WordPress is approachable and versatile open-source software, which makes it one of the most popular options for building websites. Over 800 million websites use WordPress, or 43.2% of all websites on the internet. That popularity also makes it a frequent target for malicious attacks. Fortunately, many of the ways to protect your website are pretty approachable, too!

Topics in this guide:

  1. Create Strong Passwords
  2. Use an Online Password Manager
  3. Set Up a Locally Hosted Password Manager
  4. Configuring All In One WP Security & Firewall


Create Strong Passwords

A huge portion of keeping any login page secure is having a strong password. Hackers and cybercriminals use a variety of methods to try to crack passwords, including:

  • Brute-force attacks: This involves trying every possible combination of characters until the correct password is found.
  • Dictionary attacks: This involves trying words and phrases from a dictionary or list of common passwords.
  • Hybrid attacks: Hybrid attacks combine elements of brute force and dictionary attacks. For example, a hybrid attack might use a dictionary to generate a list of possible passwords and then use a brute force attack to try all of the passwords on the list.
  • Rule-based attacks: Rule-based attacks use a set of rules to generate possible passwords. For example, a rule-based attack might try passwords that are based on a user's name, birthday, or address.

Here are some tips for creating strong passwords:

  • Use a combination of upper and lowercase letters, numbers, and symbols.
  • Avoid using personal information in your password.
  • Make your password at least 12 characters long.
  • Use a password manager to help you create and store strong passwords.
  • Don't use the same password for multiple accounts.
  • Change your passwords regularly.


Use an Online Password Manager

Creating strong passwords is a great place to start. However, the hard part is remembering all the passwords and using a different one for each account or device. Following password "best practices" gets infinitely easier with the help of a password manager. This option isn't entirely without risk, since a password manager that is hosted online is still connected to the internet: the password manager itself could be hacked, or the service could go offline and be inaccessible when you need it. However, the benefits of a reputable password manager far outweigh the risk of reusing the same password for everything!

1Password

1Password is a reputable, paid password manager that we'd recommend using. It allows you to auto-generate, add, or update passwords within your password "vault". It's available for desktop, iPhone, and Android, so you can add it to all your important devices and have access when you need it. Adding website links to the manager also makes sure you'll be using the correct, secure pages to log into your accounts and not accidentally using scam or phishing sites. Once you're all set up and have "autofill" doing the password heavy lifting, you may never want to go back!




Set Up a Locally Hosted Password Manager

KeePassXC

If you're more technically savvy and looking for a free, open-source option, KeePassXC is a reliable password manager. KeePassXC holds your passwords offline, in an encrypted file on your local computer, which reduces their exposure to the internet and makes them more secure. You can back up this file easily by copying it to an external storage device. For more information, see their "Getting Started Guide".




Configuring All In One WP Security & Firewall

All In One WP Security & Firewall

All In One WP Security & Firewall (AIOS) is a recommended WordPress plugin that provides a suite of login and content security features as well as a Web Application Firewall (WAF). Below are some of the key features and settings that we recommend for most WordPress sites. 


Firewall:

These are some recommended settings that you should apply to your firewall plugin. These features are available on most firewall plugins for WordPress.

If you haven't already, click "Set Up Now"; this ensures the firewall rules run before any other code.



In the firewall section, select all the security options that you can without breaking the functionality of your website. If you aren't sure about an option, feel free to ask our SysOps team.

Some of these options include:

  • Enable basic firewall protection.
  • Completely block access to XMLRPC.
  • Disable index views.
  • Disable trace and track.
  • Deny bad query strings.
  • Block fake Googlebots.


User Login:

Basic website security isn't complete without rate limiting, which is one of the more important controls to implement. Rate limiting caps the number of requests that a user or IP address can make to a WordPress website within a given period of time. The right values depend on how much traffic your site handles, so monitor your website traffic in order to calibrate these settings.
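As an added example (not part of this guide or of the AIOS plugin), the following Python script applies the same sliding-window rate check to constructed web-server log lines, flagging any IP that exceeds a login-attempt threshold against wp-login.php or xmlrpc.php. The log lines, addresses and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/Nginx combined log format: client IP, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Default login page, plus xmlrpc.php, which the guide recommends blocking outright.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
# Constructed sample traffic (RFC 5737 documentation addresses, not real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
198.51.100.23 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
203.0.113.7 - - [10/Oct/2023:13:55:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
203.0.113.7 - - [10/Oct/2023:13:55:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
192.0.2.44 - - [10/Oct/2023:13:56:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.44 - - [10/Oct/2023:14:10:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
not a log line -- the parser must skip it rather than crash
"""

def parse_line(line):
    """Return (ip, datetime, method, path) or None for lines that do not parse."""
    if not (m := LINE_RE.match(line)):
        return None
    ip, stamp, method, path, _status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0]

def flag_login_floods(log_text, max_attempts=5, window_seconds=60):
    """Sliding-window check: {ip: attempts} for IPs exceeding max_attempts login POSTs in any window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if (parsed := parse_line(line)) is None:
            continue
        ip, when, method, path = parsed
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:   # drop attempts older than the window
            hits.popleft()
        if len(hits) > max_attempts and ip not in flagged:
            flagged[ip] = len(hits)   # record the count at the moment of the first breach
    return flagged
```

With the defaults, 203.0.113.7 is flagged on its sixth attempt within a minute, while the single legitimate login and the three spread-out xmlrpc.php hits are not.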



Brute Force:

Under the "Brute Force" section, there is an option to change the login URL; this is a simple but effective way to improve the security of your WordPress website. 



Reasons to change login URL:

  • It makes it more difficult for attackers to find the login page. The default WordPress login page is located at /wp-login.php. This is a well-known fact to attackers, so they often scan websites for this URL. By changing the URL, you make it more difficult for them to find the login page.
  • It reduces the likelihood of brute-force attacks. Brute-force attacks are a type of attack where an attacker tries to guess a user's password by trying a large number of different combinations of characters. If the login page is located at the default URL, attackers can easily automate brute-force attacks using scripts. By changing the URL, you make it more difficult for attackers to automate brute-force attacks.
  • It can help to protect against certain types of malware. Some types of malware can inject malicious code into the WordPress login page. If the login page is located at the default URL, this malicious code can be easily added to your site by attackers.
  • It can make it easier to track unauthorized login attempts. If you have a security plugin that logs unauthorized login attempts, changing the login URL can make it easier to track these attempts. This is because the login attempts will be logged with the new URL.


Two-Factor Auth:

Two-factor authentication (2FA) makes it harder for attackers to get into your accounts. Even if an attacker steals your password, they won't be able to log in without also having your phone.



First, you'll want to navigate to the "Two Factor Auth" section in WP Security, then select "Enabled (Current code: 470302)" and save changes. You will need to download an application capable of scanning a QR code; Google Authenticator is one such application. This will give you a temporary code that adds an additional layer of authentication when you log in. Take note of the private key, which can be used instead of the generated temporary code.
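As an added example, not code from this guide or from the AIOS plugin, this Python script shows what the authenticator app and the plugin are doing behind the QR code: the secret (the "private key") is turned into a 6-digit code every 30 seconds (RFC 6238 TOTP), and the server accepts a code only within a small clock-skew window. The secret is the RFC 6238 test key and the issuer and account names are made up.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Demo-only secret: the RFC 6238 test key "12345678901234567890", written in the
# base32 form an authenticator app shows as the "private key".
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically
    truncated to `digits` decimal digits (the number the app displays)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, submitted, unix_time, skew_steps=1, step=30):
    """Server-side check: accept the current code or one step either side to
    tolerate clock drift, comparing in constant time."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_code(secret_b32, unix_time + delta * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def provisioning_uri(issuer, account, secret_b32):
    """The otpauth:// string that the QR code encodes (Key Uri Format); made-up names."""
    label = quote(f"{issuer}:{account}", safe=":@")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}&digits=6&period=30"
```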


While this is a strong foundation for setting up basic security, we must recognize that cybersecurity is an ongoing process. Additionally, tasks like keeping your software up to date will always be crucial. It's important to recognize that the realm of cybersecurity is a shared responsibility. Your commitment to safeguarding your WordPress login page not only protects your website but also contributes to a safer online environment for everyone. Continual vigilance, education, and adaptability are your strongest allies in the ongoing battle against cyber threats.

By starting with the basics and remaining proactive, you're well on your way to maintaining a secure and resilient WordPress website. Your dedication to security will help ensure the long-term success of your online presence in this ever-changing digital landscape.


If you need help making any of these changes to protect your WordPress login page, please get in touch with our Support team.