Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken. This article will go through some common forms of vulnerabilities, and the things you can do to help keep your WordPress installation secure.
Specifically, let’s discuss how to lock down your WP-admin section so you can keep out unwanted influences:
- Use Complex Passwords: If your current admin password is “password123” or something remotely similar in its simplicity, then you have a serious issue. You might as well have a flashing neon “Welcome!” sign for hackers hanging in your website’s front window. To understand why having a simple password attached to your WordPress admin user is so dangerous, consider the following:
– It’s not terribly difficult to determine if a site is run on WordPress or not.
– If a site is run on WordPress, appending the domain with wp-login.php will almost always take you to the login page (even if it’s not linked anywhere on the site).
– Because “admin” is the default first user name, most WordPress-powered sites use it, and that user name has full administrator access.
– Thus, for most WordPress websites, the security of the entire site is literally only as strong as the admin password.
- Secure User Name: As mentioned above, admin is the first user name on many WordPress websites, and it has administrator access. This is because it is the one suggested during the installation process.
There is a simple solution to this: don’t have an admin user named “admin.” When you first set up your WordPress install, define a different username.
Or, if you have an admin user right now, do one of the following:
– Make it a non-administrator account.
– Go into your database and edit the record.
Either way, you give anyone with nefarious intentions one more hurdle to jump before they can get into your site and wreak havoc.
Another way to accomplish the same objective is to change the login page. I’ve not found any plugins I particularly like for this though, so make sure you know what you’re doing if you choose to attempt it.
- Require a YubiKey: If you really want to get serious about locking down your dashboard, a YubiKey from Yubico is an option (and there is a plugin for easy integration). The plugin lets you require a physical key, called a YubiKey, for certain usernames.
The key is a small USB doohickey (technical term) that must be installed on the computer being used to log in.
Without it, that username cannot be logged in to, even by someone who knows the password.
The key fits easily on a set of keys, so it is very convenient. This is an especially good option on sites with only one or a few administrators but many users at the contributor, author, or even editor level.
Not every user needs a key, only those you designate. So if you want to lock down your account with administrator access, you can do so without affecting the login process for anyone else. If security is really important to you, then this is a great option. And, as further proof that we take it seriously, we use it here at Business Seo Solution for certain users.
- Secure WP-Includes: A second layer of protection can be added for scripts that are generally not intended to be accessed directly by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.
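As an added example (not this page’s own code), here is the mod_rewrite block that the WordPress Codex “Hardening WordPress” guide recommends for this purpose, with comments added to show what each rule does and where it sits relative to the WordPress-managed markers. It assumes WordPress is installed at the web root (hence RewriteBase /) and is a single-site, not Multisite, installation.

```apache
# Block direct web requests to include-only PHP files.
# Added example following the WordPress Codex "Hardening WordPress" guidance;
# assumes WordPress lives at the site root and is NOT a Multisite install
# (on Multisite the wp-includes/*.php rule would also block ms-files.php).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# wp-admin/includes/ is only ever loaded by other PHP files, never by a browser.
RewriteRule ^wp-admin/includes/ - [F,L]
# If the request is NOT under wp-includes/, skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Forbid any .php file sitting directly in wp-includes/ (not in subdirectories).
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
# Forbid the TinyMCE language files, which are PHP but never browser-facing.
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
# Forbid the legacy theme-compat directory entirely.
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
# (the rules WordPress manages itself live here; leave them as they are, since
#  WordPress may rewrite this region at any time)
# END WordPress
```

To confirm the rules are active after saving, request wp-includes/version.php in a browser; a 403 Forbidden response means the block is working.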