There are many settings, code tweaks and security solutions that can go a long way to making a WordPress site as secure as possible.
BUT… if users on a WordPress site are using simple passwords it really doesn’t matter how secure you make the site.
Let’s all take a quiz together:
- Does your WordPress user password contain uppercase and lowercase letters, numbers, and symbols?
- Does your WordPress user password not contain any real words that can be found in the dictionary?
- Is your WordPress user password unique and not used on ANY other website or login?
- Do you have different passwords for your web host control panel login, for your FTP access (or SSH access), your login password to your domain registrar (and any place that might also handle your DNS information), and for your email address that might be linked to that WordPress website?
1. Strong Passwords are the Best WordPress Security
If you answered YES to all four of these questions… congratulations, you are using strong passwords in the way that best enhances your WordPress security.
In the most recent update to WordPress, strong passwords are now a requirement for WordPress security. But the problem with this new update is that WordPress STILL provides the option of overriding the requirement of a strong password.
To make sure you and the users of any WordPress site that you manage use strong passwords, you may need to use a feature found in the iThemes Security plugin that forces ONLY strong passwords to be used … without exception. With iThemes Security Pro, you can also add password expirations and a strong password generator to user profiles.
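As an added example (not code from the post or from iThemes Security), the following hypothetical mu-plugin enforces the four quiz rules on the server side, so the "confirm use of weak password" checkbox in the profile screen cannot override the policy; the short dictionary denylist is constructed for illustration.

```php
<?php
/**
 * Plugin Name: Strong Password Policy Example
 * Hypothetical mu-plugin: enforces the page's four password rules on the
 * server so the "confirm weak password" checkbox cannot bypass them.
 */

// Returns a list of violated rules; an empty array means the password passes.
function spp_password_problems( $password, $user_login = '' ) {
    $rules = array(
        'be at least 12 characters long'      => strlen( $password ) >= 12,
        'mix uppercase and lowercase letters' => preg_match( '/[A-Z]/', $password ) && preg_match( '/[a-z]/', $password ),
        'contain a number'                    => preg_match( '/[0-9]/', $password ),
        'contain a symbol'                    => preg_match( '/[^A-Za-z0-9]/', $password ),
        'not contain your username'           => '' === $user_login || false === stripos( $password, $user_login ),
    );
    // Constructed short denylist standing in for a real dictionary / breach list.
    foreach ( array( 'password', 'wordpress', 'letmein', 'qwerty' ) as $word ) {
        $rules[ 'not contain the dictionary word "' . $word . '"' ] = false === stripos( $password, $word );
    }
    return array_keys( array_filter( $rules, function ( $ok ) { return ! $ok; } ) );
}

// Appends one error message listing every violated rule.
function spp_reject_weak( WP_Error $errors, $password, $user_login ) {
    $problems = spp_password_problems( $password, $user_login );
    if ( $problems ) {
        $errors->add( 'weak_password', 'Password must ' . implode( ', ', $problems ) . '.' );
    }
}

// Profile edit and "Add New User" screens: the new password is $user->user_pass.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        spp_reject_weak( $errors, $user->user_pass, isset( $user->user_login ) ? $user->user_login : '' );
    }
}, 10, 3 );

// Password reset form (wp-login.php?action=rp): the new password arrives as pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) ) {
        $login = $user instanceof WP_User ? $user->user_login : '';
        spp_reject_weak( $errors, (string) wp_unslash( $_POST['pass1'] ), $login );
    }
}, 10, 2 );
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins and cannot be deactivated from the dashboard.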
2. Enhance WordPress Security by Preventing Brute Force Attacks
For many years the biggest weakness in WordPress security could be found in the WordPress login process. By default, WordPress will allow any user to try as many times as they want until they find a valid login username and password combination.
Anyone wanting to force their way into your WordPress website could simply run a script that tries the 1000+ most common passwords over and over in an attempt to find a match. When we prevent these types of brute force attacks on the login area of WordPress, we boost WordPress security.
The iThemes Security plugin has multiple options that allow WordPress site owners to block certain users and/or usernames from being able to access the site after a certain number of failed login attempts.
A favorite feature of the iThemes Security plugin’s brute force protection is the ability to immediately ban an IP address that attempts to log in with the username ‘admin’. In the early days of WordPress, the default installation automatically created an Administrator account with the username ‘admin’.
Many WordPress sites (especially if they have been around for a long time) have never bothered to remove that user, or even worse, that ‘admin’ user account is still being used. If you look at the log files of almost every WordPress site you will find login attempts using the username ‘admin’. There is no legitimate reason for these login attempts, so they should be banned immediately.
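As an added example of the two protections just described (not code from the post or from iThemes Security), this hypothetical mu-plugin counts failed logins per client IP in transients, refuses further attempts once a threshold is reached, and locks out any attempt that uses the username ‘admin’; it assumes no reverse proxy sits in front of the site.

```php
<?php
/**
 * Plugin Name: Login Lockout Example
 * Hypothetical mu-plugin: counts failed logins per client IP in transients,
 * refuses further attempts once a threshold is reached, and bans any
 * attempt that uses the username "admin" on the spot.
 */

define( 'LLE_MAX_FAILURES', 5 );                 // failures allowed per window
define( 'LLE_WINDOW', 15 * MINUTE_IN_SECONDS );  // counting and lockout window

// Assumes no reverse proxy; behind one you would read the proxy's trusted header.
function lle_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lle_key( $ip ) {
    return 'lle_fail_' . md5( $ip );
}

// Count every failed login for this IP (wrong password and unknown user alike).
add_action( 'wp_login_failed', function ( $username ) {
    $key = lle_key( lle_client_ip() );
    set_transient( $key, (int) get_transient( $key ) + 1, LLE_WINDOW );
} );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lle_key( lle_client_ip() ) );
}, 10, 2 );

// Priority 100 runs after WordPress's own handlers (priorities 20-99), so a
// WP_Error returned here overrides even a correct username/password pair.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $key = lle_key( lle_client_ip() );
    if ( 'admin' === strtolower( (string) $username ) ) {
        // Nothing legitimate logs in as "admin": lock the IP out immediately.
        set_transient( $key, LLE_MAX_FAILURES, LLE_WINDOW );
        return new WP_Error( 'admin_banned', 'Login with this username is not permitted.' );
    }
    if ( (int) get_transient( $key ) >= LLE_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins from your address; try again later.' );
    }
    return $user;
}, 100, 3 );
```

Transients expire on their own, so the lockout lifts after LLE_WINDOW without any cleanup job; on a site with a persistent object cache they are stored there instead of in the options table.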
3. WordPress Security Means Nothing Without Good Backups
There is a saying that in order to make a 100% perfectly secure website, you simply need to unplug the computer running the site from the internet and never let anyone visit or use the site. Now obviously this is not a very “usable” website.
WordPress security is always a balancing act between security vs. usability. The more open and easy you make the site to access, the less secure that site becomes.
All this is stated so that we can understand that even if we do everything we need to do to provide better WordPress security, sometimes life happens.
Sometimes a WordPress website is compromised through no fault of the site owner. (Example: a WordPress website is on a shared hosting account and ANOTHER WordPress website on the same shared hosting account never updates and is compromised to the point that the intruder gains access to the server, which can then be used to attack other “secure” WordPress websites.) So what can be done about this issue?
WordPress Backups are the Best WordPress Security
Having regularly scheduled WordPress backups is the best antidote against things happening to a WordPress website. Whether the issue is an actual compromised site or just a server issue with faulty hardware, if a backup is available, a WordPress site owner can always restore to a valid, working and secure version of their WordPress site.
Check out BackupBuddy to easily backup, restore, move, clone or deploy your WordPress sites in just a few steps.
4. Take Advantage of Two Factor Authentication for Better WordPress Security
In today’s fast-paced, techno-friendly world, anyone and everyone COULD be tracking what you type into your browser. Visit a local coffee shop and you never know who else may simply be recording all the traffic that takes place on the public Wi-Fi connection.
Today, many banks and financial institutions as well as forward-thinking security websites offer the ability to secure your login account with two factor authentication. At its core, two factor authentication is just what it appears to be … a request for two different forms of proving that the user actually is the owner of the account.
When pairing strong passwords with two factor authentication, the WordPress security ranking of any website goes through the roof and prevents a large majority of login attacks from even occurring.
Two factor authentication can also be very helpful because it can provide an expiring and one-time use password that means it no longer matters if someone is “listening or tracking” users on a network. Why? Because the moment a two factor authentication code is used, it expires and cannot be used again.
The iThemes Security Pro plugin offers an amazing assortment of two factor authentication systems to enhance your WordPress security. A WordPress site owner could pair up an external authentication system like Google Authenticator or Authy to generate the necessary two factor authentication code. You can also choose to have a one-time use code mailed to your user account’s email address, or even pre-generate a few one-time use codes that could be used when there is no access to other forms of authentication code generation.
Check out these posts for more info on setting up two factor authentication on your WordPress site:
- Introduction to Two Factor Authentication
- How to Set Up Two-Factor Authentication for Your WordPress Site with Google Authenticator
- How to Use Authy to Manage Google Authenticator Keys for WordPress
- Two-Factor Authentication Updates for iThemes Security Pro
5. WordPress Security Starts and Ends with Keeping Everything Updated
One of the easiest ways to create an unsafe and unsecured WordPress environment is to simply not update WordPress core or any of the WordPress plugins and themes. A majority of all updates are security patches and code fixes.
One of the benefits of being involved in an open-source project like WordPress is that anyone and everyone can look at the source code and provide fixes, patches, modifications and even enhancements that make the project more usable and more secure. Yet, this same benefit can also be one of the more dangerous areas in regards to security.
Because WordPress code can be seen by anyone and everyone, it also means that if a security patch comes out for core WordPress, anyone with nefarious intentions now knows that a security vulnerability exists. And if someone chooses NOT to update their WordPress installations, then they are essentially providing a welcome sign to anyone wishing to exploit that security vulnerability.
If a WordPress site is out of date, then all the previous WordPress security suggestions are essentially useless. A few versions ago, WordPress created the ability to auto-update WordPress core, plugins, and themes.
If a site owner does not manage their WordPress websites on a daily basis, they should absolutely be taking advantage of this functionality. As long as regularly scheduled WordPress backups are in place, a site owner should not fear these auto-updates occurring.
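As an added example tying the two points together (not code from the post or from any iThemes product), this hypothetical mu-plugin turns on automatic plugin and theme updates but holds them back whenever no backup has completed within the last day; the bgu_last_backup_time option is an assumption, standing in for whatever your backup job records.

```php
<?php
/**
 * Plugin Name: Backup-Gated Auto Updates Example
 * Hypothetical mu-plugin: enables automatic plugin and theme updates, but
 * only while a recent backup exists. Core auto-updates are switched on
 * separately with define( 'WP_AUTO_UPDATE_CORE', true ); in wp-config.php.
 */

define( 'BGU_MAX_BACKUP_AGE', DAY_IN_SECONDS );

// Assumption: the backup job stores its completion time (Unix seconds) here.
function bgu_backup_is_fresh() {
    $last_backup = (int) get_option( 'bgu_last_backup_time', 0 );
    return ( time() - $last_backup ) <= BGU_MAX_BACKUP_AGE;
}

// Return true to auto-update the item, false to hold it back. $item is the
// update object WordPress builds for each plugin or theme (has ->slug).
function bgu_gate_update( $update, $item ) {
    if ( bgu_backup_is_fresh() ) {
        return true;
    }
    $name = isset( $item->slug ) ? $item->slug : 'unknown';
    error_log( "bgu: holding back auto-update of {$name}: no backup within the last day" );
    return false;
}
add_filter( 'auto_update_plugin', 'bgu_gate_update', 10, 2 );
add_filter( 'auto_update_theme', 'bgu_gate_update', 10, 2 );
```

Held-back updates are only deferred: the next scheduled update check runs the filter again, so they go through as soon as a fresh backup has been recorded.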
Finally, all WordPress site owners should take advantage of remote management solutions, like iThemes Sync, to get a snapshot of the health and update status of ALL of their WordPress websites. With iThemes Sync, you can manage updates and more for all your WordPress sites from one dashboard. Grab your 10 free Sync sites here.
Protect Your WP Sites Now with iThemes Security Pro
iThemes Security Pro offers 30+ ways to secure and protect your WordPress sites. Get scheduled malware scanning, two factor authentication, Google reCAPTCHA integration and more.