One way attackers try to break into a website is by running a program that tries thousands of different passwords against the login form. A strong password should defeat them, but you can make sure of it by spotting the attack at the source and locking the attacker out. On WordPress that is very easy to do.
By Keith Lunt, ©howtostartmyblog.com

Attackers wanting to get up to some mischief on a blog may simply brute force their way in: try one password after another until one works. A strong password means they have to keep trying for much longer, but how long will that keep you safe? Changing the user name to something they cannot guess straight off is also good protection, because it forces them to guess both halves of the credential. But a prolonged brute force attack still hammers your login page with requests, uses bandwidth, and can slow the blog down for the readers who are trying to reach it.

Slowing Down A Brute Force Attempt Is The Secret To Stopping It
You need to put them off by blocking them out. If they are locked out after every 3 or 4 attempts and cannot try again for an hour or more, then just 100 passwords takes the best part of a day or more (at 4 attempts an hour, 100 guesses need about 25 hours), and the number of user id / password combinations needed to break a strong password would take years. Hopefully they move on to an easier target. One caveat: lockouts are counted per IP address, so an attacker who spreads the attempts across many addresses gets a separate allowance from each one. A lockout plugin raises the cost of an attack; it does not replace a strong password.

Sadly, Not All Plugins Deliver On The Promise
There are several plugins that promise to do exactly this, but in testing some of them on my own blogs I found that not all of them do the job properly. Some only lock out the login form itself: you can still submit a user id and password to the site by another route and log in successfully. A lockout that is not enforced at the point where the password is actually checked is no lockout at all.

The Plugin That I Use On My Blogs
The plugin that I could not defeat was Limit Login Attempts, and I like it because it has a good set of options. You set how many attempts are allowed before a lockout and how long the lockout lasts. Then, if there are several more lockouts within a longer time period, you can lock the attacker out for much longer still, and you can set how long the plugin remembers failed attempts before the count is reset.

And with each failure, the person trying to log on is told how many attempts they have left, so they know what they are dealing with and hopefully leave you alone.
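To make the arithmetic concrete, here is a small Python model of that lockout policy: a few failures from one IP address lock it out, repeated lockouts inside a longer window escalate to a much longer lockout, and each failure reports the attempts remaining. It is an added example, not code from the plugin or from WordPress. The numbers (4 attempts, 20 minute lockout, 4 lockouts within 12 hours escalating to 24 hours) and the IP addresses are assumptions chosen to match the plugin's defaults, so check them against your own settings page.

```python
"""Per-IP login lockout with escalating lockouts.

Added example, not code from the Limit Login Attempts plugin or WordPress.
It models the policy described in the post and simulates a single-IP
password-guessing run against it. The default numbers are assumptions
chosen to match the plugin's defaults; verify them against your settings.
"""
import math
from dataclasses import dataclass
from typing import Callable, Dict, NamedTuple


@dataclass
class LockoutPolicy:
    allowed_retries: int = 4             # failed logins before a lockout
    lockout_seconds: int = 20 * 60       # length of a normal lockout
    allowed_lockouts: int = 4            # lockouts inside valid_seconds before escalating
    long_lockout_seconds: int = 24 * 3600
    valid_seconds: int = 12 * 3600       # how long failures and lockouts are remembered


@dataclass
class IpState:
    retries: int = 0
    lockouts: int = 0
    valid_until: float = 0.0    # retries/lockouts are forgotten after this time
    locked_until: float = 0.0


class Result(NamedTuple):
    outcome: str              # "ok", "failed" or "locked"
    remaining_attempts: int   # attempts left before the next lockout
    locked_for: int           # seconds until this IP may try again (0 if not locked)


class LoginGuard:
    def __init__(self, policy: LockoutPolicy, check_password: Callable[[str, str], bool]):
        self.policy = policy
        self.check_password = check_password
        self.state: Dict[str, IpState] = {}

    def attempt(self, ip: str, username: str, password: str, now: float) -> Result:
        p, s = self.policy, self.state.setdefault(ip, IpState())
        # 1. A locked-out IP is refused before the password is even looked at,
        #    so guessing the right password during a lockout gains nothing.
        if now < s.locked_until:
            return Result("locked", 0, math.ceil(s.locked_until - now))
        # 2. Old failures are forgotten once the validity window has passed.
        if now >= s.valid_until:
            s.retries, s.lockouts = 0, 0
        if self.check_password(username, password):
            self.state[ip] = IpState()           # a successful login clears the record
            return Result("ok", p.allowed_retries, 0)
        # 3. Count the failure; on the Nth failure lock the IP out.
        s.retries += 1
        s.valid_until = now + p.valid_seconds
        if s.retries < p.allowed_retries:
            return Result("failed", p.allowed_retries - s.retries, 0)
        s.retries = 0
        s.lockouts += 1
        if s.lockouts >= p.allowed_lockouts:     # too many lockouts: escalate
            s.lockouts = 0
            duration = p.long_lockout_seconds
        else:
            duration = p.lockout_seconds
        s.locked_until = now + duration
        return Result("failed", 0, duration)


def time_to_try(n_guesses: int, policy: LockoutPolicy, attempt_seconds: float = 1.0) -> float:
    """Seconds (from the first guess) at which an attacker on one IP submits
    the n-th wrong password, resuming the instant each lockout expires."""
    guard = LoginGuard(policy, lambda user, pw: False)   # every guess is wrong
    now, guesses, last = 0.0, 0, 0.0
    while guesses < n_guesses:
        # 203.0.113.5 is a constructed attacker address (documentation range)
        r = guard.attempt("203.0.113.5", "admin", f"guess{guesses}", now)
        if r.outcome == "locked":
            now += r.locked_for          # wait the lockout out, then try again
            continue
        guesses += 1
        last = now
        now += attempt_seconds
    return last


if __name__ == "__main__":
    secs = time_to_try(100, LockoutPolicy())
    print(f"100 guesses from one IP take {secs / 86400:.2f} days under the default policy")
    no_lockout = LockoutPolicy(allowed_retries=10**9)
    print(f"without lockouts they take {time_to_try(100, no_lockout):.0f} seconds")
```

Run it and it reports how long 100 guesses take from a single address under those settings (about 6 days) against under two minutes with no lockout at all, which is the whole point of the plugin. Note the first check in attempt(): a locked-out address is refused before the password is compared. That is what separates a real lockout from one that only hides the login form.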

What If You Log Yourself Out?
Yes, get your own password wrong a few times and you will lock yourself out. It is no good trying a different user id either: the plugin tracks the IP address of the attempts and blocks any further login from that address. So if you get it wrong, whether because Caps Lock was on or because you were testing it, you are locked out like anyone else. A related caveat: if your site sits behind a reverse proxy or CDN, every visitor arrives from the proxy's address, so the plugin must be told to read the real client address (it has a setting for exactly that) or one attacker can get everybody locked out at once.

Assuming that you cannot change your IP address, you can still get back in. You just need access to your database (phpMyAdmin or similar), where you remove the record that shows you are locked out. Limit Login Attempts keeps its lockouts in the wp_options table, in the option named limit_login_lockouts, a serialised list of locked-out addresses and when each lockout expires; deleting that option clears every current lockout, including yours. If you cannot get at the database, the only other option is to wait the lockout out.
