Website security is essential. I don’t know if you pay attention to tech news, but there have been a number of WordPress security breaches over the last year. If your website is hacked, you may not lose information (if you have backups), but you will undoubtedly end up spending your valuable time cleaning up the mess or paying someone to do it for you.
There are some quick and easy things that you can do to make your WordPress website more secure. Taking these steps can make it a lot more difficult for hackers to break into your website. I’m going to walk you through five of them.
STEP 1— Update WordPress and WordPress Plugins
Keeping your WordPress installation up to date is most important. These days keeping the WordPress core files up to date is easier because most updates happen automatically. WordPress plugins are another story. Be sure to login to your website every week or so and update your plugins. Plugin updates often address security issues or bugs that have been found in that plugin. You can even receive updates when a plugin is out of date which leads me to step two.
STEP 2— Install a Free Security Plugin Like Wordfence
Having a security plugin like Wordfence installed will help you in a number of ways. First, Wordfence can send you email notifications if something happens (like if someone logs in with your user account, your core WordPress files are changed, or a plugin needs updating – check your settings if you want those emails). Wordfence will also block what are called “brute force attacks.” This is when someone sends a barrage of login attempts trying to break into your website by trying different passwords. The plugin limits the amount of login attempts a user can make. It will even allow you to block particular users or countries.
If you are using “Managed WordPress Hosting” this step may not apply to you. Managed WordPress hosts like Flywheel or WPEngine manage security for you. They do not recommend installing security plugins that duplicate what they are already doing because they may cause conflicts. Be aware of this and check with your host.
STEP 3— Use Cryptic Usernames and Strong Passwords
When you’re setting up your user accounts, create somewhat cryptic usernames. NEVER use “admin” as the username for your “Administrator” account or any account for that matter. “Admin” is the first username that hackers will try when attempting to break into your website.
If you have a number of people who need to login to your website, only give them the amount of access that they need. Limit the number of people who have “Administrator” access to only those who need it and who you truly trust that they know what they’re doing.
TIP: Set up 2 User Accounts – Primarily use an “Editor” account for Content Updates
When I’m setting up my user accounts for a client’s website, I have one account that has “Administrator” privileges and I have a second account that has “Editor” privileges. (NOTE: you will need to use a different email address for each account.) The “Administrator” account allows access to change ANYTHING on your website. It should only be used when you need administrator access to build the site or when you need to install plugins, change layouts/code, etc. If you are just making content updates (adding blog posts, editing text, adding pages and images), use the “Editor” account instead. This will keep you from accidentally breaking something.
I can’t say this enough. Don’t use the same password for multiples accounts. Make sure your passwords are long (at least 16 characters) and use both lowercase and uppercase letters, numbers, and special characters too OR let WordPress generate a password for you.
Use a Password Manager if you have a “Plethora” of Passwords
Use a password manager if you have a lot of passwords to track. I like KeePass – it is a program that you can use to store your passwords. You can put the little database file for your KeePass passwords in your Dropbox folder so that you can access it on different devices. No worries – it will be encrypted so no one else can open it. Use a strong password for sure for your KeePass database. Also, don’t open your KeePass file (.kdbx) on two devices at the same time and edit information or it will cause conflicted copy errors.
Many people like LastPass – it is another password manager that stores your passwords online. If you are logged in to LastPass, it will log you in to your other website accounts automatically which can save time.
TIP: Force Strong Passwords for your websites with multiple Administrators/Editors
If you are running a website that has multiple users who are logging in and editing content, you can’t count on them picking strong passwords. You may want to install a plugin like “Force Strong Passwords.” It will force any users who have higher access (usually Author, Editor, or Administrator) to choose a strong password.
STEP 4— Add Two-Factor Authentication to your WordPress Website
Two factor authentication (2FA) is one of the easiest things that you can add to your WordPress website to make it more secure. When two factor authentication is set up on a person’s account, the user has to enter a second 6-digit code to login to the WordPress Dashboard. The code is either sent to them in a text on their phone, or they have to go and look it up in an app like Google Authenticator.
Within Google Authenticator, the code/number changes every minute – there is a little clock icon that counts down the minute so that you know how much time you have left until it changes.
There are some two factor authentication plugins for WordPress that you can use for free. We are going to install the free “Two Factor Authentication” plugin in this mini tutorial.
Install the “Two Factor Authentication” Plugin
First, login to your WordPress website on your computer. Go to “Plugins,” click “Add New,” and search for the “Two Factor Authentication” plugin. Install it and activate it.
Install the Google Authenticator App
Next, grab your phone and install the “Google Authenticator” app and activate it if you don’t already have it.
How to Add your User account to the Google Authenticator app and Turn On Two Factor Authentication
- Login to your WordPress website Dashboard on a computer/device other than your phone
- Look in the left side menu of the Dashboard for the tab titled, “Two Factor Auth,” and click it
- Scroll down until you see a barcode (square design with blocks)
- Install/open the Google Authenticator app on your smart phone (download it and activate it from the Google Play Store/Apple Store)
- Click the little “+” icon in a red circle
- Click “Scan a barcode“
- Hold your phone’s camera up so that it “sees” the barcode on your computer screen – it will save it to your phone
- Look for the “Privacy key(s)” – copy and paste them somewhere safe (YOU WILL NEED THEM if you lose or damage your phone or you will be locked out of your account – I put them with my login information for that account in the “notes” section of KeePass)
- Don’t forget to ENABLE – Above the barcode on your computer screen, click the “Enable” button and then click, “Save”
- The next time you login to your WordPress Dashboard, you will be required to enter the code that shows up with your account in the Google Authenticator app
Go through the above steps for each of your own user accounts and ask anyone else who has a login for your website to do this as well. (The free version of the plugin does not allow you to force your users to do this – if you want to require 2FA you will need to buy the pro version of the plugin.) You can copy and paste the instructions above into an email to your users. You’re welcome!
TIP: Alphabetize your accounts in Google Authenticator
If you’re using Google Authenticator and have a number of accounts for different websites, you CAN alphabetize your list of accounts. Click and hold to select an account entry. Then, click and drag that account up or down in the list. I haven’t found anything in the settings that will allow me to alphabetize the list automatically, but at least it’s possible to reorder the list manually.
Step 5— Move/Rename your Login page
(NOTE: Since writing this post I’ve had some discussions with my programmer friends and I’m thinking that this step is not as important as I’d thought. It still wouldn’t hurt, but steps 1-4 are definitely more important. Updated: 2018-05-18)
You can install a plugin that will allow you to move your login page to a different location. Kind of like attempting to login using “admin” as a username, hackers will target “https://mysite.com/wp-admin” to break into WordPress websites since that is the default location for the login page.
I have used the plugin, “Rename wp-login.php” to move my login page to a different location. Once you’ve installed and activated the plugin, go to “Settings > Permalinks” and scroll down to the bottom of the page. There you will see that the login page has been changed to “https://mysite.com/login” – you can change “login” to whatever word you would like.
Be Kind to Future You!
I hope that you never have to deal with a hacked website. Implementing the above steps will drastically reduce the chances of that happening. Be kind to future you and take these steps today!
Photo credit: Autumn Mott