Simple WordPress Security Using Strong Usernames and Passwords and Two-Step Authentication
The most common WordPress hacks result from the use of poor usernames and passwords. To protect your site from brute force attacks (automated, repeated login guesses against your administrative account), you can do the following:
1 – Change your admin username.
To do this:
1 – Log in to your site.
2 – Create a new administrative user that does NOT use the word “admin” as the username. You can make this long and use letters and numbers.
3 – Log out of your site.
4 – Log in with the new administrative username.
5 – Delete the old “admin” user but be sure to ASSIGN all posts, pages, etc. to the new user when prompted.
2 – Change your password to something strong (really strong)
Something strong is usually NOT something you can remember. Ideally, you’ll use a random password generator, such as:
- Online Generator: http://www.pctools.com/guides/password/
- RPG Dashboard Widget for Mac OS: http://www.apple.com/downloads/dashboard/networking_security/rpgwidgetedition_davidkreindler.html
If you use strong passwords, you’ll need something to securely keep track of them. I prefer 1Password: http://agilebits.com/products/1Password
3 – Limit login activity
From Matt Mullenweg:
“Most other advice isn’t great – supposedly this botnet has more than 90,000 IP addresses, so an IP-limiting or login-throttling plugin isn’t going to be great (they could try from a different IP [address] a second for 24 hours).”
4 – Enable Two-Step Authentication
Two-factor authentication means that in addition to your password, you must pass a second test to prove that you really are who you say you are. This might be a code sent to your phone or by email, which you enter on the login page along with your username and password. Since only YOU have access to that secondary channel (your phone or email account), it’s a fool-proof way to stop anyone who may have stolen your password from ever being able to log in.
The Simple Security Firewall plugin offers two-factor authentication via email-based authentication or Yubikey. Clef is a two-factor authentication system that does not rely on passwords or tokens but uses magical animated bars to authenticate your login. It’s cool. But, I’m a number person, so I prefer Google Authenticator.
The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.
If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail/Dropbox/Lastpass/Amazon etc.
The two-factor authentication requirement can be enabled on a per-user basis for your WordPress site. You could enable it for your administrator account, but log in as usual with less privileged accounts (such as Contributor or Editor).
To set up two-step authentication:
- Make sure your web host provides accurate time information to PHP/WordPress, i.e. make sure an NTP daemon is running on the server (time-based codes only work if the server clock agrees with your phone’s).
- Install and activate the Google Authenticator plugin.
- Go to Users and click the user you want to enable authentication for to edit that user’s profile.
- Enter a description that will display in the Google Authenticator app on your phone. This is to differentiate Google Authentication for different WordPress installs you may be using this on.
- Download the Google Authenticator app to your phone.
- Scan the generated QR code on the user page with your phone, or enter the secret manually in the Google Authenticator app on your phone; remember to pick the time-based option.
You may also want to write down the secret on a piece of paper and store it in a safe place.
- Remember to hit the Update profile button at the bottom of the page before leaving the Personal options page.
- That’s it: your WordPress blog is now a little more secure.
Log out, and you will notice that you must now enter a Google Authenticator code to log back in.
Note: This feature will soon be released in Jetpack for those of you using Jetpack. Two-step authentication is already built in to blogs on WordPress.com and just needs to be turned on. For instructions to enable this on your WordPress.com account: http://en.blog.wordpress.com/2013/04/05/two-step-authentication/
5 – Limit Who Has Administrative Privileges
It might be a good idea to make a non-administrator account the author of your posts and pages, to avoid “giving up” the administrator login name via the author archive URL. To do this, set up a user who is a contributor or editor and, when you create posts or pages, assign them to that person. Limiting administrative privileges also concentrates the security measures above (strong password and two-factor authentication) on that one critical user.
6 – Delete unused plugins and themes and UPDATE everything
While not related to this particular attack, staying up to date is critical, and deleting unused themes and plugins is always a good idea to limit your exposure. Updating, and not running old and outdated versions of WordPress or other software on your hosting account, is a huge part of not being hacked. If you haven’t updated in a while, read my post on Updating WordPress Themes and Plugins Safely.
7 – If you get hacked
- You may not know it for a long time, or until your site is blacklisted by Google. A plugin like Wordfence can alert you if malicious code is found in any of your files.
- Immediately log in to your site and change your password. Also, change your email, hosting, and FTP passwords.
- Find someone who can help you restore from your backup or clean up your files. Usually your web host can restore from a recent backup very quickly, if one is available. I sometimes can help people with this, or you can contact the good folks at Sucuri.net.
- Please read my Nuke it From Orbit post for detailed instructions on completely cleaning your site by starting from scratch (yet retaining your post and page content). This is a slash and burn technique, and you can modify as needed depending on the severity of the hack.
Back-to-basics security measures in the form of strong passwords, unique usernames, two-factor authentication, staying up to date, and keeping your site clean and tidy are really the only truly effective things you can do at any given point in time. If you are using vulnerable plugins or themes, you are at risk. Use plugins and themes with caution and keep them up to date. Hackers typically go after low-hanging fruit, so be smart.