Many people become alarmed when they notice failed login attempts on their WordPress websites. Security and tech-savvy people, on the other hand, do not worry much about them: every website gets its share of bot traffic and dictionary attacks.
Does your WordPress website receive a lot of failed login attempts? This article explains why your WordPress website gets such attacks and what you should do about them. It also gives a number of recommendations to help you harden your WordPress website.
You notice too many failed login attempts on your WordPress
Those who install an activity log plugin for WordPress on their website are typically surprised by the number of failed login attempts their websites get, so much so that many think there is something wrong with the activity log plugin itself. To illustrate this, here is an extract from the WP Activity Log plugin support forum:
Does this plugin really work?
The activity log shows my site gets so many failed login attempts from various countries like Ukraine, Russia, Vietnam, China etc. almost every day. I am not sure why so many people want to hack my small site. It doesn’t even have much content and I don’t even make any profit from my site as I don’t have any ads or anything. So why does my site get so many failed login attempts? Today some random person from Ukraine tried 10+ times to access my partner’s and my account. I am not sure whether this plugin really works, or whether it just generates some false alarms or something.
What the plugin reported were not false alarms. If you install a WordPress activity log plugin on your website you will see the same activity, even if your website is not popular.
Why are hackers targeting your website?
The majority of attack attempts against your WordPress website are not targeted specifically at your website. They are automated bots trying to guess your users’ passwords; their goal is to find WordPress websites with weak credentials. TIP: enforce strong WordPress password policies.
Your WordPress website receives such attacks simply because it is online. It has nothing to do with how popular your website is. In fact, even non-WordPress websites receive this type of request: bots send requests to any responding domain and do not differentiate between WordPress and non-WordPress websites. WordPress websites are, however, a typical target because WordPress does not limit the number of login attempts.
Do failed login attempts impact your website’s performance?
The day-to-day random attacks your website receives do not affect its performance. Only targeted brute force and dictionary attacks consume an abnormal amount of bandwidth, and very often they lead to a denial of service. In such cases, which are not common, there is not much you can do: your web hosting provider needs to take care of the issue.
What are the risks of too many failed login attempts?
As long as you use strong WordPress passwords, there are no security risks. However, as a security precaution you should consider blocking WordPress users after a number of failed login attempts. By doing this, you eliminate the chance of an attacker guessing the password of one of your WordPress users. Another best practice is to keep a history of failed logins on WordPress, so that you are informed well in advance and can act accordingly when there are suspicious failed login attempts on your site.
Should I block offending IP addresses?
One commonly suggested remediation for failed login attacks on your WordPress website is to block the offending IP addresses. Unless your website is the target of a brute force attack, going down that route is not recommended. Attackers can easily bypass such a block by changing IP addresses, so you will end up in a cat and mouse game.
Start with the basics – use strong credentials, enable 2FA and follow best practices
As with almost everything else, start by addressing the basics. Avoid common usernames such as admin, root, or your first name; use a combination of letters and numbers for your usernames. For your passwords, use a combination of letters, numbers and special characters. Here are some tips on what makes a strong WordPress password. You should also consider the following:
Improve the security of your WordPress login pages
- Only access your WordPress login page over HTTPS; otherwise it is very easy for attackers to intercept the WordPress username and password.
- Implement two-factor authentication (2FA)
- Put the WordPress login page behind HTTP authentication (this is only practical if a small number of users log in to your website)
Help users keep their WordPress website secure
The security of your WordPress website is only as strong as your users’ passwords. Don’t rely on your website’s users’ ability to keep their accounts secure. Always:
- Enforce strong WordPress password policies
- Block WordPress users who have too many failed login attempts
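As an added example (not code from this article or from the WP Activity Log plugin), the following small WordPress plugin implements the account lockout recommended above: it counts failures with the `wp_login_failed` action and rejects further logins through the `authenticate` filter. The threshold of 5 attempts and the 15-minute window are assumed values.

```php
<?php
/**
 * Plugin Name: Failed Login Lockout (example)
 * Description: Temporarily locks a WordPress account after too many failed logins.
 */

// Assumed policy: 5 failures within 15 minutes lock the account for 15 minutes.
define( 'FLL_MAX_ATTEMPTS', 5 );
define( 'FLL_WINDOW', 15 * MINUTE_IN_SECONDS );

// The lock follows the account, not the attacker's IP address, since IP
// addresses are easy to change. The key is derived from the normalised username.
function fll_key( $username ) {
	return 'fll_' . md5( strtolower( trim( (string) $username ) ) );
}

// Count every failure. Core fires this hook for wrong passwords and for unknown
// usernames alike, so username guessing is counted as well.
add_action( 'wp_login_failed', function ( $username ) {
	$key   = fll_key( $username );
	$count = (int) get_transient( $key );
	// Re-saving the transient pushes the expiry to FLL_WINDOW after the latest failure.
	set_transient( $key, $count + 1, FLL_WINDOW );
} );

// Priority 30 runs after core's password check (priority 20) and overrides its
// result, so even a correct guess is rejected while the account is locked.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( '' === $username ) {
		return $user; // Cookie-based or empty login; nothing to check here.
	}
	if ( (int) get_transient( fll_key( $username ) ) >= FLL_MAX_ATTEMPTS ) {
		// Generic message: do not reveal whether the account exists.
		return new WP_Error(
			'fll_locked',
			__( 'Too many failed login attempts. Please try again later.' )
		);
	}
	return $user;
}, 30, 3 );

// A successful login clears the counter.
add_action( 'wp_login', function ( $user_login ) {
	delete_transient( fll_key( $user_login ) );
} );
```

Every attempt made during the lock is itself reported as a failure and so extends the window, which is why the lock is kept temporary: a bot must not be able to lock a legitimate user out permanently, and the activity log tells you when the lock triggers.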
Bonus WordPress login page security tip
If you always access the WordPress dashboard from the same IP address, restrict access to the login page to that IP address only. For more information on how to restrict access to a specific IP address or how to enable HTTP authentication, refer to our definitive guide to htaccess and WordPress.