Worried about hackers gaining access to your WordPress dashboard? One of the ways you can protect your WordPress site is by limiting the number of incorrect login attempts within a short time period. In our Login LockDown review & setup guide, you’ll find out exactly how this plugin will help to keep your site secure.
Why You Need to Secure your WordPress Login from Hacking Attempts
WordPress is one of the most popular Content Management Systems (CMS) on the web — it’s used by about 20% of all websites in existence.
It’s a common misconception that its popularity makes WordPress insecure, but its top-notch security features are actually one of the reasons it’s so popular! Used correctly, WordPress is secure right out of the box — but that doesn’t mean it can’t use a boost on security.
Using a plugin like Login LockDown will help to provide an extra layer of security, making your site a much more difficult target for hackers.
Could Your Site Be Vulnerable to Brute Force Attacks?
Hackers use many different tricks and techniques to break into WordPress sites. One of them is called a “brute-force” attack.
A brute force attack is when a hacker attempts to log in to your WordPress dashboard by guessing your password over and over again. They usually do this automatically, using special software that tries different passwords as fast as possible.
This is one of the reasons why security experts caution you not to use the default “admin” username and to use strong, unique passwords. Brute force attacks usually start with the most common, insecure passwords such as “12345,” “password,” or “qwerty.” Unfortunately, there are still many WordPress users around the web who use these insecure passwords, leaving their sites vulnerable to such attacks.
How Login LockDown Stops Hackers
Login LockDown puts a stop to these brute force attacks by logging the IP address of every person (or bot) who attempts to log in to your WordPress dashboard.
If the same IP address (or an address within the same range) enters the wrong username and/or password repeatedly within a short period of time, that address is automatically blocked from logging in for a set length of time.
How to Set Up Login LockDown
Login LockDown is free to download from the WordPress.org plugin directory. From your WordPress Admin Dashboard, click on ‘Plugins’, then ‘Add New’. In the keyword search box, type in Login LockDown. Click on the ‘Install Now’ button, then click the ‘Activate’ button. You’re now ready to set up the plugin. Alternatively, you can download Login LockDown as a zip file from the WordPress plugin directory and upload it from your Plugins page.
Look at the left-hand navigational menu of your WordPress Dashboard. Navigate to Settings » Login LockDown to customize the plugin settings for your site.
This takes you to the ‘Login LockDown Options’ settings screen.
Login LockDown Options > Settings Screen
Max Login Retries: 3
Retry Time Period Restriction: 5 minutes
Lockout Length: 60 minutes
These settings will lock out any IP address or IP block after 3 failed login attempts within 5 minutes, with the lockout lasting 60 minutes before they can try again. Brute-force attackers will simply move on to their next victim rather than wait an hour.
You can adjust all these numbers within the settings. I don’t recommend increasing the number of tries above 3 or increasing the retry time period above 5 minutes, as that would give the hacker more opportunities to guess your password before they’re locked out.
Lockout Invalid Usernames? Yes
Mask Login Errors? Yes
These settings automatically lock out anyone who enters a username that doesn’t exist and hide the reason for the login error. Showing the specific error (for example, that the username is wrong but the password format is accepted) would be a helpful hint to the hacker trying to force their way into your dashboard!
Show Credit Link? No
Finally, you can choose to display a link to Login LockDown on your login form. Again, this would tell hackers exactly which security plugin you’re using. No thanks, I don’t like making things easier for hackers in any way.
Remember to click the ‘Update Settings’ button when you’re finished to save your settings.
Login LockDown Options > Activity Screen
In this section, you can see a list of locked-out addresses. By selecting an IP and clicking on ‘Release Selected’ you can unlock it. Only do this for addresses you trust. Otherwise, there’s nothing wrong with someone waiting an hour before they try to access your site again, this time going through the Lost Password process. Better safe than sorry!
Other Ways to Keep Your Site Secure
Unfortunately, brute force attacks aren’t the only security issues to watch out for on your website. And while WordPress is designed to be secure out of the box, certain user behaviors can render its security features ineffective.
To keep your site safe and secure, be sure to:
- Use the latest WordPress version – back up your site before major updates
- Keep themes updated and delete those you’re not using – keep your active theme and only one default WordPress theme such as Twenty Twenty
- Keep plugins updated and delete those you’re not using – unused plugins are like backdoors into your site
- Change the default username from “admin” to something unique
- Use a strong, unique password for every site you use
- Use the free Cloudflare CDN and security service
- Make sure your security headers are set for your site – warning: do not attempt this on your own if you’ve never adjusted an .htaccess file before or can’t write PHP. Test your security headers, and if they’re missing, reach out; I can set them for you safely and correctly.