How To Lock Down Your WordPress Admin And Save Your Server Resources

Kumar Gauraw

Did you know that hackers may be trying to consume your server bandwidth and CPU resources at this very moment if you have a WordPress powered website?


Do you have any mechanism to know that someone is trying to get into your website? Do you have any protection mechanism enabled?

You Might Have Heard Of BruteForce Attacks

A large botnet of more than 90,000 compromised servers has been attempting to break into WordPress websites (randomly) by continually trying to get into the WordPress admin dashboard using the default “admin” username and guessing passwords.

This isn’t an old story. InMotion reported about these brute force attacks on 17th July 2014 and a couple of websites on Krishna World Wide Hosting servers came under attack in the last two days as well.

Your Username And Password Might Be Strong

If you have been using WordPress for some time, you should know by now that using “admin” as a username is very poor website security. In fact, some web hosts require you to remove that username to comply with their security policies.

However, the problem is that even if these botnet attackers cannot get into your website, just by continuously trying to log in they can consume all your bandwidth and possibly bring down your server.

Know If Anyone Tries To Hack Into Your WP-ADMIN

There are many good WordPress plugins that notify you when someone is continuously trying to hack into your WordPress administration. They also perform other security checks on your site.

Since Sucuri is actively scanning and protecting all websites hosted at Krishna World Wide servers, I only use Limit Login Attempts to get notified when somebody is repeatedly trying to guess a username and/or password for my websites.

If you are not using the premium services of Sucuri, you might want to use one of these top WordPress security plugins as I list them for your reference here:

  1. iThemes Security (formerly Better WP Security)
  2. Wordfence Security

These are some of the most widely used and admired WordPress plugins loaded with features essential to protect your website against several vulnerabilities.

Lock Down Your WP-ADMIN Access In Two Steps

Limit Login Attempts is a great way to be notified when someone has tried to get into your WordPress administration a specific number of times in a row. You can set it up to send you an email when that happens.

Well, this is how I found out that I was under attack. I received about 30 emails within six hours from my server. I knew that it was a brute force attack since the IP address was different after each lockout.
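The pattern described above, many lockouts each from a different IP address, is easier to recognise in the web-server access log than in a pile of notification emails. The following PHP script is an added example and not part of the original post or of any plugin: it scans constructed sample log lines in Apache combined format for POST requests to the two WordPress login entry points, wp-login.php and xmlrpc.php, and summarises them per source IP. Paths, IP addresses and the log lines themselves are constructed sample data.

```php
<?php
// Added example (not from the original post): count POST requests to the
// WordPress login entry points per source IP. The log lines are constructed
// sample data in Apache "combined" format; the IPs are documentation ranges.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [17/Jul/2014:02:13:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3215 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jul/2014:02:13:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3215 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jul/2014:02:13:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3215 "-" "Mozilla/5.0"
198.51.100.8 - - [17/Jul/2014:02:13:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [17/Jul/2014:02:13:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"
192.0.2.44 - - [17/Jul/2014:02:14:00 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Jul/2014:02:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3215 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-format line into ['ip', 'method', 'path'], or null
 * when the line does not look like a request record.
 */
function parse_line(string $line): ?array
{
    // Client IP, two "-" fields, the bracketed timestamp, then the quoted
    // request line "METHOD PATH PROTOCOL".
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => parse_url($m[3], PHP_URL_PATH), // drop any ?action=... query
    ];
}

/**
 * Count POST requests to the login endpoints.
 * Returns ['per_ip' => [ip => [path => count]], 'endpoints' => [path => count]].
 */
function summarise_login_posts(string $log): array
{
    $targets   = ['/wp-login.php', '/xmlrpc.php'];
    $perIp     = [];
    $endpoints = array_fill_keys($targets, 0);

    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        // Only POSTs carry credentials; a GET of the login form is just a page view.
        if ($r === null || $r['method'] !== 'POST' || !in_array($r['path'], $targets, true)) {
            continue;
        }
        $perIp[$r['ip']][$r['path']] = ($perIp[$r['ip']][$r['path']] ?? 0) + 1;
        $endpoints[$r['path']]++;
    }
    return ['per_ip' => $perIp, 'endpoints' => $endpoints];
}

$summary = summarise_login_posts(SAMPLE_LOG);
printf("Distinct source IPs posting to login endpoints: %d\n", count($summary['per_ip']));
foreach ($summary['endpoints'] as $path => $n) {
    printf("  %-14s %d POST(s)\n", $path, $n);
}
// A per-IP lockout only ever sees the attempts from one address. Many distinct
// IPs with one or two attempts each is the footprint of a distributed botnet,
// and the xmlrpc.php column shows attempts that never touch wp-login.php at all.
foreach ($summary['per_ip'] as $ip => $paths) {
    printf("  %-15s %s\n", $ip, json_encode($paths));
}
```

Run it against a real access log by replacing SAMPLE_LOG with file_get_contents() of the log file. The useful number is the count of distinct IPs rather than the count per IP: a per-address lockout cannot reduce it, which is why the post goes on to hide the login URL and disable XML-RPC instead of relying on lockouts alone.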

Now, this is one thing that I knew I would need to address one day. I had known about it for some time, but I was waiting for something like this to happen before acting. Usually, I am not big on adding new plugins to my WordPress.

But it was time to act, so here is what I did, and step #1 towards tightening my WordPress security.

Step 1 – Hide WP-ADMIN From Public View

WordPress’ default login URL is /wp-login.php (or you can just type in /wp-admin/ and it’ll redirect you there if not yet logged in). For example, you could just enter: http://www.example.com/wp-login.php and a login screen will render.

The trouble is, it is a standard WordPress login screen and hackers try to get access to your WordPress administration area by invoking this default PHP file.

So, the first thing I did was to install a small free plugin called Lockdown WP Admin which allows you to conceal the WordPress administration and login screen from intruders. It can hide both WordPress Admin (/wp-admin/) and the login page (/wp-login.php).

The plugin also allows you to change the wp-login.php URL without touching WordPress code. This is an excellent way to block hackers and brute force spammers from getting access to your login screens.

Step 2 – Disable XML-RPC Access On Your WordPress Website

The “failed login attempts” emails didn’t stop, even after hiding my wp-admin URL. Initially, it seemed strange. But, after investigating the problem, I found out that hackers have gone to the next level.

They are not just trying to access your /wp-login.php file. If that doesn’t seem to work for them, they turn towards XML-RPC based access. They kept pounding my server with failed attempts through XML-RPC this time.

It is interesting to note that most of us DO NOT publish anything remotely. Most of us have no use for the XML-RPC option. If you are using an iPhone, as I do, or another smartphone to access your WordPress administration, you probably have some use for XML-RPC. But is that much flexibility worth the risk of being hacked? I don’t think so!

WordPress used to have an option in the settings area to enable or disable XML-RPC. From version 3.5 onwards, that option was removed and XML-RPC is now enabled by default for every WordPress installation.

I decided to disable XML-RPC on my websites because I wanted the brute force attacks to stop. So, I installed another small WordPress plugin called Disable XML-RPC. All I had to do was to activate the plugin and XML-RPC was instantly disabled.

Yes, I could not access WordPress administration from my iPhone anymore. But, I have not received a single “Failed login attempts” email on any of my websites since then.
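For readers who would rather not add a plugin, the same result can be achieved with a few lines of code using WordPress core filters. The must-use plugin below is an added example written for this post; it is not the code of the Disable XML-RPC plugin or of WordPress itself. It assumes the file is saved as wp-content/mu-plugins/disable-xmlrpc.php (files in mu-plugins load automatically and cannot be deactivated from the dashboard); the file name and plugin header are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 *
 * Added example, not the Disable XML-RPC plugin's own code. Assumed location:
 * wp-content/mu-plugins/disable-xmlrpc.php. Uses only WordPress core filters.
 */

// 1. Refuse every XML-RPC call that requires authentication. This is the
//    path the password-guessing requests use (wp.getUsersBlogs and friends),
//    and it is the same switch the removed 3.5 setting used to control.
add_filter('xmlrpc_enabled', '__return_false');

// 2. The filter above leaves unauthenticated methods such as pingback.ping
//    in place. Remove them too, so the endpoint cannot be used to make this
//    server send requests to other sites on an attacker's behalf.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// 3. Stop advertising the endpoint: drop the X-Pingback response header and
//    the RSD <link> in <head>, both of which point clients at xmlrpc.php.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

The trade-off is exactly the one the post describes: with this file in place, the WordPress mobile apps and any other remote-publishing client stop working, because they talk to the site through XML-RPC. To verify the change, a POST to /xmlrpc.php with a method that requires login should now come back with a fault response saying XML-RPC services are disabled instead of a password check.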

Conclusion

Strong passwords, custom table names, removal of WordPress and server footprints are important aspects of locking down your WordPress from unauthorized access.

However, to protect yourself from brute force attacks, hiding your WP-ADMIN, changing the URL for /wp-login.php to something else, and disabling XML-RPC on your WordPress installation are equally important.

Your Turn To Share – Any Better Ideas?

If you have faced brute force attacks on any of your WordPress websites, how did you get them stopped? Do you have any better ideas on XML-RPC? Can it be locked down against unauthorized access without disabling it?

If you have any experience on this subject, please share your thoughts and add value to this post. Thank you kindly!

Kumar Gauraw


Kumar Gauraw is a Personal Branding & Social Media strategist helping entrepreneurs and skilled professionals achieve personal and professional success by developing leadership and leveraging the power of the Internet, Blogging and Social Media.

33 Awesome Thoughts So Far, Add Yours Now...

  1. Hi Kumar,

    This is very useful information. I knew username should not be admin, but didn’t know that by even trying to login the hackers might be able to use the site resources and possibly bring it down!

    I use Wordfence, and it’s good. It also limits the login attempts. The plugin you suggested, Lockdown WP Admin, sounds good too. Earlier I had used BetterWPSecurity and that too had such security options.

    Okay, so I need to install Disable XML-RPC too, so two more plugins for my blog. But as you said, it’s worth upping the security rather than falling to the hackers.

    Thanks for sharing this important information. Have a nice week ahead 🙂

    • Hi Harleena,

      I am against using plugins myself. But the problem is, I could not find a better and any more reliable solution than this to keep away the intruders.

      Additionally, these plugins are not very heavy. For example, I would have written a small little function in PHP and added it to my WordPress functions.php by myself. But then, the XML-RPC plug-in that I shared about, does the exact same thing and nothing more. So I thought that it’s not worth my time. I’ll be better off using this plug-in for now.

      You already use Wordfence, I know. So, you may not need a plugin like Limit Login Attempts. However, if you haven’t done anything to hide your WP-ADMIN, this plug-in is not a heavyweight and does an excellent job of keeping intruders at bay.

      Maybe you should try them out and let me know if you find something better than this because I am always looking for optimized solution for any problem. I would love to know if there is anything lighter than this to achieve the same results.

      Thank you for dropping by and I hope that this post adds value for many other people.

      Regards,
      Kumar

  2. Hey Kumar,

    I’m good with all of these but I don’t have the mobile feature disabled. I don’t use it anyway and probably never will so is there another way around using a plugin? Gosh I hate using them if I don’t have to.

    My username and password they’ll probably never crack. They can’t get to my log-in page either, took care of that last year around this time so that’s good. Changed the names of all my database tables too so that’s good to go. I was being hit hard by a certain country but have blocked that one now so it’s slowed down but if I ever access my dashboard from another device it won’t be a mobile one. Probably my laptop if anything.

    Thanks for sharing this and eager to hear your reply. Hope you’re doing good and have a great week. Thanks for the info.

    ~Adrienne

    • Hi Adrienne,

      There is yet another way of disabling XML-RPC as shared by WPBeginners here. But I still think it is not much different than using this plugin which actually does the same thing.

      I would rather go with the plugin so I don’t have to meddle with the code if WordPress changes something in future around this functionality 🙂

      We all want to have fewer and fewer plugins for sure. But sometimes, a plugin is a better deal than at other times 😉

      Regards,
      Kumar

  3. Hi Kumar,

    I think this is good info but most of us don’t know enough to truly make the changes you describe to protect ourselves unless we use plugins. I’m one of them. I’d have to use the plugins but sometimes even setup of the plugin can screw up other stuff. I’m very leery of new plugins although security is truly important.

    Thanks for providing this info. I’ll digest it and definitely look into these plugins.

    Have a good week.
    Regards,
    Barbara

    • Hi Barbara,

      Yes, some plugins can cause trouble and mess up your website. Remember your Facebook problems? It was because of a few plugins that were not appropriate.

      But, we’re not talking about cool plugins here. When you realize the imminent threat of brute force attacks, you will realize that these plugins become the difference between your website being alive or going down. We’re talking some serious stuff here related to security.

      Now, if you have taken care of your website security or you are hosted with a premium service such as Krishna World Wide hosting, you don’t have to worry about setting up these plugins. Our clients tell us what they want and we do it for them.

      However, if you are doing it all by yourself and you get targeted by spammers and hackers, these plug-ins are there to help you.

      Regards,
      Kumar

  4. Hi Kumar,
    Having the plugins in place sure beats getting 101 Limit Login attempt emails.
    Thank you for your kind assistance in locking down the wp admin.

    All the best!
    Bill

    • Hi Bill,

      Tell me about it. It can be stressful especially during times when you are not home and your sites get this kind of failure emails 🙂

      Well, I am glad we were able to take control and block those bad guys 🙂

      Cheers!
      Kumar

  5. Hi Kumar,

    this is some good advice as there are too many gremlins around that try to attack and bring down someone’s server. And it can happen to everyone, no matter how popular a site is.

    It is better to be safe than sorry and as you say, to have the right tools in place to defeat those attacks. Personally I have iThemes Security installed on my blog which provides more than 30 ways to protect your site.

    Have a great day,
    Torsten

    • Hi Torsten,

      iThemes Security is awesome. If you have that, probably you don’t need any of these plugins because it will take care of these issues for you. I am not sure though if it does hide the wp-admin for you?

      Regards,
      Kumar

  6. Hi Kumar,

    I really wanted to find out this information, so couldn’t wait to dig into your article.

    I’m so glad that from the very beginning I’ve been using a strong username and password for my WordPress sites.

    Since I’m using Wordfence Security plugin, do you think I still need to add Lockdown WP Admin? I am trying to definitely pare down the amount of plugins I’m using, but if you think I need it, I’ll get it because I trust your judgment.

    Thanks so much for a thought-provoking article and for helping us keep our sites safe! I mean who doesn’t need that, right?

    I will also stop accessing my site with my iPhone! Great heads up!

    Take Care,
    – Carol 🙂

    • Hi Carol,

      Since you are already using Wordfence, I don’t think that you need any additional plugin to hide your WP-ADMIN. It gives you the option to do that out of the box.

      However, I am not sure if Wordfence has any feature to disable XML-RPC. Probably, that’s the plug-in you might still need to install to block spammers from pounding your servers using that backdoor.

      Thank you for your kind words and I really appreciate the fact that you enjoyed this post and found some value in it.

      Have a wonderful rest of the week!

      Regards,
      Kumar

  7. Hi Kumar,

    I’m sure glad I have your service Krishna World Wide! I have heard about all these attacks on WordPress, but I think I have the proper plugins installed.

    So far so good with me, but if I see any suspicious emails, I will contact your team immediately. This is why I have chosen Krishna WW. Having a managed WordPress hosting company like this does give me peace of mind as promised!

    I was blessed the day I met you!

    -Donna

    • Hello Ms. Donna
      I just wanted to say I totally agree with you regarding your comment on this post.

      I am so thrilled and of course blessed with Mr. Kumar and his company.

      Glady

    • Hi Donna,

      Wow! I am so happy to know that you are happy, and that is the whole goal of the Krishna World Wide hosting initiative. Thank you for being such a supportive and happy customer 🙂

      Okay, if you start to get those they blogging emails, please do let me know and I’ll take care of those bad guys for you.

      You have a wonderful rest of the week, actually happy weekend almost!

      Regards,
      Kumar

  8. Hi Kumar,

    If there is something that will never stop, it is attacks on WordPress blogs. That’s why security remains a top issue for WordPress bloggers.

    So many newbies still setup their blogs today and run it with the “admin” username. I have found that a couple of times trying to help some starters out.

    Have you tried hashcash.io? It’s an interesting plugin that disables the submit button on all WordPress forms (login, create account, comment, etc.) until the user clicks a button to run some maths. It’s powerful but I have had some issues running it on my blog so I took it down. Here is a review I wrote about it: at enstinemuki.com/wordpress-spam-hashcash/

    iThemes Security has settings to either completely disable XML-RPC or disable just Trackbacks/Pingbacks. I completely turned this feature off and ran into issues with CommentLuv and JetPack which currently run on my blog. Those are some of the issues that come with it 😉

    I remember I had an option with Better WP Security to hide the WordPress backend.

    You could change wp-login.php to something like /loginXXX/ and /wp-admin/ to something like /XXXadmin/ and /wp-login.php?action=register to something like /xxxregisterxx/

    But it looks like they took off this option when they renamed the plugin.

    Thanks for this security reminder. Hope to be back

    • Hi Enstine,

      I did not know about hashcash.io before you mentioned it. But, I wouldn’t try that because I don’t want to have that mathematical calculation thing all over my website and forms.

      Wordfence has the facility to rename login pages and also to tackle these brute force attackers. However, it is a heavy plugin and I did not want to add a plugin with a lot of features that I am not going to use and bloat my website code. So, I took it down. These two plug-ins are small and accomplish what I wanted to do. So, I am going to keep them for a while, until I find something better 🙂

      Thank you for sharing your experience with Better WP Security which still seems like a good plugin with a lot of great features. Yeah, you will have a couple of conflicts here and there. But, that is the price to pay for these awesome free plugins.

      You have a wonderful day my friend. I will see you soon.

      Regards,
      Kumar

  9. Hello Mr. Kumar
    Just to say thank you for servicing my site. I trust your knowledge and I know if I have problems, I can contact you.

    I was one of those that used Admin at the beginning, but now I know better. Thank you for helping me understand this difficult industry.

    Gladys

    • Hello Ms. Gladys,

      I remember your admin user. I am glad we went past that and you were able to use another user ID comfortably. Sometimes, technology can be overwhelming. But, it only becomes frustrating when we don’t have anybody to help.

      You are a business woman and you understand value of your time. So, you did not want to waste your time figuring things out by yourself distracting yourself from things that are more important for your business. That was a wise decision and that is why you don’t have to worry as long as Krishna World Wide team is having your back.

      Look forward to serving you more and better.

      Regards,
      Kumar

  10. I was having the same problem. I was getting a lot of failed attempt notifications in my email. Gosh! How they managed to attack a single site 100 times a day. What I did that time was locking the server with htpasswd. Now if you open my blog’s wp-admin, it will show you a pop-up asking for an ID and password. Only if you put in the correct credentials can you reach the WordPress login page.

    • Hi Atish,

      That’s great. I see that your HTTP authentication is working. However, I am not sure how securely your userid and password is transmitted using the mechanism. You might want to do some research to make sure that it is safe to use port 80 for such authentication.

      The brute force attackers have no better job. They just keep pounding on your server and dry out your server resources. It just doesn’t make sense. But, they seem to have a lot of fun doing it.

      So, you and I have to be in defending mode. If you get into that problem again, you know you have other options to tighten your security.

      Have a great new week my friend. Take care!

      Cheers!
      Kumar

      • Thanks for the great info Kumar. I will be careful.

        P.S. I didn’t get notified via email when you replied to my comment here, why? You are using CommentLuv premium, right? It has the Reply Me plugin built in. Please use it so that readers can get notified when you reply to their comments. Thanks

        • Hi Atish,

          Yes, I do have the premium CommentLuv configured. However, I don’t send replies by default. There is a checkbox that you can select if you want to receive reply notification.

          I do that because some people get annoyed with reply notification emails and I had issues where some people marked my emails as SPAM.

          As a corrective action, I had to put that choice in the hands of commentators.

          Now, did you choose to receive email notification this time? Or not?

          Regards,
          Kumar

  11. Nice post and really helpful. So you are sharing technical posts these days!

    I knew how to lock down the server resources but never tried it personally, and I guess sometimes it’s really important to do.

    Will try it out soon.

    Thanks

    • Hey Robin,

      I am an IT professional at core you see! How long can I hold on to my IT instincts? 🙂

      Cheers!
      Kumar

  12. Thanks for sharing your article. This is the most effective way to know and learn about WordPress. This article will be very helpful and useful on how to lock down your WordPress admin and save your server resources. I had fun reading this and I will share this information with my friends and they will certainly love to read this. Very informative, I’ll definitely give these 5 stars.

  13. Kumar, great suggestions. My blog is part of my main website so it uses the same protocol to prevent hackers. Also, if I am able to see the IP address I am able to block that as well. I also have a firewall on my dedicated server. Hackers are everywhere. I can tell you’re an IT person and have been impressed with your blogs. I change my passwords and logins on a regular basis, which I also think helps.

    • Hi Arleen,

      I am glad you have your hosting company taking care of a lot of security issues for you. We all need to be aware of the risks and have a mechanism to mitigate them.

      Thanks for dropping by and sharing what you do for security of your websites.

      Regards,
      Kumar

  14. Thanks for sharing about website security. It is very necessary for admin security. I have a new blog but I am not using any security for my blog. But after reading your article I will think about it. Thanks

  15. Hi Kumar,

    You always bring something remarkable.

    I have heard about bots attack. Bloggers need to lock their WordPress as you have mentioned above that people can limit their login attempts so that they can get notifications via e-mail if any hacker tries to login.

    I always try to seek something better which can save my blog and every blogger does that.

    There are many plugins to check but how? If we are attacked by many hackers at once, then is it possible to be safe?
    Maybe when we try to login then it would be hard for us, but how?

    Many questions are running in my mind.
    Hope you are having a nice weekend.:)
    ~Ravi

    • Hi Ravi,

      There are only two ways for hackers/spammers to attack your WP-ADMIN:

      1. They need to know what your URL is. That is why changing the default URL to something else which only you know is very, very important.
      2. They need to access your site using XML-RPC to attack your site from that side. Well, if you disable this feature they cannot get to it.

      If you take care of these two aspects, your chances of being attacked by botnets reduce drastically. That is a great relief that many bloggers achieve when they do these two things.

      I hope that helps. You don’t have to think about everything and all aspects of security. I will suggest just taking one step at a time 🙂

      Cheers!
      Kumar

  16. Nice tips, sir. I was really in need of this guide as I am new to the WordPress platform. Anyways, thanks for sharing and do have a nice week ahead.

  17. I didn’t know this was getting serious; is using admin as the username that wrong? But I have learnt so much. I will just need to see how to go about the different plug-in installations and see whether anything will get done.

Please Note: My goal is to host interesting conversations with caring, honest, and respectful people. Therefore, I reserve the right to delete comments that are snarky, offensive, or off-topic.