Hardening WordPress

Because WordPress is so popular, many attackers and bots continuously scan the web for WordPress sites to compromise, and most of them are opportunistic: they take the easiest targets. It is advisable to follow basic security practice and keep your site hardened. This article covers basic and advanced steps that make your WordPress site a significantly tougher target.

Basic Protection

Admin Passwords

Strong passwords are essential to prevent unauthorized access to accounts. One of the most common attack vectors against WordPress is a "brute force" attack, in which logins are attempted on your site with common usernames (e.g. admin) and common passwords (e.g. Password). Administrator passwords should be long and, ideally, randomly generated and stored in a password manager; a mix of letters, numbers and special characters helps only insofar as it adds length and unpredictability. Rotating the password on a schedule is not usually necessary; changing it when you suspect compromise is. The administrator password must never be reused on other accounts or services, because a breach elsewhere then becomes a working login to your site.

A strong password is one of the most important defenses against “Brute force” attacks.

Restricting Account Permissions

Give users only the permissions (WordPress roles) they actually need. This limits the damage if an account is compromised: a stolen Author or Editor account cannot install plugins or create new administrators, whereas a stolen Administrator account can. It is also good practice because it prevents users from accidentally changing settings or modifying parts of the site they should not touch.

Account Cleanup

Delete the accounts of users who no longer need access to your site (e.g. employees who have left your organization, or contractors whose work is finished). Every dormant account is another password that can be guessed or leaked, so removing them reduces the number of accounts that can be compromised, and it also prevents a former user from taking some malicious action with credentials they still remember.

Regular Updates

Regularly updating WordPress core, plugins and themes is important to prevent known vulnerabilities from being exploited. Most compromised WordPress sites are running a plugin or theme with a publicly disclosed, already patched flaw, and scanners look for exactly those versions.

If your host uses cPanel, it has options to enable automatic updates for WordPress and its plugins. WordPress itself applies minor and security releases automatically by default; on the Dashboard > Updates screen you can also opt in to automatic major releases, and the Plugins screen offers a per-plugin "Enable auto-updates" link.
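The same settings can be pinned in code so they survive dashboard changes. The following must-use plugin is an added example written for this article, not code from the page or from WordPress; it uses WordPress's own `allow_*_auto_core_updates`, `auto_update_plugin` and `auto_update_theme` filters, and the plugin slug it keeps on manual updates (`woocommerce`) is an assumed value.

```php
<?php
/**
 * Plugin Name: Hardening example: automatic updates
 * Description: Added example, not the article's code. Turns on automatic
 * updates for WordPress core (including major releases), all themes, and all
 * plugins except a short list you prefer to update by hand after testing.
 * Install: save as wp-content/mu-plugins/auto-updates.php. Must-use plugins
 * load on every request and cannot be switched off from the dashboard.
 */

// Plugin slugs (the directory name under wp-content/plugins) to update manually.
// Assumed value for illustration; an empty array auto-updates every plugin.
const AU_MANUAL_UPDATE_PLUGINS = array( 'woocommerce' );

// Core. By default WordPress applies only minor/security releases on its own;
// these two filters also opt in to major releases. The same effect is available
// with define( 'WP_AUTO_UPDATE_CORE', true ); in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins. $item is the update object; $item->slug is the plugin directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	if ( isset( $item->slug ) && in_array( $item->slug, AU_MANUAL_UPDATE_PLUGINS, true ) ) {
		return false; // still listed under Dashboard > Updates, just not applied automatically
	}
	return true;
}, 10, 2 );

// Themes, including inactive ones: their code is still reachable on the server.
add_filter( 'auto_update_theme', '__return_true' );

// Automatic updates are triggered by WP-Cron, which only runs when someone
// visits the site. On a low-traffic site call wp-cron.php from the system cron
// instead (example.com is a placeholder), e.g. every 15 minutes:
//   */15 * * * * curl -fsS 'https://example.com/wp-cron.php?doing_wp_cron' >/dev/null
// and add define( 'DISABLE_WP_CRON', true ); to wp-config.php so page views
// no longer trigger it.
```

Keeping a plugin on manual updates is a trade-off: it stays visible on the Updates screen, but a security release for it will wait until someone logs in. Keep that list short and review it when a plugin in it publishes a security advisory.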

Advanced Protection

Limiting Login Attempts

Limiting login attempts is an excellent additional layer of protection against “Brute Force” attacks.

Several plugins can limit login attempts to your site and block an IP address for a period of time after repeated failed logins. One such example is Limit Login Attempts Reloaded.

The free version of the plugin is adequate for many small websites. It lets you set the number of failed logins allowed before a lockout occurs, and the length of the first lockout and of subsequent lockouts, so that repeat offenders are locked out for progressively longer.
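To make the mechanism concrete, here is a minimal login throttle as a must-use plugin. It is an added example for this article, not code from the page or from Limit Login Attempts Reloaded; it relies only on WordPress's `wp_login_failed` and `wp_login` actions, the `authenticate` filter and transients. The thresholds are assumed values.

```php
<?php
/**
 * Plugin Name: Hardening example: login throttle
 * Description: Added example, not the article's or any plugin's code. Locks an
 * IP address out after repeated failed logins, with lockouts that double each time.
 * Install: save as wp-content/mu-plugins/login-throttle.php.
 */

const LT_MAX_FAILURES   = 5;     // failed logins before the first lockout (assumed)
const LT_FAILURE_WINDOW = 900;   // seconds in which those failures must occur (15 min)
const LT_FIRST_LOCKOUT  = 1200;  // seconds; doubles on each further lockout (20, 40, 80 min ...)
const LT_LOCKOUT_MEMORY = 86400; // seconds the escalation counter is remembered (1 day)

// Client address. Only REMOTE_ADDR is trustworthy here: X-Forwarded-For is
// attacker-controlled unless a reverse proxy you run overwrites it. Behind a
// CDN or proxy, read that proxy's own header instead, or every visitor will
// share one address and one lockout.
function lt_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names, one set per address. Transients expire on their own.
function lt_key( $what ) {
	return 'lt_' . $what . '_' . md5( lt_client_ip() );
}

function lt_lockout_until() {
	return (int) get_transient( lt_key( 'lock' ) );
}

// Count a failed attempt; start (or escalate) a lockout at the threshold.
add_action( 'wp_login_failed', function () {
	if ( lt_lockout_until() > time() ) {
		return; // attempts during a lockout are refused below; do not count them again
	}
	$failures = (int) get_transient( lt_key( 'fail' ) ) + 1;
	set_transient( lt_key( 'fail' ), $failures, LT_FAILURE_WINDOW );

	if ( $failures >= LT_MAX_FAILURES ) {
		$lockouts = (int) get_transient( lt_key( 'count' ) ) + 1;
		$length   = LT_FIRST_LOCKOUT * ( 2 ** ( $lockouts - 1 ) );
		set_transient( lt_key( 'count' ), $lockouts, LT_LOCKOUT_MEMORY );
		set_transient( lt_key( 'lock' ), time() + $length, $length );
		delete_transient( lt_key( 'fail' ) );
		error_log( sprintf( 'login-throttle: %s locked out for %d s (lockout #%d)', lt_client_ip(), $length, $lockouts ) );
	}
} );

// Refuse every login attempt while a lockout is active. Priority 30 runs after
// WordPress's own username/password check (priority 20); an error returned
// earlier would be replaced by a WP_User whenever the guessed password is right.
add_filter( 'authenticate', function ( $user ) {
	$until = lt_lockout_until();
	if ( $until > time() ) {
		$minutes = (int) ceil( ( $until - time() ) / 60 );
		return new WP_Error( 'lt_locked_out', sprintf( 'Too many failed logins. Try again in %d minute(s).', $minutes ) );
	}
	return $user;
}, 30 );

// A successful login clears the failure counter but not the escalation history.
add_action( 'wp_login', function () {
	delete_transient( lt_key( 'fail' ) );
} );
```

Because the check sits on the `authenticate` filter, it also covers logins via xmlrpc.php and application passwords, not just wp-login.php; a throttle that only guards the login form leaves those paths open. The per-IP design is deliberately simple: a distributed attack from many addresses will not trip it, which is why the captcha and country measures below are worth layering on top.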

Login Captcha

By default WordPress does not offer a login captcha. A captcha is a useful tool to deter automated login attempts, though it will not stop them altogether (captcha-solving services exist). It provides another layer in the protection of your website, and unlike IP-based throttling it also slows down attacks spread across many addresses.

A basic captcha plugin is Simple Login Captcha, which is free and quick to set up; many more advanced plugins offer stronger protection.

Once it is installed, a security code must be entered to log in to your website.

Country Blocking

Another layer of security is blocking requests by the country their IP address belongs to; a large share of bot traffic originates from a handful of countries. This is not the right choice for every website, and it needs ongoing management. It is also a noise reducer rather than a security boundary: an attacker who wants in simply routes through a VPN, proxy or compromised host in an allowed country. It can still help if your site is receiving many failed login attempts (100+ a day).

A caveat of country blocking is that it may not work well with caching plugins (a cached page can be served before the blocking plugin ever sees the visitor), and depending on the plugin and your settings, legitimate users may be blocked from accessing your site. Some plugins, however, allow front-end and back-end blocking to be configured separately.

IP2Location is one such country blocking plugin. It requires a free account to download the GeoIP database, which must be kept up to date as address allocations change. Consider restricting only the back end of your site (wp-login.php and wp-admin) to your own country and neighbouring countries: the public front end stays reachable and cacheable while the part attackers actually target is reduced. IP2Location provides statistics (if enabled), so the effectiveness of the plugin can be audited.
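The front-end/back-end split is the part worth understanding, so here it is as a must-use plugin. This is an added example written for this article, not code from the page or from IP2Location: the country lookup is a placeholder over a constructed table of documentation address ranges, to be replaced by your real GeoIP library, and the allowed country list is an assumed value. What it shows is where to hook so that ordinary readers and caching are untouched.

```php
<?php
/**
 * Plugin Name: Hardening example: back-end country allowlist
 * Description: Added example, not the article's or IP2Location's code. Only
 * visitors from allowlisted countries may log in or use /wp-admin; the public
 * front end is left alone so caching and ordinary readers are unaffected.
 * Install: save as wp-content/mu-plugins/backend-country-allowlist.php.
 */

// ISO 3166-1 alpha-2 codes permitted to reach the back end (assumed values).
const BC_ALLOWED_COUNTRIES = array( 'US', 'CA' );

// What to do when the country cannot be determined. The back end fails closed;
// keep an address you know is allowlisted available so you cannot lock yourself out.
const BC_DENY_UNKNOWN = true;

// Placeholder lookup: a constructed CIDR table standing in for a real GeoIP
// database. Replace the body with your library's lookup call.
function bc_country_for_ip( $ip ) {
	$table = array(
		'192.0.2.0/24'    => 'US', // TEST-NET-1, constructed mapping
		'198.51.100.0/24' => 'CA', // TEST-NET-2, constructed mapping
		'203.0.113.0/24'  => 'ZZ', // TEST-NET-3, constructed "somewhere else"
	);
	$addr = ip2long( $ip );
	if ( false === $addr ) {
		return ''; // IPv6 or garbage: unknown
	}
	foreach ( $table as $cidr => $country ) {
		list( $net, $bits ) = explode( '/', $cidr );
		$mask = -1 << ( 32 - (int) $bits );
		if ( ( $addr & $mask ) === ( ip2long( $net ) & $mask ) ) {
			return $country;
		}
	}
	return '';
}

function bc_request_allowed() {
	// Behind a CDN or reverse proxy, use that proxy's trusted header instead of REMOTE_ADDR.
	$ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
	$country = bc_country_for_ip( $ip );
	if ( '' === $country ) {
		return ! BC_DENY_UNKNOWN;
	}
	return in_array( $country, BC_ALLOWED_COUNTRIES, true );
}

function bc_deny() {
	wp_die( 'This area is not available from your location.', 'Forbidden', array( 'response' => 403 ) );
}

// 1. The login page itself (wp-login.php, including password-reset forms).
add_action( 'login_init', function () {
	if ( ! bc_request_allowed() ) {
		bc_deny();
	}
} );

// 2. Credential logins wherever they arrive: xmlrpc.php and application-password
//    requests bypass wp-login.php but still pass through the authenticate filter.
add_filter( 'authenticate', function ( $user ) {
	if ( ! bc_request_allowed() ) {
		return new WP_Error( 'bc_country_blocked', 'Logins are not accepted from your location.' );
	}
	return $user;
}, 30 );

// 3. Existing sessions reaching the admin screens. admin-ajax.php and WP-Cron
//    also fire admin_init and are used by the public front end, so they are exempted.
add_action( 'admin_init', function () {
	if ( wp_doing_ajax() || wp_doing_cron() ) {
		return;
	}
	if ( ! bc_request_allowed() ) {
		bc_deny();
	}
} );
```

Nothing here touches normal page requests, which is what keeps a full-page cache safe: cached pages are public content anyway, and the decisions that matter are made on uncached login and admin requests. Test the rule from an address outside the allowlist (a mobile connection or a VPN exit) before relying on it, and remember that a lookup database ages, so refresh it on the same schedule as your other updates.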
