
WordPress: Protect login area from brute force attacks (Apache server)

In a brute force attack, an automated script tries to break into the WordPress administration by submitting one username/password combination after another. It helps the attacker that the former default user “admin” still exists, with full rights, in many older WordPress installations: in that case only the password remains to be guessed.

For security reasons, the “admin” user should no longer exist. WordPress does not allow renaming a user through the profile settings, but the name can be changed directly in the database (afterwards you log in with the new user name and the old password) or with the help of a plugin (Better WP Security, for example, offers this).

To get rid of the old admin in the conventional way, register a new administrator and a separate author or editor, transfer the old admin's posts to the latter, and then delete the old “admin”. The person who (often) looks after WordPress editorially and is visible “from outside” is then someone with only the rights of an author or, at most, an editor.

When it comes to password strength, it is a good idea to listen to WordPress and use passwords that it rates as strong.
Administering the site over SSL protects the login data from eavesdropping (and if you already have SSL, why limit it to the administration area?).

Limiting the number of login attempts per IP address within a defined period of time, however, did not prove very reassuring. The attacks did not stop after the block but continued (depending on the scenario) from a new IP address, or were already coming from several IP addresses at the same time.

What did counteract this was protecting the login page itself from direct calls.

If you have a fixed IP address and only maintain your WordPress site from it, you can block wp-login.php globally and allow access only from your own IP address.

Note: make a backup copy of the .htaccess file beforehand.

Add the following to the .htaccess file:

<Files wp-login.php>
    # Apache 2.2 access control: deny everyone, then allow the listed address
    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xx.xx
</Files>


(replace xxx.xxx.xx.xx with your IP address or IP address range)

Allow multiple IP addresses:

<Files wp-login.php>
    # One "Allow from" line per permitted address or range
    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xx.xx
    Allow from yyy.yyy.yy.yy
</Files>


Requests from IP addresses that are not on the list are blocked before they reach the login form:

Forbidden
You don't have permission to access /wp-login.php on this server.

The logic of the measure is simple: if the login form is not reachable, there can be no more brute force attacks against it.

The password protection variant, on the other hand, does not depend on the IP address (the content of .htpasswd can be generated on the “htpasswdgenerator” site; if md5 does not work, try sha1 and crypt). Then move the password file to a directory on the web server, ideally outside the public web root.

<Files wp-login.php>
    # HTTP basic authentication in front of the WordPress login form
    AuthName "administration"
    AuthType Basic
    AuthUserFile /file/directory/yourweb/ordner/.htpasswd
    Require valid-user
</Files>


Before the login screen appears, the user name and password for the HTTP authentication must now be entered. Anyone without these credentials is rejected with:

Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
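The Order/Deny/Allow directives above are Apache 2.2 syntax (on Apache 2.4 they need mod_access_compat). As an added example that is not from the original post, the same two protections in Apache 2.4 syntax, combined so that a request passes if it comes from a listed address or carries valid HTTP basic auth credentials; the IP addresses are constructed documentation ranges and the .htpasswd path is a placeholder.

```apache
# Added example (not part of the original post): Apache 2.4 equivalent
# of the IP allow list and the basic auth variant, combined.
# Requires AllowOverride AuthConfig Limit for the site if used in .htaccess.
<Files "wp-login.php">
    AuthType Basic
    AuthName "administration"
    # Placeholder: put the file outside the public web root
    AuthUserFile /path/outside/webroot/.htpasswd

    # RequireAny: the request is accepted if ANY rule matches.
    # Replace the constructed addresses with your own.
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
        Require valid-user
    </RequireAny>
</Files>
```

Remove the `Require valid-user` line to get a pure IP allow list, or the two `Require ip` lines to get pure password protection; with only one rule left, the `<RequireAny>` wrapper can be dropped.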

Note: readers who are to access individual pages or posts that are protected by a password must also use wp-login.php. In such cases, other methods are more appropriate.

Addendum 03/21/2021: it has since proven very useful to move the login page to a secret location. This is easy to do with the WPS Hide Login plugin. In that case, simply save the login link together with the access data and do not publish it anywhere.
