Secure Your WordPress Admin and Login Pages from Bots


As your WordPress site grows, bots will increasingly become a problem. At first you just notice an increased amount of comment spam, most of which will be filtered out by Akismet or a similar plug-in. Soon, however, you will also start noticing site slowdowns and perhaps even a message saying “Too many database connections!” These usually indicate a huge number of automated spiders and bots hitting your site, searching for vulnerabilities or trying to insert their own links into your content. A disproportionate number of these attacks are directed towards your WordPress admin and login pages. They take advantage of the fact that many people retain the default admin username and set poor-quality passwords. Needless to say, if one of these bots manages to get into your site it could cause irreparable damage.

But here’s the problem: even if you have a strong password and your site is well protected, it’s still being hammered by potentially thousands of requests every day. Both the login and the admin pages are PHP files, and each failed username/password attempt consumes a database connection, bandwidth, and CPU time. By themselves, these requests can make your site all but inaccessible. Here are three ways of dealing with this problem:

  1. Limit the number of login attempts;

  2. Community based Blacklists;

  3. Renaming your Login and Admin pages.

Limiting Login Attempts

This commonsense approach prevents a specific spider or bot from repeatedly trying thousands of username/password combinations. Out of the box, WordPress places no limit on the number of tries, but you can easily use a plug-in such as Limit Login Attempts to add one. It’s slightly risky, because there is a danger of locking yourself out as well!

Crowdsourced Blacklisting

You can take advantage of crowd intelligence by proactively blocking IP addresses and user agents that are known to behave badly. Very similar to the blacklisting performed by services such as CloudFlare, the WordPress plug-in BruteProtect maintains a central database of failed login attempts across all of its users; once a given agent passes the threshold, it is denied access to every other site under the plug-in’s umbrella as well. It’s an elegant solution. Sometimes, however, bad IP addresses are released and reassigned to new users, and I don’t know whether this database “forgives” them after a period of inactivity.
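The two approaches above both hinge on a failed-attempt threshold per address. As an added example (not code from the original post or from any of the plug-ins it names), the following Python script applies such a threshold to a web server access log instead of inside WordPress, so the addresses hammering wp-login.php can be spotted after the fact and fed into whatever block list you use. The log lines, addresses and threshold values are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-format access log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    if (m := LOG_RE.match(line)) is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }

def find_bruteforcers(lines, max_attempts=5, window_minutes=10):
    """Map each IP with more than max_attempts failed wp-login.php POSTs inside
    any sliding window of window_minutes to the highest count seen for it."""
    recent, flagged = defaultdict(deque), {}   # ip -> recent failure times
    for line in lines:
        ev = parse_line(line)
        # Only failed login POSTs count: WordPress answers a successful login
        # with a 302 redirect and re-renders the form (200) on bad credentials.
        if (ev is None or ev["method"] != "POST"
                or ev["path"] != "/wp-login.php" or ev["status"] != 200):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > timedelta(minutes=window_minutes):
            q.popleft()               # drop failures older than the window
        if len(q) > max_attempts:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged

# Constructed sample log: one stray failure an hour earlier, a legitimate login
# from another address, then a six-attempt burst inside twelve seconds.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2014:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245',
    '198.51.100.2 - - [10/Mar/2014:09:12:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3245',
    '198.51.100.2 - - [10/Mar/2014:09:12:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
] + [
    f'203.0.113.7 - - [10/Mar/2014:09:15:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3245'
    for s in range(0, 12, 2)
]
```

Running `find_bruteforcers(SAMPLE_LOG)` flags only 203.0.113.7 with six failures, because the earlier stray attempt falls outside the ten-minute window and the other address logged in successfully.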

Renaming Admin and Login Pages

To my mind, this is the most elegant solution of all. Every bot and spider attempting to access your site will use either “wp-login.php” or “wp-admin.php” to do so. These are hardcoded into the WordPress installation, and there’s no option to change them out of the box, so they are a highly visible target. Renaming them cuts the feet out from under hackers, since they have no idea what URL to access! If yours is a typical WordPress site, you don’t allow random sign-ups and logins from unknown users, so nobody legitimate needs the default URL.

You can rename these pages without actually touching your WordPress installation with a little bit of .htaccess magic. Or you can do as I do and simply install the Better WP Security plug-in, which not only lets you rename these crucial pages but also hardens your site against a wide variety of attacks. Like most good plug-ins it has a lot of options, and I’ll definitely be reviewing them individually someday.

As I said earlier, you won’t experience any of these problems if you’re just starting out. But as you add more content, become more popular, and have a large number of links pointing to your site, I can guarantee that a time will come when you simply have to do something about malicious spiders and bots. Hopefully these tips can get you started.

2 Comments on “Secure Your WordPress Admin and Login Pages from Bots”!

  • use a good captcha at the signup / signin process

  • This WordPress security plugin called Ozioma can be handy as well. It
    adds a two-factor authentication model to WordPress by generating and
    sending a verification code to the WordPress administrator when WordPress
    has authenticated the person trying to access the admin page. With the
    plugin installed and configured, the person will be taken to an SMS
    verification page instead of the admin page, where he/she will be mandated
    to enter the verification code sent to the administrator via SMS; if the
    person can’t enter the correct verification code in 3 tries, he/she will be
    logged out automatically and denied access to the admin page. The plugin
    can use any SMS gateway for this purpose once configured properly. Download
    from the plugin home page:
