Join Jeff Starr for an in-depth discussion in this video, Secure your login page, part of WordPress: Developing Secure Sites.
- [Instructor] In this video, we want to prevent unwanted access to the WordPress admin area by locking down the login page, which essentially is the doorway to your entire site. So it's important to keep it as secure as possible. As you can see, the login page is easy to find on any WordPress site. And by default, there is no limit to how many times someone can try to guess your password and gain access to everything. To fix this, we want to limit the number of times a visitor can attempt to log in. The easiest way to do this is with a plugin.
And currently, one of the best is Cerber Limit Login Attempts. The Cerber plugin is freely available here in the WordPress Plugin Directory. Let's check out the highlights. As explained here, Cerber protects against brute force attacks, and it provides tools to control user activity. Cerber brings lots of great features, and it's compatible with the latest version of WordPress. It's recently updated, has lots of active installs, and it has excellent ratings.
And the screenshots look good, so yeah. Plus, I've used this plugin on my own site, so I can verify that it works great. One of the better limit-login plugins that I've had the pleasure of using. The Cerber plugin already is installed and active on our demo site. So let's visit the Cerber Settings to configure the plugin. If you're short on time, the default Cerber settings are going to work just fine. But let's take a moment to explore the options and see what's possible. Here is the main part of the plugin, Limit login attempts.
I like to set this at three attempts in 30 minutes and then block for 60. It's totally up to you. Just remember that your legitimate users sometimes make mistakes. Aggressive lockout settings should be fine as is. This is a great feature, by the way, further strengthening the security of your login page. Cerber also provides an option to send an email notification if things get crazy. For Site connection, leave this disabled unless you have reason to do otherwise.
The next section, Proactive security rules, provides some advanced options. The only things I would maybe change here are to uncheck Non-existent users, because even legit users make mistakes, and to uncheck Redirect dashboard requests, because some users may access the login page by entering the dashboard URL directly. So disabling this option is a good idea. Everything else should be good to go just using the default settings, but feel free to experiment with any features that look useful.
Once the settings are configured, click the button to save your changes. Note that these other tabs provide various tools and data to help you manage your user logins and lockouts. You don't really need to do anything upfront with these tools, but as you continue with the plugin, you can explore further and take advantage. Now that the plugin is active and configured, let's log out of the admin area and see how it works. Note, don't try this test on your own site, or you will be locked out of your account for 30 minutes or whatever interval you've specified in the settings.
So let's pretend we're a brute force attacker, and we enter a username and password. Notice it says "2 attempts remaining." Let's try again. And one attempt remaining. So they're not going to get very far. And for their third try, they're locked out. The same thing will happen to any bad guys trying to brute force their way into your site. The Cerber plugin is going to lock things down and keep your login page nice and secure.
Going further, here are some additional login-related plugins that you may want to check out: Two Factor Authentication, Clef two factor authentication, and Google Authenticator. And then there's also Login No Captcha reCAPTCHA, WPBruiser, and Login LockDown. These plugins are reputable and known to provide additional layers of security for the WordPress login page. In this tutorial, we learned how to protect the WordPress login page with the awesome Cerber plugin.
It only takes a few minutes to implement and doing so helps to improve the security of your WordPress site.
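The lockout policy chosen in the video (three failed attempts within 30 minutes, then a 60-minute block) written out as an added Python example, so the counting, window expiry and "attempts remaining" logic are visible; this is not Cerber's code, and the class, method names and sample address are assumptions.

```python
"""Login lockout policy from the video: three failed attempts within a
30-minute window lock the source out for 60 minutes. Added example, not
Cerber's code; class name, method names and thresholds are assumptions."""
from collections import defaultdict, deque

ATTEMPT_LIMIT = 3          # failures allowed inside the window
WINDOW_SECONDS = 30 * 60   # 30-minute counting window
LOCKOUT_SECONDS = 60 * 60  # 60-minute block once the limit is hit


class LoginLimiter:
    def __init__(self, limit=ATTEMPT_LIMIT, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.limit, self.window, self.lockout = limit, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> timestamp when the block ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]  # block has expired, allow logins again
            return False
        return True

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()  # failures older than the window no longer count

    def record_failure(self, ip, now):
        """Register a failed login; return ('locked', 0) or ('remaining', n)."""
        if self.is_locked(ip, now):
            return ("locked", 0)
        self._prune(ip, now)
        q = self.failures[ip]
        q.append(now)
        if len(q) >= self.limit:
            self.locked_until[ip] = now + self.lockout
            q.clear()
            return ("locked", 0)
        return ("remaining", self.limit - len(q))

    def record_success(self, ip):
        """A correct password clears the counter, so a legit user's typos are forgiven."""
        self.failures.pop(ip, None)
```

The third failure from the same address locks it out, matching the "2 attempts remaining", "1 attempt remaining", locked sequence shown in the demo.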