5 Tips to Toughen Up Your WordPress Login Security
No matter the size of your website, losing your site data or not being able to access your own website can be a nerve-wracking experience. WordPress, which powers more than 25% of the Web, is one of the most targeted websites for hackers.
If you are running a WordPress-powered website, its security should be your primary concern. In most cases, WordPress…Read more
In our previous posts, we have shown you a number of tips and tricks which already covered almost everything to secure your WordPress website. Still, there is always room for improvement. In this post we will be looking at a few more tips to help you make your WordPress site harder to breach.
1. Bcrypt Password Hashing
WordPress was started in 2003 when PHP and the Web in general were still in their early days. Facebook was not around yet, PHP did not even have OOP (Object-oriented Programming) architecture built-in; hence, WordPress inherited legacies that are no longer ideal today – including how it encrypts the password.
What the Dropbox Hack Can Teach You About the State of Web Security
In the past week, Dropbox had been making headlines over a hack which saw the email addresses and…Read more
WordPress to this day still uses MD5 hashing. Basically, what it does is to turn your 123456 password into something like e10adc3949ba59abbe56e057f20f883e.
However, since computers are now more sophisticated than 10 years ago this hashed password can now be easily reversed into its bare form almost instantly.
PHP has native encrypting since 5.5 and If your WordPress is running in PHP5.5 or above, there is handy plugin called wp-password-bcrypt that allows you to embrace this native utility in PHP.
Install and activate the plugin through Composer or through MU-Plugins. Re-save your password and you are all set.
2. Enable WordPress.com Protect
Brute-force is a common hacking attempt where attackers try logging in to your website by guessing numerous possible passwords, typically words found in the dictionary. This is the reason why you should set a hard-to-guess password.
Automattic, the people behind WordPress.com, has acquired one of the most popular WordPress plugins that can counter brute-force attacks. It is called BruteProtect, and it is integrated with Jetpack.
Based on our experience, it has tremendously helped us combat brute-force attacks more than close to a million times.
To get it, you need to install Jetpack’s latest version and connect your website to WordPress.com. Then enable the “Protect” module, and white-listing your own IP address as well.
Now you should feel a bit more safer.
3. Hide Your Login URL
WordPress is very well-known for the login page, wp-login.php. Hence hackers know which exact page to direct their brute-force attacks. You can make it harder for them by disguising your WordPress login URL.
Fortunately, there are a few plugins that provide this utility:
The “Forget Password” utility in the login form is a way in for attackers, who usually go through an SQL injection to get your login credentials. If there are only a few people who have access to the admin area, it might be better to switch it off.
To do so, create a new file upload – name it forget-password.php.
HTTPS gives your site an extra layer of security with data transmission. It may also give you a boost in Google search rankings. And now you can get valid HTTPS cert for free through the communal initiative Let’s Encrypt.
For WordPress websites you can easily obtain a Let’s Encrypt certificate with WP Encrypt. So there is no reason why you should not deploy HTTPS in your website today.
I just like to leave you with the reminder that in spite of all these attempts, our websites could still be subject to attacks, hacks and to being compromised by hackers through means beyond our comprehension. Even large companies like Dropbox and LinkedIn have fallen prey to security threats.
As a last resort, remember to regularly back up your website’s files and database whenever you can.