Your WordPress security strategy starts with having strong WordPress login security
WordPress’ strength is that it lets you build a site and administer it from almost anywhere. Anyone who has worked with WordPress knows that you reach the administrative back end by appending /wp-admin (or /wp-login.php) to your domain name.
Every WordPress site uses the same login URL, so brute force attacks against wp-login.php are constant background noise on the internet. You can only protect yourself with solid WordPress login security in place. Moving the login page to a non-default URL is security through obscurity, but it does cut off the large share of automated brute force campaigns that only ever try the default path; the tips below go further and hold up even against an attacker who knows where your login page is.
The following are five simple yet effective tips that can help you keep your WordPress login secure.
Create a Strong Password
This sounds like common sense, but there are many misconceptions about what makes a WordPress password strong, and advice on the subject often conflicts.
The first thing to consider is length. The number of guesses needed to exhaust a password space grows exponentially with length: with the 95 printable ASCII characters there are 95^8 (about 6.6 × 10^15) possible eight-character passwords but 95^12 (about 5.4 × 10^23) twelve-character ones, so every added character multiplies the attacker’s work by the size of the character set. How long that takes in practice depends on how the stolen hash was computed and on the attacker’s hardware; crack times quoted for a particular CPU are only meaningful for one particular hash. Against the live login form the attacker is limited to however many requests per second your server will answer, which is why limiting login attempts (below) matters as much as the password itself.
In addition to being long, a password needs to be random. Strength is measured as entropy: how unpredictable the password is. “ABCDEFGHIJKL” has 12 characters, but its sequential pattern makes it one of the first candidates a cracking wordlist will try, whereas “!D3^6E7&0K1M” has no structure an attacker can exploit.
A strong password mixes lowercase and uppercase letters, digits and symbols, or is a long, randomly chosen passphrase. In practice, let a password manager generate and store it: a password you can memorise easily is rarely random.
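To make the length-versus-randomness point concrete, here is an added example (not code from the original article) that estimates the entropy of a candidate password from the character set it draws on and the longest sequential run it contains, then converts that into a crack time at an assumed guess rate. The 1e10 guesses per second figure is an assumption for illustration only; real checkers such as zxcvbn also match dictionary words and keyboard walks, which this heuristic does not.

```php
<?php
// Added example, not from the original article: a crude strength estimate
// that shows why a 12-character sequence such as "ABCDEFGHIJKL" is worth far
// less than 12 random characters. It covers character-set size and simple
// sequences only; it does not match dictionary words.

// Size of the smallest common character set the password draws from.
function charset_size(string $password): int {
    $size = 0;
    if (preg_match('/[a-z]/', $password))        { $size += 26; }
    if (preg_match('/[A-Z]/', $password))        { $size += 26; }
    if (preg_match('/[0-9]/', $password))        { $size += 10; }
    if (preg_match('/[^a-zA-Z0-9]/', $password)) { $size += 33; } // printable ASCII symbols
    return $size;
}

// Longest run of characters that step by a constant -1, 0 or +1
// ("abcd", "4321", "zzzz"). Such a run is essentially one guess:
// a start character plus a length.
function longest_sequence(string $password): int {
    $len = strlen($password);
    if ($len < 2) { return $len; }
    $best = 1; $run = 1; $prev_step = null;
    for ($i = 1; $i < $len; $i++) {
        $step = ord($password[$i]) - ord($password[$i - 1]);
        $small = abs($step) <= 1;
        if ($small && ($prev_step === null || $step === $prev_step)) {
            $run++;
        } else {
            $run = $small ? 2 : 1;
        }
        $prev_step = $small ? $step : null;
        $best = max($best, $run);
    }
    return $best;
}

// Entropy in bits after collapsing the longest sequence to a single symbol.
function entropy_bits(string $password): float {
    $len = strlen($password);
    if ($len === 0) { return 0.0; }
    $effective_len = $len - (longest_sequence($password) - 1);
    return $effective_len * log(charset_size($password), 2);
}

// Seconds to search half the space at the given rate. The rate is an
// assumption: offline attacks on a fast unsalted hash run far faster than
// attacks on bcrypt, and online attacks on the login form are slower still.
function crack_seconds(string $password, float $guesses_per_second): float {
    return pow(2.0, entropy_bits($password) - 1) / $guesses_per_second;
}

function human_time(float $seconds): string {
    $units = ['years' => 31557600, 'days' => 86400, 'hours' => 3600, 'minutes' => 60];
    foreach ($units as $unit => $size) {
        if ($seconds >= $size) { return sprintf('%.1f %s', $seconds / $size, $unit); }
    }
    return sprintf('%.3f seconds', $seconds);
}

// The two passwords from the article, plus one that exposes the heuristic's
// blind spot: "Password1!" scores well here but is in every cracking wordlist.
foreach (['ABCDEFGHIJKL', '!D3^6E7&0K1M', 'Password1!'] as $pw) {
    printf("%-14s %5.1f bits  ~%s at 1e10 guesses/s\n",
        $pw, entropy_bits($pw), human_time(crack_seconds($pw, 1e10)));
}
```

Run it with `php strength.php`. The sequential password collapses to a single effective character, about log2(26) ≈ 4.7 bits, while the random one keeps its full 12 × log2(95) ≈ 78.8 bits; the third line is a reminder that character-set arithmetic alone overrates anything a wordlist already contains.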
Limit Login Attempts
WordPress has no built-in limit on failed login attempts. An attacker can submit an endless series of username and password combinations until one works, not only through the login form but also through xmlrpc.php, which accepts the same username and password and, via system.multicall, lets a tool test many pairs in a single request.
You can increase the security of your WordPress login with security plug-ins designed to limit failed login attempts. You set how many failures are allowed before a particular IP address or username is locked out. With most plug-ins the lockout is temporary; if the same username or the same IP address is locked out repeatedly, the plug-in escalates to banning the address from viewing the site at all. Check that the plug-in you choose also counts failures that arrive through XML-RPC, otherwise the limit only covers the front door.
Here’s a word of caution when setting the limit on login attempts. It’s good to know who actually uses your WordPress site. If you work with people who are not tech savvy or who are forgetful, being too restrictive could mean that you inadvertently lock out people who have every right to access the site.
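The mechanism a limiter plug-in implements fits in a short must-use plugin. The following is an added example, written for this article and not taken from any published plug-in: it counts failures per (client IP, username) pair in WordPress transients, refuses further attempts once the limit is reached, and clears the count on a successful login. Because it hooks `authenticate` and `wp_login_failed`, which core fires for XML-RPC logins as well as for the form, it covers both paths. The thresholds are assumptions to tune for your team.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 *
 * Added example, not from the original article or any published plugin.
 * Save as wp-content/mu-plugins/login-limiter.php; mu-plugins load
 * automatically. Thresholds below are assumptions; adjust to taste.
 */

const LLA_MAX_FAILURES    = 5;        // failures allowed before a lockout
const LLA_WINDOW_SECONDS  = 15 * 60;  // failures older than this are forgotten
const LLA_LOCKOUT_SECONDS = 30 * 60;  // how long a lockout lasts

function lla_client_ip(): string {
    // REMOTE_ADDR is the one address the client cannot set itself. Behind a
    // reverse proxy or CDN, configure the web server (e.g. mod_remoteip) to
    // restore the real client address rather than trusting X-Forwarded-For here.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Transient key for an (IP, username) pair; md5 keeps it well under the
// 172-character transient name limit and free of odd characters.
function lla_key(string $prefix, string $username): string {
    return $prefix . md5(lla_client_ip() . '|' . strtolower(trim($username)));
}

// Priority 30 runs after core's password check (priority 20), so a locked
// pair receives the same error whether or not the password was right: an
// attacker cannot use a lockout to learn that a guess was correct.
function lla_check_lockout($user, string $username, string $password) {
    if ($username === '') {
        return $user;
    }
    $locked_until = get_transient(lla_key('lla_lock_', $username));
    if ($locked_until !== false) {
        $minutes = max(1, (int) ceil(($locked_until - time()) / 60));
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', $minutes)
        );
    }
    return $user;
}
add_filter('authenticate', 'lla_check_lockout', 30, 3);

// Core fires wp_login_failed for every failed wp_authenticate() call,
// including attempts that arrive through xmlrpc.php.
function lla_record_failure(string $username) {
    if (get_transient(lla_key('lla_lock_', $username)) !== false) {
        return; // already locked; do not extend the count
    }
    $key      = lla_key('lla_fail_', $username);
    $failures = (int) get_transient($key) + 1;
    if ($failures >= LLA_MAX_FAILURES) {
        set_transient(lla_key('lla_lock_', $username),
                      time() + LLA_LOCKOUT_SECONDS, LLA_LOCKOUT_SECONDS);
        delete_transient($key);
        // Write to the PHP error log so the event shows up in monitoring.
        error_log(sprintf('login-limiter: locked out %s for username "%s"',
                          lla_client_ip(), $username));
    } else {
        set_transient($key, $failures, LLA_WINDOW_SECONDS);
    }
}
add_action('wp_login_failed', 'lla_record_failure');

// A successful login resets the failure count for that pair.
function lla_clear_failures(string $user_login, WP_User $user) {
    delete_transient(lla_key('lla_fail_', $user_login));
}
add_action('wp_login', 'lla_clear_failures', 10, 2);
```

Keying on the (IP, username) pair rather than on the IP alone means a shared office address is not locked out wholesale when one colleague mistypes a password, while a distributed attack on a single account is still throttled per source. Transients live in the options table (or the object cache if one is configured), so no extra storage is needed.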
Require an Additional Username and Password
You will hand-pick who gets access to your dashboard. An additional step is to require a second set of credentials before the dashboard even loads. This is HTTP basic authentication enforced by the web server, set up through your hosting panel’s directory-protection feature or directly in .htaccess, so it is independent of WordPress and its user database.
You might think this extra step is redundant. It is not, for two reasons:
- If a WordPress account password is compromised, the dashboard stays closed. The attacker still needs a second, unrelated set of credentials before reaching wp-login.php at all.
- You can rotate the two sets independently. If you take security seriously, change the web-server credentials your team uses on a regular schedule, every month or two, and remind team members that they should never share them.
Require Two Factor Authentication
Two factor authentication is different from requiring two sets of credentials. It uses a separate device to produce a short-lived code that you enter alongside your WordPress username and password.
For example, some two factor authentication plug-ins for the WordPress login ask you to scan a QR code with an authenticator app on your smartphone. The QR code carries a shared secret; from then on the app shows a six digit time-based code that you enter with your username and password to gain access to your site.
Two factor authentication is considerably more secure than a password alone. A stolen password is useless without the current code, so the attacker needs your device, or has to trick you into typing the code into a fake login page while it is still valid.
Two factor authentication is popular because there are many ways to provide the second factor: authenticator apps, hardware security keys and key fobs, SMS messages, and biometrics such as a fingerprint, voice or retina scan. SMS is the weakest of these, since a phone number can be taken over; prefer an app or a hardware token where you can.
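The six digit codes described above are time-based one-time passwords (RFC 6238). The following is an added example, not code from the original article or from any WordPress plug-in, that implements the verification side: it decodes the base32 secret the QR code carries, derives the code for the current 30-second step, accepts one step of clock drift either way, and refuses to accept a counter at or below the last one used so that a code cannot be replayed within its window. The secret used in the self-check is the published RFC 6238 test vector, not a real credential.

```php
<?php
// Added example, not from the original article: a minimal RFC 6238 TOTP
// verifier, the algorithm behind authenticator-app codes.

function base32_decode_key(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32  = strtoupper(rtrim($b32, '='));
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 secret');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }
    }
    return $out;
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
// "dynamic truncation" to a 31-bit integer reduced to $digits decimal digits.
function hotp(string $key, int $counter, int $digits = 6): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hash[19]) & 0x0f;
    $code   = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp(string $key, int $unix_time, int $step = 30, int $digits = 6): string {
    return hotp($key, intdiv($unix_time, $step), $digits);
}

// Returns the counter that matched (store it as the user's new last-used
// counter) or null if the code is wrong or has already been used.
function verify_totp(string $b32secret, string $submitted, int $now,
                     int $last_used_counter, int $step = 30): ?int {
    $key     = base32_decode_key($b32secret);
    $counter = intdiv($now, $step);
    for ($drift = -1; $drift <= 1; $drift++) {   // tolerate one step of clock skew
        $c = $counter + $drift;
        if ($c <= $last_used_counter) {
            continue;                             // replay of an already-used step
        }
        // hash_equals is constant-time; plain == would leak via timing.
        if (hash_equals(totp($key, $c * $step, $step), $submitted)) {
            return $c;
        }
    }
    return null;
}

// Self-check against the RFC 6238 test vector: secret "12345678901234567890"
// (base32 below), time 59 -> 94287082, i.e. "287082" when truncated to 6 digits.
$rfc_secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$code = totp(base32_decode_key($rfc_secret), 59);
echo "code at t=59: $code (RFC 6238 expects 287082)\n";

$first  = verify_totp($rfc_secret, $code, 59, 0);   // accepted: returns counter 1
$replay = verify_totp($rfc_secret, $code, 59, $first ?? 0); // same code again: null
echo 'first use: ' . var_export($first, true) . ', replay: ' . var_export($replay, true) . "\n";
```

Two details matter in production beyond the algorithm itself: the per-user secret must be stored encrypted or at least as tightly protected as a password hash, since anyone who reads it can generate codes, and the last-used counter must be persisted per user so that the replay check survives across requests.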
White List Your IP Addresses
You can specify which IP addresses may reach your dashboard. Whitelisting is an effective technique for three reasons:
- You decide exactly who gets in. It requires known, fixed addresses: if your team members all have static IP addresses, or connect through a company VPN with a fixed exit address, you can permit those addresses and nothing else. Team members on home or mobile connections whose addresses change will lock themselves out, so routing everyone through a VPN is usually the practical option.
- IP addresses are hard to fake. A source address can be written into a packet, but the TCP handshake a web request needs will not complete, so an attacker would have to send traffic from inside one of your permitted networks, typically by compromising a device behind that address. Note that the check sees the address of whatever last forwarded the request: behind a CDN or reverse proxy the web server must be configured to recover the real client address (mod_remoteip on Apache), or every visitor appears to come from the proxy.
- Implementing IP whitelisting is relatively easy. A few lines in your .htaccess file restricting wp-login.php and the wp-admin directory are all it takes.
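The two web-server controls described in this article, the extra set of credentials in front of the dashboard and the IP whitelist, are usually set up in the same place, so here is one added example (not configuration from the original article) covering both in Apache 2.4 syntax. The addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 and the .htpasswd path is an assumption; substitute your own.

```apache
# Added example, not from the original article. Apache 2.4 syntax.
# Assumptions: this is the site-root .htaccess, the allowed addresses are
# 203.0.113.10 and 198.51.100.0/24, and the password file lives outside
# the web root. Create that file with bcrypt hashes:
#   htpasswd -B -c /etc/apache2/wp-login.htpasswd alice

# 1. Second credential layer plus IP whitelist in front of the login page.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/apache2/wp-login.htpasswd"
    # Both conditions must hold: a valid basic-auth user AND an allowed address.
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.10 198.51.100.0/24
    </RequireAll>
</Files>

# 2. xmlrpc.php accepts the same username and password as the login form and
#    bypasses both controls above, so deny it unless you rely on the mobile
#    app or another XML-RPC client.
<Files "xmlrpc.php">
    Require all denied
</Files>

# --- wp-admin/.htaccess (a separate file inside the wp-admin directory) ---
# The same rules protect the dashboard itself once a session cookie exists.
# AuthType Basic
# AuthName "Restricted"
# AuthUserFile "/etc/apache2/wp-login.htpasswd"
# <RequireAll>
#     Require valid-user
#     Require ip 203.0.113.10 198.51.100.0/24
# </RequireAll>
# Themes and plug-ins call admin-ajax.php from the public site for every
# visitor, so exempt it or front-end features break.
# <Files "admin-ajax.php">
#     Require all granted
# </Files>
```

Test the rules from an address that is not on the list before relying on them: a request to /wp-login.php should get a 403, not a 401 prompt, since RequireAll only consults the password once the address check passes. If the site sits behind a CDN or reverse proxy, enable mod_remoteip with the proxy's real-IP header first; otherwise `Require ip` sees only the proxy's address and the whitelist either locks everyone out or lets everyone in.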
We have discussed some simple yet effective ways to secure your WordPress login. We would love to hear from you. Are there other tips and techniques that you have found to be effective? If so, tell us about them in the comments section below.