So ... Here's the thing ...

The most common trick: attackers try to break into your WordPress site by guessing your admin password.

And I won't waste your time with the technicalities of brute force attacks, password-guessing scripts, etc.

But here's a heavily overlooked fact: by default, WordPress lets anyone try a different password as many times as they want, with no lockout and no slowdown!!

That is exactly what makes a brute force attack possible.

It means that I can try hundreds or thousands of passwords all day long, till one of them opens your WordPress admin area.

Or I could use a handy piece of software that does all the heavy lifting, testing hundreds of thousands of words, phrases and leaked passwords until your site cracks.

I'll give you one example ... One of my sites (hosted outside of WA) recorded 269 failed login attempts in the last 30 days ...

The solution? Luckily, it's pretty simple ...

You need to limit the number of failed login attempts coming from any one source.

For example: you can say after 3 failed attempts, lock the attacker out temporarily. In other words: once an IP address (or a username) has more than 3 failed login attempts, your site blocks that IP for a temporary period of time based on your settings. You can make it 5 minutes, 15 minutes, 24 hours, and even longer. Keep in mind this is a rate limit, not a replacement for a strong password: an attacker can rotate IP addresses to get a fresh set of attempts, and a long lockout on a shared IP (an office, a mobile carrier) can also lock out legitimate users, so pair it with a long, unique admin password.
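To show what such a lockout actually does inside WordPress, here is an added example (not the plugin the next lesson covers, and not code from this page or from WA): a small must-use plugin that counts failed logins per client IP using WordPress transients and refuses logins from that IP for a set time once the limit is hit. The plugin name, the `ell_` prefix, the thresholds and the messages are this example's own choices.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Description: Blocks a client IP for a set time after too many failed logins.
 *
 * Added example, not the plugin the lesson goes on to show. Save it as
 * wp-content/mu-plugins/example-login-lockout.php; the names and values
 * below are the example's own choices.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Do not run outside WordPress.
}

define( 'ELL_MAX_ATTEMPTS', 3 );                         // failures allowed before lockout
define( 'ELL_ATTEMPT_WINDOW', 15 * MINUTE_IN_SECONDS );  // failures older than this are forgotten
define( 'ELL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS ); // how long the IP stays blocked

/**
 * The address the web server itself saw. Do not read X-Forwarded-For here:
 * the attacker controls that header and would get a fresh "IP" per request.
 * If you sit behind a proxy you control, fix up REMOTE_ADDR in wp-config.php.
 */
function ell_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ell_fail_key( $ip ) { return 'ell_fail_' . md5( $ip ); }
function ell_lock_key( $ip ) { return 'ell_lock_' . md5( $ip ); }

/** Unix time the lockout for $ip ends, or 0 when it is not locked. */
function ell_locked_until( $ip ) {
	$until = (int) get_transient( ell_lock_key( $ip ) );
	return $until > time() ? $until : 0;
}

// Count each failed login; on the Nth failure start the lockout.
add_action( 'wp_login_failed', function ( $username ) {
	$ip = ell_client_ip();
	if ( ell_locked_until( $ip ) ) {
		return; // already locked; the WP_Error we return below re-fires this hook
	}
	$count = (int) get_transient( ell_fail_key( $ip ) ) + 1;
	if ( $count >= ELL_MAX_ATTEMPTS ) {
		set_transient( ell_lock_key( $ip ), time() + ELL_LOCKOUT_SECONDS, ELL_LOCKOUT_SECONDS );
		delete_transient( ell_fail_key( $ip ) );
		error_log( sprintf( 'login lockout: %s blocked for %ds after %d failures (last username "%s")',
			$ip, ELL_LOCKOUT_SECONDS, $count, $username ) );
	} else {
		// The transient expiry is the counting window: the counter vanishes on its own.
		set_transient( ell_fail_key( $ip ), $count, ELL_ATTEMPT_WINDOW );
	}
} );

// Refuse every login from a locked IP, even one with the correct password.
// Priority 30 runs after core's password check (priority 20), so the
// WP_Error returned here replaces core's result instead of being overwritten.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	$until = ell_locked_until( ell_client_ip() );
	if ( $until ) {
		return new WP_Error(
			'ell_locked_out',
			sprintf( 'Too many failed logins from your address. Try again in %d minute(s).',
				max( 1, ceil( ( $until - time() ) / MINUTE_IN_SECONDS ) ) )
		);
	}
	return $user;
}, 30, 3 );

// A successful login clears the failure counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
	delete_transient( ell_fail_key( ell_client_ip() ) );
}, 10, 2 );
```

Because the lockout hooks `wp_authenticate()`, it also applies to logins made through xmlrpc.php, not only the wp-login.php form. Keying the counter on the IP alone is the simplest choice; a plugin can add a second counter keyed on the username so that an attacker rotating addresses against one account still gets locked out.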

OK. Let's move forward to the next lesson to see how it works ...



TeamIceCream Premium
Awesome! Thank you Zed! ;-)
Sharlee (Chocolate IceCream)
smartketeer Premium
Thank you Sharlee!
JMatonge1 Premium
Marvelous work, Smartketeer. This is of great benefit to some of us. Thank you.
Joseph.
smartketeer Premium
Thanks Joseph!
Floria Premium
Thanks Zed! If our password is crucial, would you recommend using lastPass?
smartketeer Premium
If you are talking about the password manager, yes.
Floria Premium
Yes. Exactly. Thank you. :)
smartketeer Premium
My pleasure!
tslazyk5894 Premium
Before I was a member of Wealthy Affiliate I purchased "Blog Defender," which is "iThemes Premium Security" with "Backup Buddy" and "Cloud Defender," which makes use of Cloudflare. From the sound of this message I should uninstall iThemes Security Pro, correct? I have not yet added the site to Cloudflare. Do you recommend uninstalling ithemes security pro and not using Cloudflare? It seems like I don't even need Backup Buddy which I was going to configure to work with Google Drive. I'm feeling like I should not do all three, since all three would be redundant? It would really be nice if we were allowed to use usernames other than "Admin." Do you foresee that happening anytime?
smartketeer Premium
If you moved your site to WA you won't need them ...

If your site is outside of WA I'd use them ...

You can change/update your username ...

See this

https://themeisle.com/blog/change-wordpress-usernames/
kiliwia62 Premium
Thank you, very helpful to know :)
smartketeer Premium
Thanks Sylvia!