5 Ways to Secure Your WordPress Login

Posted on September 30, 2019 at 4:10 PM


The success of WordPress stems in part from its ability to make web design easy. With WordPress, just about anyone can create a website. Its strengths, accessibility and ease of use, also come with some downsides, and one of the major ones is predictability. Anyone who has built or worked on a WordPress site knows that site changes are made through the /wp-admin area, and that reaching it is simply a matter of taking the domain name and adding /wp-admin, which redirects to the login form at /wp-login.php. Unless you change it, that URL is the same for each and every WordPress site, so an attacker can point an automated login tool at any site they find without doing any reconnaissance first. Moving the login URL with a plug-in raises the bar a little, but only by obscurity; the steps in this article protect the login itself, wherever it lives.

When you couple this predictability with the weak passwords that many people use, it becomes clear why WordPress sites are thought of as less secure than other sites. In a 2018 report by Hosting Canada, researcher Gary Stevens found that over a third of all successful attacks on WordPress-based blogs and businesses originated from weak passwords on the common /wp-admin login URL. In other words, a few simple steps to secure your login can mitigate a large share of the attacks seen in practice. In this article we are going to look at five DIY methods for setting this up.

1. Use Strong Passwords

Strong passwords are the key component of your WordPress login security, because attackers guess them with automated tools rather than by hand. A good password has a number of characteristics. The first is length. Treat twelve characters as the minimum and prefer longer: every extra character multiplies the number of guesses an attacker has to make, so length does more for you than any other property.

The second characteristic is a variety of characters: uppercase letters, lowercase letters, numerals and symbols. This matters less than length and randomness. A predictable substitution such as P@ssw0rd! ticks every box and still appears in every cracking wordlist.

The third feature is randomness, and it is essential if you want your WordPress password to be secure. Do not use your name, your children's or pets' names, your site's name or other information that people commonly associate with you, and do not rely on a dictionary word with a number or symbol tacked on the end. A randomly generated string, or a passphrase of four or more unrelated words, is far better, and the easiest way to get one is to let a password manager generate it for you.

Once you have made your password secure, keep it secure. Do not write it down where anyone can see it, and do not send it over e-mail or chat. Bear in mind that WordPress itself only shows a strength meter in the browser and lets the user tick "Confirm use of weak password" to override it, so a weak password is never actually rejected unless you enforce a policy on the server.
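Because core only warns about weak passwords in the browser, a minimum length has to be enforced on the server. The must-use plug-in below is an added example, not code from this article or from WordPress: the kd_ prefix, the twelve-character minimum and the list of forbidden context words are assumptions of the example, while the two hooks, the pass1 form field and the WP_Error API are WordPress's own.

```php
<?php
/**
 * Plugin Name: Server-side password policy (added example, not from the article)
 * Save as wp-content/mu-plugins/kd-password-policy.php; must-use plug-ins load
 * automatically and cannot be deactivated from the dashboard.
 *
 * WordPress core only shows a strength meter in the browser and lets the user tick
 * "Confirm use of weak password"; nothing is enforced on the server. These hooks
 * reject weak passwords on profile updates and on the password-reset form.
 */

const KD_MIN_PASSWORD_LENGTH = 12; // assumed policy value; raise it if your users can cope

/**
 * Returns a human-readable reason the password is unacceptable, or '' if it passes.
 * Deliberately free of WordPress calls so it can be tested in isolation.
 */
function kd_password_problem( $password, array $forbidden_words = array() ) {
    if ( strlen( $password ) < KD_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Password must be at least %d characters long.', KD_MIN_PASSWORD_LENGTH );
    }
    // "aaaaaaaaaaaa" or "111111111111" is long enough but trivially guessable.
    if ( count( array_unique( str_split( strtolower( $password ) ) ) ) < 4 ) {
        return 'Password must use more than three distinct characters.';
    }
    // Reject the username, site name and similar context words, case-insensitively.
    foreach ( $forbidden_words as $word ) {
        if ( strlen( $word ) >= 3 && stripos( $password, $word ) !== false ) {
            return sprintf( 'Password must not contain "%s".', $word );
        }
    }
    return '';
}

/** Shared handler: read the submitted password and add an error if it fails the policy. */
function kd_check_submitted_password( WP_Error $errors, $user_login ) {
    if ( empty( $_POST['pass1'] ) ) { // 'pass1' is the field name core uses for the new password
        return;
    }
    $forbidden = array( $user_login, get_bloginfo( 'name' ), wp_parse_url( home_url(), PHP_URL_HOST ) );
    $problem   = kd_password_problem( wp_unslash( $_POST['pass1'] ), array_filter( $forbidden ) );
    if ( $problem !== '' ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $problem ) );
    }
}

// Profile screen, whether a user edits their own profile or an admin edits another user.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    kd_check_submitted_password( $errors, isset( $user->user_login ) ? $user->user_login : '' );
}, 10, 3 );

// "Set new password" form reached through the password-reset e-mail link.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    kd_check_submitted_password( $errors, $user instanceof WP_User ? $user->user_login : '' );
}, 10, 2 );
```

kd_password_problem() can be exercised on its own: an eleven-character string such as Tr0ub4dor&3 returns the length error, a sixteen-character string that repeats one letter returns the distinct-character error, and a sixteen-character random string returns ''. The policy is deliberately simple; if you want "is this in a breach list" checks, that is a job for a dedicated plug-in, but the enforcement point stays the same two hooks.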

2. Use a Unique Password for Each Account

If you have created a strong password, it is difficult for attackers to recover it, but not impossible. Given enough computing time, an offline attack against a stolen password hash can eventually succeed, and often the attacker does not need to crack anything at all: lists of usernames and passwords leaked from other sites are simply replayed against WordPress logins in bulk, a technique known as credential stuffing.

It is estimated that most people have upward of 25 online accounts that require usernames and passwords. Remembering 25 unique pairs is a challenge, so what people often do is use the same username and password on multiple sites. This is dangerous because once a person gets into one of your accounts, they have everything needed to get into all of them. Even if you have multiple WordPress sites, the password for each one should be unique; that way, if one of them is compromised, the rest remain safe. A password manager removes the memory problem that drives reuse in the first place.

3. Limit Failed Login Attempts

Brute force attacks succeed by repeatedly trying username and password combinations until the right one is found. WordPress does not limit failed login attempts by default, and because that limit does not exist, WordPress sites are an easy target. A number of plug-ins add it: after a set number of failed attempts from an address, or against an account, further attempts are refused for a cooling-off period. WordPress itself does not "time out"; the plug-in rejects the attempt before the password is even compared, which turns an attack of thousands of guesses per minute into a handful per hour.

When setting the limit for your login attempts, take into consideration who is going to be logging into your WordPress site. If it is someone who is not tech savvy or who often forgets passwords, you may want to raise the limit slightly so that they are not constantly locked out. Also bear in mind that locking by IP address alone is weak: attackers rotate through many addresses, and behind a CDN or reverse proxy every visitor may appear to come from the same address unless the proxy's real-IP header is configured correctly. Counting failures per account as well as per address closes the first gap, at the cost of letting an attacker lock a legitimate user out for the duration of the cooling-off period.
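The following must-use plug-in shows what such a limit looks like underneath; it is an added example, not the article's code and not any particular plug-in. The kd_ prefix and the three policy values are assumptions; the wp_login_failed and wp_login actions, the wp_authenticate_user filter and the transient functions are WordPress's own. Because it hooks wp_authenticate_user, it applies to every path that calls wp_authenticate(), so XML-RPC logins are counted as well as form submissions.

```php
<?php
/**
 * Plugin Name: Login lockout (added example, not the article's code)
 * Save as wp-content/mu-plugins/kd-login-lockout.php.
 *
 * Counts failed logins per (client IP, account) pair in transients and refuses further
 * attempts for that pair once the limit is reached, before the password is compared.
 */

const KD_MAX_FAILURES   = 5;       // attempts allowed before lockout (assumed policy)
const KD_FAILURE_WINDOW = 15 * 60; // seconds during which failures are counted
const KD_LOCKOUT_TIME   = 30 * 60; // seconds a locked pair must wait

/**
 * Client address. REMOTE_ADDR cannot be forged by the client; X-Forwarded-For can, so only
 * switch to a proxy header here if your reverse proxy or CDN sets it and strips incoming copies.
 */
function kd_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Map whatever was typed (login name or e-mail address) to the account's login name. */
function kd_canonical_login( $username ) {
    $user = get_user_by( 'login', $username );
    if ( ! $user && is_email( $username ) ) {
        $user = get_user_by( 'email', $username );
    }
    return $user ? $user->user_login : (string) $username;
}

/** Transient key for one (ip, account) pair; hashing keeps the key short and option-safe. */
function kd_lockout_key( $ip, $login ) {
    return 'kd_fail_' . md5( $ip . '|' . strtolower( trim( $login ) ) );
}

/** Record a failure and start (or extend) the lockout once the limit is reached. */
add_action( 'wp_login_failed', function ( $username ) {
    $key   = kd_lockout_key( kd_client_ip(), kd_canonical_login( $username ) );
    $state = get_transient( $key );
    if ( ! is_array( $state ) ) {
        $state = array( 'count' => 0, 'locked_until' => 0 );
    }
    $state['count']++;
    $ttl = KD_FAILURE_WINDOW;
    if ( $state['count'] >= KD_MAX_FAILURES ) {
        $state['locked_until'] = time() + KD_LOCKOUT_TIME;
        $ttl                   = KD_LOCKOUT_TIME;
    }
    set_transient( $key, $state, $ttl );
} );

/** Refuse authentication while the pair is locked. Core calls this filter before checking the password. */
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    $login = $user instanceof WP_User ? $user->user_login : '';
    $state = get_transient( kd_lockout_key( kd_client_ip(), $login ) );
    if ( is_array( $state ) && $state['locked_until'] > time() ) {
        $wait = (int) ceil( ( $state['locked_until'] - time() ) / 60 );
        return new WP_Error( 'too_many_attempts', sprintf( 'Too many failed logins. Try again in %d minutes.', $wait ) );
    }
    return $user;
}, 10, 2 );

/** A successful login clears the counter for that pair. */
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( kd_lockout_key( kd_client_ip(), $user_login ) );
}, 10, 1 );
```

Two design points worth noting. Attempts made during a lockout still fire wp_login_failed, so each one pushes locked_until further out; an attacker who keeps hammering stays locked. And the key includes the IP address, so a distributed attack that spreads guesses across many addresses is not stopped; dropping the IP from kd_lockout_key() gives a per-account lockout that stops it but lets anyone lock a user out on purpose. Transients live in wp_options unless a persistent object cache is configured, which is fine for a small site.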


4. Use Two Factor Authentication

Most of us are familiar with two factor authentication: proving who you are with two different kinds of evidence, such as a password (something you know) plus a one-time code or token (something you have), or a password plus a fingerprint (something you are). Two passwords are not two factors. If you have ever changed your e-mail password, you were likely offered a phone call or a text message containing a code; that is two factor authentication.

With WordPress, a plug-in adds the second step: after you enter your username and password, you are asked for a one-time code from an authenticator app, a text message, or a hardware security key. The benefit is clear. To gain access to your site, a person would need to know your username and password and also hold your phone or key, and with a phone they would need its unlock code as well. Prefer an authenticator app (time-based one-time passwords) or a hardware key over SMS: text messages can be intercepted or redirected by a SIM swap, and the app and the key both work without a mobile signal. Keep the backup codes the plug-in issues somewhere safe, otherwise losing the phone locks you out too.
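To make the second step concrete, here is the arithmetic behind the six-digit codes an authenticator app produces: RFC 6238 TOTP built on RFC 4226 HOTP. It is an added example in PHP, not the article's code and not any particular plug-in's implementation. The kd_ function names are assumptions; the test secret and the expected codes come from RFC 6238 Appendix B.

```php
<?php
/**
 * RFC 6238 TOTP, added example (not from the article or any plug-in).
 * Checked against the RFC 6238 Appendix B SHA-1 vectors for secret "12345678901234567890":
 *   T=59 -> 287082, T=1111111109 -> 081804, T=1234567890 -> 005924
 * Run with: php totp.php
 */

/** Decode a base32 secret as printed in authenticator-app QR codes (RFC 4648 alphabet). */
function kd_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( $v === false ) {
            throw new InvalidArgumentException( 'invalid base32 character' );
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) { // trailing partial byte is padding, drop it
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
function kd_hotp( $secret, $counter, $digits = 6 ) {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true ); // 'J' = unsigned 64-bit big-endian
    $offset = ord( $hash[19] ) & 0x0F;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7F ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            |   ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/** TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). */
function kd_totp( $secret, $unix_time, $step = 30, $digits = 6 ) {
    return kd_hotp( $secret, intdiv( $unix_time, $step ), $digits );
}

/**
 * Verify a submitted code. Accepts one step of clock drift either way, and refuses any counter
 * at or below $last_used_counter so a code that was captured cannot be replayed.
 * Returns the counter that matched (persist it as the new $last_used_counter) or false.
 */
function kd_totp_verify( $secret, $submitted, $unix_time, $last_used_counter = -1, $step = 30, $digits = 6 ) {
    $submitted = preg_replace( '/\s+/', '', (string) $submitted );
    $now       = intdiv( $unix_time, $step );
    foreach ( array( $now - 1, $now, $now + 1 ) as $counter ) {
        if ( $counter <= $last_used_counter ) {
            continue;
        }
        if ( hash_equals( kd_hotp( $secret, $counter, $digits ), $submitted ) ) { // constant-time compare
            return $counter;
        }
    }
    return false;
}

// Demonstration with the RFC test key, base32-encoded the way an enrolment QR code carries it.
// A real deployment generates each user's secret with random_bytes(20) and stores it in user meta.
$secret = kd_base32_decode( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' ); // decodes to "12345678901234567890"
echo kd_totp( $secret, 1234567890 ), "\n";                                   // 005924
var_dump( kd_totp_verify( $secret, '005924', 1234567890 + 20 ) );            // int(41152263): matched
var_dump( kd_totp_verify( $secret, '005924', 1234567890 + 20, 41152263 ) );  // bool(false): replay refused
```

In a plug-in, kd_totp_verify() would run on the authenticate filter after the password check, and the matched counter would be written back to the user's meta so the same code is never accepted twice. The one-step window tolerates a little clock drift without widening the guess space much, and hash_equals() keeps the comparison constant-time; both are easy to get wrong when rolling your own, which is the argument for using a maintained plug-in rather than this file in production.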

5. Limit outside Authentication Attempts

Although the login form is the primary way that people log into WordPress, it is not the only place credentials are accepted. WordPress also takes a username and password over its XML-RPC interface (xmlrpc.php), used by remote publishing clients and mobile apps, and its system.multicall method lets a single HTTP request bundle hundreds of method calls, each carrying its own login attempt. A lockout that counts only form submissions never sees any of them. Core has since stopped authenticating further calls within one multicall after the first failure, but the endpoint still hands an attacker one guess per request. Limit XML-RPC to one username and password attempt per request, or disable XML-RPC entirely if nothing you use depends on it, and make sure your lockout counts those attempts too. This goes a long way toward keeping your WordPress login secure.

Along the same lines, limit how long a logged-in session stays valid. WordPress has no idle timeout: the login cookie lasts two days by default, or fourteen days with "Remember Me", whether or not the session is used. A plug-in can both shorten that lifetime and log the user out after a period of inactivity. One minute is too aggressive for anyone writing a post; something like fifteen minutes on a shared or public computer is a more realistic starting point. An abandoned session is otherwise an open door for anyone who sits down at the machine.
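Both halves of this section can be handled by one must-use plug-in. The file below is an added example, not code from the article or from WordPress; the kd_ prefix and the timeout values are assumptions, while the xmlrpc_enabled, xmlrpc_methods, auth_cookie_expiration and login_message filters and the init action are core's own.

```php
<?php
/**
 * Plugin Name: XML-RPC and session hardening (added example, not from the article)
 * Save as wp-content/mu-plugins/kd-session-hardening.php.
 */

// 1. If nothing you use (a mobile app, a remote-publishing client, a sync plug-in) needs XML-RPC,
//    refuse every method that requires a login. This does NOT affect pingback.ping, which needs
//    no login, so also block /xmlrpc.php at the web server if you can.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Whether or not you keep XML-RPC, remove system.multicall so one HTTP request can never
//    carry a batch of calls, each with its own credentials, through the endpoint.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
} );

// 3. Shorten the login cookie. Core defaults are 2 days, or 14 days with "Remember Me".
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return $remember ? 12 * HOUR_IN_SECONDS : 4 * HOUR_IN_SECONDS; // assumed policy values
}, 10, 3 );

// 4. Idle timeout. WordPress has no notion of an inactive session, so record the time of each
//    request per user and log out when the gap exceeds the limit. 15 minutes is assumed.
const KD_IDLE_LIMIT = 15 * MINUTE_IN_SECONDS;

add_action( 'init', function () {
    if ( ! is_user_logged_in() || wp_doing_cron() ) {
        return;
    }
    // The dashboard's Heartbeat calls admin-ajax.php by itself every minute or so while a tab
    // is open; ignore it, otherwise an unattended open tab would never time out.
    if ( wp_doing_ajax() && isset( $_REQUEST['action'] ) && 'heartbeat' === $_REQUEST['action'] ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, 'kd_last_activity', true );
    if ( $last && ( time() - $last ) > KD_IDLE_LIMIT ) {
        wp_logout(); // clears the auth cookies and destroys the current session token
        wp_safe_redirect( add_query_arg( 'kd_idle', '1', wp_login_url() ) );
        exit;
    }
    update_user_meta( $user_id, 'kd_last_activity', time() );
} );

// Tell the user why they are back at the login form.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['kd_idle'] ) ) {
        $message .= '<p class="message">You were logged out after ' . ( KD_IDLE_LIMIT / 60 ) . ' minutes of inactivity.</p>';
    }
    return $message;
} );
```

Two caveats a practitioner should weigh before deploying this. Ignoring Heartbeat means a writer who types for longer than the limit without saving is logged out, so pick the limit with your editors in mind. And the timestamp is stored per user, not per session: activity on one device keeps a forgotten session on another device alive, so the shorter cookie lifetime in step 3 remains the backstop.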

In this brief review, we have looked at a few ways that you can keep your WordPress site secure. Do you have other tips that have worked for you? If so, share these with us in the comments section below.
