In an early post titled Reduce Your WordPress Resource Usage By Hiding Your RSS Feed Link, I explained how I was able to thwart bots that were hammering my WordPress RSS Feed link. It worked and my Resource Usage dropped down to a safe range.
Well, recently my Resource Usage numbers spiked again. Using the tools provided by Siteground, I was able to see that the bots were hammering my wp-login.php file, which is the login page for the admin of a WordPress site.
In the past, I have tried moving the WP-ADMIN section with horrible results. Plugins that worked fine one day, would lock me out the next. I’ve had to spend too much time regaining access to my site.
I needed a more simple approach.
As a user on the Internet, I hate CAPTCHAs, but as a way to protect my WordPress site, I love mine. The one that comes with the All In One WP Security & Firewall plugin asks a math question, which is much better than trying to read blurry numbers and letters.
Before installing and setting up the Login CAPTCHA, my wp-login.php file was getting hit over 100,000 times a day. The plugin that I had to lock down IP Addresses after 3 missed login attempts were not effective at preventing the attempts. I suspect bots can forge their IP Addresses to allow them unlimited attempts at hacking.
The attempt to log into a site counts as an Execution with many hosts, as it is executing server-side code. The bots that are trying to access my site will fail because my usernames and passwords are brutally strict, but when they hammer away trying to access my site, it can ultimately cost me money, as they are running code on the server that I am paying for.
The day after setting up the Login CAPTCHA with the All In One WP Security plugin, the number of executions to the login page dropped from over 100,000 to under 200.
A word of warning if you install All In One WP Security. Unless you are a super guru in WordPress and Apache servers, only set up the Login CAPTCHA. Leave everything else alone. There are settings that will lock you out of your own site and more importantly, any child site you might be hosting on that same account. It happened to me.
The Login CAPTCHA setting is the 3rd tab located under the Brute Force section.
One more tip that should be obvious is to never use the usernames “admin” or the name of your domain. Bots will choose those two names 99% of the time for their attempts to hack into your WordPress install.
** Thanks for reading and any claps! If you need web hosting, check out SiteGround. They helped me regain access to my site after getting locked out when I was too aggressive with the security settings.