I have seen many websites built using open-source CMSs such as WordPress and Joomla. The most common mistake their owners make is leaving the admin login panel unrestricted. In the worst case, the default username and a simple password are used.
Nothing seems wrong until the website is found to be loaded with unwanted software: sending spam emails, redirecting visitors to unknown sites, showing undesired content and so on. "But I update my website and plugins regularly, so why was my website hacked?"
This is a common misunderstanding. Yes, the admin login URL is known to anybody. Remember that you are using an open-source CMS that anyone can download and install, so the login URL is effectively public, as is the default username, and sometimes even the default password.
Hence, protecting your admin login is important. Since the admin login URL is the same on every installation, an attacker only needs an application that guesses usernames and passwords. Leaving the username as admin or administrator makes the guessing easier.
This type of attack is very common, and it is called a 'brute-force' attack. If you are one of those mentioned above, it is about time to consider restricting your admin login. Apart from the admin login, open-source plugins and components may become vulnerable too.
These open-source plugins and components rely on updates from their authors to reduce the risk of being hacked. There are a few methods to restrict the login and protect your website at the same time. The common method of using .htaccess is free on an Apache web server.
Recently, the use of a WAF (web application firewall) has become common too. A WAF is usually a paid solution. You can create rules to allow access only from certain IP addresses, add a reCAPTCHA so that only a human can key in the username and password, or add another layer of password with two-factor authentication. A WAF is best for people who do not update their open-source website promptly.
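As an added example (not from the original post), here is what the free .htaccess method looks like on Apache 2.4 for a WordPress site, combining the IP allow rule and the extra password layer mentioned above. The IP range and the password-file path are placeholders, and the server must permit `AllowOverride AuthConfig Limit` for these directives to take effect.

```apache
# ---- File 1: .htaccess in the site's document root -------------------------
# Added example, not from the original post. Placeholders to replace:
#   203.0.113.0/24  - documentation range, substitute your own office/home IP
#   /path/outside/docroot/.htpasswd - password file, keep it outside the web root
#
# Both conditions must hold (RequireAll): the request comes from the allowed
# range AND carries a valid HTTP Basic credential. Password guessing from any
# other address never reaches WordPress at all.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted admin login"
    AuthUserFile "/path/outside/docroot/.htpasswd"
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Files>

# ---- File 2: wp-admin/.htaccess (a separate file inside that directory) ----
# .htaccess scope is the directory it sits in, so the dashboard needs its own
# file. The whole directory is limited to the allowed range ...
Require ip 203.0.113.0/24

# ... except admin-ajax.php, which front-end plugins and themes call from
# ordinary visitors' browsers; blocking it breaks those features for everyone.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Create the password file once with `htpasswd -c /path/outside/docroot/.htpasswd <username>` (placeholder path), then confirm from an address outside the range that `/wp-login.php` returns a 401 or 403 rather than the login form.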
Some WAFs scan your website content to make sure it does not contain suspicious files and malware. Also, most WAFs are coupled with a CDN that speeds up your website by keeping it closer to the audience.
Whether you use .htaccess, a WAF or a server protection solution like Imunify360, the most important thing is to protect your admin login, and this is within your control.