Why should we secure our WordPress sites? Well, the simple answer is, if a hacker gets access to your website, they could change your content which could have ill-effects for your brand, they could remove content or they could even take your site down all-together. Therefore you want it as secure as possible. So the follow-on question is how should we secure our WordPress sites? Well, that is what we’re going to discuss today. There are a variety of different options available to us and we’ll go over some of the main ones and give you our recommendations. What are our options?
- Use Obfuscation to Secure WordPress.
- Secure WordPress by IP Address.
- Secure WordPress by adding Two-Factor Authentication.
So these are the main options that we’ll discuss. There are many more ways in which we should make our WordPress sites more secure, but we won’t go over them today. We’ll do a more in-depth article soon with all the ways we should look to secure our WordPress sites. As for these options, these are the most common ways to try and secure our /wp-admin pages.
Secure WordPress by Obfuscation
What exactly is securing by obfuscation? Well, the simple answer is, it’s trying to hide our /wp-admin pages to try and make it more secure. In Lehman’s terms, this means changing our /wp-admin pages to be called something else like /admin or /backend. What this achieves, is simply moving the page to another location, therefore the question is, does it make our site more secure? Yes, it does, but not that much. Yes, it stops all those bots that are specifically looking for /wp-admin pages from finding the page and then trying to brute-force their way in, but most newer, more sophisticated bots would try other common names like /admin, but some will also simply scan the site for /wp-admin page based on its contents and locate it anyway.
So, is it worth doing? Yes, but only alongside other methods such as the two we are about to discuss. And it would be our recommendation that you used a name that doesn’t give it away that it is an admin page such as /apple2020 for example.
Secure WordPress by IP Address
So this option is one of the most secure ways of securing your /wp-admin page, however, it has its disadvantages and also some requirements which could stop you from doing it. So why exactly, is one of the most secure ways? Well, the reason that is, is once it is done, you can only access that page if your request is coming from a certain IP Address such as your business IP address.
However, that is where the disadvantages come in. It is only really possible if you only access from a few places otherwise you’ll need a very long list of IP Addresses. Without the use of a VPN to one of your IP Addresses it would rule you out accessing the /wp-admin page from a mobile. You would also need a static IP address otherwise you could find yourself being locked out if your dynamic IP changes. It also wouldn’t really work for certain sites that have a lot of different people writing posts for them as again it would mean too many IP Addresses to allow. That said, here is how you do this for a WordPress website hosted on an Nginx web server:
location ~ .php$ {
location ~ ^/wp-(admin|login).php {
allow xx.xx.xx.xx;
deny all;
fastcgi_intercept_errors on;
fastcgi_pass examplecombackend;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
fastcgi_intercept_errors on;
fastcgi_pass examplecombackend;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
And this is how you do this on a WordPress website hosted on an Apache webserver: It’s not as straight forward as Nginx, as you need to edit two different files to secure it with Apache. First of all, you should add the below to your .htaccess file within your WordPress folder.
Order Deny,Allow Deny from all Allow from xx.xx.xx.xx
You should then also add the below to a new .htaccess file within the /wp-admin folder:
Order Deny,Allow Deny from all Allow from xx.xx.xx.xx
Secure WordPress by adding Two-Factor Authentication
Now, you may have heard of Two-Factor Authentication. Well at least I hope you have, as you should ideally have it enabled wherever it is available. Two-Factor Authentication is the practice of having to enter/use a second device/code to authenticate you as well as your username and password. This is so that if a hacker did get your password, it wouldn’t matter as without them also having your two-factor code or device they still couldn’t get into the website.
This could be in the form of a code being texted to your phone. It could also be getting a code from an authentication app on your phone. It could be getting a push notification you have to say yes or no to on your phone. If you wanted, it could even be using a hardware token or YubiKey to authenticate you. As you guessed, the way we add this to your WordPress sites is with some handy plugins. We’ll have a look at some of the most common plug-ins available for you to use. For me, this is the best option for the majority of websites as you can use it whether you are accessing from home, or the office or anywhere in the world and by either mobile or desktop.
Google Authenticator
So this plugin, which you can download here, allows you to add two-factor authentication to your website by enabling you to use Authentication apps such as Google Authenticator or Authy to get a code to login with. Now I look at the advantages and disadvantages of this plugin:
Advantages
- You can use apps like Google Authenticator and Authy which a lot of you may already have on your phone.
- You can set it up so that only admins require to use this, whereas less privileged users do not.
Disadvantages
- The prompt for a code shows regardless of if the user has it enabled or not. (Although this can be fixed with the use of this plugin).
- There is only one way for the user to get a code to login with.
- Backup codes can not be generated for if a user loses access to their authentication app.
Google Authenticator – WordPress Two Factor Authentication (2FA) by miniOrange
This plugin, which you can download here, again allows you add two-factor to your website by enabling you to use Authentication apps such as Google Authenticator or Authy to get a code to login with as well as other options such as SMS Code, Email, Hardware Token. Now I look at the advantages and disadvantages of this plugin:
Advantages
- You can use apps like Google Authenticator and Authy which a lot of you may already have on your phone.
- You can set it up so that only admins require to use this, whereas less privileged users do not. (However, this feature isn’t in the free version)
- You can use other options as well as authentication apps. (Again, most of these aren’t available in the free version)
Disadvantages
- Most of the advanced features require you to have one of the paid plans.
Duo Two-Factor Authentication
This plugin, which you can download here, allows you to enable two-factor on your website, and for us here at ADB Web Designs it is the best of all the plugins available to enable two-factor authentication with it supporting push notification, SMS code, hardware token and two-factor code entry via the Duo Mobile app.
Advantages
- All of its features are available free for up to 10 Users. Even after that licences are as cheap as 1$ per user per month.
- You can enable based on a per-role basis, so you can allow your subscribers not to use it.
- Users are forced to use this and will be prompted to set it up on the first login if it is enabled for their user role.
- The push notification allows you to authenticate the quickest out of any of the other plugins.
Disadvantages
- You can’t use the Google Authenticator app. However, this isn’t really a disadvantage as the Duo Mobile app can do everything the Google Authenticator app can but better. This is because it now allows you to backup your codes. This is useful if you switch phones saving you from having to reset all your two-factor codes.
Overall Verdict
So, what is the verdict? Well, whilst all of these methods have their uses, the winner for me is using two-factor authentication to secure your website. This is due to how versatile it is and the fact that it could be used by practically any website. That said, you could use this alongside both of the other methods if you want the extra security. And as mentioned, out of all the two-factor options available its the Duo Two-Factor Authentication plugin that we would recommend. This is what we use here at ADB Web Designs. Thanks for reading and I hope that these security tips help you keep your WordPress site secure.
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
Thank you for your sharing. I am worried that I lack creative ideas. It is your article that makes me full of hope. Thank you. But, I have a question, can you help me?
you are truly a just right webmaster. The site loading speed is incredible. It kind of feels that you’re doing any distinctive trick. In addition, The contents are masterwork. you have done a great activity in this matter!
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me.