Who is attacking your WordPress?
The good news – there are no people who want to log into your WordPress backend. These are automated bots.
These scripts search the internet for WordPress installations like yours and then automatically try different combinations of usernames and passwords.
That’s why it’s so important that you use a long, complex password and not a simple one like “hello” (the most used password among Germans!).
If one of these bots now finds a valid username and password combination, it sends this to its master, who then logs into WordPress and further infiltrates the website.
Why is the website under attack?
Unfortunately, that happens simply because it is accessible on the Internet. It’s not primarily your website that’s being attacked; it’s simply that it’s a WordPress-powered website.
If a botnet operator can log on to a third-party website as an administrator, then he has full control over it. The hacker can then install plugins, change files and completely take over the website.
Most of the time, your hacked website will then be misused for spam: either to send spam emails or to advertise dubious products. The following may then appear under your domain in Google search results:
Spam search results on Google
How dangerous are the login attempts?
If you (and all other users of your WordPress website!) use long, complex and unique passwords, then the login attempts are not dangerous at all.
The number of passwords in the bots’ password lists is limited, and a true brute-force attack, trying every possible password combination, just doesn’t make economic sense. Yes, botnet operators also calculate economically and want to reach their goal as easily and cheaply as possible.
I see the problem more with the notifications which are sent by various WordPress firewall plugins such as Limit Login Attempts, WordFence & Co.
Failed login attempts, fear of Limit Login Attempts
I think they have no added value, except that they make you nervous. After all, you won’t get an SMS if someone walks past your apartment door. And a long list of IP addresses that are constantly changing won’t do you any good.
For the developers of the plugins mentioned, the e-mails are very useful – because these plugins want to show you that they are useful and protect you. Why? So that you then buy the premium version. Fear works great in marketing.
My advice: implement the following tips and then turn off the notifications.
What you can do against the login attempts
You cannot do anything at all against the login attempts themselves – just as little as you can prevent someone from ringing your apartment doorbell.
But what you can do is make sure it’s just a knock and nobody goes through the door 🙂
The following measures will help you secure your WordPress website against hackers:
- Make sure you don’t have a user named “admin”. This user is the most attacked.
- Install a plugin that prevents brute force access and only allows a maximum number of login attempts. For example Limit Login Attempts or WordFence. Important: configure the plugin correctly and disable the useless notifications!
- Use 2-factor authentication (2FA) for your administrator accounts. You then have to confirm the login to WordPress, like a bank transfer, with a one-time code from your mobile phone (e.g. in 1Password). If your password really does leak, the hacker still can’t use it to log into WordPress!
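As an added example (not from the original post, and not code from Limit Login Attempts or WordFence), the following Python sketch shows what the “maximum number of login attempts” setting from the second tip does: it reads web server log lines, counts failed logins per IP address inside a sliding window and locks the address once the limit is reached. The log lines are constructed, and the 4-attempts/20-minute thresholds as well as the heuristic that a failed WordPress login answers with HTTP 200 while a successful one redirects with 302 are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.2 - - [10/Oct/2023:14:40:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            m["method"], m["path"], int(m["status"]))

def is_failed_login(method, path, status):
    # Assumed heuristic: a failed WordPress login re-renders the form (200), a successful one redirects (302).
    return method == "POST" and path.startswith("/wp-login.php") and status == 200

class LoginLimiter:
    """Sliding-window limiter like the plugins' "max attempts" setting: lock an IP after max_attempts failures inside `window`."""
    def __init__(self, max_attempts=4, window=timedelta(minutes=20), lockout=timedelta(minutes=20)):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime when the lockout ends
    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until
    def record_failure(self, ip, now):
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            q.clear()
        return self.is_locked(ip, now)

def locked_ips(log_text, limiter=None):
    """Feed every failed login in the log to the limiter; return the IPs that got locked out."""
    limiter = limiter or LoginLimiter()
    locked = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(*rec[2:]) and limiter.record_failure(rec[0], rec[1]):
            locked.add(rec[0])
    return locked
```

Run against the sample, only the address with four failures in a row ends up locked; the successful login from the second address is never counted.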
Personally, I don’t think much of Captcha plugins because they make the login process less convenient and your website is already perfectly secured with the points mentioned above.
WordPress login secured with Captcha
2FA is just as much effort during the login, but the code is only valid for you and your user and does not give you false security like a Captcha.
TL;DR: chill the base 🙂
If you implement the above ‘best practices’, then you can watch the login attempts on WordPress calmly and safely deactivate the notifications from the various tools.
Do you have another tip for me and my readers? I’m looking forward to your comments!