Two simple steps to harden your WordPress website



Is some unscrupulous person trying to hack your WordPress (WP) website by brute force – trying to guess your WP admin username and password, perhaps using an automated bot?

If your answer is no, then you probably aren’t monitoring failed login attempts. It’s likely that brute-force attacks are hitting your site 24/7, and without adequate security you won’t even know about them.

The truth is that WP is ubiquitous and, if not hardened and maintained properly, an easy target for hackers. Even if you’ve added some security and kept WP and your plugins up to date, the brute-force hackers will still have a go; the attempt is usually automated, so they’ve nothing to lose and everything to gain. Believe me, the clean-up required after a hack is far-reaching (including damage to SEO) and will be costly.

Step #1 – Change the default WP admin username

So, to my point. Don’t make it easy for them. Changing your default WP admin username from ‘admin’ to something less predictable is obvious, but it always surprises me how often this is overlooked. Skip this and you’ve already given them 1/3 of the equation. They then just need to guess another 1/3 – your admin password! Better hope it’s not also ‘admin’…or something less obvious that a dictionary attack would still uncover. Always mix lower/upper-case letters, symbols and numbers.

Another overlooked security hole is posting under your admin username. It’s best to create a separate account specifically for posting, one with limited WP permissions, so the damage is contained should the worst happen. ‘Contributor’ is a good role for this (public) username, as that user type can only write and manage their own posts but cannot publish them (though as Admin, you will be able to).
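To make Step #1 concrete, here is a small must-use plugin (example code added to this post, not from WordPress or any plugin) that does three things: warns administrators while an account literally named ‘admin’ still exists, creates the low-privilege Contributor posting account described above, and writes one line to the PHP error log per failed login so the brute-force attempts mentioned at the top of the post become visible. It assumes a standard WordPress install with the file placed in wp-content/mu-plugins/; every name prefixed `hwp_` is invented for this example, while `username_exists`, `wp_create_user`, `wp_generate_password`, `WP_User::set_role` and the `admin_notices` and `wp_login_failed` hooks are core WordPress APIs.

```php
<?php
/**
 * Plugin Name: Admin Account Hardening (example)
 * Description: Flags an 'admin' user, creates a low-privilege posting account,
 *              and logs failed logins so brute-force attempts are visible.
 *
 * ASSUMPTION: illustrative mu-plugin for a standard WordPress install;
 * all "hwp_" names are invented for this example.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

/**
 * True while an account named exactly 'admin' still exists.
 * username_exists() (core) returns the user ID or false.
 */
function hwp_default_admin_exists() {
    return (bool) username_exists( 'admin' );
}

// Remind administrators on every dashboard page until 'admin' is gone.
add_action( 'admin_notices', function () {
    if ( current_user_can( 'manage_options' ) && hwp_default_admin_exists() ) {
        echo '<div class="notice notice-error"><p>'
           . esc_html( 'A user named "admin" exists. Create a new administrator with a '
                     . 'different username, reassign its content, then delete "admin".' )
           . '</p></div>';
    }
} );

/**
 * Creates the separate posting account: a Contributor can write and manage
 * their own posts but cannot publish them. Returns the new user ID, or a
 * WP_Error if the login or e-mail is already taken. Run it once, e.g. via
 * WP-CLI: wp eval 'var_dump( hwp_create_posting_user( "writer", "writer@example.com" ) );'
 * then set the account's real password from Users > Edit (the generated one is discarded).
 */
function hwp_create_posting_user( $login, $email ) {
    $password = wp_generate_password( 24, true, true ); // mixed case, digits, symbols
    $user_id  = wp_create_user( $login, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $user = new WP_User( $user_id );
    $user->set_role( 'contributor' );       // replaces the default role entirely
    return $user_id;
}

// Make brute-force attempts visible: the hook fires for a wrong username
// as well as a wrong password, so each guess leaves a trace.
add_action( 'wp_login_failed', function ( $username ) {
    // NOTE: behind a reverse proxy REMOTE_ADDR is the proxy's address.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log( sprintf(
        'wp_login_failed user=%s ip=%s',
        sanitize_user( (string) $username, true ),
        $ip
    ) );
    // Guesses at the old default name are a clear sign of an automated attack.
    if ( 'admin' === strtolower( (string) $username ) ) {
        error_log( 'wp_login_failed: attempt against the default "admin" username from ' . $ip );
    }
} );
```

The log lines land in whatever file PHP’s `error_log` setting points at (often the web server’s error log), which is where you can count repeated failures per source address and decide whether a lockout plugin or a firewall rule is warranted.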

But that’s only 2/3, you say. Yes, my maths is not that bad. Where’s the other 1/3 gone? It’s the WP login URL.

Step #2 – Change the default WP login URL

By default this is always www.yourdomain.com/wp-admin, and the hacker knows that. So make it harder for them and change it to www.yourdomain.com/memorable-name, where ‘memorable-name’ is not easy to guess. That way they are unlikely to even reach the WP login page to attempt a brute-force login.
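The security plugins mentioned later do this for you, but the mechanism is worth seeing. The following must-use plugin is example code added to this post, written in the style of the login-slug plugins rather than copied from any of them: it serves core’s `wp-login.php` at the custom slug, rewrites every login link WordPress generates so they point at the slug, and answers 404 when someone who is not logged in requests `wp-login.php` or `/wp-admin` directly. It assumes a standard install; `HWP_LOGIN_SLUG` and the `hwp_` functions are invented here, while `$pagenow`, the `site_url`, `network_site_url` and `wp_redirect` filters and `wp_die` are core WordPress.

```php
<?php
/**
 * Plugin Name: Custom Login Slug (example)
 * Description: Serves the login form at /memorable-name and answers 404 to
 *              logged-out requests for wp-login.php and wp-admin.
 *
 * ASSUMPTION: illustrative mu-plugin for a standard WordPress install.
 * Change HWP_LOGIN_SLUG to your own hard-to-guess value; "hwp_" names are invented.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

define( 'HWP_LOGIN_SLUG', 'memorable-name' );

/** Request path relative to the WordPress root, without a trailing slash. */
function hwp_request_path() {
    $path = (string) parse_url( $_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH );
    $base = rtrim( (string) parse_url( home_url( '/' ), PHP_URL_PATH ), '/' );
    if ( '' !== $base && 0 === strpos( $path, $base ) ) {
        $path = substr( $path, strlen( $base ) ); // strip a sub-directory install prefix
    }
    return '/' . trim( $path, '/' );
}

/** Rewrites any generated wp-login.php link (login, logout, lost password) to the slug. */
function hwp_rewrite_login_url( $url ) {
    return str_replace( 'wp-login.php', HWP_LOGIN_SLUG, $url );
}
add_filter( 'site_url', 'hwp_rewrite_login_url' );
add_filter( 'network_site_url', 'hwp_rewrite_login_url' );
add_filter( 'wp_redirect', 'hwp_rewrite_login_url' );

add_action( 'init', function () {
    $path = hwp_request_path();

    // 1. The custom slug: hand the request to core's own login script.
    if ( '/' . HWP_LOGIN_SLUG === $path ) {
        // wp-login.php reads these as globals; declare them so the include
        // behaves as if it were the top-level script.
        global $pagenow, $error, $interim_login, $action, $user_login;
        $pagenow = 'wp-login.php'; // core checks $pagenow to know it is on the login screen
        require_once ABSPATH . 'wp-login.php';
        exit;
    }

    // 2. The default entry points: pretend they do not exist for anyone not logged in.
    $hits_default_login = ( '/wp-login.php' === $path );
    $hits_admin_area    = 0 === strpos( $path, '/wp-admin' )
        // admin-ajax.php / admin-post.php are legitimately used by logged-out visitors.
        && ! in_array( basename( $path ), array( 'admin-ajax.php', 'admin-post.php' ), true );
    if ( ( $hits_default_login || $hits_admin_area ) && ! is_user_logged_in() ) {
        wp_die( 'Not found', 'Not Found', array( 'response' => 404 ) );
    }
}, 1 );
```

Before enabling something like this, confirm the new slug does not collide with an existing page or post slug, and keep a second way in (SFTP access to remove the file) in case you forget the name: with the plugin active, the only way to reach the login form is through the slug.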

Taking this step will not stop the more astute hackers out there who exploit more complex vulnerabilities in WP itself, plugins, the database or the server OS, but, in my experience, they seem to be in the minority.

I’ll get around to reviewing the WP security plugins I use in a future post, but for now, check out the available WP security plugins, many of which will make the WP login URL change for you, plus much more to harden WP. You should also spend some time reading WP’s own guide to Hardening WordPress. Good luck!
