Dealing with Failed Logins on Your WordPress

Last updated on March 24th, 2020 by Robert Abela. Filed under WordPress Security

Many alarm themselves when they notice failed logins on their WordPress websites and blogs. On the other hand, security and tech savvy people do not bother much about failed login attempts; stating that it is the norm.

Does your WordPress website receive a lot of failed login attempts? In this article I explain why your WordPress get such attacks. I also explain what you should do about them and how to improve the login page security.

You notice too many failed login attempts on your WordPress

Those who install a WordPress activity log plugin on their website are typically surprised by the number of failed login attempts their WordPress websites get. The below is a post from the WP Security Audit Log plugin support forum. It basically sums up what many WordPress administrators might think:

Does this plugin really work?

The audit log shows my blog gets so many failed log attempts from various countries like Ukraine, Russia, Vietnam, China etc.. almost everyday. I am not sure why so many people want to hack my small site. It doesn’t even have many contents. I don’t even make any profit from my site as I don’t have any ad or anything. so why my site gets so many failed log attempts? today some random person from Ukrain tried 10+ times to access to my and my partner’s account. I am not sure this plugin really works or it just generates some false alarms or something.

What the user reported were not false alarm. If you install a WordPress audit trail plugin on your WordPress websites you will see the same type activity, even if your website is not popular.

Why are hackers targeting your website?

The majority of attack attempts on your WordPress are not targeted specifically at your website, as explained in Targetted VS non-targetted WordPress attacks. They are automated malicious bots trying to guess your users’ passwords. Their goal is to find WordPress websites with weak credentials. TIP: enforce strong WordPress password policies.

Your WordPress website is the recipient of such attacks because it is online. They are in no way related to how popular your website is. In fact these attacks are very generic and every website on the internet is a target. Even non WordPress websites receive such type of requests, because most bots just send requests to any responding domain.

Do failed login attempts impact your website’s performance?

In the majority of cases they do not have an effect on the performance of your WordPress website. The only cases where failed WordPress login attempts can slow down a website, or consume an abnormal amount of bandwidth are during brute force/dictionary attack launched specifically against your WordPress login page, which could also lead to a Denial of Service.

What are the risks of too many failed login attempts?

As long as you use strong WordPress passwords, there are no security risks.

Should I harden the WordPress login page?

Even though failed WordPress logins bear no security risks, you should always try to make it more difficult for attackers. For example, you should:

Should I block offending IP addresses?

One commonly suggested remediation for thwarting failed login attacks on your WordPress is to block the offending IP address(es). Unless your website is a target of a brute force attack, I would not recommend going down that route. Attackers can easily bypass such blockage, so you’ll end up in a cat and mouse game.

Start with the basics – use strong credentials, enable 2FA and follow best practises

Like almost in everything else, start by addressing the basics. Avoid using common usernames such as admin, root, or your first name. Use a combination of letters and numbers for your usernames and a combination of letters, numbers and special characters for your passwords. Here are some tips on what makes a strong WordPress password.

Other WordPress login page security improvements

  1. Only access your WordPress login page on HTTPS since it is very easy for attackers to capture your WordPress username and password.
  2. Implementing two-factor or HTTP authentication (the best WordPress two-factor authentication (2FA) plugins).

Bonus WordPress login page security tip

If you always access the WordPress dashboard from the same IP address / location, restrict access to your IP address only. For more information on how to restrict access to a specific IP address or how to enable HTTP authentication refer to out definitive guide of htaccess and WordPress.

WordPress Hosting, Firewall and Backup

This Website is:

2 comments

John 07/02/2020

Basically if you have a strong password (at least 15 characters long), and change it once a year, you should be fine. I get hundreds of failed login attempts every day, so I just change my password often and don’t even look at the audit trail anymore…

Robert Abela 13/02/2020

Very good point John. Indeed, if you use a strong password and 2FA you should be sorted. But you would still need to review the activity logs from time to time, just ignore the failed logins 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *