An important part of WordPress security has to do with your user accounts & passwords. We’ll discuss some of the basic guidelines to keep your WordPress site secure, as well as go over some security plugins that can help.
A Quick Note About Brute-force Attacks
Insecure user accounts and/or passwords can lead to what are called brute-force attacks. These are attempts by people (more often, computer programs & robots) to guess the username & password combination of one of your WordPress users. These automated programs seek out your WordPress login & administration pages (/wp-admin/), and then try to log in using common username & password combinations. If they guess right, they’ll gain access to your WordPress site, and be able to do all kinds of bad things (hijack pages, inject malware, add hidden links).
How Do You Prevent Brute-force Attacks?
Now that you have an idea why you need to secure your WordPress site, let’s take a look at some ways you can achieve this with better security on your user accounts.
Never Use “admin” For Your Username
“Admin” is the default username on new WordPress installations. You should always create a new admin user with a unique username, and delete the “admin” username, as it is the most common in brute-force attacks.
WordPress usernames you should avoid:
- admin / Admin
- administrator / Administrator
- root / Root
- yourdomainname / yourdomainnamecom (You can use a variation of your domain, but don’t use it in its entirety)
We recommend using something unique—a variation of your name/initials, street address, favorite food, etc.
Selectively Choosing User Roles
If you are building sites for your clients, or your organization will have multiple people with access to the site, think about the permissions they need. Do they need to be able to install plugins & edit settings? Create new posts? Edit others’ posts? Moderate comments? Create drafts, but not publish them live?
Don’t give a user admin privileges if they don’t need them. The WordPress Codex has a table that shows you which functions a user can perform, based on the role they are assigned. If your user only needs to be an “Author,” don’t give them “Administrator” access. If someone should hack into one of these accounts, they will not be able to do the same amount of damage as an Administrator account would.
Talk To Administrators About Security
On the same note, make sure all Administrators understand the importance of security. They should always have unique usernames & maintain a strong password.
Logging Into Admin on an Open Wireless Connection
If you like to work at a local coffee shop, or anywhere you’d be accessing a public (non-secure) wireless network, take extra precaution when logging into the WordPress admin. If your login page is not served up over https, other people on that network could capture your login credentials and use them to log in to your site. I’ll be writing a separate article that talks about securing your login & admin pages using an SSL certificate.
To be on the safe side, just don’t do it. Wait until you have access to a secure connection. Or talk to your site administrator about installing an SSL certificate on your server.
Use a Strong Password
This is an obvious one, but everyone should use a strong password. As of version 3.7, WordPress uses a better password strength meter to provide feedback on how secure it is. Please listen to it, and adjust your password accordingly.
Force Strong Passwords Plugin
There’s a great plugin called Force Strong Passwords that will require users to pick a secure password. By default, it only requires one for users who have certain, high-level capabilities (publish posts, upload files, etc.), but you can modify it using a filter to require ALL users to have a strong password. It’s well documented & maintained, and even used by some managed WordPress hosting companies like WP Engine.
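To show what “a strong password for ALL users” looks like when enforced on the server rather than just suggested by the meter, here is an added example that uses WordPress core’s own hooks instead of the plugin’s filter. It is not the Force Strong Passwords plugin’s code; the policy thresholds, the function names prefixed example_, and the short common-password list are all constructed for illustration. It runs on the profile/new-user form and on the “Lost your password?” reset form, so there is no path by which a weak password can be saved.

```php
<?php
/*
 * Added example (not the plugin's code): enforce a password policy for ALL
 * users via WordPress core hooks. Place it in a must-use plugin
 * (wp-content/mu-plugins/) or your theme's functions.php.
 */

// Return the reasons a candidate password is weak; an empty array means it is acceptable.
function example_password_problems( $password, $username = '' ) {
    $problems = array();
    if ( strlen( $password ) < 12 ) {
        $problems[] = 'Password must be at least 12 characters long.';
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'Password must contain both lower- and upper-case letters.';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'Password must contain at least one digit.';
    }
    if ( $username !== '' && stripos( $password, $username ) !== false ) {
        $problems[] = 'Password must not contain the username.';
    }
    // Constructed denylist of the kind of values brute-force tools try first.
    $common = array( 'password', 'password123', 'admin', 'letmein', 'qwerty', 'wordpress' );
    if ( in_array( strtolower( $password ), $common, true ) ) {
        $problems[] = 'Password is on the common-password list.';
    }
    return $problems;
}

// Profile edit / "Add New User" form: fires before the user record is saved.
function example_check_profile_password( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change requested on this save.
    }
    $username = isset( $user->user_login ) ? $user->user_login : '';
    foreach ( example_password_problems( wp_unslash( $_POST['pass1'] ), $username ) as $msg ) {
        $errors->add( 'weak_password', '<strong>ERROR</strong>: ' . esc_html( $msg ) );
    }
}
add_action( 'user_profile_update_errors', 'example_check_profile_password', 10, 3 );

// "Lost your password?" reset form: the same policy applies here too.
function example_check_reset_password( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    // $user is a WP_Error when the reset key is invalid; only read the login from a real user.
    $username = ( $user instanceof WP_User ) ? $user->user_login : '';
    foreach ( example_password_problems( wp_unslash( $_POST['pass1'] ), $username ) as $msg ) {
        $errors->add( 'weak_password', '<strong>ERROR</strong>: ' . esc_html( $msg ) );
    }
}
add_action( 'validate_password_reset', 'example_check_reset_password', 10, 2 );
```

Because the checks run server-side on both forms, the policy holds for every role, including subscribers and users created by another administrator; the client-side strength meter only advises, while this rejects the save.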
Limit Consecutive Login Attempts
When attackers attempt brute-force attacks, they will continually try their username/password combinations on your login page, who knows how many times in a row. Any real user—even one who is notorious for forgetting his password—shouldn’t need 20+ tries to log in to the site. Especially since there’s a simple “Forgot password” form they can use to reset it.
The Limit Login Attempts plugin limits the number of consecutive login attempts that can be made by an IP address. It has some options for you to customize, and will log the IP addresses that get locked out. You can also reset the lockout, in case one of your clients gets amnesia, and really needs to get into their site. You’ll see what username the offender was using, and you have the option to be notified by email.
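To make the lockout mechanism concrete, here is an added example of the same idea built on WordPress core hooks and transients. It is not the Limit Login Attempts plugin’s code; the thresholds, the example_ function names, and the assumption that $_SERVER['REMOTE_ADDR'] is the real client address (not true behind a proxy or load balancer) are all mine. It counts consecutive failures per IP, refuses further logins once the threshold is hit, writes a log line naming the username that was being tried, and clears the counter on a successful login.

```php
<?php
/*
 * Added example (not the Limit Login Attempts plugin's code): lock an IP out of
 * the login form after N consecutive failed attempts, using WordPress transients.
 * Assumption: REMOTE_ADDR is the real client; behind a reverse proxy you would
 * read a trusted forwarded-for header instead.
 */

define( 'EXAMPLE_MAX_FAILURES', 5 );                          // consecutive failures before lockout
define( 'EXAMPLE_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS );   // how long the lockout lasts

// Transient key scoped to the client IP.
function example_lockout_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count a failed attempt. The transient's expiry doubles as the lockout window:
// every failure refreshes it, so hammering the form while locked out extends the lockout.
function example_record_failed_login( $username ) {
    $key   = example_lockout_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOCKOUT_SECONDS );
    if ( $count >= EXAMPLE_MAX_FAILURES ) {
        // Same facts the plugin records: which address was locked out and which username it was trying.
        error_log( sprintf(
            'Login lockout: IP %s after %d consecutive failures (last username tried: %s)',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $count,
            $username
        ) );
    }
}
add_action( 'wp_login_failed', 'example_record_failed_login' );

// Refuse authentication while locked out, whether or not the password is correct.
// Priority 30 runs after core's own username/password check (priority 20), because
// core overwrites an earlier WP_Error when both fields are filled in.
function example_block_locked_out( $user, $username, $password ) {
    $count = (int) get_transient( example_lockout_key() );
    if ( $count >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Try again later or use the "Lost your password?" link.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_locked_out', 30, 3 );

// A successful login clears the counter so legitimate users are not penalised later.
function example_clear_on_success( $user_login, $user ) {
    delete_transient( example_lockout_key() );
}
add_action( 'wp_login', 'example_clear_on_success', 10, 2 );
```

To “reset the lockout” for a client who has locked themselves out, delete the transient for their address (for example with WP-CLI’s transient delete command or by letting it expire); the plugin exposes the same reset as a button in its settings page. Note that a per-IP counter on its own does nothing against an attacker rotating through many addresses, which is why it belongs alongside strong passwords rather than instead of them.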
What other login & user-related security measures do you use to protect your WordPress site? Let us know in the comments.