Securing your WordPress Admin
The world’s most secure website is the one that doesn’t exist. The point is that attacks are not a question of if but of when: a hacker half-way across the globe may well be trying to get into your site right now. That is why security is the most important concern today. As per the latest Forbes report, 30,000 websites get hacked every day. Yes, you read that right. The vast majority of these attacks are hackers using brute force techniques to get into websites and wreak havoc. Being cautious about security is everyone’s responsibility, whether you use WordPress or not.
The following are 12 tips which will go a long way in securing your WordPress Admin against hackers.
Picking Strong Passwords
This is the most basic step towards securing any site. Are you brushing it off as a trivial thing already? Well, not so fast. Brute force attacks are the most common attacks on the Internet, and what could be easier than ‘guessing’ a password such as “password123”? WordPress provides a strength indicator for your passwords, so make sure it always tends towards the stronger side. Some tips to keep in mind while configuring passwords are:
Pick a different password for each site.
Ensure that your password is at least 12 characters long.
Avoid using real words in your passwords.
Don’t use your name, family member’s name, or even your pet’s name in the password.
Avoid using keyboard patterns such as 12345678 in your passwords.
It is best to use a combination of lowercase and uppercase letters, numbers, and special characters in your passwords.
Use the Strong Password Generator if you can’t come up with one on your own.
Once you have strong passwords set up for all your sites, don’t write them down! Instead, memorize them or use a password manager.
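One way to enforce the rules listed above at the point where a user sets a password. This is an added example, not code from the original post or from any plugin; it assumes a mu-plugin file, the `user_profile_update_errors` hook that WordPress fires when a profile is saved, and a small constructed word list where a real dictionary would be used in practice.

```php
<?php
/**
 * Added example (not the original post's code): rejects profile updates whose
 * new password breaks the rules above. Install as wp-content/mu-plugins/password-rules.php.
 * PW_COMMON_WORDS is a constructed stand-in for a real dictionary.
 */
const PW_MIN_LENGTH    = 12;
const PW_COMMON_WORDS  = array( 'password', 'welcome', 'admin', 'wordpress', 'letmein' );
const PW_KEYBOARD_ROWS = array( '1234567890', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm' );

/** Returns the list of rule violations; an empty array means the password passes. */
function pw_rule_violations( $password, $user_login = '', $display_name = '' ) {
    $problems = array();
    $lower    = strtolower( $password );
    if ( strlen( $password ) < PW_MIN_LENGTH ) {
        $problems[] = 'shorter than ' . PW_MIN_LENGTH . ' characters';
    }
    // Mixed classes: lowercase, uppercase, a digit and a special character.
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password )
        || ! preg_match( '/[0-9]/', $password ) || ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'does not mix lowercase, uppercase, digits and special characters';
    }
    // Real words and the user's own names are what guessing tools try first.
    foreach ( array_merge( PW_COMMON_WORDS, array( $user_login, $display_name ) ) as $word ) {
        if ( strlen( $word ) >= 3 && strpos( $lower, strtolower( $word ) ) !== false ) {
            $problems[] = "contains '$word'";
        }
    }
    // Keyboard patterns: any 4-character run along a keyboard row, in either direction.
    foreach ( PW_KEYBOARD_ROWS as $row ) {
        for ( $i = 0; $i + 4 <= strlen( $lower ); $i++ ) {
            $chunk = substr( $lower, $i, 4 );
            if ( strpos( $row, $chunk ) !== false || strpos( strrev( $row ), $chunk ) !== false ) {
                $problems[] = "contains keyboard pattern '$chunk'";
                break 2;
            }
        }
    }
    return $problems;
}

// WordPress sets $user->user_pass only when a new password was submitted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // password is not being changed
    }
    $login = $user->user_login ?? '';
    $name  = $user->display_name ?? '';
    foreach ( pw_rule_violations( $user->user_pass, $login, $name ) as $problem ) {
        $errors->add( 'weak_password', 'Password rejected: ' . $problem . '.' );
    }
}, 10, 3 );
```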
Changing Admin username
Change the most commonly used name for your WordPress login: admin. Having such a username makes it easy for hackers to guess half your login right away. Most brute-force attacks are automated, and usernames such as ‘admin’ or ‘administrator’ don’t do much to protect your account. Always use your own username backed by a strong password, following the guidelines covered in the earlier section.
Using Google Authenticator
Once a hacker gets access to one account, he can wreak havoc on your digital life in a matter of minutes. It is common practice today to have multiple accounts such as Gmail, Facebook, Twitter, etc. daisy-chained together, so getting into one account can compromise all the others too. Along with a strong password, you can add another layer to the login process known as 2-step authentication. This method of authentication requires you not only to know a password but also to possess something that only you have access to. The benefit of this approach is that, besides knowing your password, a hacker must also steal this possession to access your account.
WordPress offers 2-step authentication for smartphones using the Google Authenticator plugin. To enable 2-step authentication using Google Authenticator on your WordPress site:
Install and activate the plugin.
Go to the Google Authenticator section on the Users -> Profile page.
Check Active to enable 2-step authentication for that specific user. This is a very useful aspect of this plugin: you can enable the option only for your admin account and let the other users log in as usual.
Enter a suitable description.
Scan the generated QR code with your phone, or enter the key manually. The codes the app then produces are valid only for very short intervals, making every login secure.
Remember to hit the Update profile button at the bottom of the page before leaving the Personal options page.
Hiding your Login
WordPress’s login URL is wp-login.php. You can also type in wp-admin and WordPress will redirect you to the login page. But who doesn’t know this? What you might not know is that this can become a vulnerability for your site. It is very easy to tell whether a site runs on WordPress by viewing the page source. Once this is confirmed, the first thing an attacker will do is access your wp-login.php file. If you are still using the default ‘admin’ username, the hacker only needs to guess your password to access your site.
An easy way of preventing such attacks is to hide your login URL. This can be achieved with one of the various WordPress plugins available, such as Hide Login+, Lock WP Admin or Secure Hidden Login. The Hide Login plugin, for example, hides not only the login URL but also the logout, forgot-password and admin URLs.
Using HTTP Based Authentication
The security mechanisms so far have all been about the login process itself. Wouldn’t it be good to have a password for your content too? For example, you can have a password for your entire wp-admin folder. Whenever a browser tries to access this section, the server kick-starts an authentication process and requests the credentials. The browser, in turn, prompts the user for the username and password and then forwards this information back to the server for authentication. This server-client exchange is known as HTTP authentication or 401 Authentication, as the HTTP status code 401 is used here. There are many plugins that you can use to enable HTTP authentication for your WordPress site, the common ones being AskApache Password Protect and HTTP Authentication.
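The 401 exchange described above, implemented as a small WordPress mu-plugin that gates wp-admin behind HTTP Basic authentication. This is an added example, not code from the original post or from either plugin named; the gate username and password hash are placeholders, and it assumes the web server passes the Basic credentials to PHP in `PHP_AUTH_USER`/`PHP_AUTH_PW` (true for Apache with mod_php; PHP-FPM/CGI setups usually need a rewrite rule to forward the Authorization header).

```php
<?php
/**
 * Added example (not the original post's code): HTTP Basic authentication in
 * front of wp-admin. Install as wp-content/mu-plugins/admin-gate.php.
 * Placeholders: generate the hash with password_hash('your-secret', PASSWORD_DEFAULT).
 */
const ADMIN_GATE_USER = 'gatekeeper';                   // placeholder, change it
const ADMIN_GATE_HASH = '$2y$10$REPLACE_WITH_REAL_HASH'; // placeholder, see above

function admin_gate_check() {
    // Guard only dashboard requests. admin-ajax.php also reports is_admin() === true,
    // but themes and plugins call it from the public site, so it must be exempted
    // or visitors who cannot answer the prompt will see the front end break.
    if ( ! is_admin() || wp_doing_ajax() ) {
        return;
    }
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    // Constant-time name comparison plus a proper hash check; never compare plain text.
    if ( hash_equals( ADMIN_GATE_USER, $user ) && password_verify( $pass, ADMIN_GATE_HASH ) ) {
        return; // gate passed; the normal WordPress login still applies behind it
    }
    // Missing or wrong credentials: answer 401 with a challenge so the browser prompts.
    header( 'WWW-Authenticate: Basic realm="WordPress admin"' );
    status_header( 401 );   // WordPress helper that sets the status line
    nocache_headers();      // make sure the 401 is never cached
    exit( 'Authentication required.' );
}
add_action( 'init', 'admin_gate_check' );
```

Basic credentials are only base64-encoded on the wire, so this gate belongs together with the HTTPS step later in the list.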
Logging the Logins
Most sites have at least a few hundred unauthorized login attempts each day. How do we know this? By logging them. By logging every login attempt to your site, you will have all the information you need, such as the username, time of login, IP address, etc. There are many WordPress plugins for this purpose: WP Security Log, Simple Login Log, Login Security Solution, etc.
Limiting the Failed Login Attempts
So you have a mechanism in place to log all the login attempts. But wouldn’t it be nice to go one step further and limit the number of failed login attempts to your site? This way you can stop someone guessing your password right in their tracks. You can use a plugin such as Limit Login Attempts to impose this limit.
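The two previous tips, logging every login attempt and locking out an address after repeated failures, done together in one mu-plugin. This is an added example, not code from the original post or from the plugins it names; the thresholds, the log destination (PHP's error log) and the use of transients as the counter store are assumptions.

```php
<?php
/**
 * Added example (not the original post's or any plugin's code): logs every login
 * attempt with username, IP and time, and locks an IP out after too many failures.
 * Install as wp-content/mu-plugins/login-guard.php. Limits below are assumptions.
 */
const LOGIN_GUARD_MAX_FAILS = 5;                        // failures before lockout
const LOGIN_GUARD_WINDOW    = 15 * MINUTE_IN_SECONDS;   // counting and lockout window

function login_guard_ip() {
    // REMOTE_ADDR is the connecting address. Behind a reverse proxy, configure the
    // proxy to rewrite it rather than trusting X-Forwarded-For, which clients can forge.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function login_guard_key() {
    return 'login_guard_' . md5( login_guard_ip() );
}

function login_guard_log( $outcome, $username ) {
    // One line per attempt: UTC timestamp, result, user name and source IP.
    error_log( sprintf( '[login-guard] %s %s user=%s ip=%s',
        gmdate( 'c' ), $outcome, $username, login_guard_ip() ) );
}

// Successful login: record it and reset the failure counter for this IP.
add_action( 'wp_login', function ( $user_login ) {
    login_guard_log( 'SUCCESS', $user_login );
    delete_transient( login_guard_key() );
}, 10, 1 );

// Failed login (wrong name or password): record it and bump the per-IP counter.
add_action( 'wp_login_failed', function ( $username ) {
    login_guard_log( 'FAILURE', $username );
    $fails = (int) get_transient( login_guard_key() ) + 1;
    set_transient( login_guard_key(), $fails, LOGIN_GUARD_WINDOW );
} );

// Refuse locked-out addresses. Priority 30 runs after WordPress's own
// username/password check (priority 20), so that check cannot override the refusal.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( (int) get_transient( login_guard_key() ) >= LOGIN_GUARD_MAX_FAILS ) {
        return new WP_Error( 'login_guard_locked',
            'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}, 30, 2 );
```

A refusal returned from the filter also fires `wp_login_failed`, so blocked attempts land in the same log line format and keep extending the lockout window.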
Using Secure HTTP
You might already know that HTTP is the protocol used to transfer data over the Web. But did you know that all the data is transferred as plain text? If a hacker on the prowl sniffs your packets, valuable data such as credit card details will be compromised. If you are using plain HTTP while logging into your Admin dashboard, you might just be publicizing your login details. Imagine the havoc it would cause if someone got hold of your Admin login.
To prevent such attacks, it is best to always use the secure version of this protocol, HTTPS, while sending sensitive information over the Internet. HTTPS protects the information by encrypting all the data sent and received with SSL.
To enable HTTPS for your website, you need to obtain an SSL certificate from a provider. Your web host will then set up this certificate on your site so that every time an https:// page is requested, it is served over the secure connection. Once it is set up on the server, you can proceed with activating it on your WordPress site. You can use a plugin like WordPress HTTPS (SSL) to select the pages of your site that will use HTTPS and the others that will use plain-text HTTP.
Using CAPTCHA
Hackers most often use automated tools to attack sites. The common attacks are comment spam, bulk website registrations, flooding online polls, etc. Hence it is very important to have a mechanism in place that can tell humans and machines apart. You have probably used many of these already while filling in various web forms: they are the obscure texts you are asked to type in before hitting the Go button. Such a piece of text is known as a CAPTCHA, which is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. A CAPTCHA service provided by Google, known as reCAPTCHA, is freely available for your use.
Blacklisting IPs
The Internet can be a big, bad world sometimes, and you must take all measures to safeguard your site from evil-doers. In some cases, such as comment spam or login attacks, you may observe that they originate from the same IP(s). It is best to give a resounding slap to these troublemakers by blacklisting the IP(s) for good. Many WordPress plugins such as IP Blacklist Cloud, WP-Spam Blacklister, WP-Blacklister, etc. are available for your use.
Creating Secret Keys
WordPress secures cookies using secret keys. It is strongly recommended that you add secret keys to your wp-config.php instead of relying on WordPress to generate them. If your site is hacked, changing the secret keys will invalidate all cookies, thereby forcing all users to log in to your site again. Click here to read about WordPress Security Keys.
Taking Regular Backups
Though this point appears at the end of the list, it is no less important. Regular backups, on the other hand, will make your site safer than any of the steps above. There are several free and paid plugins available for this purpose. Click here to register for a WordPress backup service.
These were some of the ways in which you can secure the login to your WordPress site. Be sure to use multiple methods so that you get the best possible safeguarding solution for your site.
Akshat is the Founder and CEO of BlogVault, MalCare, and WP Remote. These WordPress plugins, designed for complete website management, allow 100,000+ customers to build and manage high-performance websites with ease.