WordPress Login Security

When malicious scripts on remote computers discover the login page of a WordPress site, they hammer the page with a large number of brute-force login attempts to try to break in. While almost all attempts fail, the net result is that the server gets bogged down, negatively impacting the performance of all web sites hosted on that server.

WordPress security plugins are not enough

There are a number of popular plugins that can be added to WordPress to enhance its security. While this is certainly a step in the right direction, most of these do not help with this particular problem. In fact, we've seen that some of these plugins actually make the problem worse. This is because WordPress itself is causing the load, and the security plugins add even more load.

Blocking IP addresses is not enough

Only in a few instances is the same IP address used to make repeated attempts to break in. An increasing number of brute-force login attempts come from botnets, where the IP address is different for each attempt. Efforts to block specific IP addresses, or even whole subnets, prove fruitless because the addresses change too frequently. It becomes a never-ending cycle of adding new blocks.

Our recommendation: restricting WordPress logins to known IP addresses

The majority of WordPress sites we host are used for content management whereby the login page is only needed by a few people who update the site. In these instances, our recommendation is to completely block the WordPress login page from the public and only allow access to the few people who are authorized to use it.

Stargate has already put in place a number of "Access Restricted" blocks on several customer WordPress sites when we discovered they were under attack.

We do this by:

  1. adding a simple PHP script that states the login is restricted, and lets the user know what their IP address is
  2. adding a redirect in the site's .htaccess file that sends all requests for the WordPress login to the above script, except for white-listed (authorized) IP addresses
  3. the customer and/or their web developer(s) can then either send us their IP address(es), or add them directly to the .htaccess file themselves

The benefit of this approach is that WordPress never loads for any unauthorized login attempts, and therefore does not overload the server.
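
The redirect from step 2 could look like the following .htaccess fragment. This is an added example, not Stargate's actual configuration. It assumes Apache 2.4 with mod_rewrite, WordPress installed in the site's document root, a notice script saved under the hypothetical name /login-restricted.php, and constructed addresses from the documentation ranges.

```apache
# Added example, not the host's own file. Place this ABOVE the
# "# BEGIN WordPress" block so it is evaluated before WordPress's rules.
<IfModule mod_rewrite.c>
RewriteEngine On

# Authorized addresses (constructed examples from documentation ranges).
# Each line reads "the client is NOT this address"; consecutive RewriteCond
# lines are ANDed, so the rule fires only when the client matches none of them.
# To authorize another person, add one more line in the same form.
RewriteCond expr "! -R '203.0.113.10'"
RewriteCond expr "! -R '198.51.100.0/24'"
RewriteCond expr "! -R '2001:db8:1234::/48'"

# Everyone else asking for the login page is sent to the notice script
# (hypothetical name), so wp-login.php and WordPress itself never load.
RewriteRule ^wp-login\.php$ /login-restricted.php [R=302,L]
</IfModule>
```

If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the visitor's, so the allowlist only works once the real client address is restored (for example with mod_remoteip).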

Please contact webupdates@stargate.ca if you would like this feature proactively added to your site hosted with us.

Stargate may add this block without a customer request

When Stargate notices a drop in server performance due to these types of attacks, we will respond by adding our login block to the targeted sites to restore server performance.

Remember – although these attacks target specific sites, the performance drop affects everyone on a shared server. Stargate reserves the right to take whatever measures are necessary to protect the security and performance of our network, its servers and all of our customers using these services.