How to better protect and secure WordPress

WordPress owners often need to deal with the fact that their websites are constantly bombarded with brute-force requests to either exploit plugin vulnerabilities or gain access to the administrative area of their websites. Let’s look at the various ways to protect sensitive parts of WordPress and the whole website in general.

Change the default username

One of the simplest methods to increase security is to simply modify the default “admin” administrative username to something non-trivial. It’s a good idea to avoid naming the account the same as the domain name itself because that’s another frequent brute-force target. The attacker needs to guess the complete username/password pair to log in, so that alone will make it a lot more difficult to gain access.

Use complicated passwords and don’t reuse them

There are various dictionaries available on the internet compiled from previous data breaches that list the most frequent passwords. Attackers often use these and other frequent words to gain access. Increasing the complexity of passwords is a sure way to make it practically impossible to break into the admin area. 

Using a password manager nowadays is essential for managing account passwords and it will also help to stop password reuse. Credential stuffing attacks (stealing passwords from one site then trying the same account password elsewhere) succeed when users use the same password to log in to different services. 

Protect your e-mail account

WordPress makes it possible to recover passwords by simply entering the username or the e-mail address of the administrator using the “forgot password” functionality of the admin area. This means that anyone having access to your e-mail account will also gain access to all the WordPress sites connected to it. Use a strong password to protect it and enable 2FA. You can read more about multi-factor authentication and how it helps to increase security here.

Enable two-factor authentication (2FA)

Adding a second security measure to logins is the best way to protect your website from brute-force password guessing attacks. Unfortunately, the stock WordPress installation doesn’t support multi-factor authentication (2FA or MFA) however there are various plugins that enable this functionality for free. Some examples:

• WP-2FA: https://wordpress.org/plugins/wp-2fa/
• Wordfence: https://www.wordfence.com
• Duo 2FA: https://wordpress.org/plugins/duo-wordpress/

Keep everything updated

It is essential to keep the core WordPress system and its plugins updated at all times. Vulnerabilities are often found daily and quickly patched daily so these patches should be installed as soon as possible. Simply enabling auto-updates (it’s on by default since 3.7) in the administrative area should take care of this automatically. 

Reduce the number of plugins

WordPress has a bad reputation for security however most of the time it’s not the core system that is vulnerable to hacking attempts but some of the plugins installed. Anyone can upload their unvetted plugins that will run on your server after installation so depending on the skill of the developer, they can introduce various security problems to your website. The bottom line is that the fewer plugins, the better. 

Allow logins from your own IP only

Each internet-connected computer has a dedicated IP address that identifies it over the internet. Limiting access to your specific IP address means that no one else but you (or your home network) can connect to it.

Most WordPress admins log-in from the same location all the time so it’s useful to limit access from those places. This will need file (FTP or SFTP) access to your installation. There is a file called “.htaccess” that can tell the web server (Apache) that some files should only be accessible from a specific IP address. Corrupting this .htaccess file will render your whole website useless so be careful to make a backup of it before editing. 

Now edit your .htaccess file in the main folder of the website and add this to the top of it:

<Files wp-login.php>
order deny,allow
deny from all
allow from 11.22.33.44
</Files>

11.22.33.44 should be your IP address – you can find it by simply Googling “what is my ip”. Make sure you back-up the original file and restore it if it doesn’t work. This file may or may not exist, if it doesn’t you can simply create a new one with these lines in it and upload it to the main folder of the website. 

It’s possible to add multiple IP addresses by simply duplicating the “allow from” line as many times as needed. You can simply test it by changing the IP address to some other number and testing log in. It should give you an access forbidden error instead of the usual login screen. Now change it back to your IP and you’re done.

Use HTTPS for everything

Browsing the web without HTTPS means that an adversary can listen to the website traffic and hijack your browser session or steal your user credentials. Search engines also rank websites with HTTPS enabled higher nowadays so it’s essential to set it up. You can verify that your connection to your website is secure by looking for the little padlock icon in the browser address bar next to the site URL or making sure that your URL starts with https:// .

Enabling HTTPS requires a certificate that used to cost money and had to be bought separately from various certificate authorities, however, ever since Letsencrypt (https://letsencrypt.org) exists, it’s trivial to acquire a secure certificate. Securing your website with HTTPS will need to be done on the server level, so contact your web host or administrator to set it up. Most providers offer this feature by default.  In your WP admin area, it’s a good idea to verify that the website URL starts with https, it will redirect all insecure connections automatically to the secure location. Change this only AFTER YOU VERIFY that the site works with https to avoid locking yourself out from the admin area. It’s best to set this up at installation time to avoid having to relocate all old links to https manually.