There is a great plugin to secure your WordPress login page called Login Lockdown, which you can download from wordpress.org. The plugin protects your site from brute force attacks, where an attacker keeps submitting guesses until they discover your password. It does this by locking out an IP range after a set number of failed attempts are detected within a short period of time. Login Lockdown works well in conjunction with the Google Authenticator plugin that I wrote about in a previous article. With these two plugins running in tandem it becomes pretty difficult for an attacker to reach your WordPress admin page: they would first need to guess your password within the number of attempts you have configured, and they would also need the six digit code generated on your phone by the Google Authenticator app. The login page of your WordPress site is more than likely the first place anyone will try to gain access, so taking the necessary steps to secure it is vital to make your site that much harder to break into.
Once you have downloaded and installed the plugin, go to Settings to configure it. Below are the options available.
Max Login Retries
The first option is Max Login Retries, which limits the number of failed login attempts an IP range is allowed before it is locked out. The default value is 3, which should be sufficient, but the value can be increased or decreased depending on your requirements.
Retry Time Period Restriction (minutes)
This value is the number of minutes over which the failed login attempts are counted before a lockout of the IP range occurs. Combining the two values above with the default of 5 minutes, the IP range will be locked out if there are three unsuccessful login attempts from addresses in that range within a 5 minute period. Failed attempts spread more thinly than that never reach the limit. Again you can adjust these values depending on your circumstances, but I find the defaults to be sufficient.
Lockout Length (minutes)
This setting is the length of time an IP range will be locked out of the login function of the site. Feel free to change this default value depending on your circumstances, but 60 minutes seems to be a sufficient amount of time.
Lockout Invalid Usernames
By default this value is set to No, but I would strongly suggest changing it to Yes. A would-be attacker is going to start by trying to log on with the Admin account. Presuming you followed the best practice of renaming that account to something else, you might as well have the plugin treat attempts against a username that does not exist as failed logins rather than ignoring them. Anyone trying to log on with an account that does not exist is almost certainly up to no good, so go ahead and lock them out.
Mask Login Errors
WordPress by default displays a message saying whether it was the username or the password that was incorrect. I would suggest setting this to Yes so that a would-be attacker cannot tell whether they have managed to guess the correct username or the correct password. There is no way you want to make their life any easier by letting them solve 50% of the problem and then telling them they have.
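To show how the settings above interact (Max Login Retries, the retry time period, the lockout length, Lockout Invalid Usernames and Mask Login Errors), here is a small model of the lockout policy in Python. It is an added example, not the plugin's own code: the setting names and defaults follow the settings page, while the /24 range granularity, the sample account and the IP addresses used in the demo functions are constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_network


class LoginLockdown:
    """Model of the lockout policy described on this page (added example,
    not the plugin's code). Defaults mirror the settings page: 3 retries
    in 5 minutes, 60 minute lockout, invalid usernames not counted,
    errors not masked. Locking the whole /24 is an assumption of the model."""

    def __init__(self, valid_users, max_retries=3, retry_period=5,
                 lockout_length=60, lockout_invalid_usernames=False,
                 mask_login_errors=False):
        self.valid_users = dict(valid_users)      # username -> password
        self.max_retries = max_retries
        self.retry_period = retry_period          # minutes
        self.lockout_length = lockout_length      # minutes
        self.lockout_invalid_usernames = lockout_invalid_usernames
        self.mask_login_errors = mask_login_errors
        self.failures = defaultdict(deque)        # range -> failure times (minutes)
        self.locked_until = {}                    # range -> minute the lockout ends

    @staticmethod
    def range_key(ip):
        # Lockouts apply to the whole range containing the client, so an
        # attacker rotating through addresses on one subnet is still caught.
        return str(ip_network(f"{ip}/24", strict=False))

    def is_locked(self, ip, now):
        key = self.range_key(ip)
        return key in self.locked_until and now < self.locked_until[key]

    def attempt(self, ip, username, password, now):
        """Process one login attempt at minute `now`; return (success, message)."""
        key = self.range_key(ip)
        if self.is_locked(ip, now):
            return False, "locked out"
        known = username in self.valid_users
        if known and self.valid_users[username] == password:
            return True, "login ok"
        # Default: only failures against a real account are counted.
        if known or self.lockout_invalid_usernames:
            window = self.failures[key]
            window.append(now)
            while now - window[0] >= self.retry_period:  # drop attempts outside the period
                window.popleft()
            if len(window) >= self.max_retries:
                self.locked_until[key] = now + self.lockout_length
                window.clear()
                return False, "locked out"
        if self.mask_login_errors:
            return False, "invalid username or password"
        # Unmasked: the message leaks which half the attacker already got right.
        return False, "invalid password" if known else "invalid username"


USERS = {"siteowner": "correct horse battery staple"}  # constructed sample account


def brute_force_across_subnet():
    """Three bad passwords from three addresses on one /24 lock the range."""
    ll = LoginLockdown(USERS)
    for minute, ip in ((0, "203.0.113.10"), (2, "203.0.113.20"), (4, "203.0.113.30")):
        ll.attempt(ip, "siteowner", "guess", minute)
    return {
        "locked_at_5": ll.is_locked("203.0.113.99", 5),
        "locked_at_63": ll.is_locked("203.0.113.99", 63),
        "locked_at_64": ll.is_locked("203.0.113.99", 64),   # 60 minute lockout has ended
        "other_subnet": ll.is_locked("203.0.114.1", 5),     # a different /24 is unaffected
    }


def slow_guessing_stays_under_limit():
    """Failures spaced wider than the retry period never reach the threshold."""
    ll = LoginLockdown(USERS)
    return [ll.attempt("198.51.100.7", "siteowner", "guess", m)[1] for m in (0, 3, 6, 9)]


def invalid_username_setting():
    """Guesses against a non-existent 'admin' count only when the option is Yes."""
    default = LoginLockdown(USERS)
    strict = LoginLockdown(USERS, lockout_invalid_usernames=True)
    for m in range(3):
        default.attempt("192.0.2.5", "admin", "password", m)
        strict.attempt("192.0.2.5", "admin", "password", m)
    return default.is_locked("192.0.2.5", 3), strict.is_locked("192.0.2.5", 3)


def error_masking():
    """Unmasked errors confirm a valid username; masked errors do not."""
    plain = LoginLockdown(USERS)
    masked = LoginLockdown(USERS, mask_login_errors=True)
    return (plain.attempt("192.0.2.9", "siteowner", "wrong", 0)[1],
            masked.attempt("192.0.2.9", "siteowner", "wrong", 0)[1])
```

The slow guessing case is the caveat worth noticing: an attacker who stays under three attempts per 5 minute window is never locked out, which is why the second factor from Google Authenticator matters even with the lockdown in place.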
Show Credit Link
This option displays a link to the developer who created the plugin. Whether you allow this is obviously a personal choice. I always leave the default, because he has supplied a great plugin for free and a bit of free publicity would not go amiss.
Those are all the available options for configuring the Login Lockdown plugin. The last section on the settings page lets you release any IP blocks that have been created in error. If a legitimate user has been locked out due to too many attempts and you want to release the IP block, select it and click the Release Selected button.
This is really a great plugin, and I would urge all WordPress users to install it in order to go some way towards securing their site.