As you should know by now, making WordPress security easy and stressing its importance is something of a passion of ours here at Showcase. So, here are 5 quick-fire tips for improving your website security that non-techies can implement in less than 5 minutes. In this article I will talk you through the points and explain the logic behind them, then at the end I'll point you to the tool you need to make all of this happen without writing a single line of code.
Let’s get started:
- NEVER use 'admin' as your username. Because some web hosts and many web developers used this as the default username years ago, it's the first thing that hackers (or their bots) try during a brute force attack. If they confirm that this username exists, that's half the puzzle solved for them! WordPress doesn't actually let you change a username from the dashboard, so you have to install a plugin to do it. The plugin we use is "Username Changer", which you can download here.
- Upgrade your password. It's very easy to get into a routine of using simple, easy-to-remember passwords for multiple sites. However, if you think about it, that's exactly what a hacker would like, and it totally defeats the purpose of a password. We know that passwords are a necessary evil for many people, which is why we recommend managing your passwords with LastPass: it helps you not only create really strong passwords but also stores them securely so you don't have to remember them. Remember, passwords are graded on 3 elements:
  - Length – ideally you want passwords over 12 characters long. Anything shorter dramatically reduces the time an automated machine (or bot) needs to guess the password.
  - Characters – use both upper-case and lower-case letters, numbers and at least one special character in your password. And remember, just because we capitalise the start of a sentence in normal text doesn't mean you have to in your password. The same goes for brackets: just because you open a bracket doesn't mean you have to close it. Doesn't an opening bracket look a little like a "C"?
  - Readability – something many are unaware of, but passwords are also graded on their readability. If you wrote your password out on a piece of paper, could someone read it as a word? If so, it's susceptible to what's called a 'dictionary attack', where a bot works through a dictionary of words, trying common variations such as numbers in place of letters.
- Move your login page. To attack your website by 'brute force' (many attempts at random – or not so random – combinations of characters for the username and password), a hacker first has to find your login page. WordPress by default uses the '/wp-admin' and '/wp-login' URLs to reach the login page, and we suggest that you move it. Doing so makes it extremely difficult for a hacker to 'find the door' to attack. It's another layer of complexity that could make all the difference in persuading hackers to look elsewhere for something to break into. Not sure how to do this? Don't worry, read on and I'll give you a free tool to help you!
- Restrict (throttle) the number of login attempts allowed in a given time period. A brute force attack relies on being able to try a huge number of character combinations in a short space of time. We're literally talking thousands an hour, so they can get through an unbelievable number of combinations. If you restrict the number of attempts allowed in, say, 5 minutes, you dramatically extend the time it would take to crack the username and password. We tend to stick to 3 attempts in 5 minutes, and we lock people out for an hour if they still don't get it right. Can you imagine how much slower an attack would be under that policy?
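To show what that policy does to an attacker's guessing rate, here is an added example (not code from the plugin we recommend) of the throttling logic itself: failures are counted per client key, which I assume here is the client's IP address, inside a 5-minute sliding window, and the third failure triggers a 1-hour lockout. Timestamps are passed in explicitly so the policy can be exercised without waiting.

```python
from collections import defaultdict, deque

# Policy from the article: 3 failed attempts in 5 minutes, then a 1-hour lockout.
MAX_ATTEMPTS = 3
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 60 * 60


class LoginThrottle:
    """Counts failed logins per key (assumed here to be the client IP) inside a
    sliding window and locks the key out once the limit is hit."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout expires

    def is_locked(self, key, now):
        """`now` is a Unix timestamp, passed in so the policy is testable."""
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:  # lockout expired: forget the old failures too
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Register a failed login; returns True if the key is now locked out."""
        if self.is_locked(key, now):
            return True
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] >= self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)  # a good login resets the counter


def guesses_per_hour(max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT_SECONDS):
    """Upper bound on guesses per hour under this policy: each lockout cycle
    yields at most max_attempts guesses (the guessing time itself is ignored)."""
    return max_attempts * 3600 / lockout
```

With the article's numbers, `guesses_per_hour()` comes to 3, against the thousands an hour an unthrottled login form allows.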
- Add a CAPTCHA to your login page (and other pages). We've all seen these 'annoying' tests designed to prove you're human: solve this maths question, decipher the letters in this blob, or select all the images with a storefront. Throughout this article we've discussed the concept of a 'brute force attack', and generally these (and most other types of hack) are carried out by 'bots', automated programs designed to try thousands of attempts quickly, something a human would struggle to do. Adding a CAPTCHA to your login page mitigates this so that only humans can access the site.
So, we recommend a single plugin that can do all of this for you, and it literally can be done in less than 5 minutes. You can find out how, along with a follow-along tutorial I created, on our AIOWPS page.