Remember when you were a kid, and you needed a password to get into the tree fort? Not a bad security step. If you recognized the person who wanted to get into your fort and they knew the password, that person was welcomed in. If they didn’t have the password – and they weren’t bigger than you – they didn’t get in. If you didn’t recognize them, there’s no way they’d get in, even with the password. Your website can work in much the same way: no username, no password, no entry.
One of my favorite plugins in WordPress is WordFence. Even the free version of the software has some amazing features. You can easily limit the number of login attempts as well as lock out a source after a certain number of failed attempts (10 or 20 is what I recommend). In the tree fort, if you didn’t recognize someone, it didn’t matter if they had the password, they weren’t welcomed in; we can do the same through WordFence. If someone tries a certain username, we can automatically lock them out.
One username to block right away is ‘admin’. These usernames are all set up by either the developer who built the site or you yourself when you created the various user accounts. If you never set up an account with the username of ‘admin’ – which you should never do, by the way – no one should ever be looking to log in with that username. ‘Admin’ is one of the first names that spammers and hackers will use in a brute force attack to gain access to your site. Block the use of the ‘admin’ username, and then block the IP that they’re using: quick and easy.
The other names you should block are any names that a spammer or hacker attempts to use. With WordFence, the plugin will send you an email any time a user is locked out because they failed with a username and password 10 times (or whatever you have it set to). An awesome feature of WordFence is that they’ll also tell you what username was used and where this user was logging in from. I received one of these emails from a client’s site and it said that ‘clientsDomainName’ had attempted to log in 10 times. I went in to the client’s WordFence settings and added ‘clientsDomainName’ to the list of blocked names. Now any time a spammer or hacker attempts to get in with that username, they’ll be blocked immediately. Whenever I receive an email like that, I will always log in and block that username.
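An added example, not WordFence’s own code: a small Python model of the two rules described above, a username blocklist that locks out the source immediately and a failed-attempt threshold per address, run over constructed login attempts (the IP addresses and usernames are made up, and whether the password was correct is passed in as a flag).

```python
"""Added example (not WordFence code): models the username blocklist and
failed-login threshold the post describes, over constructed attempts."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 10                      # lock out after this many failures
    blocked_usernames: set = field(default_factory=lambda: {"admin"})


@dataclass
class LoginMonitor:
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)   # ip -> failed attempt count
    locked_ips: set = field(default_factory=set)
    alerts: list = field(default_factory=list)     # what the notification email would say

    def attempt(self, ip: str, username: str, password_ok: bool) -> bool:
        """Return True if the login is allowed, False if it is rejected."""
        if ip in self.locked_ips:
            return False
        # Rule 1: a username that should never exist is rejected at once, IP locked out
        if username in self.policy.blocked_usernames:
            self.locked_ips.add(ip)
            self.alerts.append(f"{ip} locked out: used blocked username '{username}'")
            return False
        if password_ok:
            self.failures.pop(ip, None)             # a valid login resets the counter
            return True
        # Rule 2: too many failures from one address locks that address out
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.policy.max_failures:
            self.locked_ips.add(ip)
            self.alerts.append(f"{ip} locked out after {self.failures[ip]} failures, "
                               f"last username '{username}'")
        return False


# Constructed sample attempts (ip, username, password_ok); not real traffic
SAMPLE = ([("203.0.113.5", "admin", False)]
          + [("198.51.100.9", "clientsDomainName", False)] * 10
          + [("192.0.2.1", "editor", True)])


def run():
    mon = LoginMonitor(LockoutPolicy())
    results = [mon.attempt(*a) for a in SAMPLE]
    # The operator reads the alert and adds the probed username to the blocklist,
    # so a new source trying it is rejected on the first attempt.
    mon.policy.blocked_usernames.add("clientsDomainName")
    retry = mon.attempt("198.51.100.77", "clientsDomainName", False)
    return results, retry, mon
```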
If you are a Full Scope Creative client on Security Essentials Hosting, you enjoy the benefit of having your site monitored by us. We maintain all of those emails from WordFence for you and will add any of those username attempts as soon as we see them.
When I was a kid, keeping my tree fort free of unwanted visitors was a top priority. Our websites shouldn’t be any different. We know to keep passwords safe and secure, but there’s also work to be done on the usernames as well. Thankfully, with WordFence for WordPress, we’ve got a lot of great tools at our disposal.