When I started blogging with WordPress as my CMS, I often got spam comments from online spammers, which I filtered using some security measures. Some days ago, I started getting tons of brute force login attempts, with and without my username. Brute force is one of the old hacking techniques: a hacker runs a brute force script that tries many logins against the targeted sites. If you don't take any protection against brute force attempts, you may lose your blog.
Limit Login Attempts
By default, WordPress allows unlimited login attempts for any user. Hackers abuse this to attack targeted sites with automated login scripts, which is why we receive tons of failed login attempts. You should track and block the IP addresses that are trying to log in, and also use the WordPress plugin called Limit Login Attempts. Download and activate the plugin from your dashboard; it is quite easy to use but efficient. It locks out the IP address of any user who exceeds the specified number of retries and notifies the admin about those IP addresses.
Changing Default Username
The default WordPress username is admin. Leaving it unchanged gives hackers a free chance to take over your site with brute force attacks, which try many passwords against the username admin. Avoiding this mistake will harden your site's security.
Changing Login URL
Both wp-login.php and wp-admin lead to the login page of a WordPress site. The URL can be changed via FTP or with a WordPress plugin. If you're familiar with FTP, simply navigate to the .htaccess file of your site and add the following line:
RewriteRule ^login$ https://menonjats.com/wp-login.php [NC,L]
Replace the site name with your own, and choose any name you like for the login address instead of wp-login.php. Note that this rule only adds /login as another way to reach wp-login.php; the original wp-login.php address keeps working unless it is blocked separately. If you prefer plugins, you can install and configure the Rename wp-login.php plugin.
Enable Two Step Authentication
If luck is against us, some brute force attempts may end in a successful login. To guard against that, take advanced protection by using the Google Authenticator plugin. It works smartly: whenever you log in to WordPress, this plugin sends a random security code to your registered mobile number. Once you enter the correct code, your login succeeds; otherwise it fails. The security code expires after a specific time for added security.