If you enjoyed this video don't forget to the like it and subscribe! Then check out this playlist about WordPress security: th-cam.com/video/bXnDaXVtBKM/w-d-xo.html
Hi Bjorn, You do a great job on all your videos. I have one question: I've been using the free version of WordFence where I setup brute force protection that locks out IP's on the 2nd invalid attempt. I use 20 digit passwords on all sites that make it virtually impossible on two logins. The plugins you mention look very good but I'm wondering if you would recommend the free version of WordFence instead?
@@wplearninglab I really appreciate your efforts. I just wana say you, I started my career 3 years ago by watching your videos. You really helped and I have a wonderful job. I wish to meet you one day.
Hi Björn Nice video! Can I add that iThemes has a specific tab for 'Brute Force Attacks'. It reads in part: " The network protection will automatically report the IP addresses of failed login attempts to iThemes and will block them for a length of time necessary to protect your site based on the number of other sites that have seen a similar attack." And iThemes by default is set to disable XML-RPC (can be changed). And for extra security: Make your username as hard to guess as your password! That means as least 10-12 characters (mix upper-/lowercase, numbers and symbols). Cheers.
It’s really freaking stupid that wordfence doesn’t have the option to change the login page. Now you have to add another plugin which means more resources used as well as a potential point of plugin failure/compromise. Also dumb how WF bogs down your site. :( good video though!
After installing my first private Wordpress page and also installing a security plugin I was suprised that my site was attacked nearly every single night. The security plugin informs me by e-mail about the attempts. YOU HAVE TO INSTALL SECURITY PLUGINS. Until now hiding the login page was nearly sufficient to defend my page against attacks. I also created a new admin user and deleted the old admin name, after I had checked that the new admin was able to get access to the dashboard.
Thank you for this vid! I use itheme Security, it also has a lot of functions. I will try your options. Best not use them together? Since a couple of days I got a lot of brute force attacks; my login adress is also changed -just as you mentioned in this video, i’ve also set the login Attempts on 4, They are banned for 10 days. But I always recieve this message when there was another attempt: ‘too many attempts to access a file that doesn’t exists’ what does this mean, do you think? Can’t i block the attempts in some sort of way? Thank you for answering.
@@wplearninglab It's all good. I just thought I'd throw it out there for anyone who does use it. Because I didn't know it either, until recently. I did some firewall rule-based blocking a couple of weeks ago. Afterward, the logs showed the XML-PRC rule triggered by JetPack, so I had to explicitly allow JetPack through. Just want others to be aware of the pains that come along with security hardening. All "exploits" that hackers look for are not useless to proper function and hardening can have unintended consequences if you're not careful.
Hello sir, thanks very much for the video. I had just one question. Which would you suggest is the better option ? Install both wp hide login and reloaded limit login or wordfence plugin ? I have seen through WordPress forums that wordfence can sometimes cause problems with your website such as locking you out of your site to deleting your website etc.. Really appreciate your content as it has helped me to set up my first website in the UK Cheers m8! 😁
I'm sick and tired of this brute force attack, my sucuri plugin keeps on detecting it I want to block those IP but can find a free plugin I installed hide my admin page already but somehow they are still there I will try the limit login ..thanks!
@@wplearninglab You are right! I just found out that a hacker from Russia is accessing my xmlrpc.php and Wordfence blocked it. I think SUCURI SUCKS. I will just use Wordfence for now on. Thank you!
Good stuff! I've enjoyed all the great content you provide for us WP beginners. One question: Will the "Reloaded" plugin conflict with the iThemes plugin? I did enable the Reloaded plugin and when I tested for a false password, the WP error message said it was due to a bad "password." It did not say it was due to a bad "username OR password."
Hey there, both these plugins don’t work. Every website I’m making seems to get attacked like crazy and taken offline eventually. Please make a new video about how to really protect a Wordpress website.
Thanks for the tutorial! This may be a dumb question but does this also mean I shouldn't store my passwords in my Chrome settings or is it "safe" to do that?
@@wplearninglab We use custom modsecurity rules on the servers. Wordpress is one of the most attacked platforms on the internet. And if anyone uses Wordfence they will get lot's of false positives
If you enjoyed this video don't forget to the like it and subscribe! Then check out this playlist about WordPress security: th-cam.com/video/bXnDaXVtBKM/w-d-xo.html
Thank you for posting this great information :)
Hi Bjorn, just to clarify at 11:20, you should check the box to disable XML-RPC authentication shouldn't you. It's allowed by default?
I think you are right. To increase the security, you want the box to be checked.
Thank you for the education. Prevention is like a seatbelt - use it or regret it when you need it.
Thank you SOOOO much , your tutorial is complete and great:)😀
good work keep it up sir
Hi Bjorn, You do a great job on all your videos. I have one question: I've been using the free version of WordFence where I setup brute force protection that locks out IP's on the 2nd invalid attempt. I use 20 digit passwords on all sites that make it virtually impossible on two logins. The plugins you mention look very good but I'm wondering if you would recommend the free version of WordFence instead?
You are a great man ! Thanks
Thanks Asfand, you're great too! Thanks for watching :)
@@wplearninglab I really appreciate your efforts. I just wana say you, I started my career 3 years ago by watching your videos. You really helped and I have a wonderful job. I wish to meet you one day.
excellent video. thanks.
You’re welcome, thanks for watching!
I kept getting emails of a nonstop brute force attack going on 24/7 by different IP address. This video is amazing 😍 Liked and subscibed
Thank you VERY much Bjorn, I'm having brute force attacks on a client's site, and have implemented these changes.
Hi Björn
Nice video!
Can I add that iThemes has a specific tab for 'Brute Force Attacks'. It reads in part: " The network protection will automatically report the IP addresses of failed login attempts to iThemes and will block them for a length of time necessary to protect your site based on the number of other sites that have seen a similar attack."
And iThemes by default is set to disable XML-RPC (can be changed).
And for extra security: Make your username as hard to guess as your password! That means as least 10-12 characters (mix upper-/lowercase, numbers and symbols).
Cheers.
Thanks for the add Peter. If you use iThemes and Move My Login tr hst should be all you need for Brute Force prevention.
very helpful
Thanks Fiaz and thanks for watching!
Thank You for these great Information. Nice Video
Thanks and thanks for watching!
Awesome as allways.
Thanks Bertus and thanks for watching!
Tenho acompanhado as suas dicas aqui no Brasil. Você faz um excelente trabalho!
It’s really freaking stupid that wordfence doesn’t have the option to change the login page. Now you have to add another plugin which means more resources used as well as a potential point of plugin failure/compromise. Also dumb how WF bogs down your site. :( good video though!
Really is this true? Should I add WF on my site then? Or not?
@UCzcHtJ2-cveS4bh-XoN-Fug Thank you, when I want to reach out I will ask.
this is a great video, top class help :) thanks
Love it, thank you, the Tshirt and video guy!
After installing my first private Wordpress page and also installing a security plugin I was suprised that my site was attacked nearly every single night. The security plugin informs me by e-mail about the attempts. YOU HAVE TO INSTALL SECURITY PLUGINS. Until now hiding the login page was nearly sufficient to defend my page against attacks. I also created a new admin user and deleted the old admin name, after I had checked that the new admin was able to get access to the dashboard.
I add these plugin before I start building every site. I also add ithemes security.
iThemes is a great security plugin. It has loads of features and it covers more bases than just brute force.
thank you Bjorn, for reminding of that security :)
No problem, we all forget about it sometimes, but it'd important :) Thanks for watching!
Thank you for this vid! I use itheme Security, it also has a lot of functions. I will try your options. Best not use them together? Since a couple of days I got a lot of brute force attacks; my login adress is also changed -just as you mentioned in this video, i’ve also set the login Attempts on 4, They are banned for 10 days. But I always recieve this message when there was another attempt: ‘too many attempts to access a file that doesn’t exists’ what does this mean, do you think? Can’t i block the attempts in some sort of way? Thank you for answering.
Great video. I'm a Cloudways user, so I don't have to jump through as many loopholes. Very effective though
so what is u r using wp-admin ? also will 404?
Great video. Thanks for sharing. Important note, though - if you use the JetPack plugin and block XML-RPC, JetPack will break.
Hi Katrina, thanks for the tip! I don't use JetPack, so I didn't know :(
@@wplearninglab It's all good. I just thought I'd throw it out there for anyone who does use it. Because I didn't know it either, until recently. I did some firewall rule-based blocking a couple of weeks ago. Afterward, the logs showed the XML-PRC rule triggered by JetPack, so I had to explicitly allow JetPack through. Just want others to be aware of the pains that come along with security hardening. All "exploits" that hackers look for are not useless to proper function and hardening can have unintended consequences if you're not careful.
Thanks usefull
Hello sir, thanks very much for the video.
I had just one question. Which would you suggest is the better option ?
Install both wp hide login and reloaded limit login or wordfence plugin ?
I have seen through WordPress forums that wordfence can sometimes cause problems with your website such as locking you out of your site to deleting your website etc..
Really appreciate your content as it has helped me to set up my first website in the UK Cheers m8! 😁
Is it a good idea to have my browser save my WordPress login passwords?
I'm sick and tired of this brute force attack, my sucuri plugin keeps on detecting it
I want to block those IP but can find a free plugin
I installed hide my admin page already but somehow they are still there
I will try the limit login ..thanks!
Hey Buffy,
They may be targeting the XML-RPC file. If you're not using it, try blocking access to it using Wordfence or htaccess code.
Good luck!
@@wplearninglab Thanks a lot!
I will try that and use Wordfence instead
@@wplearninglab You are right! I just found out that a hacker from Russia is accessing my xmlrpc.php and Wordfence blocked it.
I think SUCURI SUCKS. I will just use Wordfence for now on. Thank you!
Good stuff! I've enjoyed all the great content you provide for us WP beginners. One question: Will the "Reloaded" plugin conflict with the iThemes plugin? I did enable the Reloaded plugin and when I tested for a false password, the WP error message said it was due to a bad "password." It did not say it was due to a bad "username OR password."
Hey there, both these plugins don’t work. Every website I’m making seems to get attacked like crazy and taken offline eventually. Please make a new video about how to really protect a Wordpress website.
What if i have extremely strong password, what are the chances to be hacked? Is any other ways for hackers, even theoretically?
Hi, gr8 channel. Your "Grab your free 17-Point WordPress" doesn't work
Thanks for the tutorial! This may be a dumb question but does this also mean I shouldn't store my passwords in my Chrome settings or is it "safe" to do that?
Your web hosting company should stop all these like our's does.
How does your webhost prevent brute force attacks?
@@wplearninglab We use custom modsecurity rules on the servers. Wordpress is one of the most attacked platforms on the internet. And if anyone uses Wordfence they will get lot's of false positives
@@fredstraw If Wordpress is one of the most attacked platforms, then surely you would be happy to accept more false positives Fred?
@@leslieisaac9104 It is one of the most
browser authentication is one solution