As your WordPress site grows, bots will increasingly become a problem. At first you just notice an increased amount of comment spam, most of which will be filtered out by Akismet or any similar plug-in you’re using. Soon, however, you will also start noticing site slowdowns and perhaps even a message saying “Too many database connections!” These usually indicate a huge number of automated spiders and bots hitting your site, searching for vulnerabilities, or trying to insert their own links into your content. A disproportionate number of these attacks are directed at your WordPress admin and login pages. They take advantage of the fact that many people retain the default admin username and set poor-quality passwords. Needless to say, if one of these bots manages to get into your site it could cause irreparable damage.
But here’s the problem – even if you have a strong password and your site is well protected, it’s still being hammered by potentially thousands of requests every day. Both the login and the admin pages are PHP files, and each failed username/password attempt takes up a database connection, bandwidth, and CPU time. By themselves, these requests can make your site all but inaccessible. Here are three ways to deal with this problem:
Limit the number of login attempts;
Community-based blacklists;
Renaming your Login and Admin pages.
Limiting Login Attempts
This common-sense approach prevents a specific spider or bot from repeatedly trying thousands of username/password combinations. Out of the box, WordPress places no limit on the number of tries, but you can easily use a plug-in such as Limit Login Attempts to do this. It’s slightly risky, because there is a danger of you being locked out as well!
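To show what such a limiter does under the hood, here is an added example (not code from the post or from the Limit Login Attempts plug-in) of a small must-use plug-in that counts failed logins per client IP in a transient and refuses further attempts once the limit is reached; the limit, window, and the trusted address that is never locked out are assumed placeholder values.

```php
<?php
/*
 * Plugin Name: Login Throttle (added example, not the plug-in discussed above)
 * Drop this file into wp-content/mu-plugins/ and it loads automatically.
 */

// Tunables: assumed values, adjust to taste.
const LT_MAX_FAILURES = 5;         // failures allowed inside one window
const LT_WINDOW_SECS  = 15 * 60;   // window length, also the lockout length
// Your own address(es): never locked out, so you cannot lock yourself out.
// 203.0.113.10 is a documentation-range placeholder.
const LT_TRUSTED_IPS  = array( '203.0.113.10' );

function lt_client_ip() {
    // REMOTE_ADDR is set by the web server; do not trust X-Forwarded-For
    // unless a proxy you control sets it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_key( $ip ) {
    return 'lt_fail_' . md5( $ip );
}

// Priority 30 runs after core's username/password check (priority 20),
// so a locked-out address is refused even if it guesses correctly.
function lt_check_lockout( $user, $username, $password ) {
    $ip = lt_client_ip();
    if ( in_array( $ip, LT_TRUSTED_IPS, true ) ) {
        return $user;
    }
    $failures = (int) get_transient( lt_key( $ip ) );
    if ( $failures >= LT_MAX_FAILURES ) {
        return new WP_Error( 'lt_locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'lt_check_lockout', 30, 3 );

// Every failure (including attempts refused above) bumps the counter and
// restarts the expiry, so a bot that keeps hammering stays locked out.
function lt_record_failure( $username ) {
    $key = lt_key( lt_client_ip() );
    set_transient( $key, (int) get_transient( $key ) + 1, LT_WINDOW_SECS );
}
add_action( 'wp_login_failed', 'lt_record_failure' );

// A successful login clears the counter for that address.
function lt_clear_failures( $user_login, $user ) {
    delete_transient( lt_key( lt_client_ip() ) );
}
add_action( 'wp_login', 'lt_clear_failures', 10, 2 );
```

The transient expires on its own, so no cron job is needed to lift a lockout; if your site sits behind a reverse proxy, every visitor shares the proxy's REMOTE_ADDR and the lockout would apply to all of them.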
Community-Based Blacklists
You can take advantage of crowd intelligence by proactively blocking IP addresses and user agents that are known to indulge in bad behavior. Very similar to the kind of blacklisting performed by services such as CloudFlare, you can use a WordPress plug-in called BruteProtect, which maintains a central database of failed login attempts across all of its users; once a certain agent passes the threshold, it is denied access to all of the other sites under its umbrella as well. It’s an elegant solution. Sometimes, however, bad IP addresses are released and given to new users, and I don’t know if this database “forgives” them after a period of inactivity.
Renaming Admin and Login Pages
To my mind, this is the most elegant solution of all. Every bot and spider attempting to access your site will use either “wp-login.php” or “wp-admin.php” to do so. These are hardcoded into the WordPress installation and there’s no option to change them out of the box. Therefore they are a highly visible target. Renaming them cuts the feet out from under hackers, since they have no idea what URL to access! On a typical WordPress site you don’t allow random sign-ups and logins from unknown users, so nobody but you needs to know where the login page lives.
You can rename these pages without actually touching your WordPress installation with a little bit of .htaccess magic. Or you can do as I do and simply install the Better WP Security plug-in, which not only allows you to rename these crucial pages but also hardens your site against a wide variety of attacks. Like most good plug-ins, it has a lot of options, and I’ll definitely be reviewing them individually someday.
As I said earlier, you won’t experience any of these problems if you’re just starting out. But as you add more content, become more popular, and have a large number of links pointing to your site, I can guarantee you that a time will come when you simply have to do something about malicious spiders and bots. Hopefully these tips can get you started.