Simple WordPress Security Using Strong Usernames and Passwords and Two-Step Authentication
The most common WordPress hacks result from the use of poor usernames and passwords. To protect your site from brute force attacks (repeated automated guesses at the username and password of your administrative account), you can do the following:
1 – Change your admin username.
To do this:
1 – Log in to your site.
2 – Create a new administrative user that does NOT use the word “admin” as the username. You can make this long and use letters and numbers.
3 – Log out of your site.
4 – Log in with the new administrative username.
5 – Delete the old “admin” user but be sure to ASSIGN all posts, pages, etc. to the new user when prompted.
2 – Change your password to something strong (really strong)
Something strong is usually NOT something you can remember. Ideally, you’ll use a random password generator, such as:
- RPG Dashboard Widget for Mac OS: https://www.apple.com/downloads/dashboard/networking_security/rpgwidgetedition_davidkreindler.html
If you use strong passwords, you’ll need something to securely keep track of them. I prefer 1Password: https://agilebits.com/products/1Password
3 – Monitor login activity
Wordfence (https://wordpress.org/extend/plugins/wordfence/) allows you to limit the number of password retrieval requests and will inform you if anyone logs into your site as an administrator (as well as limit login attempts from a particular IP address).
From Matt Mullenweg:
“Most other advice isn’t great – supposedly this botnet has more than 90,000 IP addresses, so an IP-limiting or login-throttling plugin isn’t going to be great (they could try from a different IP [address] a second for 24 hours).”
What the Wordfence plugin can be used for is noting if files are changed on the server and if someone does log in with administrative access. It also blocks “bad” bots. I think these are helpful: even if they do not necessarily prevent people from trying to gain access, you will have more information about what is happening on your site.
Wordfence is a really great free security plugin with so many features that it’s hard not to use it. Of all the plugins I’ve tried, I think it provides the most overall functionality that is truly helpful as compared to other security plugins. Better WP Security plugin is good for checking file permissions and changing your WordPress tables — which only need to be done once. It’s a good plugin for getting set up, but I don’t think it provides as much useful functionality as an ongoing monitoring tool. Bulletproof Security tightens down your site with .htaccess files, but it can also conflict a lot with other things on your site and really cause problems if you don’t spend quite a bit of time tweaking it. Definitely not a plugin you can just set and go. Read this article, which compares Wordfence to other security plugins, and you’ll see what I mean.
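As an added example (not code from this post or from Wordfence), here is a small Python detector run over constructed login-audit lines. It illustrates the point above: when a botnet spreads its guesses over many IP addresses, a per-IP limit never trips, but counting failures per account still surfaces the attack, and successful administrative logins can be reported the way Wordfence does.

```python
import re
from collections import Counter

# Constructed sample of a login audit log (format and addresses invented for
# this example); one line per login attempt as a monitoring plugin might log it.
SAMPLE_LOG = """\
2013-04-12 10:00:01 FAILED user=admin ip=203.0.113.10
2013-04-12 10:00:02 FAILED user=admin ip=203.0.113.11
2013-04-12 10:00:03 FAILED user=admin ip=203.0.113.12
2013-04-12 10:00:04 FAILED user=admin ip=203.0.113.13
2013-04-12 10:00:05 FAILED user=admin ip=203.0.113.14
2013-04-12 10:00:06 FAILED user=admin ip=203.0.113.15
2013-04-12 10:00:07 SUCCESS user=jsmith ip=198.51.100.7
2013-04-12 10:00:08 FAILED user=editor ip=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) (FAILED|SUCCESS) user=(\S+) ip=(\S+)$")


def parse(log_text):
    """Yield (timestamp, outcome, user, ip) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groups()


def flag_brute_force(log_text, per_ip_limit=5, per_user_limit=5):
    """Return (ips_over_limit, users_over_limit) as sorted lists.

    A distributed attack (one guess per address) stays under per_ip_limit,
    so the per-user count is the one that actually catches it.
    """
    events = list(parse(log_text))
    failed = [(user, ip) for _, outcome, user, ip in events if outcome == "FAILED"]
    by_ip = Counter(ip for _, ip in failed)
    by_user = Counter(user for user, _ in failed)
    ips = sorted(ip for ip, n in by_ip.items() if n >= per_ip_limit)
    users = sorted(user for user, n in by_user.items() if n >= per_user_limit)
    return ips, users


def admin_logins(log_text, admin_users):
    """Successful logins by administrative accounts: the event worth alerting on."""
    return [(ts, user, ip) for ts, outcome, user, ip in parse(log_text)
            if outcome == "SUCCESS" and user in admin_users]
```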
4 – Enable Two-Step Authentication
The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.
If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail/Dropbox/Lastpass/Amazon etc.
The two-factor authentication requirement can be enabled on a per-user basis for your WordPress site. You could enable it for your administrator account, but log in as usual with less privileged accounts (such as Contributor or Editor).
To set up two-step authentication:
- Make sure your web hosting is capable of providing accurate time information for PHP/WordPress, i.e., make sure an NTP daemon is running on the server.
- Install and activate the Google Authenticator plugin.
- Go to Users and click the user you want to enable authentication for to edit that user’s profile.
- Enter a description that will display in the Google Authenticator app on your phone. This is to differentiate Google Authentication for different WordPress installs you may be using this on.
- Download the Google Authenticator app to your phone.
- Scan the generated QR code on the user page with your phone, or enter the secret manually in the Google Authenticator app on your phone; remember to pick the time-based option. You may also want to write down the secret on a piece of paper and store it in a safe place.
- Remember to hit the Update Profile button at the bottom of the page before leaving the Personal Options page.
- That’s it, your WordPress blog is now a little more secure.
Log out, and you will now notice that you must have a Google Authentication code to log back in.
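To show why the time-based option and an accurate server clock matter, here is an added Python example (not code from this post or from the Google Authenticator plugin) implementing the TOTP check a plugin performs: the code is an HMAC over the current 30-second step, and the server accepts only the current step plus one step of drift either way. The secret used is the published RFC 4226/6238 test secret, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 4226 / RFC 6238 test secret ("12345678901234567890" in base32);
# used here only so the results below are reproducible.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP where the counter is the number of 30-second
    steps since the Unix epoch. The phone computes exactly this value."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32, code, server_time, step=30, window=1):
    """Accept `code` if it matches the server's current step or any step within
    +/- `window`. If the server clock is off by more than `window` steps
    (here 30 seconds), every code the phone shows is rejected, which is why
    the setup instructions insist on NTP. The comparison is constant-time."""
    current = int(server_time) // step
    for drift in range(-window, window + 1):
        candidate = hotp(secret_b32, current + drift)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    phone_code = totp(TEST_SECRET_B32, 59)          # what the app shows at t=59
    print("accepted, clock exact:", verify_totp(TEST_SECRET_B32, phone_code, 59))
    print("accepted, server 30s ahead:", verify_totp(TEST_SECRET_B32, phone_code, 89))
    print("accepted, server 90s ahead:", verify_totp(TEST_SECRET_B32, phone_code, 149))
```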
Note: This feature will soon be released in Jetpack for those of you using Jetpack. Two-step authentication is already built in to blogs on WordPress.com and just needs to be turned on. For instructions to enable this on your WordPress.com account: https://en.blog.wordpress.com/2013/04/05/two-step-authentication/
5 – Limit Who Has Administrative Privileges
It might be a good idea to assign the author of posts and pages to non-administrators to avoid “giving up” the administrator login name via the author archive URL. To do this, set up a user who is a contributor or editor and when you do create posts or pages, assign those to that person. Also, limiting administrative privileges helps control the security (password and authentication above) for that critical user. Don’t forget to delete old users!
6 – Backup your data NOW!
There is no time to waste. You must have a good backup of your site, because that is your ONLY true safeguard. Some options:
- Backup Buddy (great plugin that you can use to do a backup right now as well as schedule): https://askwpgirl.com/go/backupbuddy.php (affiliate link)
- WP DB Backup (use it to do a quick database backup, but you will also need to use the web host’s File Manager or FTP to download a copy of your wp-content folder): https://wordpress.org/extend/plugins/wp-db-backup/
- Back WP Up: https://wordpress.org/extend/plugins/backwpup/
- VaultPress.com – Backup, one-click restore, and site monitoring ($)
- Snapshot of your site via your web host’s control panel — this would be the quickest, simplest thing you could do to grab a complete snapshot of your site and download it to your computer
Note: When backing up your site, you have two things to pay attention to:
- The database: absolutely critical – this is the content of ALL your posts, pages, and WP Dashboard options
- The wp-content folder: this contains your theme, installed plugins, and all your uploaded images and files
7 – Delete unused plugins and themes and UPDATE everything
While not related to this particular attack, staying up to date is critical, and deleting unused themes or plugins is always a good idea to limit vulnerability. If you have a theme that uses the TimThumb script for image resizing, install a plugin to keep your TimThumb script up to date.
8 – If you get hacked
- You may not know it for a long time or until your site is blacklisted by Google. Hence, a plugin like Wordfence may alert you if malicious code is found in any files.
- Immediately log in to your site and change your password. Also, change your email, hosting, and FTP passwords.
- Find someone who can help you restore from your backup or clean up your files. Usually your web host can restore from a recent backup very quickly, if one is available. I sometimes can help people with this, or you can contact the good folks at Sucuri.net.
Back-to-basics security measures in the form of strong passwords, unique usernames, staying up to date, and keeping your site backed up are really the only truly effective things you can do at any given point in time. If you are using vulnerable plugins or themes, you are at risk. Use plugins and themes with caution and keep them up to date. Hackers go after low-hanging fruit, typically, so be smart.