If you have a WordPress website, chances are that it has been the target of repeated, failed login attempts. These attempts to break into your WordPress login are not, for the most part, from individual hackers but from “bots”, automated software that scours the web looking for your site’s wp-login.php file or attempting to exploit XML-RPC.
Why Do Hackers Try To Gain Access to WordPress Websites?
Hackers are interested in gaining access to WordPress websites for a number of reasons, such as using your website to inject malicious content and code to steal visitors’ information and spread viruses. One particular type of hack known as a “Pharma Hack” implements a “backdoor” which enables hackers to insert malicious files and modify the database. This is why it is very important to keep your website up-to-date with the latest version of WordPress.
What Can You Do to Stop or Protect Your WordPress Website from Repeated Login Attempts?
Install a Login Limiting Plugin.
One popular and FREE plugin that limits failed login attempts and can show you a log of failed WordPress login attempts is Limit Login Attempts Reloaded.
This handy plugin is effective in preventing brute force attacks and improves your website’s performance by limiting the number of login attempts that can be made via the standard WP login as well as XML-RPC, WooCommerce and even custom WP login pages.
Limit Login Attempts Reloaded also enables you, as Admin, to configure customized lockout timings as well as the ability to safelist and blocklist IP addresses and usernames.
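To show what a login-limiting plugin does under the hood, here is an added example of a minimal must-use plugin. It is not code from Limit Login Attempts Reloaded or from this post; the `sll_` prefix, the limit of 5 failures per 15 minutes and the 20-minute lockout are assumed values. It counts failures per client IP in WordPress transients, refuses authentication for a locked-out IP before the password is ever checked, and resets the counter on a successful login. Because it uses the core `wp_login_failed` and `authenticate` hooks, it covers wp-login.php and XML-RPC logins alike.

```php
<?php
/**
 * Plugin Name: Simple Login Limiter (illustrative example, not a real plugin)
 * Description: Locks an IP out after repeated failed logins. Drop into wp-content/mu-plugins/.
 */

// Assumed tunables: 5 failures inside a 15-minute window triggers a 20-minute lockout.
const SLL_MAX_ATTEMPTS    = 5;
const SLL_WINDOW_SECONDS  = 900;
const SLL_LOCKOUT_SECONDS = 1200;

// REMOTE_ADDR is set by the web server, not the client. Do not read X-Forwarded-For
// here unless the site sits behind a proxy you control; otherwise attackers choose their own key.
function sll_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function sll_key(string $prefix, string $ip): string {
    // Transient names are limited in length, so hash the IP instead of embedding it.
    return $prefix . md5($ip);
}

// Core fires wp_login_failed from wp_authenticate(), so XML-RPC and custom login forms count too.
add_action('wp_login_failed', function (string $username) {
    $ip        = sll_client_ip();
    $count_key = sll_key('sll_fail_', $ip);
    $count     = (int) get_transient($count_key) + 1;

    // Each failure refreshes the window; the transient expires on its own if the attacker goes quiet.
    set_transient($count_key, $count, SLL_WINDOW_SECONDS);

    if ($count >= SLL_MAX_ATTEMPTS) {
        set_transient(sll_key('sll_lock_', $ip), time(), SLL_LOCKOUT_SECONDS);
        delete_transient($count_key);
        // Logging the lockout gives you the same kind of visibility the plugin's failed-login log provides.
        error_log(sprintf('[sll] lockout for %s after %d failures (last username tried: %s)',
            $ip, $count, $username));
    }
});

// Priority 30 runs after core's username/password checks (priority 20), so the WP_Error we return
// is not overwritten by a later core filter; a locked-out IP cannot log in even with the right password.
add_filter('authenticate', function ($user, string $username, string $password) {
    if (get_transient(sll_key('sll_lock_', sll_client_ip())) !== false) {
        return new WP_Error('sll_locked', __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that IP.
add_action('wp_login', function (string $user_login, WP_User $user) {
    delete_transient(sll_key('sll_fail_', sll_client_ip()));
}, 10, 2);
```

Transients live in the options table (or the object cache if one is configured), so the counters survive across requests without any extra tables; on a site behind a CDN or load balancer, replace `sll_client_ip()` with logic that trusts the forwarded header only from that proxy's addresses.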
Use Strong Login Credentials.
Always use a strong WordPress Admin username and password. Never use “admin” or any other easy-to-guess username. You can also use your email address, which may be a better choice. For passwords we suggest using a random combination of numbers, uppercase and lowercase letters and special characters that is at least 14 characters long; the longer, the better. Never use “Password” for your password.
Disable XML-RPC.
XML-RPC is an API that standardizes communication between different systems. In other words, when we want WordPress to communicate with non-WordPress systems such as Blogger or mobile apps, XML-RPC makes this possible. From a practical standpoint, this makes it extremely easy and convenient to post WordPress content remotely. However, this same convenience also makes it easy for hackers to exploit XML-RPC via brute force attacks: repeated, successive attempts with various password combinations in order to gain access to a website. To address this weakness in XML-RPC, you can simply use a plugin called Disable XML-RPC by Philip Erb.
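If you would rather not add another plugin, the same effect can be had with a few lines in a must-use plugin. The following is an added example and is not the code of Disable XML-RPC or of this post. It uses the core `xmlrpc_enabled` filter, which makes every authenticated XML-RPC call fail before a password is checked, and additionally removes the pingback methods, which do not require authentication and so are not covered by that filter alone.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (illustrative mu-plugin, not the Philip Erb plugin)
 * Description: Turns off XML-RPC logins and pingbacks. Drop into wp-content/mu-plugins/.
 */

// Core consults this filter inside wp_xmlrpc_server::login(); returning false makes every
// method that needs credentials answer with a fault, so brute forcing passwords over XML-RPC stops.
add_filter('xmlrpc_enabled', '__return_false');

// Methods that never authenticate (pingbacks) still run with xmlrpc_enabled = false,
// so remove them from the method table as a second layer.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint: the X-Pingback response header and the RSD <link> in <head>.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

Anything that legitimately relies on XML-RPC, such as the mobile apps mentioned above, will stop working once this is active, so verify remote publishing after enabling it. If you want the endpoint unreachable rather than merely refusing logins, block xmlrpc.php at the web server as well, but note that a web-server rule does not help a site whose XML-RPC traffic is needed for remote publishing.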