Of all the malevolent things hackers do, one is the mindless, full-frontal attack on a website to try to crack its passwords.
Luckily, in the WordPress universe, if you keep WordPress and its plugins up-to-date (to harness the ongoing work of its coding teams), you are doing a lot to stay safe.
However, if you want extra peace of mind, there is a simple plugin that earns its keep regularly – Limit Logins.
That plugin sent my client this email regarding their website this morning:
16 failed login attempts (4 lockout(s)) from IP: 18.104.22.168
Last user attempted: admin
IP was blocked for 24 hours
That is smoking-gun evidence that somebody was trying to be evil with their website from Ukraine (that is where the IP address is based – it is also listed on some blacklists around the world).
This very simple plugin counts how many times you try to enter a username and password and punishes you for being sloppy or wrong.
In its default setup, if you enter a username and password combination incorrectly four times, you get locked out of the site for 20 minutes.
If you try again and get it wrong, you are out for 24 hours, and so on.
It really frustrates that lowest type of human being (the hacker) as they set their bots to work through millions of combinations to crack your code.
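To see what that counting does to a bot, here is a small model of the lockout behaviour described above. It is an added example, not the plugin's own code. The class and function names are hypothetical, the rule that the fourth lockout triggers the 24-hour block is an assumption read off the email above, and the traffic and the IP address 203.0.113.7 are constructed.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    max_retries: int = 4           # wrong logins before a lockout (from the post)
    short_lockout: int = 20 * 60   # 20 minutes, in seconds (from the post)
    long_lockout: int = 24 * 3600  # 24 hours, in seconds (from the post)
    lockouts_before_long: int = 4  # ASSUMPTION read off the email: 4 lockouts -> 24 h

@dataclass
class IpState:
    failures: int = 0        # wrong logins since the last lockout
    total_failures: int = 0  # every wrong login that reached the password check
    lockouts: int = 0
    locked_until: int = 0    # timestamp (seconds) at which the current block ends

class LoginLimiter:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.ips = {}

    def record_failure(self, ip, now):
        """Count one wrong login; return the lockout length it triggers, or 0."""
        state = self.ips.setdefault(ip, IpState())
        if now < state.locked_until:
            return 0  # blocked requests never reach the password check
        state.failures += 1
        state.total_failures += 1
        if state.failures < self.policy.max_retries:
            return 0
        state.failures = 0
        state.lockouts += 1
        escalate = state.lockouts >= self.policy.lockouts_before_long
        duration = self.policy.long_lockout if escalate else self.policy.short_lockout
        state.locked_until = now + duration
        return duration

def replay_bot(limiter, ip, seconds, step):
    """Constructed traffic: one wrong password every `step` seconds."""
    lockouts = []
    for now in range(0, seconds, step):
        duration = limiter.record_failure(ip, now)
        if duration:
            lockouts.append((now, duration))
    return lockouts

if __name__ == "__main__":
    print(replay_bot(LoginLimiter(), "203.0.113.7", 24 * 3600, 30))
```

Replaying a bot that tries one password every 30 seconds for a day, the model lets through 16 guesses across 4 lockouts before the 24-hour block, the same counts as in the email, instead of the 2,880 guesses the bot would otherwise get.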
Apart from that plugin, some other simple housekeeping is:
- Never use admin as your username
- Always use upper case, lower case, numbers and punctuation marks in your passwords
- Have at least eight characters in your passwords
Those three steps should give you plenty of breathing space – Limit Login buys you a tonne more.