User Tools
linux:wordpress_secure
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
linux:wordpress_secure [2018/03/28 05:44] admin |
linux:wordpress_secure [2018/03/28 05:53] (current) admin |
||
|---|---|---|---|
| Line 25: | Line 25: | ||
| Password by rank in terms of usage. | Password by rank in terms of usage. | ||
| - | 123456 | + | * 123456 |
| - | password | + | * password |
| - | 12345 | + | * 12345 |
| - | 12345678 | + | * 12345678 |
| - | qwerty | + | * qwerty |
| - | 123456789 | + | * 123456789 |
| - | 1234 | + | * 1234 |
| - | baseball | + | * baseball |
| - | dragon | + | * dragon |
| - | football | + | * football |
| If you use one of those passwords and your website receives any traffic at all, your website will almost certainly be taken down sooner or later. | If you use one of those passwords and your website receives any traffic at all, your website will almost certainly be taken down sooner or later. | ||
| Line 45: | Line 45: | ||
| If you have difficulty remembering your passwords, you can use KeePass Password Safe or Dashlane’s password manager. | If you have difficulty remembering your passwords, you can use KeePass Password Safe or Dashlane’s password manager. | ||
| + | ===== Hide The Login Page and Wp-Admin Page ===== | ||
| + | A hacker needs to find your login page, if he or she intends to brute force the login page to gain access. You can prevent this by employing what some call security through obscurity, the idea that hiding your login page will protect you, seeing as the attacker cannot identify a potential point of entry. Your website would be the equivalent of a bank without a door or any other public access point. | ||
| + | |||
| + | Most WordPress websites have the login entry point at yourwebsite.com/login.php. | ||
| + | |||
| + | Try typing webhostingsecretrevealed.net/login.php into your browser’s address bar. Doesn’t work, does it ? Because it doesn’t exist. The login entry for WHSR is located on a different URL. Similarly, you can change the access point on your website to something else. Essentially we change the login page URL. | ||
| + | |||
| + | {{ :linux:protectyouradmin.png |}} | ||
| + | |||
| + | Similar to the login.php page, there is the wp-admin directory which also needs to be protected. It is fairly easy to do with either of the two plugins – WPS Hide Login and Protect Your Admin. | ||
| + | |||
| + | ===== SSL ===== | ||
| + | |||
| + | SSL or Secure Socket Layer is an extra layer of security which makes any information that you send and receive between your browser and server unreadable. If someone were to intercept the information, they wouldn’t be able to read it and it wouldn’t make any sense. | ||
| + | |||
| + | SSL is always used for financial transaction portals and whenever any sensitive information is shared. Websites store a great deal of information about users and SSL helps keep that information safe. Similarly, SSL operates on Login Pages by making the browser to server communication process a lot more secure. | ||
| + | |||
| + | {{ :linux:simplessl.png |}} | ||
| + | |||
| + | You will need an SSL certificate which can be purchased from your web host, or sometimes you also get it free with the most basic of shared hosting plans. Really Simple SSL and WP Force SSL both help you setup SSL on your website, once you’ve purchased the SSL certificate. | ||
| + | |||
| + | ===== Limiting Number Of Login Attempts ===== | ||
| + | |||
| + | This is one incredibly simple technique to stop brute force attacks on your login page right in their tracks. A brute force attack works by attempting to get your username and password right by trying multiple combinations over and over. | ||
| + | |||
| + | If the particular IP which is perpetrating the attack is tracked, then you can block out the repeated brute forcing attempts and keep your site secure. This is also why global DDOS attacks occur with multiple IP addresses with different origins of attack, to throw hosting services and website security off guard. | ||
| + | |||
| + | {{ :linux:loginlockdown.png |}} | ||
| + | Login LockDown and Login Security Solution both offer great solutions to protect your website’s login pages. They track IP addresses and limit the number of login attempts to protect your website. | ||
| + | |||
| + | |||
| + | ===== Two Factor Authentication ===== | ||
| + | |||
| + | Google Authenticator is a WordPress plugin that operates via an app installed on your Android/iPhone/Blackberry. The plugin generates a QR code which you can scan with your mobile device or you can enter the secret code manually. | ||
| + | |||
| + | {{ :linux:authcode.png |}} | ||
| + | |||
| + | Your login will require an authentication code which is generated on your mobile device for login. The plugin can be used on a user by user basis and isn’t recommended for users will less privileges. Given that it is highly unlikely that the hacker has any physical access to your mobile device, your website’s login page will be very secure indeed (assuming there are no other vulnerabilities). | ||
| + | |||
| + | ===== Additional Security ===== | ||
| + | |||
| + | We’ve discussed hiding/renaming the login page and wp-admin directory, enabling SSL on login pages, using two factor authentication, limiting login attempts and using strong passwords and unusual usernames. You should also be aware that some web hosts mandate some of these security practices on their users. | ||
| + | |||
| + | If you’d like to, you can also use a full fledged security plugin like iThemes Security or Wordfence which offer many login protection features in addition to overall WordPress site security measures. | ||
| + | |||
| + | No WordPress security article is complete without mentioning that security can always be compromised. Plan ahead and back up your website with a free tool like Updraft Plus or a premium solution provider like VaultPress or BackUp Buddy. | ||
| + | |||
| + | I hope the article was helpful and made your website a bit safer. | ||
linux/wordpress_secure.1522208667.txt.gz · Last modified: 2018/03/28 05:44 by admin
Page Tools
