5 Solid Security Tips to Secure Your WordPress Website

Learn how to harden WordPress user logins, secure potentially vulnerable software, review security logs, activate magic links, and manage security on all your sites from your Solid Central dashboard.

Dan Knauss

WordPress security can seem like a daunting task! Fortunately, managing your security strategy is simple with Solid Security. This post covers five Solid Security tips to help secure your WordPress website.

Harden User Authentication

Brute force login attacks are very common. They occur when an intruder attempts to log into a WordPress site by guessing user credentials. Bots test thousands of combinations of usernames, email addresses, and passwords until they find a pair that works. Commonly used and stolen login credentials fuel the success of brute force attacks that rely on credential stuffing. A bot may also be able to scrape your site to discover your content authors’ usernames. If it finds a valid username, it can try commonly reused passwords to gain access to the WordPress admin. Bots often try the default User 1 account, whose username is “admin” unless you change it.

Most people don’t follow best practices for WordPress password security. Often, they reuse the same username and password combination on many sites, or their credentials already exist among the billions of compromised accounts known to attackers. An intruder can then run a username against a breach database to find its matching password. Over time, the attack strategy has shifted from randomly guessing WordPress usernames and passwords to a process of elimination.

WordPress Password Requirements

Well, guess what bot, we are ready for you! Solid Security Pro uses the haveibeenpwned API to prevent users from creating accounts with known compromised passwords. If a password exists in the haveibeenpwned database, you shouldn’t use it, because the bad guys already are.

With Solid Security’s Refuse Compromised Passwords feature, you can block passwords that have appeared in a data breach. If a user tries to create a password that haveibeenpwned.com has seen, Solid Security won’t allow it. You can also apply this restriction selectively to certain users or User Groups, including custom groups you create with Solid Security.
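As an added illustration, not Solid Security’s own code, of what a compromised-password check against the haveibeenpwned API involves: the Pwned Passwords range endpoint receives only the first five hex characters of the password’s SHA-1 hash, so neither the password nor its full hash ever leaves your server. The network call is stubbed with a constructed response so the example runs offline; `fake_fetch`, `FAKE_RANGE_5BAA6` and the counts in it are assumptions.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # the documented HIBP range endpoint

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; return (first 5 hex chars, remaining 35). Only the
    5-char prefix is ever sent, which is the k-anonymity property of the API."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines; tolerates CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_http(prefix: str) -> str:
    """Real lookup over the network. Not used by the offline demo below."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = never seen)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def is_acceptable(password: str, fetch_range: Callable[[str], str] = fetch_range_http) -> bool:
    """The 'Refuse Compromised Passwords' decision: reject anything seen at least once."""
    return breach_count(password, fetch_range) == 0

# Constructed stand-in for the body of GET .../range/5BAA6 (the counts are made up).
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix is listed.
FAKE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "0A3E3D5F4E9B6C2A1F0D9E8C7B6A5F4E3D2:2\r\n"
    "\r\n"
)

def fake_fetch(prefix: str) -> str:
    """Offline stub: the constructed body for prefix 5BAA6, an empty range otherwise."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""
```

Because the lookup is by hash prefix, a user's passphrase cannot be reconstructed from what the API sees, and the same code path works for the user-creation and password-change forms.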

Refuse Compromised Passwords setting: with Solid Security, you can ensure all WordPress users adopt strong passwords that have not appeared in a major data breach.

That’s not all! We have made it harder for nasty bots to succeed in a brute-force login attempt, but we can do more. Using Solid Security Pro’s Strong Passwords feature, you can require site users to adopt passwords that are not easy to guess.

On top of that, you can activate the Password Age feature, which will require users to choose a new password after a certain time passes.

With these settings activated, you can protect your site and users by enforcing a security policy.

Enable WordPress Two-Factor Authentication

There’s still more you can do. Brute force attacks and all other illicit login attempts can be halted by adding a step to the WordPress login or “user authentication” process. Two-factor authentication (2FA) adds a solid layer of security to any WordPress site, especially when the authentication method is token-based and requires a physical device to log in, like a phone.

With Solid Security Pro’s two-factor authentication setting, you can quickly enable the mobile app method of two-factor authentication on your WordPress site. Here’s more on how to set up two-factor using Google Authenticator with Solid Security.

Once the mobile app method is activated, intrusive bots will give up and move on. No matter how persistent they are, bots will never have access to your phone to see the token required to log in.

WordPress Version Management

Along with insecure user accounts, running outdated software is one of the most common reasons a WordPress site or blog gets hacked. Keeping your WordPress website up to date is easy.

Bots will scour the internet looking for WordPress sites running outdated software with known WordPress vulnerabilities. When you leave software out of date, you are giving a would-be hacker the blueprint to bypass all other security measures you have added to the site. It is easier, cheaper, and less time-consuming to update than it is to deal with cleaning up a WordPress hack that should have been prevented.

Automatic WordPress Updates

Enabling the Solid Security Pro WordPress Version Management feature will automate updates of WordPress core, plugins, and themes. This means your site will have the most recent security patches without any effort on your part. Automating WordPress security is so cool!

Solid Security Version Management: set automatic updates for WordPress core and selected plugins and themes, and scan for old WordPress sites and vulnerabilities.

Scan Hosting Account for Old/Outdated WordPress Sites

Bots will also try to find abandoned, forgotten, and incomplete WordPress installs that they can easily exploit. Solid Security’s WordPress Version Management feature will perform a daily scan of your entire hosting account and alert you if it finds additional WordPress installs that are outdated.

Review WordPress Security Logging

Keeping track of the activity on a WordPress site is another great security tool. These logs can answer when, what, and how something was changed or added to the site.

WordPress User Logs

The Solid Security WordPress User Logging feature lets you track what users are doing on your site. The security logs record when a user logs in and out and the IP address they use. They also document any WordPress plugin or theme changes made by the user: installing, deleting, activating, deactivating, and updating events are logged so you know who took those actions. The security logs also monitor content changes, such as adding or editing posts or pages.

Security logs are filtered into Important Events, Warnings, and Notices.

If a bot somehow logs in and adds tons of pharma spam to your site, you can quickly ban the bot and remove all the junk content. If the bot created new users, you can also use the WordPress security logs to discover this and remove those users. However, this should never happen with adequate user login security like 2FA or passkeys.
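An added example of the kind of review the logs make possible; it is not Solid Security’s code, and the `time|user|ip|event` lines are constructed rather than the plugin’s real log format. It buckets activity into important events, warnings, and notices, flags an IP address with a burst of failed logins, and flags an account that was created and then started mass-posting, which is the pharma-spam case above.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (time|user|ip|event), not Solid Security's real log format.
_LINES = [
    "2024-05-01T09:00:12|editor|203.0.113.10|login_success",
    "2024-05-01T09:05:40|editor|203.0.113.10|plugin_updated:akismet",
    "2024-05-01T22:15:30|admin|198.51.100.7|login_success",
    "2024-05-01T22:16:01|admin|198.51.100.7|user_created:promo_bot",
]
_LINES += [f"2024-05-01T22:14:{s:02d}|-|198.51.100.7|login_failed:admin" for s in range(3, 9)]
_LINES += [f"2024-05-01T22:{17 + i:02d}:00|promo_bot|198.51.100.7|post_published" for i in range(12)]
SAMPLE_LOG = "\n".join(_LINES)

def parse_log(text: str) -> list[dict]:
    """Parse lines into dicts sorted by time; an event may carry a ':target' suffix."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        ts, user, ip, event = line.split("|", 3)
        kind, _, target = event.partition(":")
        events.append({"time": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "kind": kind, "target": target})
    return sorted(events, key=lambda e: e["time"])

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)) -> dict[str, int]:
    """IPs with at least `threshold` failed logins inside `window`: brute-force candidates."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "login_failed":
            by_ip[e["ip"]].append(e["time"])
    return {ip: len(t) for ip, t in by_ip.items()
            if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))}

def mass_posting_new_users(events, max_posts=5, window=timedelta(hours=1)) -> dict[str, int]:
    """Accounts created in this log that published more than `max_posts` within `window`."""
    created = {e["target"]: e["time"] for e in events if e["kind"] == "user_created"}
    posts = Counter(e["user"] for e in events if e["kind"] == "post_published"
                    and e["user"] in created and e["time"] - created[e["user"]] <= window)
    return {u: n for u, n in posts.items() if n > max_posts}

IMPORTANT_KINDS = {"plugin_installed", "plugin_activated", "plugin_updated", "theme_updated", "user_created"}

def triage(events) -> dict[str, list[str]]:
    """Bucket findings the way the article's log view does: important events, warnings, notices."""
    important = [f"{e['user']} {e['kind']} {e['target']}".strip() for e in events if e["kind"] in IMPORTANT_KINDS]
    warnings = [f"{ip}: {n} failed logins" for ip, n in failed_login_bursts(events).items()]
    warnings += [f"{u}: {n} posts within an hour of creation" for u, n in mass_posting_new_users(events).items()]
    notices = [f"{e['user']} logged in from {e['ip']}" for e in events if e["kind"] == "login_success"]
    return {"important": important, "warnings": warnings, "notices": notices}
```

Run `triage(parse_log(SAMPLE_LOG))` to see the six failed logins from one address and the twelve posts by the newly created account surface as warnings, while the plugin update and the user creation land under important events.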

Activate Magic Links

Magic Links is a feature that allows legitimate WordPress users to bypass Solid Security lockouts and log in when someone has been tampering with their account. If an attacker is trying to guess the password for a known username, Solid Security will lock out that user but leave the option to send a “Magic” login link to the email address of the legitimate account user.

Manage Solid Security Settings from Solid Central

Solid Central allows you to manage multiple WordPress sites from one location. This means you can perform many security tasks from Solid Central without logging into dozens of websites.

From the Security tab in your Solid Central dashboard, you can export Solid Security settings from one site and import them into a new site, release Solid Security lockouts, temporarily override Solid Security two-factor authentication, and even temporarily whitelist your IP address.

Now, go and use these tips to harden the security of your WordPress sites!

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
