The WPLift Guide to Strengthening Login Security in WordPress
In a previous post on WordPress security best practices, we discussed ‘security by obscurity’, which means obscuring the most commonly known paths to gaining control of your website. For example, everyone knows that before WordPress 3.0 the default username was admin, and a lot of website owners didn’t bother to change or delete it after installation. This made it easy for hackers to guess the username, so they only had to crack the password. Later on, WordPress implemented a new installation process that allows users to choose a username for the first user. Still, thousands of websites created before WordPress 3.0 have a user ‘admin’ with full control.
Another example of obscurity is removing the WordPress version information from your theme’s header. Leaving it in lets hackers learn your version, and if that version has a known or unknown exploit they could gain control of your website.
In this post we are going to discuss some ways to strengthen the security of the login page by obscuring access to it. Strengthening your login page protects you from some very common exploits and hacks. Consider your website a fortress and the login page its largest and most popular gate. The hackers know where it is and they have tools to break it down.
Password Protect Access to wp-login.php
The most common path to gaining access to a WordPress powered website is by brute forcing wp-login.php, the default login page for most WordPress websites. The purpose of this article is to secure this entrance. To do that, let’s start by adding an extra security layer to your wp-login.php page.
AskApache Password Protect is a powerful WordPress plugin that allows you to set a password on your login page. This means that hackers will have to break this username and password first before they can even reach wp-login.php.
Upon first installation, you might notice that it is a complicated plugin, which is understandable since it adds layers of security without changing your database. Make sure that you have made a backup of your website. The most common problem with any plugin that uses Apache .htaccess to do things on your website is that it can lock you out of the wp-admin area if something goes wrong.
After installation and activation you reach the plugin page under Settings > AA Pass Pro. The plugin author uses the first page to let you know what the plugin does and how to get it working. After this you press the ‘Initiate tests’ button at the bottom of the page.
The plugin then tests that the required modules are available on your web server. After the tests, you can click the button at the bottom of the test results to continue the setup.
The final setup page allows you to set an email address, username and password. The email address will be used to send you the password in case you forget it. Choose a strong username and password, and do not use the same username and password as your WordPress login.
Once you are done with the setup, you will have to activate the desired security module. In this case we would activate password protection for wp-login.php and wp-admin.
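If you would rather see what such a plugin does behind the scenes, here is an added example (our own illustration, not code from this article or from the AskApache plugin) that generates the two pieces Apache needs to put an HTTP Basic Authentication gate in front of wp-login.php: an .htpasswd line with a bcrypt hash and the .htaccess stanza. It assumes Apache 2.4 with mod_auth_basic and mod_authn_file and an APR-util version that accepts bcrypt hashes (the same format the htpasswd tool writes with -B); the file path and the gate user name are placeholders.

```php
<?php
// Added example (not the article's or the AskApache plugin's code): build the
// .htpasswd entry and the .htaccess stanza that gate wp-login.php with HTTP
// Basic Authentication. Assumes Apache 2.4 with mod_auth_basic/mod_authn_file
// and an APR-util that accepts bcrypt ("$2y$") hashes, the format `htpasswd -B`
// itself writes. Path and user name below are placeholders.

const HTPASSWD_PATH = '/var/www/private/.htpasswd'; // keep it outside the document root

// One .htpasswd line: "user:hash". password_hash() with PASSWORD_BCRYPT yields
// a "$2y$" hash, so no htpasswd binary is needed on the machine you run this on.
function htpasswd_line(string $user, string $password): string
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $user)) {
        throw new InvalidArgumentException('user name contains characters not allowed in .htpasswd');
    }
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Re-check a credential against a line, the way Apache will, before relying on it.
function htpasswd_check(string $line, string $user, string $password): bool
{
    [$storedUser, $hash] = explode(':', trim($line), 2);
    return hash_equals($storedUser, $user) && password_verify($password, $hash);
}

// Gate only wp-login.php here. Protecting the wp-admin directory as well (as the
// plugin offers) also blocks wp-admin/admin-ajax.php, which public pages may call.
function htaccess_stanza(string $htpasswdPath): string
{
    return <<<HTACCESS
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "$htpasswdPath"
    Require valid-user
</Files>
HTACCESS;
}

// Usage: a random gate password, deliberately different from any WordPress login.
$gateUser = 'gatekeeper';                 // constructed sample user name
$gatePass = bin2hex(random_bytes(12));    // 24 hex characters; keep it in a password manager
$line     = htpasswd_line($gateUser, $gatePass);

// Self-test: the right password verifies, a wrong one does not.
if (!htpasswd_check($line, $gateUser, $gatePass) || htpasswd_check($line, $gateUser, 'not-the-password')) {
    fwrite(STDERR, "self-test failed\n");
    exit(1);
}

echo "Gate password for {$gateUser}: {$gatePass}\n\n";
echo "Line for " . HTPASSWD_PATH . " (chmod 640, readable by the web server user):\n{$line}\n\n";
echo "Stanza to append to the WordPress root .htaccess:\n" . htaccess_stanza(HTPASSWD_PATH) . "\n";
```

Run it once from the command line, copy the printed line into an .htpasswd file outside the document root, and append the stanza to the .htaccess in your WordPress root. Basic Authentication only base64-encodes the credentials on the wire, so the gate is only as private as the connection: serve wp-login.php over HTTPS. Gating wp-admin as a whole directory, which the plugin also offers, additionally blocks wp-admin/admin-ajax.php, which some themes and plugins call for logged-out visitors, so check the public side of the site after enabling it.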
Set Limit On Login Attempts to WordPress Admin Area
We are talking about securing the login page of a WordPress powered website from brute force attacks and hacking attempts. As mentioned earlier, in a brute force attack the infiltrators try to gain access to your website by running automated bots against your login page. This can be made difficult by limiting the number of times a user can attempt to log in. Limit Login Attempts is a simple plugin that allows you to set the number of times a user can try to log in to the website.
- On a failed login attempt it informs the user how many tries they have left.
- Keeps a log of IP addresses of failed login attempts.
- Blocks the IP address when the login limit is reached.
- It also uses auth cookies to force a lockout.
- By changing the IP address and clearing the cookies a user can retry logging in.
Please note that many hacking attempts these days are far more advanced. These attempts use multiple IPs from a variety of IP pools, and they also discard login cookies, so the plugin will not be able to detect them. Still, this plugin can save you from a lot of less advanced hacking attempts on your website.
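To make the mechanism concrete, here is an added example of our own (not the Limit Login Attempts plugin's code) of a must-use plugin that does the core of what the plugin above does: it counts failed logins per client IP and per targeted account in WordPress transients, refuses further attempts for a while once the limit is hit, and tells the user how many tries remain. The threshold and timings are assumptions you can tune.

```php
<?php
/*
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Added example, not the Limit Login Attempts plugin's code.
 * Counts failed logins per client IP and per account and locks out for a while.
 */

// Assumed policy values; tune to taste.
const LAL_MAX_ATTEMPTS    = 5;
const LAL_WINDOW_SECONDS  = 15 * MINUTE_IN_SECONDS;   // failures are counted within this window
const LAL_LOCKOUT_SECONDS = 30 * MINUTE_IN_SECONDS;

// Use the socket address only. Headers such as X-Forwarded-For are attacker
// supplied unless a trusted reverse proxy in front of WordPress rewrites them.
function lal_client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Transient name for a (scope, value) pair; md5 keeps it short and option-safe.
function lal_key(string $scope, string $value): string
{
    return 'lal_' . $scope . '_' . md5(strtolower($value));
}

function lal_is_locked(string $scope, string $value): bool
{
    return (bool) get_transient(lal_key($scope, $value) . '_lock');
}

// Record one failure and return the running count; lock when the limit is hit.
function lal_record_failure(string $scope, string $value): int
{
    $key   = lal_key($scope, $value);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LAL_WINDOW_SECONDS);
    if ($count >= LAL_MAX_ATTEMPTS) {
        set_transient($key . '_lock', time(), LAL_LOCKOUT_SECONDS);
        delete_transient($key);   // start a fresh count once the lock expires
    }
    return $count;
}

// 1. Refuse the attempt outright while a lock is active. Priority 30 runs after
//    WordPress's own user name/password check (priority 20).
add_filter('authenticate', function ($user, $username) {
    $username = (string) $username;
    if ($username === '') {
        return $user;
    }
    if (lal_is_locked('ip', lal_client_ip()) || lal_is_locked('user', $username)) {
        return new WP_Error(
            'too_many_attempts',
            __('<strong>Error:</strong> Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 2);

// 2. On failure, count against both the source address and the targeted account,
//    so one address trying many accounts and many addresses trying one account
//    are both caught. Tell the user how many tries remain and log the event.
add_action('wp_login_failed', function ($username) {
    $username  = (string) $username;
    $ipCount   = lal_record_failure('ip', lal_client_ip());
    $userCount = lal_record_failure('user', $username);
    $left      = LAL_MAX_ATTEMPTS - max($ipCount, $userCount);
    if ($left > 0) {
        add_filter('login_errors', function ($message) use ($left) {
            return $message . ' ' . sprintf(_n('%d attempt remaining.', '%d attempts remaining.', $left), $left);
        });
    }
    error_log(sprintf('[lal] failed login user=%s ip=%s', $username, lal_client_ip()));
});

// 3. A successful login clears the counters for that account and address.
add_action('wp_login', function ($user_login) {
    delete_transient(lal_key('user', (string) $user_login));
    delete_transient(lal_key('ip', lal_client_ip()));
});
```

Save it as wp-content/mu-plugins/login-attempt-limiter.php; must-use plugins load without activation, so try it on a staging site first. Because it hooks the authenticate filter rather than the login form, the same limit applies to XML-RPC and REST logins. Counting per account as well as per IP is what still catches the distributed attempts described above, where each request arrives from a different address; the trade-off is that anyone who knows a user name can lock that account out temporarily, which is why the lockout is short and expires on its own. Failed attempts also go to the PHP error log, so your server keeps a record even though the transients themselves expire.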
Add Google’s 2 Step Authentication to WordPress
Google highly recommends using 2-step verification for all Google Account holders. Using the Google Authenticator API, any web based application can also take advantage of Google’s 2-step authentication. WordPress and all websites powered by WordPress are web applications too, so you can use it on your sites as well.
Important: This plugin only works with smartphones like iPhone, Android, or BlackBerry devices.
- Download and install the Google 2-step authenticator plugin.
- Go to Users > Your Profile, where you will find the Google 2-step authenticator setup.
- Provide a description; this could be anything that identifies your website, for example “NewDemoWebsite”. Make sure you don’t use spaces in the description.
- Download and install Google Authenticator for your iPhone, Android, or BlackBerry.
- Add a new account in the app you downloaded on your phone.
- Scan the QR code shown under Google Authenticator Setup on your website.
- Provide the Secret key from Google Authenticator Setup on your website.
Now when you sign in to your WordPress website, you generate a code on your smartphone and enter it along with your password. If you have trouble signing in, please look at the plugin FAQs.
Require Users to Choose Strong Passwords in WordPress
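If you are curious what the plugin checks when you type that code, here is an added example (our own illustration, not code from the Google Authenticator plugin) of the verification step. Google Authenticator implements TOTP (RFC 6238): the app and the site share the Base32 secret shown during setup, both compute an HMAC-SHA1 over the current 30-second time step, and the site accepts the six-digit truncation of that HMAC if it matches, allowing one step of clock drift on either side and refusing a code that was already used. The secret in the usage section is the RFC 6238 reference key, not a real one.

```php
<?php
// Added example (not the Google Authenticator plugin's code): TOTP verification
// as in RFC 6238 with the parameters Google Authenticator uses: HMAC-SHA1,
// 30-second time step, six digits, Base32-encoded shared secret.

// Decode the Base32 (RFC 4648) secret shown during setup into raw key bytes.
function base32_decode_rfc4648(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32  = strtoupper(str_replace([' ', '='], '', $b32));
    $bits = '';
    foreach (str_split($b32) as $char) {
        $value = strpos($alphabet, $char);
        if ($value === false) {
            throw new InvalidArgumentException('not a Base32 string');
        }
        $bits .= str_pad(decbin($value), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {            // drop the trailing partial group
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

// The code the phone shows for a given moment: HOTP (RFC 4226) over the time counter.
function totp_code(string $key, int $unixTime, int $step = 30, int $digits = 6): string
{
    $counter = pack('J', intdiv($unixTime, $step));   // 8-byte big-endian counter
    $hmac    = hash_hmac('sha1', $counter, $key, true);
    $offset  = ord($hmac[19]) & 0x0f;                 // dynamic truncation
    $binary  = ((ord($hmac[$offset]) & 0x7f) << 24)
             | (ord($hmac[$offset + 1]) << 16)
             | (ord($hmac[$offset + 2]) << 8)
             |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Verify a submitted code. Returns the accepted time counter (store it as the new
// $lastUsedCounter for this user) or null. $window steps on each side absorb
// clock drift; counters at or below $lastUsedCounter are refused to stop replays.
function totp_verify(string $key, string $code, int $now, int $lastUsedCounter, int $window = 1): ?int
{
    if (!preg_match('/^\d{6}$/', $code)) {
        return null;
    }
    for ($i = -$window; $i <= $window; $i++) {
        $time    = $now + $i * 30;
        $counter = intdiv($time, 30);
        if ($counter <= $lastUsedCounter) {
            continue;
        }
        if (hash_equals(totp_code($key, $time), $code)) {
            return $counter;
        }
    }
    return null;
}

// Usage with the RFC 6238 reference key ("12345678901234567890" in Base32);
// the expected codes are the last six digits of the RFC's Appendix B values.
$key    = base32_decode_rfc4648('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
$checks = [59 => '287082', 1111111109 => '081804', 1234567890 => '005924'];
foreach ($checks as $time => $expected) {
    if (totp_code($key, $time) !== $expected) {
        fwrite(STDERR, "TOTP mismatch at T={$time}\n");
        exit(1);
    }
}
$accepted = totp_verify($key, '287082', 59, 0);         // first use: accepted, counter 1
$replayed = totp_verify($key, '287082', 75, $accepted); // same code again: refused
echo ($accepted === 1 && $replayed === null) ? "TOTP checks pass\n" : "TOTP checks fail\n";
```

The one piece the example leaves to you is storage: keep the last accepted counter per user (user meta in WordPress) and pass it in as $lastUsedCounter. Without that, a code that someone managed to observe, for instance over an unencrypted connection, could be submitted again within the same 30-second window, which is exactly the kind of reuse a one-time code is meant to prevent.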
The first step in any online account safety book is choosing strong passwords. If you are running a multi-author website on WordPress, there is a chance that users may not feel as responsible when choosing passwords as you would like them to be.
Using the Enforce Strong Password plugin you can make sure that users choose strong passwords. It is a very simple plugin and it uses the same password strength checker as WordPress. However, where WordPress would let users create an account even if their password is weak, this plugin will not allow users to set up an account with a weak or medium password.
I wish I could tell you that there is one plugin that will make you forget everything about security. But I can’t, because there is no such tool and there will never be one. Your website’s security can be strengthened, and all security measures need to be updated on a timely basis. However, by taking multiple security precautions you can make it very difficult for hackers to gain control of your website.
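The strength meter WordPress shows is JavaScript running in the browser, so any check that relies on it alone can be bypassed by posting the form directly. Here is an added example of our own (not the Enforce Strong Password plugin's code) of a must-use plugin that re-checks a simple policy on the server wherever a password is set through the profile page, the add-user screen or the reset form. The rules (minimum length, character variety, no long repeats, no account or site name inside the password) are assumptions; adjust them to your policy.

```php
<?php
/*
 * Plugin Name: Server-side Password Policy (added example)
 * Description: Added example, not the Enforce Strong Password plugin's code.
 * Checks a password policy on the server wherever a password is set.
 */

const SPP_MIN_LENGTH = 12;   // assumed policy value

// Return the rules a password violates; an empty array means it is acceptable.
function spp_password_problems(string $password, array $forbiddenWords = []): array
{
    $problems = [];
    if (strlen($password) < SPP_MIN_LENGTH) {
        $problems[] = sprintf('at least %d characters', SPP_MIN_LENGTH);
    }
    $classes = preg_match('/[a-z]/', $password)
             + preg_match('/[A-Z]/', $password)
             + preg_match('/[0-9]/', $password)
             + preg_match('/[^a-zA-Z0-9]/', $password);
    if ($classes < 3) {
        $problems[] = 'three of: lowercase, uppercase, digits, symbols';
    }
    if (preg_match('/(.)\1{3}/', $password)) {
        $problems[] = 'no character repeated four times in a row';
    }
    // A long password built around the user name or site name is still guessable.
    foreach ($forbiddenWords as $word) {
        if (strlen($word) >= 4 && stripos($password, $word) !== false) {
            $problems[] = sprintf('must not contain "%s"', $word);
        }
    }
    return $problems;
}

// Words that should not appear in the password: site name, login, email local part.
// $user is a WP_User (password reset) or the stdClass edit_user() builds (profile page).
function spp_forbidden_words($user): array
{
    $words = [get_bloginfo('name')];
    if (is_object($user)) {
        if (!empty($user->user_login)) {
            $words[] = $user->user_login;
        }
        if (!empty($user->user_email) && ($local = strstr($user->user_email, '@', true)) !== false) {
            $words[] = $local;
        }
    }
    return array_filter($words);
}

// Shared validator: adds to $errors when a submitted password breaks the policy.
function spp_validate(WP_Error $errors, $user): void
{
    if (empty($_POST['pass1'])) {
        return;   // the form did not set a new password
    }
    $password = (string) wp_unslash($_POST['pass1']);
    $problems = spp_password_problems($password, spp_forbidden_words($user));
    if ($problems) {
        $errors->add(
            'weak_password',
            '<strong>Error:</strong> The password must have ' . esc_html(implode('; ', $problems)) . '.'
        );
    }
}

// Profile page and "Add New User" screen (both go through edit_user()).
add_action('user_profile_update_errors', function (WP_Error $errors, $update, $user) {
    spp_validate($errors, $user);
}, 10, 3);

// Password reset form on wp-login.php.
add_action('validate_password_reset', 'spp_validate', 10, 2);
```

Save it as wp-content/mu-plugins/password-policy.php. The two hooks, user_profile_update_errors and validate_password_reset, are WordPress core actions that fire before the new password is written, so a rejected password never reaches the database, whatever the browser-side meter said.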