If you’re running a small blog or website for your small business, you probably think that your site won’t be targeted by hackers and that you don’t have to take measures to secure your sites. The bad thing is most of the attacks online are automated botnets, and they don’t really care if you are running a small or big business.
In this article we will show you some of the security measures you can take to secure your WordPress login page.
1. Integrate Two-Factor Authentication
Two-step or two-factor authentication has now become an inevitable step to secure any online account. Users mainly use this security layer for their most important online accounts. It’s time you enable it for your WordPress site.
The plugin we recommend is Google Authenticator because it’s frequently updated, and it’s easy to set up. Before getting started, make sure you download the Authenticator App on your mobile device. It’s available on Android, iOS, and Blackberry.
1. Install the Google Authenticator plugin and activate it.
2. Go to “Users -> Your Profile” and scroll down to Google Authenticator Settings.
3. Click the box beside “Active,” and add a small description in the Description field. The description will help you identify your website on the mobile app if you have set up multiple codes.
4. Click on the “Scan QR” button to make the pattern visible. Open the mobile app and scan this QR pattern. This will generate a six-digit code that you can now add during your login.
This code changes every ten seconds, so you have to add it in that time period. Whenever you log in to your WordPress site, keep the Authenticator app open on your device. Keep in mind you only have ten seconds for entering the code and hitting the Login button.
2. Make Use of Security Plugins
There are plenty of security plugins out there, but the list below contains those that are meant for protecting the Login Page.
- WPS Hide Login: the default WordPress page is “wp-login.php.” With this plugin, you can change the login page to a custom URL of your choice.
- WP Limit Login Attempts: This plugin works as a defense against brute force attacks. It lets you set the number of login attempts for a user. If the user fails to log in in the given number of attempts, then the user’s IP will be temporarily blocked from the site. Apart from that, it also adds a captcha verification to get rid of the bots.
- Loginizer: This is an all-in-one plugin to protect your login page from brute force and other attacks. It has Two Factor Auth, reCAPTCHA, PasswordLess Login and many other security features specifically for login.
3. Allow Only Certain IP Address to Access the Login page
If there are only a few users for your site, you can add a whitelist of IP addresses that can access the login page. To do so, you just have to create a “.htaccess” file in your “wp-admin” folder (using the cPanel of your web host).
Add the following code to the newly created “.htaccess” file:
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "WordPress Admin Access Control" AuthType Basic <LIMIT GET> order deny,allow deny from all # Ab's IP address allow from xx.xx.xx.xxx # Ketul's IP address allow from xx.xx.xx.xxx # John's IP address allow from xx.xx.xx.xxx </LIMIT>
Just change the “xx” with the IP address that you want to whitelist. Also, you can add comments above them to specify a user. This will allow only the mentioned IP addresses to access the “wp-admin” page. It will show a 403 error if accessed from another IP address. This way you can limit the access to your login page and increase your site security.
4. Switch to HTTPS
If you really care about the security of your WordPress site or blog, then HTTPS is the protocol you should definitely upgrade to. HTTPS basically encrypts the connection between your web browser and the web server, making it difficult for an attacker to spoof over the data that is being transferred. It can protect you from a malicious script hidden on your computing device, a script that can steal data from login forms and other input fields.
Apart from security, you also get an advantage over other non-HTTPS sites on Google search results. Moreover, the SSL certificates required for an HTTPS connection have become much cheaper than they were before.
Protecting your WordPress login page is the first step to ensuring your site is secured. With the steps mentioned above, you will have a sturdy login page that can withstand a brute force attack and most of the hacks out there.