Do You Know How Easy it is to Sniff WordPress Login Credentials?

WordPress security is one of those very important topics that many people talk about but few actually take seriously. I understand why: most users just can't visualise things well enough to comprehend the value of taking the necessary steps to secure their site. In this article I'll explain how easy it might be to hack your WordPress site.

What I’m saying is that folks find it inconceivable to leave the door to their house open, yet they do exactly that with their web presence. This becomes serious when that web presence is a substantial asset of your business.

So I’m going to try and be practical and illustrate just one aspect of WordPress security. Hopefully this will help you see the value in certain security practices and properly locking down your WP installation.

Imagine you go to a cafe or co-working space and start working on your website. You log in to the dashboard and start writing articles or modifying stuff on your site. Just a couple of tables away, someone is sniffing all the network’s traffic using Wireshark. He then packs up and goes back home. You do the same a few hours later.

Pause. Now’s the time to ask an important question. Have you protected your WordPress login?

If not, let’s see what might happen next.

The hacker (he doesn’t necessarily need to be very knowledgeable) observes the collected data from earlier on in the day. He searches for the WordPress login URL and finds a couple of instances, one of them being yours. A few more keypresses in Wireshark and he gets the following information, neatly presented for him to use.

[Figure: sniffing wordpress]

Those are your login credentials right there. Yes, including your password in clear text. The strong password won’t provide any protection here.

What happened? The hacker simply intercepted the login request originating from your laptop. Because it travelled over plain HTTP, he now has your username and password and can log in at will. Since you were logging in with an account with full admin rights, the hacker can wreak total havoc on your site. That includes injecting malicious code in your theme or plugins, deleting all your posts, changing your password, and much more.

How do you feel now? Not good, I suppose.

Do I have any good news for you today?

Luckily, yes, there are some easy steps you can take to avoid this type of security breach.

Here are my recommendations:

  1. Buy an SSL certificate and force SSL admin logins
  2. Add two-step authentication

Buy an SSL Certificate and Set Up SSL Logins

There’s a whole range of prices for SSL certificates, starting from $10 and going up to $1000. For protecting your login page you will be fine with a cheap SSL certificate from GoDaddy. Once you’ve purchased the certificate you should contact your hosting provider’s support staff so they can install it for you. Note that not all hosts allow you to use SSL. On my favourite host WP Engine it’s just a matter of opening a support ticket and they’ll set up everything for you. They’ll also offer guidance on purchasing an SSL certificate if needed.

Adding Two-Step Authentication

Two-step authentication means that not only will you use your username and password to log in, but you will also use a number generated by the Google Authenticator app for Android or iPhone.

Google Authenticator is an open-source, software-based two-step authentication token developed by Google. The Authenticator provides a six-digit number that users must provide in addition to their username and password to log in to Google services.

There is a handy Google Authenticator plugin that you can use for setting this up on your WordPress login. Since the number is newly generated every time and is tied to just your mobile device, a hacker won’t be able to log in to your site even if he has your username and password. He would have to take the extra step and steal your phone too!

For a final bonus tip, I suggest that you don’t log in with an administrator user on your website unless you want to make changes to the theme, plugins or other actions tied to admin roles. In other words, if you just want to write a few posts, you don’t need admin rights. You can also make it a personal rule to never log in with admin rights from public Wi-Fi networks for extra security.

Hopefully this post has opened your eyes to the value of protecting your WordPress dashboard and to the value of WordPress security in general.

At WP Mayor we offer WordPress Security Audit and WordPress Security Lockdown services in which we take care of many aspects of WordPress security for you.

Questions? Fire away in the comments section!


6 Responses

  1. Good point, never log in to any public network without using a safe connection. Well, alternatively you could use a VPN to make sure you’ve a secure connection on a public network.

  2. Unfortunately, this is a really nasty issue. Thanks, Jean, for bringing attention to it! Speaking of security, WordPress just released an important security update — WordPress 3.6.1 — that people should also upgrade to.

    It’s also worth mentioning that our team over at ManageWP takes WordPress security very seriously. We help protect against these types of attacks. We use a secure SSL connection on our site, and we also utilize OpenSSL (as opposed to a weaker XML-RPC that WordPress utilizes) for communicating with our worker plugin that connects ManageWP to each individual WordPress site. This ensures the highest level of protection possible, and could be an easy solution that handles the above situations.

    Still, if you’re out and about on a public network, definitely use a VPN, as Rudd suggested, as it will protect all your work. Personally, I use Private Internet Access — I haven’t had any issues with them and they have servers all around the world; they also work with mobile devices.

    Most importantly, always keep your sites updated! 🙂

  3. One thing to note would be that if you do not have a SSL connection but you use two-step authentication it will still be possible to get hacked by someone sniffing your login data, as they can also see the authenticator token you enter.
    This is only possible if the hacker is really quick, as the token expires quickly, but it is possible.

  4. I’ve found that Yubikey (or similar) – which is a very simple physical device that emulates a USB keyboard and generates a one time password – is a great way to circumvent this threat.

    Yubikey offers a WordPress plugin and you can configure it so only the admin user needs to use it; other users with lower access levels can log in with just username/password.

  5. Consider also, someone could have temporarily had admin access at any WordPress site on your server / cPanel installation, then used PHP glob(“../*”) to find your other sites and inject password sniffers at site level, so your password could be compromised on any of the sites on your server without even needing to be on a network with other hackers. BTW, I’ve done this before and it’s amazing how often it works.
