How Hide My WordPress Ghost can help you to have a secure website
A brute force attack is an activity which involves repetitive, successive attempts using various password combinations to break into a website.
Hackers try various combinations of usernames and passwords, again and again, until they get in. For their attacks, hackers use bots or automated tools.
Brute force attacks are common against popular CMS platforms (e.g. WordPress, Joomla, etc.) and against common services, such as FTP and SSH. Statistics show that WordPress has been the most affected CMS in recent years.
Most brute force attacks work by targeting a website, typically the login page and the XML-RPC endpoint (xmlrpc.php).
A well-known account name (e.g. “admin”) usually exists on every site, so all hackers need to do is guess its password from the words in a dictionary.
The majority of password-guessing attacks will try to hit your admin and login URLs (/wp-admin or /wp-login for WordPress; /administrator for Joomla)
or an API endpoint URL that accepts a user name and password (e.g., /xmlrpc for WordPress).
1. Pay attention to your passwords.
2. Hide the fact that you are using the WordPress CMS.
3. Limit login attempts.
4. Restrict access to the authentication URLs.
(Deny the IP address after a few failed attempts.)
5. Use reCAPTCHA or another human-recognition check.
In the following, I’ll explain every step that you should take to have a secure website.
You’ll learn how to use Hide My WordPress Ghost to protect your website from hackers.
By default, WordPress allows unlimited login attempts, either through the login page or xmlrpc.
Therefore, you need to limit the number of login attempts for incorrect usernames or passwords.
As you can see in the image, you only need to enter a few numbers and save, and the protection is on.
The Hide My WordPress Ghost plugin limits the rate of login attempts and temporarily blocks the offending IP address.
By default, the maximum number of failed login attempts is 5 and the ban duration is one hour.
With one click you can access the Brute Force Protection Settings tab and simply set the maximum failed attempts and the ban duration.
You can also inform the user about the remaining retries or lockout time on the login page.
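The behaviour described above (count failures per IP address, block the address for a while after a threshold, and tell the user how many retries remain) can be shown in a small must-use plugin. This is an added example written for this article, not code from the Hide My WordPress Ghost plugin; the threshold of 5 attempts and the one-hour ban are assumed to mirror the defaults quoted above, and the `lal_` prefix, file location and messages are my own choices. Because it hooks the `authenticate` filter, it covers both the login page and XML-RPC logins.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example, not the Hide My WP Ghost plugin)
 * Drop this file into wp-content/mu-plugins/ to activate it.
 */

// Assumed settings, mirroring the defaults described in the article.
const LAL_MAX_ATTEMPTS    = 5;
const LAL_LOCKOUT_SECONDS = 3600; // one hour

/** Client address. REMOTE_ADDR only: X-Forwarded-For is client-controlled unless a trusted proxy rewrites it. */
function lal_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lal_transient_key(string $ip): string {
    return 'lal_fail_' . md5($ip);
}

/** Current failure counter and lockout expiry (unix time) for an address. */
function lal_state(string $ip): array {
    $state = get_transient(lal_transient_key($ip));
    return is_array($state) ? $state : ['count' => 0, 'until' => 0];
}

/** Count a failed login; lock the address out once the threshold is reached. */
function lal_record_failure(string $username): void {
    $ip    = lal_client_ip();
    $state = lal_state($ip);
    if ($state['until'] > time()) {
        return; // already locked out, do not keep counting the rejections we cause
    }
    $state['count']++;
    if ($state['count'] >= LAL_MAX_ATTEMPTS) {
        $state['until'] = time() + LAL_LOCKOUT_SECONDS;
    }
    set_transient(lal_transient_key($ip), $state, LAL_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'lal_record_failure');

/** A successful login clears the counter for that address. */
function lal_clear(string $user_login, WP_User $user): void {
    delete_transient(lal_transient_key(lal_client_ip()));
}
add_action('wp_login', 'lal_clear', 10, 2);

/**
 * Refuse authentication while locked out. Priority 30 runs after WordPress'
 * own username/password check (priority 20), which would otherwise overwrite
 * an error returned earlier. Applies to wp-login.php and xmlrpc.php alike.
 */
function lal_block_if_locked($user, string $username, string $password) {
    $state = lal_state(lal_client_ip());
    if ($state['until'] > time()) {
        $minutes = (int) ceil(($state['until'] - time()) / 60);
        return new WP_Error(
            'lal_locked',
            sprintf('Too many failed login attempts. Try again in %d minute(s).', $minutes)
        );
    }
    return $user;
}
add_filter('authenticate', 'lal_block_if_locked', 30, 3);

/** Show the remaining retries on the login page, as the article describes. */
function lal_remaining_message(string $message): string {
    $state = lal_state(lal_client_ip());
    if ($state['count'] > 0 && $state['until'] <= time()) {
        $left = LAL_MAX_ATTEMPTS - $state['count'];
        $message .= sprintf(
            '<p class="message">%d login attempt(s) remaining before a %d-minute lockout.</p>',
            $left,
            LAL_LOCKOUT_SECONDS / 60
        );
    }
    return $message;
}
add_filter('login_message', 'lal_remaining_message');
```

Transients are per site, so the counter is shared across all of a site's PHP workers; on a multi-server setup with an object cache they are shared across servers as well. Keying the counter on `REMOTE_ADDR` rather than the submitted username means an attacker rotating usernames from one address is still throttled, while a distributed attack from many addresses is not, which is why the article also recommends IP restrictions and a CAPTCHA.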
The most important URLs are the login page and admin page.
We recommend restricting login page access to only authorized IP addresses if possible.
You can do this by modifying the .htaccess file. However, to do this you will need some programming knowledge.
Whitelist the IP addresses or range of IP addresses that you want to have access to the login page on your website.
Also, you can ban the IP addresses or range of IP addresses that you never want to be able to access the login page.
You don’t need developer skills for this, and it works with any kind of hosting server.
If you block your own IP address by mistake, you can use the safe URL to log in and roll back the settings to the defaults.
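The allow-list and deny-list behaviour described in this section can also be implemented in PHP instead of .htaccess, which is convenient on hosts that do not run Apache. The following is an added example, not code from the Hide My WordPress Ghost plugin: the `lir_` prefix, the constructed sample address ranges (documentation ranges from RFC 5737) and the decision to guard both wp-login.php and xmlrpc.php are my assumptions. Deny rules win over allow rules, and an empty allow list means "everyone not explicitly denied", so the file is safe to install before any ranges are filled in.

```php
<?php
/**
 * Plugin Name: Login URL IP restriction (added example, not the Hide My WP Ghost plugin)
 * Place this file in wp-content/mu-plugins/. IPv4 only; assumes 64-bit PHP.
 */

// Constructed sample rules using RFC 5737 documentation ranges; replace with your own.
const LIR_ALLOW = ['203.0.113.0/24', '198.51.100.7']; // office range and one admin host
const LIR_DENY  = ['192.0.2.0/24'];                   // never allowed, even if also in LIR_ALLOW

/** Does an IPv4 address match a single address or a CIDR range? */
function lir_ip_in_range(string $ip, string $rule): bool {
    if (strpos($rule, '/') === false) {
        return $ip === $rule;
    }
    [$net, $bits] = explode('/', $rule, 2);
    $ip_long  = ip2long($ip);
    $net_long = ip2long($net);
    if ($ip_long === false || $net_long === false) {
        return false; // malformed address or rule never matches
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ip_long & $mask) === ($net_long & $mask);
}

function lir_matches_any(string $ip, array $rules): bool {
    foreach ($rules as $rule) {
        if (lir_ip_in_range($ip, $rule)) {
            return true;
        }
    }
    return false;
}

/** Decision for one client address: true means it may reach the login URLs. */
function lir_is_allowed(string $ip): bool {
    if (lir_matches_any($ip, LIR_DENY)) {
        return false;
    }
    return empty(LIR_ALLOW) || lir_matches_any($ip, LIR_ALLOW);
}

/** Apply the check to wp-login.php and xmlrpc.php before WordPress handles them. */
function lir_guard_login_urls(): void {
    $is_login  = ($GLOBALS['pagenow'] ?? '') === 'wp-login.php';
    $is_xmlrpc = defined('XMLRPC_REQUEST') && XMLRPC_REQUEST;
    if (!$is_login && !$is_xmlrpc) {
        return;
    }
    // REMOTE_ADDR only: X-Forwarded-For is client-controlled unless a trusted proxy rewrites it.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!lir_is_allowed($ip)) {
        status_header(403);
        nocache_headers();
        exit('Access to this page is restricted.');
    }
}
add_action('init', 'lir_guard_login_urls');
```

Before enabling a non-empty allow list, confirm from a second network that your own address really falls inside one of the ranges; a typo in the CIDR prefix is the usual way to lock yourself out, which is exactly the situation the safe URL mentioned above exists for.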
You can prevent a lot of problems by hiding the fact that you are using WordPress.
Filters you can add into the .htaccess file to protect your website:
CAPTCHA = Completely Automated Public Turing test to tell Computers and Humans Apart
The primary goal of a CAPTCHA is to provide an extra layer of security on sensitive pages.
When used as part of a registration, login, or order form, this feature can help stop malicious bots from creating spammy comments or getting access to your personal information.
If you’ve ever been asked to solve a simple math problem or “prove you’re human” before performing an action on a website – you’ve encountered a CAPTCHA.
Google has even implemented a new variety it calls “No CAPTCHA reCAPTCHA”, which only requires you to check a box.
The goal of your password is to make it difficult for other people to guess and difficult for a brute force attack to succeed.
There are many automatic password generators available that can be used to create secure passwords.
Things to avoid when choosing a password:
– Any permutation of your own real name, username, company name, or name of your website.
– A word from a dictionary, in any language.
– A short password.
– Any numeric-only or alphabetic-only password (a mixture of both is best).
Copyright © WPPlugins