There are dozens of computers trying to log in to this site over the course of a day. It’s not an important site, not a site that’s chock full of credit card information, and not a site that matters to anyone but me. (Yes, I put out my lower lip while typing that last one.) Nonetheless, the login attempts continue.
The attempts are coming from bots: computers that are infected with malware that puts them under the direction of various command and control servers. They scan, look for WordPress sites, and try to log in. If they succeed, they let someone upstream know, and then push malware onto the system.
I have blogged about this before. I’m using WordFence as one of the defense layers for this system. It locks out anyone who tries to login with incorrect information. The login settings are:
A few minutes ago, I tweeted “It’s fun using #Wordfence to watch bots try to login as ‘admin’ to my #WordPress sites. I auto-block that ID.” And it is, although the ongoing attempts are both annoying and a waste of bandwidth. This was a big deal a few weeks ago. In fact, the sheer volume of attempts to log in as ‘admin’, over and over again with commonly used passwords, was enough to bring down several shared hosting sites.
As a hosting server, what can you do? It seems to me that you should monitor HTTP traffic, looking for multiple login attempts with the ID ‘admin’, and use firewall blocks to throttle traffic from those IP addresses. I chose to say “throttle” rather than “block” because — just maybe — there might be a real user out there struggling to remember his admin password.
As a WordPress site owner, what can you do? First, don’t have a user named ‘admin’. They can’t log in to an account that’s not there! Second, install the WordFence plugin. On the options panel, enable “Login Security” with fairly aggressive settings:
If you want to see if it’s effective, enable WordFence’s “Live Traffic View” and, on the Live Traffic panel, click on the “Logins and Logouts” tab.
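The hosting-side throttle suggested above and the lockout that WordFence applies on the site side both come down to the same thing: count login attempts for a watched username per source address inside a time window, and slow the source down once it crosses a threshold. The script below is an added example, not code from this post or from WordFence. It assumes a constructed log format (one line per login attempt: unix timestamp, source IP, username, result) and a hypothetical exponential-backoff policy; it hands back a delay in seconds rather than a hard block, and a successful login clears the source's history, so a real administrator who fumbles a password is slowed down rather than shut out.

```python
"""Throttle repeated 'admin' login attempts per source IP.

Added example, not from the original post or from WordFence. The log
format is constructed for this example: "<unix_ts> <ip> <username>
<success|failure>", one line per attempt against the WordPress login
form. A real deployment would parse its own log source (web-server
module, plugin log, etc.) into the same tuples.
"""
from collections import defaultdict, deque

# Constructed sample data: one bot hammering 'admin' in a tight loop, a
# second bot whose attempts are spread out beyond the window, a legitimate
# administrator who gets the password right on the third try, and an
# unrelated user that the watch list ignores.
SAMPLE_LOG = """\
1000 203.0.113.10 admin failure
1005 203.0.113.10 admin failure
1010 203.0.113.10 admin failure
1012 198.51.100.7 admin failure
1015 203.0.113.10 admin failure
1018 198.51.100.7 admin failure
1020 203.0.113.10 admin failure
1025 203.0.113.10 admin failure
1030 192.0.2.44 admin failure
1030 203.0.113.10 admin failure
1035 203.0.113.10 admin failure
1040 192.0.2.44 admin failure
1040 203.0.113.10 admin failure
1045 203.0.113.10 admin failure
1050 198.51.100.7 admin success
1060 198.51.100.7 alice failure
1700 192.0.2.44 admin failure
1710 192.0.2.44 admin failure
1720 192.0.2.44 admin failure
"""

WINDOW_SECONDS = 300   # sliding window in which attempts are counted
THRESHOLD = 5          # attempts inside the window before throttling starts
MAX_DELAY = 60         # cap on the imposed delay, in seconds (hypothetical policy)


def parse_log(text):
    """Parse the constructed format into (ts, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result == "success"))
    return events


def throttle_delay(attempts_in_window, threshold=THRESHOLD, max_delay=MAX_DELAY):
    """Backoff policy: no delay below the threshold, then 1, 2, 4, ... seconds, capped."""
    over = attempts_in_window - threshold
    if over < 0:
        return 0
    return min(2 ** over, max_delay)


def compute_throttles(events, watched_user="admin", window=WINDOW_SECONDS):
    """Return {ip: largest delay assigned} for sources that repeatedly try watched_user.

    Attempts are kept in a per-IP deque trimmed to the sliding window. A
    successful login clears that IP's history, so an administrator who finally
    remembers the password is not penalised afterwards. Sources that never
    cross the threshold do not appear in the result.
    """
    history = defaultdict(deque)
    delays = {}
    for ts, ip, user, success in sorted(events):
        if user != watched_user:
            continue
        attempts = history[ip]
        if success:
            attempts.clear()
            continue
        attempts.append(ts)
        while attempts and ts - attempts[0] > window:
            attempts.popleft()
        delay = throttle_delay(len(attempts))
        if delay:
            delays[ip] = max(delays.get(ip, 0), delay)
    return delays


if __name__ == "__main__":
    for ip, delay in sorted(compute_throttles(parse_log(SAMPLE_LOG)).items()):
        print(f"throttle {ip}: delay new connections by {delay}s")
```

On the sample data only 203.0.113.10 is throttled: its ten attempts in 45 seconds walk the delay up to 32 seconds. The second bot (192.0.2.44) never has more than three attempts inside a 300-second window, and the administrator at 198.51.100.7 has two failures followed by a success, which wipes the history. The threshold, window and cap are the knobs the WordFence “Login Security” panel exposes in its own terms; the values here are illustrative.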
If you set up your WordPress site with an ‘admin’ user, how do you remove it without breaking the site?
Create a new user on the site that you’ll use for administrative purposes. Make sure you give it a strong password and don’t forget to assign it the administrative role.
Log out and log back in as the user you just created.
Under “Users”, select and delete the original administrative user, ‘admin’. WordPress will allow you to reassign content posted by this user to another user.
How else do you secure your WordPress sites?