How to add security to your WordPress site in just 5 minutes
There are dozens of plugins out there that provide security solutions for WordPress websites. They come in all shapes and sizes, from huge, intimidating plugins that cover all the bases when it comes to WordPress security to simple plugins that focus on one aspect of a site’s security. I just want to share one of these simple plugins with you that will put a damper on one very common type of website attack, known as a Brute Force Attack. And the best part: it only takes 5 minutes to set up.
How likely is it that my site will be subject to brute force attacks?
100% guaranteed. Any website that is marketed and/or has traffic will, at some point in time, be a victim of brute force attacks. The number and frequency of attacks will vary depending on how much traffic your site gets, but you won’t regret protecting your site with the plugin I’m about to share with you.
So what plugin are you talking about?
The plugin is called “Login Lockdown”. You can install this directly from your WordPress admin panel under “Plugins” >> “Add New”. That’s the easiest method. Or you can download the plugin here and upload it using the Add New Plugin upload option or using FTP.
How should I configure the settings?
Once you have installed and activated the plugin, you can access the plugin’s settings by going to “Settings” >> “Login Lockdown”. On the plugin’s settings page you can see that there are several options giving you control over how “gracious” the plugin is to people/bots attempting to access your admin panel. If you leave the options as they are (default), your site is already much more secure than it was before. However, there are a few things I would change just to make it that much harder for somebody/somebot to break into your admin panel:
Max Login Retries
If you have your user/password combo saved in a safe place and you are dedicated enough to your site’s increased security to take the time to enter your username and password carefully each time you log in, you should be able to change this to 1 without worrying about locking yourself out. It’s up to you, but if you choose to change this it will drastically reduce the risk of a brute force attack actually working. If you don’t know how a brute force attack works, please take the time to understand it by following this link.
Retry Time Period Restriction (minutes)
The same goes for this option. The smaller the number, the safer your site.
Lockout Length (minutes)
You can set the lockout time to whatever you like. I have set this to a day (1440 in minutes) before. Just remember, if you don’t log in carefully and keep your user/password combo saved somewhere safe, you could lock yourself out for the amount of time you set.
Lockout Invalid Usernames?
I always change this to “yes”. It really helps to keep people/bots from figuring out what your valid username(s) are. If they figure out what username(s) are valid then they only have to figure out the password. Again, if you don’t have your user/pass combo saved somewhere, this could make it extremely difficult for you to get back into your site!
Mask Login Errors?
I set this to “yes” for the same reason I set “Lockout Invalid Usernames?” to “yes”. The same warning applies here as well!
Show Credit Link?
I hate to hide the credit link because the author (mvandemar) has provided us with such a great plugin to make our sites more secure. But I don’t want to tell the person/bot (currently trying to guess my login credentials) what tool I am using to rain on their parade. So, I always change this to: “No, do not display the credit link.” And we can all help the author out by telling our friends and colleagues about his awesome plugin!
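To see how “Max Login Retries”, “Retry Time Period Restriction” and “Lockout Length” work together, here is a small model of a failed-login lockout. It is an example added here, not the plugin’s own code, and it assumes failures are counted per source address inside a sliding window; the class, function names and the sample address are hypothetical, and the “lenient” values are constructed for comparison.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Illustrative model of a failed-login lockout (not the plugin's code)."""
    max_retries: int   # "Max Login Retries"
    window_min: int    # "Retry Time Period Restriction (minutes)"
    lockout_min: int   # "Lockout Length (minutes)"
    _fails: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def attempt(self, minute: int, ip: str, ok: bool) -> str:
        """Process one login attempt: 'blocked', 'ok', 'fail' or 'lockout'."""
        if self._locked_until.get(ip, -1) > minute:
            return "blocked"  # rejected before the password is even checked
        if ok:
            return "ok"
        fails = self._fails[ip]
        fails.append(minute)
        # Forget failures that have aged out of the counting window.
        while fails and fails[0] <= minute - self.window_min:
            fails.popleft()
        if len(fails) >= self.max_retries:
            self._locked_until[ip] = minute + self.lockout_min
            fails.clear()
            return "lockout"
        return "fail"


def guesses_checked(policy: LockoutPolicy, events) -> int:
    """Count the password guesses the site actually evaluated."""
    return sum(policy.attempt(m, ip, ok) in ("fail", "lockout")
               for m, ip, ok in events)


# Constructed sample: one address (documentation range) failing once a
# minute for a full day (1440 minutes).
BOT = [(m, "203.0.113.7", False) for m in range(1440)]

if __name__ == "__main__":
    # Constructed "lenient" values versus the strict values from the article.
    lenient = LockoutPolicy(max_retries=3, window_min=5, lockout_min=60)
    strict = LockoutPolicy(max_retries=1, window_min=1, lockout_min=1440)
    print("lenient policy, guesses evaluated:", guesses_checked(lenient, BOT))
    print("strict policy, guesses evaluated: ", guesses_checked(strict, BOT))
```

The same model shows the lock-yourself-out warning: under the strict values, one mistyped password blocks even the correct password from that address until the lockout expires.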
Now what do I have to do?
Well, after changing the settings above, be sure to click “Update Settings” so that the changes take effect. Then, make sure your username and password are saved in a secure place where only you can access them. Then, just sit back and let the plugin do the work while giving you a little more peace of mind. If you want to see how many attacks your site is receiving just come back to the settings page and check out the list that will probably be growing under the “Currently Locked Out” section.
While this plugin will really help boost your website’s security, there are plenty of other tips and tricks that could help prevent those no-good website hackers from breaking into your website and/or server. Check back for more helpful articles to come.