Who is attacking your WordPress?
The good news: it is not people sitting at a keyboard trying to get into your WordPress backend. The attempts come from automated bots.
These scripts scan the internet for WordPress installations like yours and then automatically try different combinations of usernames and passwords against the login form.
That is why it is so important that you use a long, complex and unique password and not a simple one like "passwort123" or "hallo" (the most commonly used password in Germany!).
If one of these bots finds a valid username and password combination, it reports it to its operator, who then logs into WordPress and infiltrates your website further.
Why is the website under attack?
Unfortunately, this happens simply because your site is reachable on the internet. The attackers are not targeting you specifically; they target every WordPress installation they can find.
If a botnet operator can log on to a third-party website as an administrator, they have full control over it. They can then install plugins, change files and take over the website completely.
In most cases, your hacked website is then misused for spam, either to send spam e-mails or to advertise dubious products. Spam pages of that kind may then appear in Google search results under your domain.
How dangerous are the login attempts?
If you (and all other users of your WordPress website!) use long, complex and unique passwords, then these login attempts are not dangerous.
The bots work from long but finite password lists (common passwords and credentials leaked elsewhere); a genuine brute-force attack in which all possible password combinations are tried is simply not economically viable against a long, unique password. Yes, botnet operators also calculate economically and want to reach their goal as easily and cheaply as possible.
I see the real problem in the notifications sent by various WordPress firewall plugins such as Limit Login Attempts, Wordfence and the like.
In my opinion, these have no added value, except that they make you nervous. After all, you don't get a text message every time someone walks past your front door. And a long list of constantly changing IP addresses is of no use to you either: the bots come from compromised machines all over the world, so blocking yesterday's addresses does nothing against today's attempts.
For the developers of the plugins in question, the emails are very useful, because these plugins want to show you that they are useful and protect you. Why? So that you then buy the premium version. Fear works brilliantly in marketing.
My tip: implement the following tips and then deactivate the notifications.
What you can do to prevent login attempts
You can't do anything about the login attempts themselves, just as you can't prevent someone from ringing your doorbell.
What you can do, however, is make sure that the bell rings only a few times and that nobody gets through the door :-)
The following measures will help you to secure your WordPress website against hackers:
- Make sure that you do not have a user with the name "admin". Bots try this username first. Note that WordPress usernames are not secret, so a different name is hygiene rather than a strong barrier; the password and 2FA do the real work.
- Install a plugin that limits login attempts per IP address and locks the source out after a few failures, for example Limit Login Attempts or Wordfence. Important: configure the plugin correctly (a small number of allowed failures, a lockout of an hour or more) and deactivate the useless notifications!
- Use 2-factor authentication (2FA) for your administrator accounts, and ideally for every account that can publish or install plugins. You then have to confirm the login to WordPress with a time-based one-time code from an authenticator app on your phone (e.g. 1Password), just like with bank transfers. If your password does leak, the hacker will still not be able to log in to WordPress with it!
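To make the last two measures concrete, here is a small model of a hardened login in Python. This is an added example for this article, not WordPress or plugin code: it combines a per-IP lockout policy (5 failures in 15 minutes locks the address for an hour; these numbers are assumed) with a standard RFC 6238 TOTP check, the same scheme authenticator apps use. The user account, its secret, the bot's username/password list and the IP addresses are all constructed for the demonstration.

```python
"""Toy model of a hardened WordPress login: per-IP lockout plus TOTP.

Added example, not WordPress or plugin code. The lockout policy and the
sample users, secrets, passwords and IP addresses are constructed for
illustration only.
"""
import base64
import hashlib
import hmac
import struct
import time

MAX_FAILURES = 5      # failures allowed per IP inside WINDOW (assumed policy)
WINDOW = 15 * 60      # seconds
LOCKOUT = 60 * 60     # seconds an IP stays locked after MAX_FAILURES

# Constructed sample data: one real user with a strong password and a TOTP secret.
SECRET = "JBSWY3DPEHPK3PXP"                   # base32 TOTP secret (demo value)
PASSWORD = "correct horse battery staple 42"
USERS = {"michael": (PASSWORD, SECRET)}       # username -> (password, totp secret)

# What a credential-stuffing bot might try: "admin" first, then common passwords.
BOT_USERNAMES = ["admin", "michael"]
BOT_PASSWORDS = ["passwort123", "hallo", "123456", PASSWORD]


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and a 30 s step (what authenticator apps use)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison so timing does not leak which part was wrong."""
    return hmac.compare_digest(a.encode(), b.encode())


class LoginGuard:
    def __init__(self, users):
        self.users = users
        self.failures = {}      # ip -> timestamps of recent failures
        self.locked_until = {}  # ip -> time until which the ip is locked out

    def _record_failure(self, ip, now):
        recent = [t for t in self.failures.get(ip, []) if now - t < WINDOW]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT
            self.failures[ip] = []

    def login(self, ip, username, password, code=None, now=None):
        """Returns 'locked', 'bad-credentials', 'bad-2fa' or 'ok'."""
        now = time.time() if now is None else now
        if self.locked_until.get(ip, 0) > now:
            return "locked"                      # not even checked: no signal for the bot
        entry = self.users.get(username)
        if entry is None or not _eq(entry[0], password):
            self._record_failure(ip, now)
            return "bad-credentials"
        secret = entry[1]
        if secret is not None:
            # accept the current code plus one step of clock drift either side
            valid = code is not None and any(
                _eq(code, totp(secret, now + drift)) for drift in (-30, 0, 30))
            if not valid:
                self._record_failure(ip, now)
                return "bad-2fa"
        return "ok"


def run_bot(guard, ip, usernames, passwords, start=1_700_000_000):
    """Constructed credential-stuffing run: every user/password pair, one per second.
    Returns a count of outcomes so the effect of the lockout is visible."""
    outcomes = {}
    t = start
    for user in usernames:
        for pw in passwords:
            result = guard.login(ip, user, pw, now=t)
            outcomes[result] = outcomes.get(result, 0) + 1
            t += 1
    return outcomes


if __name__ == "__main__":
    now = 1_700_000_000
    print("bot run:", run_bot(LoginGuard(USERS), "203.0.113.9", BOT_USERNAMES, BOT_PASSWORDS))
    g = LoginGuard(USERS)
    print("bot with leaked password, no 2FA:", g.login("203.0.113.9", "michael", PASSWORD, now=now))
    print("owner with password and code:", g.login("198.51.100.1", "michael", PASSWORD, totp(SECRET, now), now=now))
```

Two things are visible in the run. The bot's list contains the correct password, but after five failures the address is locked and the remaining attempts are rejected without being checked at all, so the bot never learns anything. And a bot that already has the password still fails on the second factor, while the owner with the authenticator code gets in.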
I personally don't think much of captcha plugins, because they make the login process less convenient and your website is already well secured with the points mentioned above.
2FA costs you about the same effort at login, but the code is valid only for you and your account, and it does not give you the false sense of security that a captcha does: a captcha only slows the bot down, while 2FA stops a login even with the correct password.
TL;DR: chill the base :-)
If you implement the best practices mentioned above, you can take a relaxed view of login attempts on your WordPress site and confidently deactivate the notifications from the various tools.
If you use my WordPress installation as a Website Hero, you will also receive a perfectly configured firewall for WordPress. More info about the perfect WordPress setup.
Do you have another tip for me and my readers? I look forward to your comment!
Michael
PS: What do you do in the opposite case – if you can no longer log in to WordPress? Here you can find instructions on how to hack into your WordPress (or that of your customers) yourself.