
2.6 Securing WP Admin

If hackers gain access to your WP Admin area, they can do considerable damage. In this lesson, learn some key ways to help keep your admin area safe and secure.

Important Note

WordPress security should be taken seriously. This course includes references to third-party plugins which may not be updated to meet current requirements. This is an older course and we strongly recommend doing further research on the plugins mentioned before using them. We do not recommend using untested, outdated plugins for security.


Hey, welcome back to the WordPress Secure Setup Guide. In this lesson, we're gonna go through some ways that you can help to secure your admin area. And the first thing that we're gonna look at is if you have an SSL certificate set up for your site, which you should have. If you don't have one set up, have a talk to your host and they can guide you through what you need to do. And when you have that certificate set up and running on your site, the URL that you're gonna use for your site will go from HTTP to HTTPS. S stands for secure, and when you see that HTTPS, you know that you're browsing in a secure connection. Now one thing that you can do is activate a feature in WordPress that will enforce that HTTPS, that secure connection, whenever somebody is logging in and whenever they're in the admin area, so there's no other way to access these things. And the way to activate this feature is by grabbing this little snippet of code (and I'll give you the link to where you can get this), copying it, going into your wp-config file, scrolling all the way down to the bottom, and then, after the WP_DEBUG line here, pasting that code snippet. And once you do that, that's gonna make sure the only way you're getting into the admin area is through a secure connection. The next thing that we're gonna do is change the location of the login page. So if you look in the URL bar, you can see this login page is at wp-login.php. And you remember that I was telling you about how brute force attacks can be used to try and essentially guess their way into your admin area. Well, part of the way that that happens is an automated process will look at your domain name, and then it would just add this wp-login.php onto the end of it. Then it knows exactly where your login form is, and it can start trying to brute force it. So something that can help is just changing the URL of this login page to something non-default.
So we're gonna log back in, and the way that we're gonna do this is with a plugin. So we're gonna go Plugins > Add New, and then we're gonna search for "rename wp-login". And there are actually several different plugins that you can use to rename the login area, so feel free to have a browse through and choose a different one if you prefer. Or if not, you can just go with this one. So we're gonna install that and activate it. And now that's taken us straight to the page where we can rename our login area. So we can just leave that as "login" if we want, or you can come up with something a bit more obscure. And if you do go with something a bit more obscure, then make sure you bookmark your new login page so that you don't accidentally lose it. And on that note, if you ever install a plugin for security and then you accidentally lock yourself out with it, what you can do is go to your File Manager or FTP client, go into the Plugins folder in your WordPress installation, and then just rename the folder for that plugin. That will deactivate the plugin, which will in turn remove whatever mechanism is locking you out, and then you can get yourself back in. All right, for this, we're just gonna leave this as "login", and we'll save changes. So now if we log out, you can see that the URL now says login, not wp-login.php. So we'll just jump back in. The next thing that we're gonna do is limit the number of unsuccessful login attempts a person can make. Generally speaking, a valid user is only going to forget their password a couple of times before they reset it or they remember it or something else. But if there's an IP address that's making 6, 7, 8, 10, 20, 50 login attempts, then you can be pretty certain that that's somebody trying to hack their way into your site. And the way that you can deal with that is by setting a maximum number of login attempts. So if you set it to five, then after five incorrect attempts to log in, a user would just be temporarily locked out.
And you can set how long you wanna lock them out for. Might be 5 minutes, might be 20 minutes, but it'd be enough to interrupt that brute force process. Now, once again, there are a couple of different plugins that you can use for this, but we're gonna be going with the functionality that is included in one of the most popular security plugins for WordPress, and that is Wordfence. So install that one and activate it. And then down on the left here is the Wordfence menu, and we're gonna go into Options. Wordfence does a lot of stuff, and we're gonna talk about some of its other functionality in the next lesson. But for now, we're just focusing on limiting those login attempts. So we scroll down until we reach the Login Security Options section. So here, you can configure how many login attempts a person can make, how many times you allow them to forget their password, the period of time that you'll allow those attempts to occur within, and how long you wanna have that person locked out. Well, I say a person, but hopefully this is not gonna actually affect people as much as it is automatic attempts to try to get in. Generally speaking, you can probably leave these settings at the default. But what you wanna do is watch the activity on your site to try to see if there are brute force attacks being made on your site. And the settings that you can put in here may depend on what kind of site that you have. Now if you're the only person using your site, you can set these rules to be as strict as you want. However, if you have a business website where you have customers as members on your site, then you're also gonna have to think about the customer service side of things. For example, I had a website where all of my customers needed to be able to log into the backend in order to access products that they had purchased from me. However, at the same time, I experienced a relentless series of brute force attacks that went on for years, nonstop, 24/7.
So in order to protect the data of my customers, I had to make the call to make these rules very strict. One of the things that I activated was this option here to immediately lock out invalid usernames, because my logic was, sometimes you forget your password, but generally speaking, you're less likely to forget your own username. Now if you do find yourself in a situation where you have to do this, just have some type of customer service process ready, because when people get locked out, they do get a bit irritated. But just make sure that you provide an easy way for them to contact you and let you know that they've been locked out, and then just explain to them that the reason that you're doing it is to protect their information. And once they know that, they'll always be happy. The irritation will disappear, and if anything, you have an opportunity to build greater trust with your customers, because they know that you're looking out for their privacy and security. Now one great feature that this area also includes is this one you can see here: it says "prevent users registering admin username if it doesn't exist". And you already know why you don't wanna have an admin username on your site. But you can also add extra usernames here as well that you don't want to allow on your site. So you might add wp-admin. You might add your full name to make sure that nobody can use that. And that just gives you extra ways to try to prevent these brute force login attempts. Another thing that you should be aware of, if you have customers that need to log in to your site and you've limited the number of login attempts that they can make, is the Alerts section at the top of these options. So here, you can get an alert whenever somebody's IP address is blocked. Now, of course, you get to know your customers over time. So if you see that someone who's been locked out is a trusted member, then you can be a bit proactive.
You can go ahead and unblock them and let them know that they're good to log in again. And then if somebody contacts you who has been locked out and they are a legitimate user, then what you wanna do is go ahead into the Wordfence menu, go to Blocked IPs, and here you'll see IPs that are locked out from login. And then you should be able to identify the person who's been locked out and remove that block. Or you can just choose "Clear all locked out IP addresses" if you feel that it's safe to do so. The next thing that we're gonna talk about is the option of only allowing specific IPs to have access to your admin area. And this is something you can do if only you and a handful of other people are accessing the site, and you would all need to have static IP addresses, as in IP addresses that don't change over time; they stay the same. Now if you do have these circumstances, then you can follow the instructions you see on the screen here to modify the htaccess file that's in the root folder of your site, so that it only allows your IP address to access the admin area. Now I'm not going through exactly what you have to do here, because this does get a little technical. You're gonna need to know whether your server is an Apache server or an Nginx server. So if you don't feel confident with that, then you probably don't want to attempt this technique. But if you do, then you'll find a link in the notes below this video on the process to follow. Now another similar technique that you can do is to create an extra layer of password protection on your login page. And this is also done by editing the htaccess file in the root folder of your website. Now what this will do is, when you go to your login page, it will create a popup that prompts for username and password. And this functionality is completely separate to WordPress. Only once you successfully log in through this popup can you even access the login page.
So if you're dealing with brute force attacks and you don't have to allow public access to the admin area for your customers, then this is a really great option. So once again, this is a little technical, so what I'll do is just provide you the link for the instructions that you can follow to use this technique. Just a quick note, though: if you have renamed the login area, make sure that you don't leave this in here, which is the default address of your login area. Make sure you update that so that it's protecting the correct location for your login page. Now the next technique that we're going to use is adding a captcha code to your login forms. So we'll be doing this with a plugin again. So we'll go to Plugins > Add New. And there are several different captcha plugins, and you can really use any one that you like. One of my personal favorites, though, is SI CAPTCHA Anti-Spam. So we'll go ahead and install that, and activate it. Go into the Settings, scroll down, and by default, you can see that this is gonna set up a captcha code for the registration form, for the lost password form, and on the comment form. But you do have the option to activate it on the login form, too. And that's not enabled by default, just because if you have one of these public sites where you need members to be able to log in, the plugin assumes that that might be a little bit too annoying for your members. However, once again, if you are having trouble and you really need to clamp down on brute force attacks, then you can enable this. So we'll just save that, and now I'll show you the effect. So now, we have this captcha code here, and we can't log in without getting that code correct. The last technique that we're gonna talk about that you can use to protect your admin area is two-factor authentication or two-step authentication. Now you're probably familiar with this from your own personal use of this security technique.
But the two-step basically refers to needing two things in order to get in. So you have your username and password like normal, but you also might need to input a code that you've had SMS'ed out to your mobile. Now Wordfence does have functionality built in for this, if you go to Wordfence > Cellphone Sign-in. However, this is something that you will need to pay for Wordfence in order to access. Alternatively, there are other plugins that you can use. So what I'll do is I'll include a link below to a page on the WordPress Codex where you can read more about two-step authentication. That page provides a list of other plugins, so you can have a look through those and see if you feel that the security measure is right for your site, and then, if so, determine which plugin you wanna use. All right, so that wraps up the techniques that we're looking at for how to secure your admin area. We've done quite a lot so far to secure your site, but there is still more that we can do. So in the next lesson, we're gonna go through some additional security methods that you can implement. I'll see you there.
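The login-attempt limiting described in this lesson (a budget of failed attempts inside a counting window, a lockout period, and the option to lock out invalid usernames at once), worked through as an added Python example that is not part of the course and not Wordfence's own code. The sample attempt log, the account list and the default thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample login attempts: (seconds, client address, username, password accepted?)
SAMPLE_EVENTS = [(10 * i, "203.0.113.7", "editor", False) for i in range(5)] + [
    (50, "203.0.113.7", "editor", True),    # right password, but the address is already locked
    (60, "198.51.100.9", "admin", False),   # username that does not exist: locked out at once
    (70, "192.0.2.44", "editor", False),    # a genuine user mistypes once...
    (80, "192.0.2.44", "editor", True),     # ...and then gets in
]

class LoginGuard:
    """Per-address lockout with the knobs the lesson describes; the defaults are assumptions."""

    def __init__(self, valid_users, max_failures=5, window=300, lockout=1200,
                 lock_on_invalid_username=True):
        self.valid_users = frozenset(valid_users)
        self.max_failures = max_failures        # failed logins tolerated inside the window
        self.window = window                    # seconds in which failures are counted
        self.lockout = lockout                  # seconds a locked-out address stays locked
        self.lock_on_invalid_username = lock_on_invalid_username
        self._failures = defaultdict(deque)     # ip -> timestamps of recent failures
        self._locked_until = {}                 # ip -> time at which the lockout expires

    def is_locked(self, ip, now):
        return now < self._locked_until.get(ip, float("-inf"))

    def attempt(self, ip, username, password_ok, now):
        """Judge one login attempt and return "ok", "failed" or "locked"."""
        if self.is_locked(ip, now):
            return "locked"                     # refused even if the password is right now
        if password_ok and username in self.valid_users:
            self._failures.pop(ip, None)        # a successful login resets the count
            return "ok"
        if self.lock_on_invalid_username and username not in self.valid_users:
            self._locked_until[ip] = now + self.lockout
            return "locked"
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                    # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            return "locked"
        return "failed"

def replay(events=SAMPLE_EVENTS):
    """Run the sample through a guard that knows one real account; one verdict per attempt."""
    guard = LoginGuard(valid_users={"editor"})
    return [guard.attempt(ip, user, ok, t) for t, ip, user, ok in events]
```

Running `replay()` shows the fifth failure from one address triggering the lockout, the correct password being refused while the lockout lasts, and a single mistake from a genuine user costing nothing.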
