- Jan 24, 2014
- by Brad Litwin
Over the past several weeks, we have seen an increase in brute-force login attacks on WordPress sites. These attacks target the default login page for WordPress – wp-login.php – and continually send random passwords to it in an attempt to guess the correct password and gain access to the WordPress installation.
Every time an attempt is made to log in, the WordPress core must be loaded into memory and several requests are made to the WordPress database to check the login information. These repeated attempts to log in, especially if made from multiple locations, can bring your WordPress site and your server to a screaming halt. If the attackers actually gain access to your site, they can do a great deal of damage.
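To see this pattern in your own logs, the following Python script (an added example, not part of the original post or any A2 Hosting tool) counts POST requests to wp-login.php per client IP in an Apache combined-format access log and flags addresses with repeated rejected logins. The log lines are constructed sample data, and the threshold of 5 and the status-code mapping are assumptions.

```python
import re
from collections import Counter, defaultdict

def _line(ip, sec, status, method="POST"):
    # Builds one constructed Apache "combined" log line (sample data, not real traffic).
    return (f'{ip} - - [24/Jan/2014:10:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3512 "-" "Mozilla/5.0"')

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", s, 200) for s in range(6)]            # 6 rejected guesses
    + [_line("198.51.100.7", s, 200) for s in range(10, 17)]    # 7 rejected guesses...
    + [_line("198.51.100.7", 17, 302)]                          # ...and one redirect
    + [_line("192.0.2.10", 30, 200), _line("192.0.2.10", 31, 302)]  # one typo, then login
    + [_line("192.0.2.10", 32, 200, method="GET")]              # page view, not an attempt
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Assumption: stock WordPress answers a rejected login with 200 (form shown again)
# and an accepted one with a 302 redirect; 403/404 means the page is already blocked.
OUTCOME = {"200": "failed", "302": "redirected", "403": "blocked", "404": "blocked"}

def summarize_login_posts(log_text):
    """Count POSTs to wp-login.php per client IP, grouped by outcome."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        stats[m["ip"]][OUTCOME.get(m["status"], "other")] += 1
    return {ip: dict(c) for ip, c in stats.items()}

def flag_brute_force(stats, threshold=5):
    """Flag IPs with at least `threshold` rejected logins; note any with an accepted one."""
    flagged = {}
    for ip, s in stats.items():
        if s.get("failed", 0) >= threshold:
            flagged[ip] = "review: login accepted" if s.get("redirected") else "brute force"
    return flagged

if __name__ == "__main__":
    for ip, verdict in flag_brute_force(summarize_login_posts(SAMPLE_LOG)).items():
        print(ip, verdict)
```

An address flagged with "review: login accepted" had many rejected attempts and at least one redirect, so the account it targeted deserves a password reset and a closer look.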
The good news is that these attempts are easily mitigated. For starters, you should always use a different account than the default “admin” account that is usually set up with WordPress. Just create another admin account with a different name and delete the original admin account. Automated attacks like these almost always target the default admin account.
The second step is to change the URL of your WordPress login page and deny access to the default login page. This prevents automated attacks from submitting login requests and also reduces the server load from a brute-force attack, because the attempts to log in return a 404 error message instead of the default login page.
You can view a full tutorial on how to secure your WordPress login page here: https://www.a2hosting.com/kb/security/application-security/wordpress-security
Remember, when you choose A2 Hosting for your WordPress Hosting needs, you also get our free HackScan protection. This is just another way to further protect your WordPress blog!