One of the weak points for WordPress security is the WordPress login page - many times bots and hackers will target it with brute-force methods to try and gain access to your website. Once they are in the admin panel, there are many ways they can wreak havoc with your site, from installing spyware and placing nefarious links to hijacking your affiliate commissions and gaining access to your customer base if you use an eCommerce plugin. It makes sense to ensure that this area is as protected as possible, from simple techniques like not using "admin" as your main username to installing plugins that provide an extra layer of security - that is the subject of today's post.
I am going to be taking a look at a free service called Rublon, which makes sure that you can only log in to the WordPress admin panel from devices you authorize: even if a hacker gets your password, they still can't log in to your site. We reviewed the plugin when it first arrived last year; they have since updated the service so you no longer require a mobile phone to log in.
How Does Rublon Work?
Rublon uses something called "Two-Factor Authentication" to protect your WordPress login. You set up trusted devices from which you can access the admin area, such as your home PC, work PC, phone and so on, and it denies logins from any device not on your "Trusted" list. You can update these devices at any time - it will email your designated email account to confirm the new device. You then proceed to log in as usual using your username and password; that's why it is called "Two-Factor", as it adds an extra layer of security on top of the password. You can read more about the security features of the service here.
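To make the trusted-device idea concrete, here is a small model of the flow described above, written for this post and not taken from Rublon's code: a correct password alone returns "challenge" until a one-time confirmation token (the equivalent of the confirmation email) is redeemed for that device, and stale tokens are rejected. The class name, the 15-minute token lifetime and the captured "notices" list are all assumptions of the example.

```python
import hmac
import secrets
import time

# Constructed model of the trusted-device flow (not Rublon's code).
# A correct password alone is never enough: the device must already be trusted,
# otherwise the login is held until a confirmation token sent by email is used.

CONFIRM_TTL = 15 * 60  # seconds a confirmation token stays valid (assumed value)


class TrustedDeviceGate:
    def __init__(self, now=time.time):
        self.now = now       # injectable clock so expiry can be exercised
        self.trusted = {}    # user -> set of trusted device ids
        self.pending = {}    # token -> (user, device_id, expires_at)
        self.notices = []    # emails that would be sent, captured for inspection

    def attempt_login(self, user, password_ok, device_id):
        """Return 'deny', 'allow' or 'challenge' for one login attempt."""
        if not password_ok:
            return "deny"
        if device_id in self.trusted.get(user, set()):
            return "allow"
        # Unknown device: hold the login and issue a one-time confirmation token.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (user, device_id, self.now() + CONFIRM_TTL)
        self.notices.append((user, f"New device {device_id}: confirm with {token}"))
        return "challenge"

    def confirm_device(self, token):
        """Redeem a confirmation token; True if the device is now trusted."""
        match = None
        for candidate in self.pending:
            if hmac.compare_digest(candidate, token):  # constant-time compare
                match = candidate
        if match is None:
            return False
        user, device_id, expires_at = self.pending.pop(match)
        if self.now() > expires_at:
            return False  # stale link: the device stays untrusted
        self.trusted.setdefault(user, set()).add(device_id)
        self.notices.append((user, f"Device {device_id} is now trusted"))
        return True

    def revoke_device(self, user, device_id):
        """Remove a device from the user's trusted list."""
        self.trusted.get(user, set()).discard(device_id)
```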
Installation and Setup
After you have downloaded and activated the plugin you will see a new "Rublon" menu, where you can visit the "General Settings" link to set up default protection levels for the different types of site users.
For each user level on your site you can choose between email, mobile app and none as the protection level. Choose your required levels, log out, and then visit your login screen; you will see the Rublon logo has been added to the login form:
Log in as usual and you will come to a screen which requires you to download the Rublon app for your phone; choose the appropriate app store and add it to your phone.
Once you have the app, enter your email address and register; Rublon will send you an email to activate the account.
Now when you log in to your site, you will see the Rublon plugin verifying the login, and you can then visit the "Trusted Devices" menu and see your computer listed.
If you add new devices such as your phone, or log in from a new browser, you will need to authenticate yourself again and the new devices will then be listed under "Trusted Devices". You will also receive emails notifying you of sign-ins from new devices, so you can monitor your site logins.
If you have mobile authentication enabled and try to log in from a new browser, you will see a QR code appear on the screen:
You must then use the Rublon app on your phone to scan the screen to verify yourself.
This is a great plugin - very easy to use and completely free. I did look on their site to see why it was free and whether there would be any future fees for usage, and found this:
Why is Rublon Free? Our mission is to create a security layer for the Internet. We want to protect people from all over the world from attacks on their accounts. Greater confidence in the Internet will make everyone more willing to use it, which will result in the creation of more services that will make our lives better. We know that creating a barrier in the form of fees will significantly impede us in achieving this goal.
If you are looking to add an extra layer of security to your WordPress site then Rublon is well worth taking a look at - I can see this being great for eCommerce sites and other websites which store sensitive data.