WordPress runs over 40% of the Internet, which makes it a target for attackers for many reasons.
Fortunately, WordPress is very flexible and has an enormous amount of community support, so there are several ways to make it more robust and secure using free plugins.
Here are two simple WordPress security methods you should be using on your website to prevent it from being compromised. This isn’t everything you should be doing, but these methods are very simple and very effective.
Use Two-Factor Login WordPress Security
Two-Factor authentication has become far more common in the last several years. This method of security involves an additional and different authentication method after the initial username and password authentication step.
Typically, this is a text message to a phone number or a code you enter from an app. Either is a solid method of adding a second layer of security to your website.
To use this method in WordPress, I recommend using the Wordfence Login Security plugin, a free lightweight solution by the makers of the Wordfence application firewall.
Simply install it from the plugin directory inside your WordPress website, and then activate it. From there, you’ll click on the plugin from the side menu, and follow the prompts to download a 2FA app, scan the supplied QR code, and begin generating your 2FA codes.
Make sure to save the backup access tokens as well in case you lose access to your device. This will keep you from getting locked out of your website.
From there, you can configure several options on the plugin, but I recommend, at a minimum, requiring all Admin users and even Editors to use 2FA. This does a great job of preventing scripted break-in attempts on your website.
Honorable mention: The full Wordfence plugin is great as well if you want far more security options; however, it’s a bit of a bear to configure if you’re a novice. Feel free to ask us for help with this.
Hide Your Default Login URL
Another simple security method is to hide your default login URL. All WordPress websites have a default login URL which is known to anyone who wants to access it. A plugin can take advantage of rewrite rules to change that URL to something more secure.
For example, instead of example.com/wp-admin, I could use example.com/admin-login-url, or something more difficult to guess.
This simple step goes a long way because most brute-force login attempts will just move on to the next site if they can’t access the default URL.
To use this method, I recommend the free WPS Hide Login plugin, which is incredibly light and very widely used.
Again, just download it from the plugin directory, and configure the options to use whatever URL you want. Make sure to save this URL somewhere safe, as your default URL will no longer work.
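One way to confirm the change from your web server's access log is sketched below. It is an added example, not code from this post or from either plugin. It assumes a common/combined-format access log and that the hidden default URL stops answering 200; the 404 in the sample and the threshold of 3 are illustrative values.

```python
import re
from collections import Counter

# Prefix of a common/combined access-log line: client IP, request, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DEFAULT_LOGIN = "/wp-login.php"  # WordPress's stock login script


def audit_login_hits(lines, threshold=3):
    """Return (still_served, noisy_clients) for the default login script.

    still_served  -- True if any request to it was answered with 200
    noisy_clients -- {ip: POST count} for clients with >= threshold POSTs
                     (threshold is an illustrative value, tune per site)
    """
    posts = Counter()
    still_served = False
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        if m["path"].split("?", 1)[0] != DEFAULT_LOGIN:
            continue  # ignore everything except the default login script
        still_served = still_served or m["status"] == "200"
        if m["method"] == "POST":
            posts[m["ip"]] += 1
    return still_served, {ip: n for ip, n in posts.items() if n >= threshold}


# Constructed sample lines (documentation IP ranges), not real traffic.
TS = "[10/Mar/2024:04:12:01 +0000]"
SAMPLE_BEFORE = [
    f'203.0.113.7 - - {TS} "POST /wp-login.php HTTP/1.1" 200 4521',
    f'203.0.113.7 - - {TS} "POST /wp-login.php HTTP/1.1" 200 4521',
    f'203.0.113.7 - - {TS} "POST /wp-login.php HTTP/1.1" 200 4521',
    f'198.51.100.20 - - {TS} "GET /wp-login.php?loggedout=true HTTP/1.1" 200 3980',
]
SAMPLE_AFTER = [  # assumes the hidden default URL now answers 404
    f'203.0.113.7 - - {TS} "POST /wp-login.php HTTP/1.1" 404 1187',
    f'203.0.113.7 - - {TS} "POST /wp-login.php HTTP/1.1" 404 1187',
    f'198.51.100.20 - - {TS} "POST /admin-login-url HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("before:", audit_login_hits(SAMPLE_BEFORE))
    print("after: ", audit_login_hits(SAMPLE_AFTER))
```

If `still_served` is still true after you configure the plugin, the default login page is being answered somewhere, which usually means a cached page or a rewrite rule that has not taken effect.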
Need Help With Your WordPress Website?
You’re welcome to set these up yourself by following the instructions above, or contact Louisville Web Nerds for assistance with your website. We’ll be happy to implement these techniques and keep an eye on your website for you with our widely popular monthly WordPress support packages. With these packages, we aim to take all of the technical work out of your hands so you can focus on growing your business.