We understand that many sites have installed various security plug-ins to prevent WordPress hacking, but some plug-ins are specialized for the login screen only.
These plug-ins do not provide much protection against WordPress hacking. We will explain why.
Capturing the WordPress login screen does not prevent many hacks (site tampering, viruses)
There are multiple methods by which hackers can deface and hack WordPress.
(1) Defacing the administrator’s password by brute-force and logging into the administration screen
(2) Exploiting various vulnerabilities in WordPress and tampering with it.
(3) Exploiting vulnerabilities in the server itself to gain root privileges and tamper with the server.
(4) Hacking into the database and changing the administrator’s password or creating a new user to log in to the site and tampering with it.
(5) Defacing the site by using backdoors already installed in themes, plug-ins, etc.
As you can see, security plug-ins that only enhance the security of the login screen can only prevent the brute force attack in (1).
It is also important to note that this type of attack is currently not mainstream and is not used very often.
Many of our clients have been relieved to know that WordPress Doctor has been able to remove malware from their systems by only securing the login screen.
It is dangerous to be relieved just because you have taken measures to secure the login screen.
In the first place, is there any meaning in taking security measures (capturing) of the login screen?
WordPress has a function to automatically generate a strong password, and as long as this password is used (unless some major vulnerability is found in WordPress itself), it is unlikely to be breached by a brute force attack.
A password that contains alphanumeric symbols and is of sufficient length is so secure that it could not be breached by brute force even if it took 1,000 years.
Therefore, if you are using a weak password (a few letters), captcha or login lockdown (where you are prevented from logging in after several failed attempts) may make sense, but if your password is strong enough, the security measures on the login screen will not make much sense. However, if the password is strong enough, the security measures on the login screen will be of little use.
In addition, it is possible to conduct a brute force attack to reveal the password by using the WordPress email posting function, etc., in addition to repeatedly enforcing the login from the login screen.
WordPress security is meaningless without comprehensive protection against a variety of attacks.
We will go through the list again to see how to prevent hackers from hacking the site and how to deal with them.
(1) Solve the administrator’s password by brute force to log in to the administration screen and tamper with it.
→Use strong passwords.
(2) Falsification by exploiting various vulnerabilities in WordPress
→Keep WordPress and plug-ins up-to-date, delete unused plug-ins, or change plug-ins through vulnerability testing, and prevent hackers from checking for vulnerabilities in the site.
(3) Hackers can exploit vulnerabilities in the server itself to gain root privileges and tamper with the site.
→The server itself is vulnerable to intrusion with root privileges and tampering.
(4) Hackers can enter the database and change the administrator’s password or create a new user to log in to the site and deface it.
→We recommend that you do not install PHPMYADMIN on the server to prevent wp-config.php from being downloaded due to vulnerabilities in plug-ins and themes.
(5) Defacement of sites using backdoors already installed in themes, plugins, etc.
→Update themes and plugins, constantly inspect for backdoors, etc.
We believe that this is a good idea.
Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].