll( 'a' );

	// Walk backwards so removing a node does not disturb the remaining indices.
	for ( var i = links.length - 1; i >= 0; i-- ) {
		if ( links[i].innerText === "Lost your password?" ) {
			links[i].parentNode.removeChild( links[i] );
		}
	}
}());
</script>

<?php }
add_action( 'login_footer', 'lostpassword_elem' );

Lastly, we redirect the “Lost Password” URL to the login screen.

// Send any direct request for the lost-password or retrieve-password action
// back to the login screen, so the feature cannot be reached by typing the
// URL either. wp_login_url() keeps this working for subdirectory installs,
// and wp_safe_redirect() only follows redirects to the site's own host.
function lostpassword_redirect() {
	if ( isset( $_GET['action'] ) && in_array( $_GET['action'], array( 'lostpassword', 'retrievepassword' ), true ) ) {
		wp_safe_redirect( wp_login_url(), 301 );
		exit;
	}
}
add_action( 'init', 'lostpassword_redirect' );

5. Enable HTTPS

HTTPS gives your site an extra layer of security for data in transit. It may also give you a boost in Google search rankings. And you can now get a valid HTTPS certificate for free through the community initiative Let’s Encrypt.

For WordPress websites you can easily obtain a Let’s Encrypt certificate with WP Encrypt. So there is no reason why you should not deploy HTTPS on your website today.

Figure: Let's Encrypt homepage.

Wrapping Up

I would just like to leave you with a reminder that, in spite of all these measures, our websites could still be attacked, hacked and compromised through means beyond our comprehension. Even large companies like Dropbox and LinkedIn have fallen prey to security threats.

As a last resort, remember to regularly back up your website’s files and database whenever you can.
