Hackers love to use dictionary or brute force attacks to try to get admin logins into sites. What they do is find your admin login page and continue to try hundreds or thousands of passwords until they find yours. There are 3 pretty easy ways to prevent this from working:
- Change your admin username.
- Use a hard to guess password.
- Install Login LockDown
Changing your admin username
To do this you will need to login to cPanel and go to phpMyAdmin. Select your WordPress database and browse the wp_users table. Edit the first entry which should have the username “admin” and change the value to something else.
Use a hard to guess password
Your password should be at least 8 characters with a mix or upper case letters, lower case letters, numbers and special characters. If you would like a secure password generator you can find one here.
Install Login LockDown
Login LockDown allows you to set a threshold for failed login attempts before a user is blocked. From their WordPress plugin directory description:
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Admisitrators can release locked out IP ranges manually from the panel.
Installing Login LockDown is just like any other plugin. Download the .zip file from the plugin directory. Go to your WordPress admin dashboard and navigate to Plugins > New > Upload. Upload the zip file and activate the plugin. You can the setup your rules.