This article was originally authored by Robert Abela of Melapress, a Patchstack partner specializing in WordPress security and user management solutions.

Unauthorized WordPress access is more common than you might think. Learning how to detect and prevent WordPress unauthorized access can help you avoid security incidents. And if they do happen, you'll be able to detect them early and take appropriate action.

In this article, we'll examine different tools, services, and techniques that can help you prevent unauthorized access and detect it when it occurs. Following these best practices will ensure your WordPress site's security posture remains strong.

The importance of detecting and preventing hacks and unauthorized access

Bad actors typically try to gain access to websites for several reasons, including:

• Financial gain (stealing data, installing ransomware, etc.)
• Recruiting servers for future attacks (such as DDoS attacks)
• Sabotage (helping competitors)

Bad actors don't need to have a personal vendetta against you to attack your WordPress website. In many cases, breaches are collateral damage rather than targeted attacks. Your job is to make your WordPress websites secure enough that attackers move on to softer targets.

When bad actors gain access to a website, they typically perform activities such as:

• Stealing data from your site or your users
• Installing malware
• Stealing traffic/injecting links
• Defacing your website

Any of these actions can cost you money and potentially damage your reputation. Investing time in securing your websites will go a long way in keeping you and your users safe.

Detecting unauthorized access in WordPress

Taking preventive measures doesn't guarantee that breaches won't occur. Rather, the goal is to reduce the risk of an incident. To this end, it's important to implement checks and balances that not only prevent breaches but detect them should they happen.

An important point is that not all unauthorized access comes from external sources. Unfortunately, internal threats are common. You need to monitor both external and internal access points to ensure no unauthorized access occurs – and that if it does, you catch it early.

Using logs to detect unauthorized access

Logs are a tried-and-tested method that software uses to record what happened. They tell us who accessed what, when, and from where, what changes were made, and the specific details of those changes. Logs track user and system activity, which helps:

• Identify breaches and unauthorized access
• Comply with regulations and standards such as GDPR and PCI DSS
• Facilitate troubleshooting and forensic activities after a breach
• Improve your security posture

Logs come in various forms. Activity logs are particularly useful for WordPress sites.

WordPress activity logs

WordPress activity logs record user and system activity on your WordPress websites. Benefits include:

• Identifying failed login attempts, along with the IP address
• Knowing who accessed what and when (posts, pages, products, categories, etc.)
• Keeping a record of all logins and logouts
• Tracking file uploads and deletions
• Monitoring changes to third-party applications

WordPress doesn't offer this functionality, so you must install a plugin to enable it.

Using activity log plugins

Activity log plugins enable you to keep detailed logs of WordPress activity. Each log entry typically includes the following:

• Date and time
• IP address
• User
• What changed

This information provides a detailed picture of what's happening on your WordPress website, helps identify suspicious behavior, and enables you to take remedial action when necessary.

Example: using WP Activity Log to detect unauthorized access

Note: This article was originally written by Melapress, a Patchstack partner specializing in WordPress security solutions.

WP Activity Log is a plugin created by our team at Melapress that provides detailed WordPress activity monitoring. Let's look at some practical examples of how this tool can help identify suspicious activities:

When monitoring your site with an activity log, you can see when one user takes over another user's content:

wordpress-activity-log-viewer

In the example above, Editor Franz Kafka took over a post from user Maya (Event ID 2133). He then modified the content and published it (Event ID 2065). You can see exactly what was changed by clicking "View the content changes" in the Message column.

This allows you to detect when someone adds unwanted content, such as spam links:

compare-wordpress-post-revisions-wp-activity-log

The activity log also tracks failed login attempts:

Under Event ID 1002, you can see that Author Maya tried to log in several times with incorrect credentials. This could indicate a legitimate user who forgot their password or a potential unauthorized access attempt. You can investigate by:

• Contacting the user to verify if it was them
• Checking if the IP address matches their known location
• Forcing a password reset as a precaution

Another security concern is multiple active sessions for the same user:

Under Event ID 1005, Administrator Joel logged in while already having an active session. This could indicate account sharing (against best practices) or potentially that someone else is using the administrator's account simultaneously.

With the right activity log plugin, you can implement policies to prevent multiple active sessions for enhanced security.

Preventing unauthorized access

As the old adage goes, prevention is better than cure. This wisdom applies to WordPress security, and it's advice worth heeding. Let's start with the basics.

#1 - The fundamentals

The fundamentals are critical to good security. They form the foundation upon which everything else is built. Without them, regardless of how much you invest, your WordPress security will be nothing but a house of cards.

Choosing the right hosting provider

One of the first decisions many make when setting up a WordPress website is choosing where to host it. Today, there are numerous options, with hosting providers of all types competing for your business.

Before committing to a hosting provider, check their track record. Have they had any security incidents? If so, how did they handle them? Review their blog and forums to get a better picture.

Also, ensure you can easily reach their support. This will indicate how accessible help will be should something happen to your website.

If you're already hosting your website with a provider, make sure basic hosting security measures are in place. Equally, confirm you can reach their support without difficulty.

Important hosting security features include:

• Access management
• Firewall protection
• Security monitoring
• DDoS protection
• TLS certificates (formerly SSL)

TLS certificates

TLS certificates encrypt traffic between your WordPress website and visitors/users. They prevent third parties from reading information as it traverses the internet. Having a TLS certificate is important for:

• Security: Data in transit is encrypted, keeping it safe from interception.
• Compliance: Standards and regulations such as PCI DSS and GDPR require data encryption.

website-tls-certificate

Regular updates

Keeping WordPress, plugins, and themes up to date is a basic security measure that profoundly impacts your security posture. Updates include security enhancements and patches, without which your WordPress site would remain vulnerable to attacks.

The key is to establish a consistent WordPress updates policy. Whether you enable auto-updates, test them in staging, or use another approach, having a strategy that ensures timely updates is crucial.

If you're on a managed WordPress hosting plan, you don't need to worry about server-level updates, such as PHP updates, as the hosting provider handles these. However, WordPress core, plugin, and theme updates remain your responsibility.

#2 - Detecting vulnerabilities & preventing exploits

No software is perfect. WordPress core, plugins, and themes can contain vulnerabilities that bad actors might exploit to gain unauthorized access. Vulnerabilities vary in severity – some are easy to exploit, while others require several conditions to be met. Protecting against these vulnerabilities is essential for site security.

Vulnerability Scanning and Protection with Patchstack

Patchstack provides a comprehensive set of features that help detect and mitigate vulnerabilities in WordPress websites. Rather than manually checking for security issues, Patchstack offers a platform that continuously monitors your WordPress sites, promptly addresses threats, and implements advanced hardening measures.

patchstack-portal-features

By incorporating Patchstack into your security strategy, you can maintain a proactive stance against unauthorized access attempts, making it significantly more difficult for malicious actors to exploit weaknesses and gain entry into your systems.

Monitor your WordPress websites for vulnerabilities

As threats evolve, it's important to stay vigilant. Patchstack continuously checks WordPress core files, themes, and plugins for known vulnerabilities, ensuring your websites remain as secure as possible.

Through proactive monitoring, Patchstack reduces the window of opportunity for bad actors to exploit vulnerabilities. You'll receive real-time alerts about emerging threats rather than discovering a security issue from a blog post or changelog. With up-to-date vulnerability information, you can quickly prevent issues from becoming full-blown breaches.

Patch with virtual patching

Developing fixes for newly discovered vulnerabilities takes time. Although rare, this leaves a window of opportunity during which attackers may attempt to gain access. Patchstack's Virtual Patching is designed to close this gap.

Once a vulnerability is identified, the platform automatically applies a virtual patch to block exploitation attempts. This approach buys valuable time, ensuring critical flaws are effectively neutralized until the original developer releases a permanent update.

OWASP module protection

Security best practices serve as a roadmap for maintaining good WordPress security. Patchstack's OWASP module provides protection rules that safeguard websites from attacks identified in the OWASP Top 10.

By implementing these best practices, you can systematically address common weaknesses that malicious actors frequently exploit, including injection flaws, misconfigurations, and cross-site scripting vulnerabilities. Note that the protection provided by the OWASP module is aggressive and may produce false positives, especially on complex websites.

Advanced hardening features

Patchstack also offers features for advanced WordPress hardening. These additional protection rules include blocking file uploads with .php and .html extensions and blocking requests that contain suspicious strings such as wp-config.php, administrator, users_can_register, and many others.

patchstack-advanced-hardening-features

WordPress hardening is a valuable security practice. By reinforcing WordPress with multiple security layers, you ensure that attackers encounter a series of well-fortified defenses rather than easily accessible entry points.

Communication with developers

It's equally important to contact software developers with vulnerabilities, whether WordPress core, a plugin, or a theme. This ensures awareness and keeps you informed about patch development progress.

The WordPress.org support forum is a good starting point. The WordPress community is helpful, and developers tend to be quite active. You might also contact developers directly through their websites.

#3 - Login security & user role management

Bad actors use various tools and methodologies to gain unauthorized access to websites. Brute-force attacks try different username and password combinations in rapid succession until the right one is found. They rely on unlimited attempts, as the probability of finding the correct combination works against them.

Security policies help counteract risks associated with attacks like brute force attempts. They are enforceable guidelines that ensure security best practices are consistently applied.

Implementing login security with specialized tools

Specialized tools like Melapress Login Security can be valuable for effectively implementing login security policies. This plugin provides features that allow you to enforce security policies for different users and roles.

The free version includes essential login security features such as:

• Limiting login attempts
• Setting password policies
• Adding login GDPR notifications
• Customizing login page security

For enhanced protection, the Premium edition offers additional security tools, including:

• One-click integration with WooCommerce and other popular plugins
• Geo-blocking capabilities
• Security questions for additional verification
• Advanced user management features

These tools make it easier to implement comprehensive login security without requiring extensive technical knowledge.

Limiting login attempts

By limiting login attempts, you can thwart bad actors by restricting the number of tries allowed before an account is locked. Legitimate users typically remember the correct combination after a couple of attempts or request a password reset. Setting a limit on login attempts improves security without significantly impacting user experience.

How to set up failed login policies with Melapress Login Security:

To set up a failed login policy, install Melapress Login Security, then navigate to Login Security > Login Security Policies. Tick the Enable login security policies checkbox and scroll down to the Failed login policies section.

Tick the Activate failed login policies checkbox and enter the number of failed login attempts allowed.

wordpress-failed-login-policies

The policy includes other settings, such as what happens once an account is locked, giving you complete control and freedom over the implementation of policies.

Password policies

Not all passwords are equal. Weak passwords take a few seconds to crack using modern computers. On the other hand, strong passwords are exponentially stronger and much more difficult to crack.

How can we make sure our users are using adequate passwords?

One option is to ask users to use strong passwords. However, what constitutes a strong password can be left up to interpretation. Since strong passwords are also hard to remember, users are more likely to choose the path of least resistance and choose something they can remember.

Using Melapress Login Security, we can set password policies that not only ensure strong passwords but also guide users as they set their passwords. Using the same navigation path we accessed the limit login attempts feature through, we can set granular password policies for all users or by user role.

This ensures adequate protection for all user accounts on our WordPress sites while keeping the experience of setting passwords as frustration-free and seamless as possible.

wordpress-password-policies

Hide the login URL

The WordPress login page URL is well-known, making it an easy target for someone attempting to gain illegitimate access to the WordPress admin dashboard. By hiding your login URL, you implement a form of WordPress admin access control that makes it harder for bad actors to find it.

Note that hiding the login URL doesn't make it invisible. As mentioned earlier, the goal is to make your WordPress sites harder to breach by adding multiple defense layers.

The easiest way to change the login page URL is to use a plugin. Using Melapress Login Security, navigate to Login Security > Login page hardening. Then, enter the new URL in the Login page URL field. If you want to redirect anyone who tries to access /wp-admin/, enter the URL in the Redirect old login page URL to field.

change-wordpress-login-url

Locking inactive user accounts

Inactive user accounts aren't an inherent threat, but they elevate your security risk. The main concern is that if an inactive account is compromised, it might go unnoticed. Disabling inactive accounts removes this unnecessary risk. Locked accounts can always be reactivated if the user returns.

Defining the elapsed time for an account to be considered inactive is a policy decision. There are no universal rules about how much time must pass before an account is deemed inactive.

Geo-blocking and IP restrictions

You can further restrict access to the login page through geo-blocking and IP restrictions.

Using geo-blocking, you can allow or deny access based on the user's country. You can limit access to the login page to specific IP addresses through IP restrictions.

Two-factor authentication (2FA)

Two-factor authentication (2FA) requires users to authenticate again before logging in. 2FA protects accounts from compromised passwords since an intruder would also need access to the secondary authentication method.

One-time passwords (OTP) from authenticator apps are among the most common 2FA methods. They're easy to set up and use, ensuring minimal user disruption.

Plugins such as Melapress' WP 2FA make adding 2FA to your WordPress site easy. It offers several authentication methods, ensuring all your users are catered for. It also offers extensive white-labeling options and the ability to remember devices, among other security settings and features.

#4 - WordPress firewalls

WordPress firewalls are often the first security solution people consider when securing their website. Firewalls sit between the WordPress site and the network, monitoring incoming traffic. Also known as endpoint firewalls, when used directly on the web server, they act as a protection layer for WordPress websites and the network.

Most traditional web application firewalls are ineffective at protecting WordPress sites from sophisticated attacks as they primarily rely on hardcoded rules to stop more generic attacks. This is of no use to vulnerabilities as they are very specific exploits of logic mistakes in installed software. Additionally, requests from hackers trying to exploit vulnerabilities aren’t reliably blocked because they often do look like legitimate requests to such web application firewalls

Patchstack protects you beyond a traditional Web Application Firewall with the help of vPatching (Virtual Patches). Even if a patch doesn’t exist yet, using an approach similar to a “regular” Web Application Firewall – requests can be reliably blocked with very specific rules. At the time of posting this, Patchstack has over 10,000 of these rules to protect every site that uses Patchstack from vulnerabilities. 

Firewalls come in different forms, and features may vary between developers. However, you should generally expect firewalls to:

Monitor traffic in real-time

Firewalls monitor traffic in real-time, allowing you to observe network activity as it happens. This enables a proactive rather than reactive approach, addressing suspicious behavior before it escalates into an attack.

Identify and block malicious traffic

Firewalls use threat signatures to identify malicious traffic early, before it can cause damage. Malicious traffic is blocked as soon as it's detected, making this a proactive security approach.

Block malicious IPs 

Bad actors will certainly try to spoof their IP addresses and use measures to hide their identity. However, automatically blocking malicious IPs allows the firewall to learn from past behavior. In turn, it becomes better at preventing future incidents.

Implement rate limiting

Rate limiting controls how many requests a user or IP can make within a specific timeframe. Through these limits, you effectively prevent brute-force and DoS attacks since attackers cannot make enough requests to succeed.

Conclusion

Numerous tools are available to detect and prevent unauthorized WordPress access. This article covered several recommended tools and practices from Melapress and Patchstack. Implementing the right tools for your situation can significantly improve your WordPress security.

Remember that security is always evolving, and we must evolve with it. As bad actors seek new ways to gain unauthorized access, website owners must stay informed and proactive about WordPress security.