Your website is like your home: there is information you want to share and information you don't. More importantly, your WordPress website is there for a reason, whether that is business, sharing personal news with family and friends, telling the world what you think, and so on.
In any case, it is yours, so you will want to lock it down so that nobody except you (and the people you choose) can get in. In this article, I am going to show you how to do just that.
The first part of my article “WordPress Essentials” covers pretty much what you need to do regarding your WordPress installation.
Next you need to secure some other parts of your site.
First and most important: your WordPress login.
Softaculous gives you the option to install a limit-login-attempts plugin at the same time you install WordPress. Do it, always, no matter what else you do later.
It will lock out a client after 2, 3, 5 (whatever number you choose) failed login attempts. Note that these plugins usually count failures per client IP address, so they slow down brute-force attacks but are not a replacement for a strong password.
Also, if you work from public networks, there is a good chance your credentials can be captured in transit. The following is an extract from an article on WpMayor by Jean Galea that you may want to read.
Imagine you go to a cafe or co-working space and start working on your website. You log in to the dashboard and start writing articles or modifying stuff on your site. Just a couple of tables away, someone is sniffing all the network's traffic using Wireshark. He then packs up and goes back home. You do the same a few hours later.
Pause. Now’s the time to ask an important question. Have you protected your WordPress login?
If not, let’s see what might happen next.
The hacker (he doesn’t necessarily need to be very knowledgeable) observes the collected data from earlier on in the day. He searches for the WordPress login URL and finds a couple of instances, one of them being yours. A few more keypresses in Wireshark and he gets the following information, neatly presented for him to use.
Those are your login credentials right there. Yes, including your password in clear text. A strong password won't provide any protection here.
What happened? The hacker simply intercepted the login request originating from your laptop. He now has your username and password and can log in at will. Since you were logging in with an account with full admin rights, the hacker can wreak total havoc on your site. That includes injecting malicious code in your theme or plugins, deleting all your posts, changing your password, and much more.
So you need at least a second step at login. Google Authenticator is a good option; it has a mobile app, and I keep mine on the front page of my device. To use it on your site you need the Two-Factor Authentication ( Google Authenticator ) plugin for WordPress, or a similar one (I chose that one based on reviews and updates). Keep in mind that a one-time code limits what a thief can do with a stolen password, but the real fix for the cafe scenario is to serve the login page and dashboard over HTTPS, so that neither the password nor the session cookie crosses the network in clear text.
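To show how the two login controls recommended above fit together (the lockout after a few failed attempts, and the one-time code that Google Authenticator generates), here is an added example written for this article; it is not code from the original post, from Softaculous, or from any of the plugins mentioned. It implements the TOTP algorithm from RFC 6238 that authenticator apps use, verified against the RFC's own test secret, and a small per-IP lockout in front of it. The `LoginGate` class, the user record layout, the IP addresses and the PBKDF2 password hashing are all my own stand-ins (WordPress hashes passwords its own way and the real plugins store their counters in the database), chosen only so the flow runs offline.

```python
import base64
import hashlib
import hmac
import struct
from collections import defaultdict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP, what Google Authenticator displays: HOTP with counter = now // step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current 30-second step or its immediate neighbours (phone clock drift).
    compare_digest keeps the comparison constant-time."""
    current = now // 30
    return any(hmac.compare_digest(hotp(secret, current + d), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for the site's own password hashing; PBKDF2-SHA256 here (hypothetical)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGate:
    """Hypothetical login gate: per-IP lockout after max_failures consecutive failures,
    then password check, then TOTP check."""

    def __init__(self, users: dict, max_failures: int = 3, lockout_seconds: int = 900):
        self.users = users
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # ip -> consecutive failed attempts
        self.locked_until = {}             # ip -> unix time the lockout ends

    def _fail(self, ip: str, now: int, reason: str) -> str:
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_seconds
            self.failures[ip] = 0
        return reason

    def login(self, ip: str, username: str, password: str, code: str, now: int) -> str:
        """Returns the reason for the server log. The browser should get one generic
        'login failed' message whatever the reason, so it cannot tell a wrong
        password from a wrong code."""
        if self.locked_until.get(ip, 0) > now:
            return "locked"               # refuse before touching credentials at all
        rec = self.users.get(username)
        # Hash even for unknown users so response time does not reveal valid usernames.
        salt, stored = (rec["salt"], rec["hash"]) if rec else (b"\0" * 16, b"\0" * 32)
        if not hmac.compare_digest(hash_password(password, salt), stored) or rec is None:
            return self._fail(ip, now, "bad_credentials")
        if not verify_totp(rec["totp_secret"], code, now):
            return self._fail(ip, now, "bad_code")
        self.failures.pop(ip, None)       # a successful login clears the counter
        return "ok"


# Constructed sample data: the RFC 6238 test secret "12345678901234567890",
# written in base32 the way an authenticator app receives it from the QR code.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
RFC_SECRET = base64.b32decode(RFC_SECRET_B32)
SALT = b"constructed-salt"
USERS = {"admin": {"salt": SALT, "hash": hash_password("correct horse battery", SALT),
                   "totp_secret": RFC_SECRET}}


def demo() -> list:
    """Three bad guesses from one IP trigger the lockout, which also blocks the correct
    password; once it expires the login succeeds; a second IP is unaffected but is
    refused with a wrong code."""
    gate = LoginGate(USERS, max_failures=3, lockout_seconds=900)
    now = 1111111109                      # RFC 6238 vector: the SHA1 code at this time is 081804
    results = [gate.login("203.0.113.5", "admin", "guess%d" % i, "000000", now) for i in range(3)]
    results.append(gate.login("203.0.113.5", "admin", "correct horse battery", totp(RFC_SECRET, now), now))
    later = now + 901
    results.append(gate.login("203.0.113.5", "admin", "correct horse battery", totp(RFC_SECRET, later), later))
    results.append(gate.login("198.51.100.7", "admin", "correct horse battery", "000000", now))
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout is keyed on the client IP, as the plugins generally are, which is why it slows a brute-force attacker but does nothing against someone who already has your password from the cafe scenario; that is the job of the second factor, and the `window` of one step on either side is the usual tolerance for a phone clock that is a few seconds off.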
Another plugin I use is Wordfence. You can use any other security plugin; test them and read about them. iThemes is another popular plugin that can help you. As always, there are plenty of users in favour of every plugin, so decide based on the features you need; many of these plugins have a free and a paid option.
Another well-known secure practice is to keep core and plugins updated to the latest version, always. If it is a security update, apply it the same day (or that night, when your site has less traffic); otherwise you can wait until Friday or Saturday night, so that if anything breaks you can work on it on Sunday before the site gets high traffic again on Monday. Take a backup before you update, so a broken update can be rolled back.