Brute force attacks are so common that both WordPress and Drupal have pages dedicated to this specific aspect of website security. Two common ways of handling them are hiding the login page and using a VPN. Which is safer? How much does each cost? How much extra admin time does each take, and how steep is the learning curve?
Hiding your login page
Hiding your login page means replacing the default login page with a new, secret one. The defaults are wp-login for WordPress, /user/login for Drupal, and /administrator for Joomla. You disable the default page and use a new one instead; there are plugins or modules to help you do that.
Is it safe?
Academically, no. This type of defense relies on secrecy, a practice known as security through obscurity. However, most brute-force attackers are opportunistic and not sophisticated enough to look for alternate login pages. It’s also quick to set up and easy to use.
How much does it cost?
Implementation cost depends on your choice of content management system. Free plugins or modules are usually available for the most popular CMSs.
How much more admin time does it take and how steep is the learning curve?
Nearly none. The only difference from what you do now is that you log in at a different URL: instead of going to http://www.example.org/wp-login you go to http://www.example.org/secretURL. Everything else is the same.
VPN (Virtual Private Network)
A VPN is a security protocol: you connect to a server, and your connection to that server is secured. To the outside world, you appear to be connecting from the VPN server instead of from your current location.
In practice, you either run a dedicated VPN server yourself or sign up for a VPN service. For this use case, you need a service that provides a dedicated IP address. Examples are PureVPN and NordVPN.
A VPN has additional security benefits, so we recommend one regardless.
How much does it cost?
If you choose a VPN service, expect to pay about $25-150/year/person. This estimate includes a dedicated IP address, which you need in order to lock down your website’s admin pages.
However, your organization’s IT department may already have set up a VPN to help staff work remotely. Talk to your IT department first, since there may be no additional cost.
How much more admin time does it take and how steep is the learning curve?
There is minimal additional admin time. Once it’s set up, logging in to the VPN takes less than a minute.
Initial setup takes a little longer. You’ll need to pick a VPN provider, download some software, and obtain a static IP address. You’ll also have to configure your website to allow access to the administrative and login pages only from that IP address.
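As an added example of that last step (not from the original post, and not tied to any particular VPN provider), this nginx fragment restricts the WordPress login page and dashboard to a single source address. The address 203.0.113.10 is a constructed placeholder for the VPN’s dedicated IP, and the PHP-FPM socket path is assumed.

```nginx
# Constructed example: 203.0.113.10 stands in for the VPN's dedicated IP.
# Place inside the server { } block that serves the WordPress site.

# The login page itself: only the VPN address may reach it.
location = /wp-login.php {
    allow 203.0.113.10;   # dedicated VPN egress IP (placeholder)
    deny  all;            # everyone else receives 403
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

# Keep admin-ajax.php reachable: themes and plugins call it for anonymous
# visitors on the public site, so locking it down would break front-end
# features. The exact match (=) wins over the /wp-admin/ prefix below.
location = /wp-admin/admin-ajax.php {
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

# The rest of the dashboard. allow/deny are inherited by the nested
# PHP location, so every script under /wp-admin/ is covered.
location ^~ /wp-admin/ {
    allow 203.0.113.10;
    deny  all;
    try_files $uri $uri/ /index.php?$args;
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading nginx, confirm that /wp-login.php returns 403 from outside the VPN and loads normally from inside it. If the site sits behind a CDN or reverse proxy, nginx sees the proxy’s address rather than the visitor’s, so the real client IP must be restored (for example with the ngx_http_realip_module) before these rules will work as intended.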
Next steps
A VPN is a much safer alternative, but it takes a little longer to configure. Hiding your login page works on the chicken soup theory: it can’t hurt! It also gives you a different approach to security, and since there is never only one security threat, layering separate approaches can be helpful. For the cost, I’d say do both. Both of these solutions work very well alongside a Web Application Firewall.
If you’re not sure how to set this up, get in touch and we’ll help guide you through securing your data.