Managing a WordPress website can feel like running a magnet for malicious login attempts. Do you feel that the login page of your website or blog is exposed, easy to reach and easy to crack for hackers? Personally, I do not like the thought of hundreds of people trying the locks on my door hundreds of times, and that is exactly what happens to the login page of my WordPress website. Brute-force attacks on the WordPress login page are very common nowadays. There are many strategies to deal with this problem, and in this article I will explain how to apply some simple ones.
Protect your WordPress login page.
Basically, login security is a set of measures that specifically protect your login page, especially against the most predictable attacks. A typical assault on WordPress hammers the “wp-login.php” page again and again until the attacker gets in or the server goes down, so there are a few things you can do to protect yourself:
- Instead of the “administrator” username, use a unique username; keep in mind that “administrator” is trivial for a hacker to guess.
- Use a strong password on your site, so that any hacker trying to sign in has a hard time.
- Use a CAPTCHA, so the site can tell whether a visitor is a bot or a genuine user.
- Use two-factor authentication (2FA) to add an extra layer of protection that makes it harder for attackers to gain access.
- Set a time limit after which your login page expires, limit the number of login attempts and, where possible, block access to “wp-admin” completely.
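The “limit your login attempts” advice above can be implemented in a few lines of WordPress code. The following is an added example, not code from the original article: it counts failed logins per client address in a transient and refuses further attempts for a cool-down period once the limit is reached. The hook names (`wp_login_failed`, `authenticate`, `wp_login`) and the `MINUTE_IN_SECONDS` constant are real WordPress APIs; the threshold of 5 attempts and the 15-minute cool-down are assumed values to adjust for your site.

```php
<?php
/**
 * Added example (not part of the original article): a minimal login-attempt
 * limiter for WordPress. Drop it into a small plugin or the theme's functions.php.
 */

define('SH_MAX_FAILED_LOGINS', 5);                    // assumed threshold
define('SH_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS); // assumed cool-down

/**
 * Build the transient key for the requesting client. REMOTE_ADDR is only
 * trustworthy when the web server sets it itself; behind a reverse proxy,
 * configure the server to restore the real client IP before relying on it.
 */
function sh_failed_login_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sh_failed_login_' . md5($ip);
}

/**
 * Runs on every failed login (wrong username or password) and bumps the
 * counter. The transient expiry is refreshed on each failure.
 */
function sh_record_failed_login($username) {
    $key   = sh_failed_login_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, SH_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'sh_record_failed_login');

/**
 * Runs on the authenticate filter after WordPress's own username/password
 * check (priority 20). When the client is locked out, the result core produced
 * is replaced with an error, so even a correct password does not log the user
 * in during the cool-down.
 */
function sh_block_locked_out_client($user, $username, $password) {
    if (empty($username)) {
        return $user; // the form is only being displayed, nothing to check
    }
    $count = (int) get_transient(sh_failed_login_key());
    if ($count >= SH_MAX_FAILED_LOGINS) {
        return new WP_Error(
            'sh_too_many_attempts',
            sprintf(
                'Too many failed login attempts. Please try again in %d minutes.',
                SH_LOCKOUT_SECONDS / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}
add_filter('authenticate', 'sh_block_locked_out_client', 30, 3);

/**
 * A successful login clears the counter for that client.
 */
function sh_clear_failed_logins($user_login, $user) {
    delete_transient(sh_failed_login_key());
}
add_action('wp_login', 'sh_clear_failed_logins', 10, 2);
```

Because a refused attempt during the cool-down also fires `wp_login_failed`, every further attempt extends the lockout; if you prefer a fixed window, skip the counter update once the limit has been reached. Transients live in the options table (or the object cache), so the counter is shared across all PHP workers of the site.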
Hide your WordPress login page.
If your site is not a membership site and visitors never need to log in, then hiding your login page leaves hackers nothing to attack: a bot that cannot find the login page cannot try to log in. There are many ways to do this, with plugins, .htaccess and so on, but here we offer simple, lightweight code and .htaccess password protection to protect the login page.
Demo: Hide your WordPress login page with .htaccess.
Use .htpasswd to hide the WordPress login page.
- Open an online .htpasswd generator tool and enter the required username and password, then click Create .htpasswd file. The tool generates the encoded text; copy it into your .htpasswd file.
- Next, upload your .htpasswd file to the root directory of your WordPress site.
- Next, add the following code to the beginning of the existing .htaccess file in the site’s root directory:
```apache
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients. (Order/Deny/Satisfy are Apache 2.2 directives; on
# Apache 2.4 they need mod_access_compat, or use "Require all denied".)
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

#BEGIN Protect wp-login
<Files wp-login.php>
    # Use the full filesystem path of the .htpasswd file you uploaded;
    # the path below is an example.
    AuthUserFile /var/www/html/WP/.htpasswd
    AuthName "Private access"
    AuthType Basic
    require user yourusername
</Files>
#END Protect wp-login
```
Note: make sure you replace “yourusername” with the actual user name used in the .htpasswd file. Sometimes you get an internal server error because of a special character inserted while editing your .htaccess file, or because of the AuthUserFile path: Apache does not expand “~”, so a line like “AuthUserFile ~/.htpasswd” fails. If you face such an issue, use the full path, for example “AuthUserFile /var/www/html/WP/.htpasswd”.
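Instead of pasting a real password into an online generator, the .htpasswd entry can be produced locally. The following is an added example (not part of the original article) that builds a bcrypt entry with PHP's `password_hash()` and verifies a password against a given .htpasswd text the same way Apache does; Apache 2.4's mod_authn_file accepts the `$2y$` bcrypt format. The username, password and file path are constructed placeholders.

```php
<?php
/**
 * Added example (not part of the original article): create and verify an
 * .htpasswd entry offline, without an online generator.
 */

/**
 * Return one .htpasswd line of the form "user:hash".
 * Usernames may not contain ":" because it separates the two fields.
 */
function sh_htpasswd_line($username, $password) {
    if (strpos($username, ':') !== false) {
        throw new InvalidArgumentException('username must not contain ":"');
    }
    // bcrypt ("$2y$...") is understood by Apache 2.4's htpasswd/mod_authn_file.
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
    return $username . ':' . $hash;
}

/**
 * Look up a username in .htpasswd text and check the password against its
 * hash. Blank lines and "#" comments are skipped; the first match wins.
 */
function sh_htpasswd_verify($htpasswd_text, $username, $password) {
    foreach (preg_split('/\R/', $htpasswd_text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        list($user, $hash) = array_pad(explode(':', $line, 2), 2, '');
        if ($user === $username) {
            // password_verify() is constant-time with respect to the hash.
            return password_verify($password, $hash);
        }
    }
    return false;
}

// --- usage with constructed values ---
$line     = sh_htpasswd_line('yourusername', 'correct horse battery staple');
$contents = $line . PHP_EOL;
echo $line, PHP_EOL;

var_dump(sh_htpasswd_verify($contents, 'yourusername', 'correct horse battery staple'));
var_dump(sh_htpasswd_verify($contents, 'yourusername', 'wrong password'));
var_dump(sh_htpasswd_verify($contents, 'someoneelse', 'correct horse battery staple'));

// When writing the real file, keep it outside the web root if you can and
// restrict its mode so only the web server's group can read it (example path):
// file_put_contents('/var/www/html/WP/.htpasswd', $contents, LOCK_EX);
// chmod('/var/www/html/WP/.htpasswd', 0640);
```

Run it with the PHP CLI; the first `var_dump` should print true and the other two false. Pair the generated file with the `<Files ~ "^\.ht">` block from the .htaccess snippet so the hash file itself is never served to clients.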
Protect WordPress Login Page with Code
Here is a simple script that requires a chosen key/value pair in the query string (for example ?key=value) before the login page is shown. If you try to access the login page without that key/value pair, you get an error message; you need to add the pair to the URL as below. Example: http://yoursite.com/wp-login.php?key=value
Please follow the code snippets below. To use them, put the code into the functions.php of the current theme or into a new plugin, or click the GitHub button below to get the complete source code.
1. Define the key and value you would like to use on your wp-login page
```php
/**
 * Define the query-string key you want to use on your wp-login page:
 * http://yoursite.com/wp-login.php?your_key=your_value
 */
define('SH_CUSTOM_KEY', 'your_key');

/**
 * Define the value that must accompany the key:
 * http://yoursite.com/wp-login.php?your_key=your_value
 */
define('SH_CUSTOM_VAL', 'your_value');
```
2. Before displaying the login form, check the availability and validity of the login key.
```php
/**
 * Before displaying the login form, check the availability and validity of the login key.
 */
function sh_show_login_form_callback() {
    /**
     * If a login name and password are being sent, the form has already been
     * displayed, so the login key was verified at that point.
     */
    if (!empty($_REQUEST['log'])) {
        return;
    }

    /**
     * Some common WordPress actions must stay allowed: "logout" when a user
     * logs out, and "postpass" when a password-protected post is viewed.
     */
    $valid_actions = array('logout', 'postpass');

    if (isset($_REQUEST['action']) && in_array($_REQUEST['action'], $valid_actions, true)) {
        return;
    }

    /**
     * Check whether the key is provided in the query string with the right value
     * (strict comparison, so type juggling cannot make a different value match).
     */
    if (isset($_REQUEST[SH_CUSTOM_KEY]) && $_REQUEST[SH_CUSTOM_KEY] === SH_CUSTOM_VAL) {
        return;
    }

    /**
     * Finally, refuse the request with an error message.
     */
    wp_die('You are not authorized to access this page...!', 'Not authorized', array('response' => 403));
}

/**
 * Hook into the login page before it renders.
 */
add_action('login_init', 'sh_show_login_form_callback');
```
3. Inject the hidden field through the login form hook
```php
/**
 * This adds a hidden field to the login form so that the key is posted along
 * with the username and password and can be re-checked before authentication.
 */
function sh_add_hidden_field_callback() {
    // Emit the hidden field, escaping both attributes for HTML context.
    echo '<input type="hidden" name="' . esc_attr(SH_CUSTOM_KEY) . '" value="' . esc_attr(SH_CUSTOM_VAL) . '"/>';
}

/**
 * Inject the hidden field through the login form hook.
 */
add_action('login_form', 'sh_add_hidden_field_callback');
```
4. Confirm that the login key is provided on the POST login request hook
```php
/**
 * This runs before the user is authenticated. Here we confirm that the key was
 * sent with the login form: anyone can POST a login request without ever
 * loading the form, and that is exactly what bots do.
 */
function sh_login_authenticate_callback() {
    // If no login form was submitted there is nothing to check here.
    if (empty($_REQUEST['log'])) {
        return;
    }

    // Was the key posted at all?
    if (!isset($_REQUEST[SH_CUSTOM_KEY])) {
        wp_die('You are not authorized to access this page...!', 'Not authorized', array('response' => 403));
    }

    // Confirm the validity of the posted key (strict comparison).
    if ($_REQUEST[SH_CUSTOM_KEY] !== SH_CUSTOM_VAL) {
        wp_die('You are not authorized to access this page...!', 'Not authorized', array('response' => 403));
    }
}

/**
 * Confirm that the login key is provided on the POST login request.
 */
add_action('wp_authenticate', 'sh_login_authenticate_callback');
```
Finally, if this article helped you and you would like to learn how to set up Google Authenticator for your WordPress website, please subscribe to ScriptHere.Com by email. You can also find us on Facebook and Twitter.