WordPress security is one of those very important topics that many people talk about but few actually take seriously.
I understand why: most users just can’t picture the threat clearly enough to see the value of taking the necessary steps to secure their site.
What I’m saying is that people would find it inconceivable to leave the door to their house open, yet they do exactly that with their web presence. This becomes serious when that web presence is a substantial asset of your business.
So I’m going to try and be practical and illustrate just one aspect of WordPress security. Hopefully this will help you see the value in certain security practices and properly locking down your WP installation.
Imagine you go to a cafe or co-working space and start working on your website. You log in to the dashboard and start writing articles or modifying things on your site. Just a couple of tables away, someone is sniffing all of the network’s traffic using Wireshark. He then packs up and goes back home. You do the same a few hours later.
Pause. Now’s the time to ask an important question. Have you protected your WordPress login?
If not, let’s see what might happen next.
The hacker (he doesn’t necessarily need to be very knowledgeable) goes through the data he captured earlier in the day. He searches for the WordPress login URL and finds a couple of instances, one of them being yours. A few more keypresses in Wireshark and he gets the following information, neatly presented for him to use.
Those are your login credentials right there. Yes, including your password in clear text. A strong password provides no protection here.
What happened? The hacker simply intercepted the login request originating from your laptop. He now has your username and password and can log in at will. Since you were logging in with an account with full admin rights, the hacker can wreak total havoc on your site. That includes injecting malicious code into your theme or plugins, deleting all your posts, changing your password, and much more.
How do you feel now? Not good I suppose.
Do I have any good news for you today?
Luckily, yes: there are some easy steps you can take to avoid this type of security breach.
Here are my recommendations:
- Buy an SSL certificate and force SSL admin logins
- Add two-step authentication
Buy an SSL Certificate and Set Up SSL Logins
There’s a whole range of prices for SSL certificates, starting from $10 and going up to $1000. For protecting your login page you will be fine with a cheap SSL certificate from GoDaddy. Once you’ve purchased the certificate you should contact your hosting provider’s support staff so they can install it for you. Note that not all hosts allow you to use SSL. On my favourite host, WP Engine, it’s just a matter of opening a support ticket and they’ll set everything up for you. They’ll also offer guidance on purchasing an SSL certificate if needed.
Adding Two-Step Authentication
Two-step authentication means that not only will you use your username and password to log in, but you will also enter a number generated by the Google Authenticator app for Android or iPhone.
Google Authenticator is an open-source, software-based two-step authentication token developed by Google. The Authenticator provides a six-digit number that users must provide in addition to their username and password to log in to Google services.
There is a handy Google Authenticator plugin that you can use to set this up on your WordPress login. Since the number is newly generated every time and is tied to just your mobile device, a hacker won’t be able to log in to your site even if he has your username and password. He would have to take the extra step of stealing your phone too!
For a final bonus tip, I suggest that you don’t log in with an administrator user on your website unless you want to make changes to the theme or plugins, or perform other actions tied to admin roles. In other words, if you just want to write a few posts, you don’t need admin rights. For extra security, you can also make it a personal rule to never log in with admin rights from public Wi-Fi networks.
Hopefully this post has opened your eyes to the value of protecting your WordPress dashboard and to the value of WordPress security in general.
At WP Mayor we offer WordPress Security Audit and WordPress Security Lockdown services in which we take care of many aspects of WordPress security for you.
Questions? Fire away in the comments section!