Prevention better than a cure for WordPress
One way to secure your WordPress web site is to stop hackers from even wanting to try. If they see a login form that asks only for a password, they just have to guess that one value. But if the form also requires a user id that they cannot easily guess, the effort needed for a brute force attack increases enormously. The chance of guessing the user id and the password at the same time is small, so hopefully hackers will go elsewhere. But that is not certain.
WordPress Hosted Blogs
If you are hosting a blog using WordPress then the process is simple. I’ve tried a few suitable plugins, but only one actually worked and that was Limit Login Attempts. Some of the other plugins were quite easy to get around, but this could be my particular hosting. So install it and then test it out!
Looking After Your WordPress Security
If you are writing the website for yourself then you need to look after the security yourself and that makes it a little bit more involved. But not impossible.
First, create a table in your database with just 2 columns – timestamp and IP address. Now when someone submits the login form, the first step is to remove old entries from this table. You can get the time of, for example, an hour ago in PHP quite simply by:
$cleartime = time() - (60 * 60); // Unix timestamp for one hour ago
Now just delete from the log table any records with a time less than $cleartime. Next, find the user’s IP address. If you are writing in PHP, that’s something along the lines of:
$ip = $_SERVER['REMOTE_ADDR']; // set by the web server; the old $REMOTE_ADDR global no longer exists in PHP
Simply run a count of how many times that IP address appears in the log table. If it is more than you want to allow, say three, then just exit the script or redirect to your home page.
Otherwise, check the user id/password combination. If they are good then log on as normal; if not, add a record of the IP address and the current time to your log table and return to the log on form. It is best at this point to say only that the details were wrong, rather than whether the name or the password was wrong, so that you are not giving hackers any clue as to whether they got part of it correct.
A step further
It goes without saying that you should take your WordPress security a step further. Obviously a clever hacker might have access to multiple IP addresses, so the next step is either to monitor the user id attempted and lock that out, or to lock out the log on form completely if there are too many failed attempts in the hour. You can always get around it by deleting the rows manually!
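As an added example (not the post's own code), here is the procedure above in PHP, with the per-IP limit and the per-user-id lockout from this section sharing one table. It uses an in-memory SQLite database via PDO so it runs stand-alone; the table name `login_fail`, the function names and the user store are assumptions.

```php
<?php
// Added example, not the post's own code: the throttle described above, on SQLite via
// PDO so it runs stand-alone. Table name, function names and the user store are mine.
declare(strict_types=1);

const WINDOW_SECONDS = 60 * 60;   // only failures from the last hour count
const MAX_FAILURES   = 3;         // three failures inside the window lock the subject
// Hash that matches no password, so an unknown user id costs the same as a known one.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));
// Constructed user store (user id => password_hash()); not real accounts.
$users = ['editor' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// The two columns from the post; the index keeps the COUNT cheap as the table grows.
$db->exec('CREATE TABLE login_fail (ts INTEGER NOT NULL, subject TEXT NOT NULL)');
$db->exec('CREATE INDEX login_fail_idx ON login_fail (subject, ts)');

// $subject is the client IP for the basic scheme, or the attempted user id for the
// "step further" lockout; the same purge-then-count serves both.
function tooManyFailures(PDO $db, string $subject): bool {
    $db->prepare('DELETE FROM login_fail WHERE ts < ?')->execute([time() - WINDOW_SECONDS]);
    $q = $db->prepare('SELECT COUNT(*) FROM login_fail WHERE subject = ?');
    $q->execute([$subject]);
    return (int) $q->fetchColumn() >= MAX_FAILURES;
}
function recordFailure(PDO $db, string $subject): void {
    $db->prepare('INSERT INTO login_fail (ts, subject) VALUES (?, ?)')->execute([time(), $subject]);
}

// Every failure path returns the same false, so the caller shows one generic
// "details were wrong" message and never reveals which half was right.
function attemptLogin(PDO $db, array $users, string $ip, string $user, string $pass): bool {
    if (tooManyFailures($db, $ip) || tooManyFailures($db, $user)) {
        return false;                  // locked out: the password is not even checked
    }
    $known = isset($users[$user]);
    if (password_verify($pass, $known ? $users[$user] : DUMMY_HASH) && $known) {
        return true;
    }
    recordFailure($db, $ip);
    recordFailure($db, $user);
    return false;
}

// Demo: REMOTE_ADDR comes from the web server (a reverse proxy's address if one is in
// front); on the command line fall back to a constructed documentation IP.
$ip = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.7';
for ($i = 1; $i <= 4; $i++) {
    var_dump(attemptLogin($db, $users, $ip, 'editor', 'wrong-' . $i));  // third failure reaches MAX_FAILURES
}
// Refused even with the right password: both the IP and the user id are now locked.
var_dump(attemptLogin($db, $users, $ip, 'editor', 'correct horse battery staple'));
```

In a real deployment the lockout state lives in your WordPress database rather than an in-memory SQLite file, and the loop at the end is replaced by the form handler calling attemptLogin() once per submission.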
This guide contains a lot of technical terminology and assumes a little more than basic computer knowledge. If you would like help strengthening your WordPress security, incorporating firewall protection, and other WordPress support services, contact CMS Managers today.