Simple ways to secure your self-hosted WordPress site

There are dozens of sites and articles that describe how to make a self-hosted WordPress site more secure. Many of them are so in-depth that they probably scare the living hell out of anyone who just started their very first WordPress site and began to explore this new world. That was the case for me, about 2 years ago, when I started my first self-hosted site… (“Move the entire installation to a different directory? I’m so glad it’s running, I don’t want to mess with that!”)

As I became more familiar with the ecosystem and gained more understanding, I did some cherry-picking and added a couple of “no geek skills required” measures to my sites, which I want to describe briefly here.

0. Use a strong password for your account

I guess that one goes without saying. I’m using KeePass to manage my passwords, and I let KeePass generate long (>20 characters) passwords for me that consist of random characters, numbers, symbols.

1. Change your login username

This is perhaps the “geekiest” of the bunch, but it’s actually not very difficult – and it makes a lot of sense to do this. Let me explain. WordPress knows no less than three usernames per user account:

  1. the user_login name that you use to sign in to your account
  2. the user_nicename that is used in URLs (like the author archives)
  3. the display_name

Let’s forget about display_name as it is really just that – a display name. user_login and user_nicename are what we want to look at – because by default, they are the same. This means that anyone who sees user_nicename (in a URL like the author archive) immediately knows the user_login that this author uses to log in to your site. And that can be changed.

All you need to do is go to your database administration (most likely phpMyAdmin), find your WordPress database, and click on the wp_users table (and most likely you won’t have too many users on your site anyway).

The first thing you want to do is to change the user_login to anything but “admin”, “administrator”, the name of your site, and other common names. Attackers always try common names to log in to your site. Use a unique login name that is hard or impossible to guess. In phpMyAdmin, double-click on the field that contains your user_login. Type your new login name and press enter. phpMyAdmin will show you something like “1 row affected” as a result. Done! Remember to use your new login name from now on if you want to sign in to your site directly (which you probably don’t want to do… read on!).

The second part is to change the user_nicename to something clean and simple that will show in URLs, and make it different from user_login. I’m using my first name here. Unsuspicious. 🙂 You do this the same way as above: double-click on the field that contains your user_nicename. Type your new “nice name”. Press enter.
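The same change written as SQL for phpMyAdmin’s “SQL” tab, as an added example that is not part of the original post. It assumes MySQL/MariaDB and the default wp_ table prefix; the ID 1 and both new names are placeholders, and a database backup should be taken first.

```sql
-- Added example. Assumes the default table prefix "wp_".
-- 1) Audit: which accounts have a URL slug that gives away the login,
--    or a login that is one of the commonly tried names?
--    (WordPress lowercases the login when it derives the default nicename.)
SELECT ID,
       user_login,
       user_nicename,
       display_name,
       (user_nicename = LOWER(user_login))               AS slug_reveals_login,
       (LOWER(user_login) IN ('admin', 'administrator')) AS common_login
FROM wp_users
ORDER BY ID;

-- 2) Make sure the new names are not already in use (expect zero rows).
--    The table does not enforce uniqueness on these columns by itself.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE user_login    = 'NEW_LOGIN_PLACEHOLDER'
   OR user_nicename = 'new-nicename-placeholder';

-- 3) Change both fields for exactly one account.
--    ID = 1 is a placeholder; use the ID shown by the audit query.
--    Keep the nicename lowercase with hyphens only, since it appears in URLs.
UPDATE wp_users
SET user_login    = 'NEW_LOGIN_PLACEHOLDER',
    user_nicename = 'new-nicename-placeholder'
WHERE ID = 1;

-- 4) Verify: the two columns should now differ for that account.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE ID = 1;
```

Step 3 should report “1 row affected”; after it, sign in with the new login name and check that the author archive URL shows the new nicename.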

2. Limit and/or block malicious login attempts

UPDATE: BruteProtect is now fully integrated with Jetpack – if you install and activate Jetpack, your site is automatically protected from malicious login attempts. One more reason to use Jetpack! If you’re a Jetpack user, you can skip the rest of this section; the information below is outdated.

This is a really simple one. All you need to do is install a plugin. I’ve been using “Limit Login Attempts” for a very long time (in the logs I saw that attackers always try usernames like “admin” etc., as described above).

A while ago, I switched to “BruteProtect” – it requires a bit more after installing the plugin, because you need to register and create an API key, but that’s worth it because you can block malicious login attempts from known attackers immediately, and don’t have to wait for the Limit Login Attempts counter to kick in.

Limit Login Attempts and BruteProtect can co-exist happily (at least they did on my sites), but I removed Limit Login Attempts entirely after installing BruteProtect. In the future, BruteProtect will probably be integrated with Jetpack. Jetpack is a plugin package that equips self-hosted sites with most of the functionality of WordPress.com sites.

3. Use two-factor authentication (2FA)

What is two-factor authentication? A combination of security measures. Normally, you sign in only with “what you know” – your username and your password. 2FA adds a “what you have” layer to it – you install an app on your phone that generates a security token (which expires every 60 seconds or so), and you need to enter that token when you want to log in. Without the security token generated by your phone (or a backup code, in case your phone is broken) you cannot sign in.

And just like on hosted blogs, you can use 2FA for your self-hosted site. It even uses the same technique: Google Authenticator (others exist for self-hosted sites of course, but for the sake of simplicity, let’s assume we’re using Google’s Authenticator service for our 2FA). For your self-hosted site, you need to install the “Google Authenticator” plugin for WordPress, activate the site in the Authenticator app on your phone, and enable 2FA in your WordPress user settings. It’s pretty easy to set up, and once activated, no one will be able to sign in to your site without the security token generated by the app on your phone.

4. Use Jetpack Single-Sign-On (SSO)

Keeping the best one until the end. 🙂 If you’re using Jetpack with your self-hosted WordPress site you already have a WordPress.com account (you created it when you connected Jetpack to WordPress.com!). You might as well enable Jetpack’s Single-Sign-On (SSO) module and use your WordPress.com account to sign in (not without using 2FA for that account, of course).

Why is that useful? HTTPS, that’s why. I guess most small self-hosted WordPress installations do not use/have secure connections via HTTPS. Which means that when you sign in to your own site, you’re transmitting your account credentials (username and password) unencrypted and as plain text. Yikes! Over the evil, evil, internet! 😉 Not such a great idea. By comparison, the login to WordPress.com happens over a secure connection.

Enable Jetpack Single-Sign-On in your Dashboard in “Jetpack -> Settings”. Then enable it for your account in “Users -> My Profile” (scroll all the way to the bottom). It’s a one time process.

Once Single-Sign-On is activated, a new button “Log in with WordPress.com” is added to the login screen. Click it, and you’ll be asked for your WordPress.com credentials, then taken back to your site. Hey presto, and never log in insecurely over HTTP again.

Thoughts? Let me hear them.
