WordPress: How to Secure your Website?

Security | WordPress
15th September 2020
WordPress Security

Why should we secure our WordPress sites? Well, the simple answer is, if a hacker gets access to your website, they could change your content, which could have ill effects for your brand, they could remove content, or they could even take your site down altogether. Therefore you want it as secure as possible. So the follow-on question is, how should we secure our WordPress sites? Well, that is what we’re going to discuss today. There are a variety of different options available to us, and we’ll go over some of the main ones and give you our recommendations.

What are our options?

  • Use Obfuscation to Secure WordPress.
  • Secure WordPress by IP Address.
  • Secure WordPress by adding Two-Factor Authentication.

So these are the main options that we’ll discuss. There are many more ways in which we should make our WordPress sites more secure, but we won’t go over them today. We’ll do a more in-depth article soon with all the ways we should look to secure our WordPress sites. As for these options, these are the most common ways to try and secure our /wp-admin pages.

Secure WordPress by Obfuscation

What exactly is securing by obfuscation? Well, the simple answer is, it’s hiding our /wp-admin pages to try and make the site more secure. In layman’s terms, this means renaming our /wp-admin pages to something else like /admin or /backend. All this achieves is moving the page to another location, so the question is, does it make our site more secure? Yes, it does, but not by much. It stops all those bots that are specifically looking for /wp-admin pages from finding the page and then trying to brute-force their way in, but most newer, more sophisticated bots will try other common names like /admin as well, and some will simply scan the site and locate the login page from its contents anyway.

So, is it worth doing? Yes, but only alongside other methods such as the two we are about to discuss. And it would be our recommendation that you use a name that doesn’t give away that it is an admin page, such as /apple2020 for example.

Secure WordPress by IP Address

So this option is one of the most secure ways of securing your /wp-admin page; however, it has its disadvantages and also some requirements which could stop you from doing it. So why exactly is it one of the most secure ways? Well, the reason is, once it is done, you can only access that page if your request is coming from a certain IP address, such as your business IP address.

However, that is where the disadvantages come in. It is only really possible if you access the site from a few places; otherwise you’ll need a very long list of IP addresses. Without a VPN that puts you behind one of your allowed IP addresses, it would rule out accessing the /wp-admin page from a mobile. You would also need a static IP address; otherwise you could find yourself locked out when your dynamic IP changes. It also wouldn’t really work for sites that have a lot of different people writing posts for them, as again it would mean too many IP addresses to allow.

That said, here is how you do this for a WordPress website hosted on an Nginx web server:

# Requests for wp-login.php and any PHP file under /wp-admin/ are only served to the
# allow-listed address; everyone else gets a 403. Replace xx.xx.xx.xx with your own IP
# (a CIDR range such as xx.xx.xx.0/24 also works). Note that /wp-admin/admin-ajax.php,
# which some plugins call from the public front end, is caught by this rule as well.
location ~ \.php$ {
    location ~ ^/(wp-login\.php|wp-admin/.*\.php)$ {
        allow xx.xx.xx.xx;
        deny all;
        fastcgi_intercept_errors on;
        fastcgi_pass examplecombackend;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
    # Every other PHP request is served as normal.
    fastcgi_intercept_errors on;
    fastcgi_pass examplecombackend;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    include        fastcgi_params;
}

And this is how you do this on a WordPress website hosted on an Apache web server:

It’s not as straightforward as Nginx, as you need to edit two different files to secure it with Apache. First of all, you should add the below to your .htaccess file within your WordPress folder.

# Apache 2.2 access-control syntax. The Apache 2.4 equivalent of the three
# Order/Deny/Allow lines is a single "Require ip xx.xx.xx.xx".
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>

You should then also add the below to a new .htaccess file within the /wp-admin folder:

# Apache 2.2 syntax again; on Apache 2.4 use "Require ip xx.xx.xx.xx" instead.
# This also blocks /wp-admin/admin-ajax.php, which some plugins call from the
# public front end, so test the site as an ordinary visitor afterwards.
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
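Whichever of the two configurations you use, it is worth knowing who is still knocking on the door. As an added example (not code from the original post), here is a small Python check that reads Nginx access-log lines, ignores the allow-listed addresses, and reports any other source that keeps hitting wp-login.php or /wp-admin/; it covers both the bots scanning for /wp-admin described under obfuscation and the allow list from this section. The allow-list network, the threshold and the log lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Nginx "combined" log format; the named groups are all this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)

# Assumed allow list, mirroring the "allow xx.xx.xx.xx" line in the configs above;
# CIDR ranges are accepted so an office network can be listed once.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Paths that only allow-listed addresses should be reaching.
ADMIN_PATH_RE = re.compile(r"^/(wp-login\.php|wp-admin(/|$))")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def admin_hits_from_outside(lines, threshold=3):
    """Count admin/login requests per source IP that is not on the allow list and
    return those at or above the threshold (brute-force or scanner candidates)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and ADMIN_PATH_RE.match(rec["path"]) and not is_allowed(rec["ip"]):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Sep/2020:10:01:02 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Sep/2020:10:01:05 +0100] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.24"
198.51.100.7 - - [15/Sep/2020:10:01:06 +0100] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.24"
198.51.100.7 - - [15/Sep/2020:10:01:07 +0100] "GET /wp-admin/ HTTP/1.1" 403 153 "-" "python-requests/2.24"
192.0.2.44 - - [15/Sep/2020:10:02:00 +0100] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 403 153 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Sep/2020:10:02:10 +0100] "GET /blog/hello-world/ HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
""".splitlines()
```

The 192.0.2.44 lines show an ordinary visitor whose admin-ajax.php call was refused, which is the side effect of the /wp-admin rule to watch for after enabling it.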

Secure WordPress by adding Two-Factor Authentication

Now, you may have heard of Two-Factor Authentication; well, at least I hope you have, as you should ideally have it enabled wherever it is available. Two-Factor Authentication is the practice of having to enter a code from, or confirm on, a second device to authenticate you, as well as your username and password. This is so that if a hacker did get your password, it wouldn’t matter, as without also having your two-factor code or device they still couldn’t get into the website. This could be in the form of a code texted to your phone, a code from an authentication app on your phone, a push notification you have to approve or reject on your phone, or a hardware token such as a YubiKey to authenticate you.

As you may have guessed, the way we add this to your WordPress sites is with some handy plugins. We’ll have a look at some of the most common plugins available for you to use. For me, this is the best option for the majority of websites, as it can be used whether a user is accessing from home, the office or anywhere in the world, and from either mobile or desktop.

Google Authenticator

So this plugin, which you can download here, allows you to add two-factor authentication to your website by letting you use authentication apps such as Google Authenticator or Authy to get a code to log in with. Now let’s look at the advantages and disadvantages of this plugin:

Advantages

  • You can use apps like Google Authenticator and Authy which a lot of you may already have on your phone.
  • You can set it up so that only admins are required to use it, whereas less privileged users are not.

Disadvantages

  • The prompt for a code shows regardless of whether the user has it enabled or not. (Although this can be fixed with the use of this plugin.)
  • There is only one way for the user to get a code to log in with.
  • Backup codes cannot be generated in case a user loses access to their authentication app.
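The codes that Google Authenticator and Authy produce, which this plugin and the next prompt for, are time-based one-time passwords (RFC 6238 TOTP built on RFC 4226 HOTP). As an added example, not code from the original post or from any of the plugins, here is a small Python implementation of generating and verifying such a code on the server side; the secret is the RFC's published reference key (a constructed demo value), and the skew window and replay check are my own choices.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo key: the RFC 6238 reference secret "12345678901234567890",
# base32-encoded as an authenticator app receives it from an enrolment QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32, code, at=None, step=30, window=1, used_steps=None):
    """Server-side check of a submitted code.

    Accepts the current 30-second step or one step either side (clock skew between
    phone and server), compares in constant time, and refuses a time step that has
    already been used so an intercepted code cannot be replayed.
    """
    at = int(time.time()) if at is None else at
    used_steps = set() if used_steps is None else used_steps
    current = at // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate < 0 or candidate in used_steps:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate), str(code)):
            used_steps.add(candidate)
            return True
    return False
```

The "backup codes" the plugin lacks would be a separate list of single-use random strings stored hashed alongside the user, checked only when a TOTP code cannot be supplied.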

Google Authenticator – WordPress Two Factor Authentication (2FA) by miniOrange

This plugin, which you can download here, again allows you to add two-factor authentication to your website by letting you use authentication apps such as Google Authenticator or Authy to get a code to log in with, as well as other options such as SMS code, email or hardware token. Now let’s look at the advantages and disadvantages of this plugin:

Advantages

  • You can use apps like Google Authenticator and Authy which a lot of you may already have on your phone.
  • You can set it up so that only admins are required to use it, whereas less privileged users are not. (However, this feature isn’t in the free version.)
  • You can use other options as well as authentication apps. (Again, most of these aren’t available in the free version.)

Disadvantages

  • Most of the advanced features require you to have one of the paid plans.

Duo Two-Factor Authentication

This plugin, which you can download here, allows you to enable two-factor authentication on your website, and for us here at ADB Web Designs it is the best of all the plugins available for enabling two-factor authentication, supporting push notifications, SMS codes, hardware tokens and code entry via the Duo Mobile app.

Advantages

  • All of its features are available free for up to 10 users. Even after that, licences are as cheap as $1 per user per month.
  • You can enable it on a per-role basis, so you can exempt your subscribers from using it.
  • Users are forced to use it and will be prompted to set it up on their first login if it is enabled for their user role.
  • The push notification lets you authenticate the quickest out of any of the other plugins.

Disadvantages

  • You can’t use the Google Authenticator app. However, this isn’t really a disadvantage, as the Duo Mobile app can do everything the Google Authenticator app can, but better: it now allows you to back up your codes in case you switch phones, saving you from having to reset all your two-factor codes.

Overall Verdict

So, what is the verdict? Well, whilst all of these methods have their uses, the winner for me has to be securing your WordPress website with two-factor authentication. This is due to how versatile it is and the fact that it can be used by practically any website. That said, it can be used alongside both of the other methods if you want the extra security. And as mentioned, out of all the two-factor options available, it’s the Duo Two-Factor Authentication plugin that we would recommend, and that is what we use here at ADB Web Designs.

Thanks for reading and I hope that these security tips help you keep your WordPress site secure. Check back soon for our more in-depth security article showing you all the tasks we should be taking to make our sites as secure as possible.

Adam Birds

I am the founder and Director of ADB Web Designs. I am an experienced web designer, systems administrator and server engineer, with experience in the web hosting industry as well as working for several large managed service providers. My passions are technology, web design, football and providing a great service to my clients.
