Tips for Wordpress Admin Login Security

WordPress plugins like Limit Login Attempts increase security of WordPress blogs regarding admin login. The plugin sent me an alert today that there have been several IP lockouts after they tried to login and hack one of my WordPress blogs. This comes only two weeks after I moved to VPS hosting for better security; a fact that is certainly worrying. Fortunately this time I have increased the WordPress security of my blogs as I don’t want them to get hacked twice. The WordPress plugin informed me that 6 different IP’s have tried logging in unsuccessfully. They all tried to login using admin as username!

First tip: Rename the default admin WordPress account

During WordPress installation you usually don’t have the choice to select the default username with administrative access. WordPress picks “admin” as the default username to access for the first time your new WordPress blog. However that results to serious vulnerability in terms of WordPress security. Hackers now have just one task to infiltrate your blog and that is finding your password. Why make it easier for them when there’s a choice to change the admin username and force them to guess two things instead of one?

The easiest method to disable admin login is to create another account as an administrator and delete the default admin one. Most bloggers will find it more difficult to access their mySQL databases and change the “admin” username. Yet if you are adventurous, you should access your domain’s cPanel, login to phpMyAdmin, access your WordPress database and browse the (prefix)_users database entries. All you have to do is edit the admin account and change the “user_login” field to something more complicated than the default WordPress choice.

Second Tip: Install Limit Login Attempts WordPress Plugin

Limit Login Attempts is a WordPress plugin that has been rated 5 stars by many WordPress users, proving it is one of the most useful WordPress plugins. It actually limits the times you can try logging in when you input wrong passwords. In other words it is a great tool against brute-force attack. This method is very common and is mainly used in order to gain access in the WordPress installation. The plugin lets you define how many login attempts are allowed until the IP is locked out for 20 minutes. If the villain behind that IP is locked out 4 times, the admin is notified via email and the IP is forbidden access to the WordPress admin login screen for 24 hours. That is how I found out about the failed login attempts in the first place.

Unless you share your username and/or password of your WordPress installation, these tips will surely increase your blogs’ security against hackers gaining control of your WordPress blogs.