WordPress Security Tutorial To Help Stop Login Hacking

WordPress hacking has become quite popular this week. That is because people love to use the default username admin, which leaves them open to being hacked. The reason is that hackers don’t go from site to site trying each wp-login.php by hand; they are much more sophisticated, or lazier, depending on how you look at it. They use an automated script that queries search engines for pages whose URL ends in wp-login.php and then tries to break into each one. The first username the script tries is admin. Since we use Limit Login Attempts, I’ve seen the usernames they try. Limit Login Attempts blocks the IP address that is trying to hack you; however, there are at least 90,000 different IP addresses attempting to hack sites with the admin username, so blocking one at a time only goes so far. This is why you could really benefit from using the free version of Cloudflare, which detects this hacking attempt and stops it. The paid version also stops this.

I know a lot of people believe that it doesn’t matter whether someone knows the username, since people will see the username in the author tag anyway. First, you can remove the author tag, and second, we aren’t fighting people. We are fighting scripts. These scripts just go to wp-login.php and start guessing usernames and passwords. You shouldn’t have an administrator account called admin, since that is their first guess. Honestly, you shouldn’t have an account called admin, period.

If you don’t have people logging into your site besides yourself, you should de-index wp-login.php from search results. This is quite simple and can be done via your robots.txt by adding `Disallow: /wp-login.php`. Not all bots listen to the robots.txt file, but most legitimate search engines do. It is also worth pointing out that anyone can read your robots.txt, so it hides the page from search results, not from attackers. If you want to be super secure you can modify your .htaccess file or httpd.conf to only allow certain IP addresses to access your wp-login.php page. htaccessfile.com has a very good tutorial on this technique.
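As an added example (not taken from the post or from htaccessfile.com), here is an .htaccess fragment that allows only listed addresses to reach wp-login.php and returns 403 to everyone else; the robots.txt side is just `User-agent: *` followed by `Disallow: /wp-login.php`. The addresses below are documentation placeholders and are assumed to be replaced with your own.

```apache
# Added example: restrict wp-login.php to known client addresses.
# 203.0.113.0/24 and 198.51.100.7 are placeholders; replace with the
# addresses you actually log in from.
<Files "wp-login.php">
    # Apache 2.4: Require directives default to "any one must match".
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
    </IfModule>
    # Apache 2.2: deny everything, then allow the listed addresses.
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.0/24
        Allow from 198.51.100.7
    </IfModule>
</Files>
```

If the site sits behind Cloudflare, the web server sees Cloudflare's addresses rather than the visitor's, so this rule only works once the real client IP has been restored (for example with mod_remoteip reading the CF-Connecting-IP header); otherwise it will lock you out or allow everyone.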

WordPress is currently discussing ways to let people rename the admin account in the future here and here.