Many site owners become alarmed when they notice failed logins on their WordPress websites and blogs. Security and tech savvy people, on the other hand, do not worry much about failed login attempts, stating that they are the norm.
Does your WordPress website receive a lot of failed login attempts? Are they something you should be worried about, and should you do anything about them? In this article I am going to explain why your WordPress gets such attacks and what you should do about them.
There Are Many Failed Login Attempts on Your WordPress
Those who install a WordPress audit trail plugin on their website are typically surprised by the number of failed login attempts it records. Below is a post from the WP Security Audit Log plugin support forum that sums up what many WordPress administrators might think:
Does this plugin really work?
The audit log shows my blog gets so many failed login attempts from various countries like Ukraine, Russia, Vietnam, China etc. almost every day. I am not sure why so many people want to hack my small site. It doesn't even have much content. I don't even make any profit from my site as I don't have any ads or anything. So why does my site get so many failed login attempts? Today some random person from Ukraine tried 10+ times to access my and my partner's accounts. I am not sure this plugin really works or if it just generates some false alarms or something.
What the user reported were not false alarms. If you install a WordPress audit trail plugin on your WordPress websites you will see the same type of activity, regardless of the website's popularity or profitability.
Why Do Hackers Want to Login to Your WordPress?
The majority of attack attempts on your WordPress are not targeted specifically at your website, as explained in Targetted VS non-targetted WordPress attacks. The failed logins on your WordPress are generated by automated bots that malicious hackers use to crawl the internet looking for WordPress websites with weak credentials.
Your WordPress website receives such attacks simply because it is online. They are in no way related to how popular your website is; in fact the same activity is seen on every other type of website. Even non-WordPress websites receive such requests, because most bots simply post login guesses to any domain that responds, whether or not a WordPress login page is actually there.
Do Failed Login Attempts Impact the Performance of Your WordPress?
In the majority of cases they have no effect on the performance of your WordPress website: a handful of requests to wp-login.php per hour is negligible. Failed logins only slow down a website, or consume an abnormal amount of bandwidth, during a brute force or dictionary attack launched specifically against your WordPress login page, where a single attacker sends a very high volume of requests. Since every attempt makes WordPress load the user record and check a password hash, such an attack can also amount to a Denial of Service.
What are the Risks of Failed WordPress Login Attempts?
As long as you use strong, unique passwords on every account (not just the administrator), there are no security risks associated with failed login attempts on your WordPress websites and blogs: a bot that never guesses the password never gets in.
Should I Harden the WordPress Login Page?
Even though failed WordPress logins pose no security risk on their own, there are a few things you can do to add an extra layer of security to your WordPress login page. You can implement two-factor authentication, or add HTTP authentication in front of wp-login.php, as an additional layer of authentication that a guessed password alone cannot get past.
There are several other WordPress security improvements you can implement to protect your login page, such as moving the login page to a different URL and adding a CAPTCHA to it. Keep in mind that moving the login URL only hides it from bots that look in the default place; it adds no second secret. If you use either HTTP authentication or two-factor authentication, that should be enough.
Should I Block the Offending IP Addresses?
One commonly suggested remediation for failed login attacks on your WordPress is to block the offending IP address(es). Unless your website is the target of a brute force attack I would not recommend going down that route, mainly because attackers have a practically unlimited supply of addresses (proxies, VPNs and compromised hosts) to rotate through, so you end up in a cat and mouse game.
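Whether the failures you see are the background scanning described above or a brute force aimed at your site, the distinction that both the performance question and the IP-blocking question turn on, comes down to volume from a single source over a short period. The following must-use plugin is an added example written for this article, not code from WP Security Audit Log or any other plugin: it counts failed logins per source address and writes one line to the PHP error log when an address crosses a threshold. The threshold (20), the window (600 seconds) and the location wp-content/mu-plugins/ are assumptions you should adjust.

```php
<?php
/**
 * Plugin Name: Failed Login Monitor (example)
 * Description: Counts failed logins per source address and flags a likely
 *              brute force, so you can tell background scanning from a
 *              targeted attack. Assumed location: wp-content/mu-plugins/.
 */

// Assumed tunables: background bots usually try a few guesses and move on;
// more than FLM_THRESHOLD failures from one address, with the window kept
// open by each new failure for FLM_WINDOW seconds, is treated as targeted.
const FLM_THRESHOLD = 20;
const FLM_WINDOW    = 600;

/**
 * Source address as seen by the web server. Only substitute X-Forwarded-For
 * here if a reverse proxy you control sets it; otherwise it is attacker-chosen.
 */
function flm_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/**
 * Record one failure for $ip and return the running count. Writes a single
 * line to the PHP error log when the count first crosses the threshold, so
 * an attack does not flood the log with one line per attempt.
 */
function flm_record_failure( $ip, $username ) {
    $key   = 'flm_' . md5( $ip );               // transient names must be short
    $count = (int) get_transient( $key ) + 1;   // get_transient() is false when absent
    // Each failure resets the expiry: the counter lives FLM_WINDOW seconds
    // past the most recent failure, then drops back to zero.
    set_transient( $key, $count, FLM_WINDOW );

    if ( $count === FLM_THRESHOLD + 1 ) {
        // Strip control and non-ASCII characters so a crafted username
        // cannot inject extra lines into the log.
        $safe_user = preg_replace( '/[^\x20-\x7e]/', '?', (string) $username );
        error_log( sprintf(
            'wp-login brute force suspected: %d failed logins from %s within %ds (last username tried: %s)',
            $count, $ip, FLM_WINDOW, $safe_user
        ) );
    }
    return $count;
}

// wp_login_failed fires from wp_authenticate() with the username that was
// tried, so it covers both wp-login.php and XML-RPC login attempts.
add_action( 'wp_login_failed', function ( $username ) {
    flm_record_failure( flm_client_ip(), $username );
} );
```

It reports rather than blocks, in line with the advice above; the log line is what tells you that this one source deserves a temporary block. Two caveats: without a persistent object cache every failure is a write to the options table, so during a heavy attack the counter itself adds a little load, and behind a reverse proxy REMOTE_ADDR is the proxy's address, so every failure would be attributed to it.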
Start with the Basics – Use Strong Credentials for Your WordPress
As in almost everything else, by getting the basics right you ensure that your WordPress website does not fall victim to such common attacks, and then you need not worry about them. Avoid common usernames such as admin, root or your first name, and secure your WordPress administrator user. Use a combination of letters and numbers for your usernames, and a long combination of letters, numbers and special characters for your passwords. Bear in mind that the username is not a secret (WordPress exposes it in author archive URLs), so an uncommon username only defeats bots that try admin and nothing else; the password is what actually keeps the account secure.
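To make the username and password advice above hold for every account on the site, not just your own, you can have WordPress refuse the bad choices at the moment a user is created or edited. The following must-use plugin is an added example written for this article, not part of WordPress or of any plugin; the deny-list of usernames, the minimum length of 14 characters and the file location wp-content/mu-plugins/ are assumptions.

```php
<?php
/**
 * Plugin Name: Credential Policy (example)
 * Description: Rejects bot-favourite usernames and weak passwords when an
 *              administrator creates or edits a user in the dashboard.
 *              Assumed location: wp-content/mu-plugins/.
 */

// Assumed policy values: the usernames every login bot tries first, and a
// minimum length chosen so that a letters/digits/symbols mix is out of reach
// of online guessing.
const CP_DENIED_USERNAMES    = array( 'admin', 'administrator', 'root', 'test', 'user', 'wordpress' );
const CP_MIN_PASSWORD_LENGTH = 14;

/** Returns an error message for a bad username, or '' if it is acceptable. */
function cp_username_problem( $login ) {
    if ( in_array( strtolower( $login ), CP_DENIED_USERNAMES, true ) ) {
        return 'That username is on every login bot\'s guess list; please pick another one.';
    }
    return '';
}

/**
 * Returns an error message for a weak password, or '' if it passes: long
 * enough, not built around the username, and drawn from at least three of
 * the four character classes (lower case, upper case, digits, other).
 */
function cp_password_problem( $password, $login ) {
    if ( strlen( $password ) < CP_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', CP_MIN_PASSWORD_LENGTH );
    }
    if ( $login !== '' && stripos( $password, $login ) !== false ) {
        return 'The password must not contain the username.';
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        return 'Mix letters, numbers and special characters in the password.';
    }
    return '';
}

// user_profile_update_errors fires from edit_user() before the user is
// saved; adding to $errors blocks the save and shows the message on the form.
// $update is false when the user is being created, $user->user_pass is only
// set when a password was entered.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! $update ) {                     // the username is only chosen at creation
        $problem = cp_username_problem( $user->user_login );
        if ( $problem !== '' ) {
            $errors->add( 'cp_username', $problem );
        }
    }
    if ( ! empty( $user->user_pass ) ) {
        $login   = isset( $user->user_login ) ? $user->user_login : '';
        $problem = cp_password_problem( $user->user_pass, $login );
        if ( $problem !== '' ) {
            $errors->add( 'cp_password', $problem );
        }
    }
}, 10, 3 );
```

It hooks only the dashboard user form (Users > Add New and Edit User), so users created with WP-CLI or through open registration are not checked, and it does not touch passwords already in use; apply it alongside, not instead of, changing the weak passwords that already exist.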
Other WordPress Login Page Security Improvements
- Only access your WordPress login page over HTTPS; over plain HTTP your WordPress username and password travel in clear text, and anyone on the network path (for example on public Wi-Fi) can capture them.
- Implement either two-factor or HTTP authentication.
Bonus WordPress Login Page Security Tip
If you always access the WordPress dashboard (admin pages) from the same IP address or location, restrict access to the WordPress login page to your IP address. For more information on how to restrict access to a specific IP address or how to enable HTTP authentication, refer to our definitive guide of htaccess and WordPress.
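As an added example for the two hardening options above (HTTP authentication from the section on hardening the login page, and the IP restriction in this tip), here is a must-use plugin that applies both in front of wp-login.php from PHP rather than from .htaccess, which also works on servers such as nginx that ignore .htaccess files. It is written for this article and is not code from WordPress or from the htaccess guide; the allow-list (documentation addresses 203.0.113.10 and 198.51.100.0/24), the username gatekeeper, the LPG_BASIC_HASH constant read from wp-config.php and the file location wp-content/mu-plugins/ are assumptions.

```php
<?php
/**
 * Plugin Name: Login Page Gate (example)
 * Description: Two layers in front of wp-login.php that are independent of
 *              the WordPress password: an IP allow-list and HTTP Basic auth.
 *              Assumed location: wp-content/mu-plugins/.
 */

// Assumed allow-list (documentation addresses): the addresses or IPv4 CIDR
// ranges you administer from. An empty list disables this layer.
const LPG_ALLOWED_IPS = array( '203.0.113.10', '198.51.100.0/24' );

// HTTP Basic credentials. The password hash is read from wp-config.php, where
// you add: define( 'LPG_BASIC_HASH', '<output of password_hash()>' );
// so the secret never sits in a plugin file. Leaving it undefined disables
// this layer. Assumed username:
const LPG_BASIC_USER = 'gatekeeper';

/** True when $ip matches an entry: exact string match, or an IPv4 CIDR range. */
function lpg_ip_allowed( $ip, $allowed ) {
    foreach ( $allowed as $entry ) {
        if ( strpos( $entry, '/' ) === false ) {
            if ( $ip === $entry ) {
                return true;                        // exact match, works for IPv6 too
            }
            continue;
        }
        list( $net, $bits ) = explode( '/', $entry, 2 );
        $bits  = (int) $bits;
        $ip_l  = ip2long( $ip );
        $net_l = ip2long( $net );
        if ( $ip_l === false || $net_l === false || $bits < 0 || $bits > 32 ) {
            continue;                               // not IPv4, or a bad prefix length
        }
        // Compare the top $bits bits by shifting the host bits out of both.
        $shift = 32 - $bits;
        if ( $bits === 0 || ( $ip_l >> $shift ) === ( $net_l >> $shift ) ) {
            return true;
        }
    }
    return false;
}

/** True when the request carries valid Basic credentials (or the layer is off). */
function lpg_basic_auth_ok( $user, $pass ) {
    if ( ! defined( 'LPG_BASIC_HASH' ) ) {
        return true;
    }
    // Constant-time comparison on the username, bcrypt verification on the password.
    return hash_equals( LPG_BASIC_USER, (string) $user )
        && password_verify( (string) $pass, LPG_BASIC_HASH );
}

// login_init runs at the top of wp-login.php, before any form is processed.
add_action( 'login_init', function () {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( LPG_ALLOWED_IPS && ! lpg_ip_allowed( $ip, LPG_ALLOWED_IPS ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
    $user = isset( $_SERVER['PHP_AUTH_USER'] ) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset( $_SERVER['PHP_AUTH_PW'] ) ? $_SERVER['PHP_AUTH_PW'] : '';
    if ( ! lpg_basic_auth_ok( $user, $pass ) ) {
        header( 'WWW-Authenticate: Basic realm="WordPress login"' );
        wp_die( 'Authentication required', 'Unauthorized', array( 'response' => 401 ) );
    }
} );
```

Generate the hash once with `php -r 'echo password_hash("your secret", PASSWORD_DEFAULT);'` and paste it into the define() in wp-config.php. Test from a second network before relying on the allow-list, otherwise a changed home IP address locks you out of your own dashboard (you can still delete the file over SFTP or SSH). PHP_AUTH_USER and PHP_AUTH_PW are filled in by mod_php; under FastCGI the Authorization header is not passed through by default, which is one reason the .htaccess route in the guide is often simpler. Finally, this gates only wp-login.php: xmlrpc.php and the REST API are separate authentication entry points and need their own treatment.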