Let’s talk about website security.
You may be thinking, “I use WordPress, one of the most popular platforms available. I’m sure they’ve got me covered.” And you’re right: the WordPress development team is doing a stellar job employing the latest security techniques to keep your site safe.
However, the software behind WordPress is only one piece of the security puzzle. You also need to consider other parts, like the login page, username, and password for your site’s admin account. Logins are often the most vulnerable piece of a site’s security armor. If you don’t have a secure login, there isn’t much that WordPress developers or security experts can do for you.
In this article, we’ll explore the ways that you can build a secure login for your site, from using a smart password to some of Jetpack’s security features.
Longer, stronger passwords equal better security
You may have heard this before, but it bears repeating: choosing a good password is the first step towards good security.
Contrary to popular belief (and to what most websites’ password prompts and every “baby’s first password” tutorial insist), the best passwords are not defined by a cryptic character, a capital letter, and a number. The most secure passwords are simply long. Security experts agree that longer passwords are harder to crack, according to The Guardian.
Adding punctuation and other typographical nuances is a great addition to a password, but length should come first. It’s helpful to use a password management tool such as LastPass or 1Password that will generate passwords for you, in addition to keeping track of them and auto-filling them into sites you trust. That way, you will have the most secure passwords possible without needing to remember them all. This has the additional advantage that you can log out without needing to check the site’s own “remember me” box, or worrying about not being able to log back in again – your password management tool has you covered.
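To put numbers on “length first”, here is an added Python example (not code from the article or from Jetpack) that estimates the brute-force search space of a password as length × log2(pool size), and compares a long lowercase passphrase with a short “complex” one. The pool sizes and the guess rate of 10 billion per second are constructed assumptions for illustration. Note the caveat the figure hides: this is the upper bound for a password picked uniformly from its pool, so a passphrase built from dictionary words is weaker than the bound suggests, which is why the article recommends letting a password manager generate passwords.

```python
import math
import string

# Character-class pools. Anything that is not a letter or digit is counted in a
# 33-symbol pool (32 ASCII punctuation marks plus space). These sizes are the
# usual brute-force assumptions, not a measurement of any real attacker.
CLASS_POOLS = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
)
SYMBOL_POOL = 33
ALNUM = set(string.ascii_letters + string.digits)


def pool_size(password: str) -> int:
    """Size of the smallest character set a brute-force search must cover."""
    size = 0
    for chars, n in CLASS_POOLS:
        if any(c in chars for c in password):
            size += n
    if any(c not in ALNUM for c in password):
        size += SYMBOL_POOL
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy (bits) assuming every character is chosen uniformly
    from the password's pool: len(password) * log2(pool size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Time to try every candidate of the same pool and length at the given rate.
    The default rate is a constructed illustration, not a benchmark."""
    return 2 ** entropy_bits(password) / guesses_per_second


def compare(*passwords: str) -> list[tuple[str, float, float]]:
    """Return (password, bits, seconds-to-exhaust) sorted weakest first."""
    rows = [(p, round(entropy_bits(p), 1), seconds_to_exhaust(p)) for p in passwords]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    # Constructed samples: 8 "complex" characters versus 25 lowercase letters.
    for pw, bits, secs in compare("P@ssw0rd", "correcthorsebatterystaple"):
        print(f"{pw!r:30} {bits:6.1f} bits  ~{secs / 86400:.3g} days at 1e10 guesses/s")
```

The long lowercase passphrase comes out at roughly 117 bits against about 53 bits for the eight-character mix, even though the short one ticks every “complexity” box.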
Only remember one password with Secure Sign On (SSO) services
An alternative to a password manager is a secure sign on (SSO) service. You might already be using SSO services and not even realize it!
If you’ve visited sites that allow you to log in with your Google, Facebook, Yahoo!, or WordPress credentials, you are already using SSO. With SSO, you only need to remember a single password that works across multiple sites, even if those sites are managed by different companies.
Using Jetpack, you can enable Secure Sign On on your own website. Visitors will be able to use their WordPress.com logins when visiting, making it easier to complete a purchase on your site, access members-only content, or connect with millions of WordPress users in the comments. This will also give your site or online store some “backed by WordPress” credibility that will ease their minds if they need to give you personal information, such as their address or credit card data.
Enable 2FA on your logins for an extra layer of security
Your login page becomes twice as secure when you need to input something in addition to a password to log in.
This practice is known as Two Factor Authentication (2FA), and is based on the principle of combining multiple secure “factors” – something you know, something you are, or something you have. It therefore usually involves inputting both a password (something you know) and another piece of information, usually a code sent to your mobile device (something you have). Jetpack has a built-in Two Factor Authentication option that you can toggle on in just a few seconds.
Once enabled, you’ll be prompted to enter a numeric code sent to your mobile device (or retrieved from your authenticator app such as Google Authenticator, Duo, or Authy) right after inputting your password. This added step provides a level of security that is roughly ten times stronger than a password alone.
In addition, with this option enabled, if you see any login attempts you didn’t authorize, you can reject them immediately. This will keep your site — and your data — safe.
Don’t let hackers batter down the door
Every day, thousands of hackers scan the internet looking for sites to break into. When they find one of interest, they go for its login page. Hackers typically launch an age-old method of hacking known as the brute force attack.
Brute force attacks pummel your login page with incessant attempts at cracking your password. Essentially, the hackers continuously ask, “is this it? Is this it?” much like a toddler asking if they can have a snack every five seconds while you make dinner. Eventually, the hackers get their malware into your site and walk away with all the cookies.
Will an extra-strong password prevent this from occurring? It’s a great start, but while brute force attacks attempt to guess that un-guessable password, they’re slowing down your site in the process. When you’re continuously having to tell a toddler “no,” dinner ends up taking longer and longer to make. This means that your site visitors will be waiting far too long to check out your site, content, or eCommerce products.
By default, WordPress allows an unlimited number of login attempts, which is exactly what a brute force attack relies on. This is where brute force protection comes in. Jetpack adds brute force protection to limit login attempts to your site for free. As long as you have Jetpack installed, you’ll be sheltered from any brute force attacks that come your way, keeping your site secure and preventing it from slowing down. Jetpack Protect checks login attempts against a blacklist of malicious IP addresses, and will lock out any IP address that makes too many failed login attempts.
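The two mechanisms just described, a blocklist of known-bad addresses and a lockout after too many failed attempts from one address, are shown below in miniature as an added Python example. It is not Jetpack’s code and does not reproduce its thresholds; the limits (5 failures in 10 minutes, 15-minute lockout), the IP addresses and the event sequence are all constructed for the demonstration. The important detail is that the check runs before the password is even verified, which is what keeps a flood of guesses from slowing the site down.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple


class LoginGuard:
    """Per-IP failed-login limiter with a static blocklist (constructed example)."""

    def __init__(self, max_failures: int = 5, window: int = 600,
                 lockout: int = 900, blocklist: Iterable[str] = ()):
        self.max_failures = max_failures   # failures allowed inside `window`
        self.window = window               # seconds over which failures are counted
        self.lockout = lockout             # seconds an address stays locked out
        self.blocklist = set(blocklist)    # addresses refused unconditionally
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)
        self._locked_until: Dict[str, int] = {}

    def is_locked(self, ip: str, now: int) -> bool:
        if ip in self.blocklist:
            return True
        until = self._locked_until.get(ip)
        return until is not None and now < until

    def allow(self, ip: str, now: int) -> bool:
        """Decide before any password check, so locked addresses cost nothing."""
        return not self.is_locked(ip, now)

    def record_failure(self, ip: str, now: int) -> None:
        recent = self._failures[ip]
        recent.append(now)
        # Drop failures that have aged out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)


def replay(events: List[Tuple[int, str, bool]], guard: LoginGuard) -> List[str]:
    """Run (timestamp, ip, password_correct) events through the guard and return
    one of 'blocked', 'failed' or 'ok' per event."""
    decisions = []
    for ts, ip, password_ok in events:
        if not guard.allow(ip, ts):
            decisions.append("blocked")
            continue
        if password_ok:
            guard.record_success(ip)
            decisions.append("ok")
        else:
            guard.record_failure(ip, ts)
            decisions.append("failed")
    return decisions


# Constructed event stream: five wrong passwords from one address in 40 seconds,
# then a correct password from the same address, another visitor, the first
# address again after the lockout has expired, and a blocklisted address.
EVENTS = [
    (0, "198.51.100.7", False),
    (10, "198.51.100.7", False),
    (20, "198.51.100.7", False),
    (30, "198.51.100.7", False),
    (40, "198.51.100.7", False),
    (50, "198.51.100.7", True),
    (55, "203.0.113.5", True),
    (941, "198.51.100.7", True),
    (960, "192.0.2.99", True),
]


def run_demo() -> List[str]:
    guard = LoginGuard(blocklist={"192.0.2.99"})
    return replay(EVENTS, guard)


if __name__ == "__main__":
    for (ts, ip, _), decision in zip(EVENTS, run_demo()):
        print(f"t={ts:4d}  {ip:14}  {decision}")
```

Even a correct password from the locked address at t=50 is refused, because the decision is made on the address’s recent history, not on the credential; that is also why a legitimate user on a shared address can be caught by it, which is the trade-off any IP-based lockout carries.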
Some plugins allow you to change the address of your site’s WordPress login page. Because of the standardized nature of WordPress websites, by default this will usually be something like yoursite.com/wp-admin, which makes it easy for attackers to find and start their brute force attempt against your site’s backend. By creating a unique login URL for your site’s WordPress admin area, you can stymie most brute force attacks before they even get going.
Jetpack keeps an extensive database of the best WordPress plugins, and rates them according to their security. Remember to check out the list before installing any additional WordPress security plugins – or you might find you’re inadvertently undoing the one thing you were hoping to fix!
Keep the attackers away with Jetpack
Hacking happens every day, even if you’re not aware of it. Although your website might not be specifically targeted by hackers, it’s best to be prepared just in case.
By employing the methods listed above, you’ll maintain secure passwords and a more protected site that will keep these hackers at bay. Employ Jetpack’s security features, lengthen your passwords, enable 2FA, and increase your site security today.
Remember that, regardless of the security features you put in place, not all hosting providers are created equal. Different hosting companies will have different approaches to WordPress installation, security, firewalls, SSL certificates, and so on, particularly if they host sites using many different platforms. Shop around, read reviews, and take time to understand which web host cares the most about WordPress security specifically. Luckily for you, we’ve compiled some of the best WordPress hosts into one handy list – why not check it out?
What tips do you have to keep your site safer? We’d love to hear from you in the comments below.