Speed and security are our primary focus here at Synthesis.
We mentioned this last Thursday in our post about something that everyone should be doing to maximize page load times, and we’ll surely mention it again in the future.
Since we talked speed in our last post, it’s time to discuss security.
Specifically, let’s discuss how to lock down your WP-admin section so you can keep out unwanted influences.
1. Use Complex Passwords
If your current admin password is “password123” or something remotely similar in its simplicity, then you have a serious issue. You might as well hang a flashing neon “Welcome!” sign for hackers in your website’s front window.
To understand why having a simple password attached to your WordPress admin user is so dangerous, consider the following:
- It’s not terribly difficult to determine if a site is run on WordPress or not.
- If a site runs on WordPress, appending /wp-login.php to the domain will almost always bring up the login page (even if it isn’t linked anywhere on the site).
- Because “admin” was the username the installer suggested for the first account, a great many WordPress sites still use it, and that account has full administrator access.
- Thus, for a great many WordPress sites, the security of the entire site is only as strong as the admin password: the attacker already knows the platform, the login URL, and the username.
A little frightening, no?
So you need to have a complex password attached to any user account on your site with administrator access, especially the admin user because it’s a hacker’s starting point.
Here’s a terrific article on passwords by Eric Griffith for PCMag.
Read it, then act on it. I just did.
Seriously. I stopped in the middle of writing this post and used several of the tips in the article to create a new set of passwords.
Each of my new passwords has the same base to make it easy for me to remember, but then a different appendage based on the website to ensure that they are all different. It also includes lower case letters, capital letters, and numbers.
I just entered my password here and was told it would take “a million years” for a desktop PC to crack it. That’ll work.
(Just for fun, I checked to see how long my previous password would have taken to crack. The response: 19 seconds. Whoa. Glad I decided to switch!)
Please, please, please make sure you are using complex passwords. The security and peace of mind is well worth the small bit of extra mental energy it takes at first to switch and memorize it.
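One way to make sure an administrator cannot set a trivial password in the first place, as an added example that is not code from the original post: a must-use plugin that rejects weak passwords for administrator accounts at the two places WordPress accepts a new one, the profile/user-edit screen and the lost-password reset form. The 14-character minimum, the tiny denylist and the `example_` function names are assumptions for this example, not WordPress defaults.

```php
<?php
/**
 * Plugin Name: Example administrator password policy
 *
 * Added example, not from the original post. Save it as
 * wp-content/mu-plugins/admin-password-policy.php and it loads automatically.
 */

// Return null when the password is acceptable, otherwise the reason it is not.
function example_password_problem( $password, $login ) {
    // Constructed sample denylist; a real one would be far longer.
    $denylist = array( 'password', 'password123', 'admin123', 'letmein', 'qwerty123' );

    if ( strlen( $password ) < 14 ) { // assumed minimum
        return 'Administrator passwords must be at least 14 characters long.';
    }
    if ( in_array( strtolower( $password ), $denylist, true ) ) {
        return 'That password is on the list of commonly guessed passwords.';
    }
    if ( '' !== $login && false !== stripos( $password, $login ) ) {
        return 'The password must not contain the username.';
    }
    return null;
}

// True when the account being saved is (or is about to become) an administrator.
function example_user_is_admin( $user_id, $posted_role ) {
    if ( null !== $posted_role ) {
        return 'administrator' === $posted_role;
    }
    $data = $user_id ? get_userdata( $user_id ) : false;
    return $data && in_array( 'administrator', (array) $data->roles, true );
}

// Profile and Add/Edit User screens. $user is a stdClass; user_pass is only
// present when a new password was typed, and it is still slashed form input.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $role = isset( $user->role ) ? $user->role : null;
    $id   = $update ? (int) $user->ID : 0;
    if ( ! example_user_is_admin( $id, $role ) ) {
        return;
    }
    $login   = isset( $user->user_login ) ? wp_unslash( $user->user_login ) : '';
    $problem = example_password_problem( wp_unslash( $user->user_pass ), $login );
    if ( $problem ) {
        $errors->add( 'pass', $problem, array( 'form-field' => 'pass1' ) );
    }
}, 10, 3 );

// Lost-password reset form. Here $user is a WP_User and the new password is
// still in $_POST; adding an error makes wp-login.php show the form again.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! ( $user instanceof WP_User ) || ! isset( $_POST['pass1'] ) ) {
        return;
    }
    if ( ! example_user_is_admin( $user->ID, null ) ) {
        return;
    }
    $problem = example_password_problem( wp_unslash( $_POST['pass1'] ), $user->user_login );
    if ( $problem ) {
        $errors->add( 'pass', $problem );
    }
}, 10, 2 );
```

The policy deliberately leans on length rather than on requiring particular character classes; a 14-character lower-case passphrase is far harder to brute-force than an 8-character mix of cases and digits, and the denylist catches the handful of strings every password-guessing script tries first.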
2. “Ixnay ethay adminyay…”
All of this password complexity talk has me thinking in code now.
This heading is, of course, pig latin for “Nix the admin.”
You’d be wise to do so.
As mentioned above, admin is the first user name on many WordPress websites, and it has administrator access. This is because it is the one suggested during the installation process.
There is a simple solution to this: don’t have an administrator account named “admin.” When you first set up your WordPress install, choose a different username.
Or, if you have an admin user right now, first create a new administrator account under a different name (so you don’t lock yourself out), then do one of the following:
- Demote “admin” to a non-administrator role such as subscriber, or delete it and reassign its posts to the new account.
- Go into your database and change the user_login value in that user’s row of the users table (the profile screen will not let you change a username).
At the very least, you give anyone with nefarious intentions one more hurdle to jump before they can get into your site and wreak havoc.
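The database route, as an added example that is not code from the original post: a must-use plugin you load once while signed in as an administrator and then delete. The new login and nicename values are assumptions; the file goes through $wpdb so the site’s table prefix is respected.

```php
<?php
/**
 * Plugin Name: Example: rename the "admin" login
 *
 * Added example, not from the original post. Save as
 * wp-content/mu-plugins/rename-admin.php, load any page once while logged in
 * as an administrator, then delete the file.
 *
 * The profile screen refuses to change a username, which is why this edits
 * the users table directly.
 */
add_action( 'init', function () {
    global $wpdb;

    $old_login    = 'admin';
    $new_login    = 'sitekeeper';     // assumed; pick something not guessable from the site
    $new_nicename = 'editorial-desk'; // assumed; must differ from the login, see below

    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only an administrator may trigger the rename
    }
    $user = get_user_by( 'login', $old_login );
    if ( ! $user ) {
        return; // no account named "admin" here
    }
    if ( get_user_by( 'login', $new_login ) || get_user_by( 'slug', $new_nicename ) ) {
        return; // refuse rather than collide with an existing account
    }

    // user_nicename is the slug in /author/<nicename>/ archives, and WordPress
    // redirects /?author=<ID> there, so a nicename equal to the login would hand
    // the new username straight back to anyone who asks for it.
    $rows = $wpdb->update(
        $wpdb->users,
        array( 'user_login' => $new_login, 'user_nicename' => $new_nicename ),
        array( 'ID' => $user->ID ),
        array( '%s', '%s' ),
        array( '%d' )
    );

    if ( 1 === $rows ) {
        clean_user_cache( $user->ID );
        // The auth cookie names the old login, so the current session is now
        // invalid; send the browser to the login page to sign in under the new name.
        wp_safe_redirect( wp_login_url() );
        exit;
    }
} );
```

If you would rather run the equivalent UPDATE against the users table by hand, change both columns, not just user_login, and remember the table is only called wp_users when the install uses the default prefix. Check the display name as well; it is printed on every post the account has written.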
Another way to raise the same hurdle is to move the login page away from wp-login.php. I’ve not found any plugins I particularly like for this though, so make sure you know what you’re doing if you choose to attempt it.
3. Require a Yubikey
If you really want to get serious about locking down your dashboard, a YubiKey from Yubico is an option. (And there is a plugin for easy integration.)
The plugin lets you flag certain usernames as requiring a physical key, called a YubiKey. The key is a small USB doohickey (technical term) that must be plugged into the computer being used to log in; at each login it emits a one-time code that is checked along with the password. Without the key, that account cannot be logged into even by someone who knows the password.
The key fits easily on a set of keys, so it is very convenient.
This is an especially good option on sites with only one or a few administrators but many users at the contributor, author, or even editor level. Not all users have to have the key, just those designated. So if you want to lock down just your account, with administrator access, you can do so without affecting the login process for anyone else.
If security is really important to you, then this is a great option. And proving once again that we walk the walk, we use it here at Synthesis for certain users.
4. Limit Login Attempts
One more way to add a layer of security to your WordPress website is to limit the number of times someone can try to log in.
That forces an attacker to actually know the password attached to a username rather than guess it, and it blunts manual guessing or, more dangerous, an automated brute-force script that tries thousands of passwords a minute.
I have not personally used this plugin on any sites, but Limit Login Attempts seems solid. It was updated in June and has a 5-Star rating, so I feel comfortable passing it along if you want to add this functionality to your site.
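What such a limit looks like under the hood, as an added example that is neither the Limit Login Attempts plugin nor code from the original post: a must-use plugin that counts failed logins per client address in a transient and refuses further attempts once the limit is reached. The limit of 5 failures per 15 minutes and the `example_` names are assumptions.

```php
<?php
/**
 * Plugin Name: Example login throttle
 *
 * Added example, not from the original post. Save as
 * wp-content/mu-plugins/login-throttle.php.
 */

const EXAMPLE_LOGIN_MAX_FAILURES = 5;                      // assumed
const EXAMPLE_LOGIN_WINDOW       = 15 * MINUTE_IN_SECONDS; // assumed

function example_login_client_key() {
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN every visitor
    // shares that address, so you must read the forwarded-for header instead,
    // and only trust it when the request really came from your proxy: trusting
    // X-Forwarded-For from anyone lets an attacker pick a fresh "address" per guess.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_login_fail_' . md5( $ip );
}

// Every failed attempt, whether the username or the password was wrong, bumps
// the counter and restarts the window. It also fires for attempts refused by
// the filter below, so hammering a locked-out address keeps it locked out.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = example_login_client_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, EXAMPLE_LOGIN_WINDOW );
} );

// wp_authenticate_user runs after WordPress has looked up the user row but
// before it compares the password, so a locked-out client is refused without
// learning whether its guess was right.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( (int) get_transient( example_login_client_key() ) >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 10, 2 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_login_client_key() );
}, 10, 2 );
```

Because wp-login.php and xmlrpc.php both go through wp_authenticate, the throttle covers both entry points. Two caveats a practitioner should weigh: everyone behind the same NAT shares one counter, so a neighbour’s failures can lock out a legitimate user, and an attacker with many addresses gets a fresh allowance from each, which is why a per-username counter is the usual complement to a per-address one.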
The words going through my head as I come to the end of this post are: better safe than sorry.
It’s a cliche because it’s true.
Sometimes it can be difficult to get motivated to take extra security precautions in the absence of an immediate threat. But the last thing you want is to wait until it’s too late to act.
A hacker could be trying to get into your WordPress website right now. Just assume that they are, and spend a few minutes setting up one or all of the precautions described here to make that hacker’s job much harder.
It might cost you a little bit of time in the short term, but that’s okay. The payoff will be worth it.
Because peace of mind is priceless.