Just as the quality of the code on the site matters, the level of security does, as well.
Without further ado, here’s how to make brute force WordPress attacks less scary:
- don’t use the admin username, and instead:
- make a new account and transfer all the posts there while changing the status to a subscriber;
- change the username;
- password protect the wp-login page;
- change the address of wp-login page into a custom one;
- use good passwords with the help of:
- Force Strong Password plugin;
- LastPass generator;
- restrict server access – for Apache, for example, you can limit the wp-admin access with .htaccess (head on to WordPress Codex for detailed instructions);
- deny access to no referrer requests;
- limit login attempts (either using a WordPress plugin or on server);
- use cloud and proxy services, as long as they don’t slow down the performance.
Take care of that, and you’ve got the base covered. The base. There are plenty of other, more advanced solutions on the market, but that’s another story.
Use 2-factor authentification
You should go and enable the 2-factor authentification not only on your WordPress, but also inside the private Gmail account, on Facebook, LinkedIn, and everywhere you can. Here’s a handy list.
A two-factor authentification (2FA, which can also be considered a multi-factor authentification), is a simple method of confirming a user’s identity by using a combination of two different components. For example, if you try and login into LinkedIn using your password, the 2FA will ask you for an additional code that is going to be delivered via text.
Banks have been doing this for a while now. Some institutions ask you for a similar confirmation when concluding online payments.
What does it all have to do with WordPress?
Making sure that you use a complex password, and changing it regularly, is just the first step. Another one – implementing 2FA.
Install Clef, Duo, Authy, Rublon, or WordFence. Or any other you find suitable. These plugins will ensure that you benefit from a much stronger authentification method.
There are some drawbacks, obviously. First of all, the login process will take longer. You have to not only type in your password but also provide an additional login method. Second – if you choose to authenticate with your mobile phone, and forget to take the device from home, you end up… Well, not logged in.
Let’s say you want to buy a lightbulb. You just saw a beautiful one, like the most stylish light bulb ever. It’s amazing.
And you want to buy it online. The first thing you should do, is to make sure that the transaction will be secure – and that’s where SSL and HTTPS come in.
HTTPS encrypts the connection between your browser and the server of the shop that sells the lightbulbs.
SSL, on the other hand, is a cryptographic protocol for identification purposes. Each site is issued a different one. The main idea here is to have HTTPS and SSL “talk” to each other.
This is especially important for e-commerce businesses – not only due to requirements of payment providers but for the clients, as well. It even matters to Google concerning SEO/SERP results.
When it comes to setting up WordPress to use SSL and HTTPS, there’s a great tutorial on WPBeginner.
Use plugins from official resources
Seriously, stop installing pirated premium plugins.
And stop using the ones that came from strange sources.
WordPress’s core is lean, simple, and lightweight. Plugins enhance its capabilities, make it more versatile, and more suited to your and your client’s needs.
While a process of installing a plugin is simple enough, the real challenge is choosing the right ones and updating them regularly. Don’t go for plugins that are not looked after.
It’s also really smart to choose only the plugins that you know the origins of – and especially smart not to use pirated plugins. Here’s why:
- you’ll significantly decrease chances of getting hacked;
- you won’t become an intellectual property thief.
Sucuri conducted a highly useful WordPress-oriented report on pirated plugins. Here’s an excerpt: