In previous posts we have examined some solid WordPress security fundamentals such as keeping software up to date and using strong passwords at all times. However, for those who are especially security-minded there are some advanced techniques that can significantly amplify your security posture.
Two Factor Authentication
Two Factor Authentication (2FA) is increasingly becoming a common technique to vastly reduce the odds of unauthorized access. While we preach the use of strong passwords wherever possible, there are some circumstances when you have little control over your users’ passwords. What 2FA does is consider the username/password combo as only one key to login, analogous to having a front door with a deadbolt with a key separate from the door knob. If someone were to gain one key (i.e. was able to correctly guess a username/password combination), they still cannot get in to the site.
One popular 2FA system for WordPress is Google Authenticator. It is a plugin that works in conjunction with the free Google Authenticator app that can be installed on any smartphone. When an admin attempts to login to the site, they will be first prompted for a username/password combo as normal. Once this has been accepted, then a second factor will appear on the screen, either in the form of a QR code or another field to enter a text code. To scan the QR code or find the text code, the admin must consult their Google Authenticator app on their phone.
This technique makes it impossible for anyone without a registered Google Authenticator account on their smartphone linked to the site to login to the admin area, making unauthorized logins virtually impossible. The downside is that there is an added inconvenience of consulting a phone each time the admin needs to login to the admin area, and the setup can be tricky as the admin has to download an app as well as install and configure a plugin.
Limit Admin Access By IP
Another way to restrict access to the WordPress admin is through the use of IP access lists. This means that only users coming from a specific IP address (or set of IP addresses) can even view the WordPress login screen. This is another very secure way to limit admin access. Compared to 2FA the setup is quite simple, but it requires modifying some core files and should only be undertaken by an experienced developer. The biggest advantage over 2FA is that it is doesn’t modify the login process at all and is quite simple.
The downside is that you have to have a stable IP address in order for this to be useful. If you need to access the WordPress admin while traveling, you won’t be able to access to admin unless you add the new IP address to the core file. Another factor to consider is the number of people using your IP address. If you work out of a small office or your home, it won’t be an issue. However, if you work out of a large campus or a shared office space with multiple unknown users on the same IP address, it may not be very effective. Research and consideration should be applied prior to using IP access lists.
Web Application Firewall
A third technique to limit site access is through the use of a Web Application Firewall (WAF). There are multiple vendors for WAFs, some requiring a paid subscription and others offering a “freemium” service that gives you a basic WAF for free and then charges for more advanced features. Some of the larger WAF vendors for WordPress are Sucuri and Wordfence. The WAF will examine all incoming traffic to determine if the intent is malicious or not. They usually offer admin protection as well by blocking suspicious login attempts.
The main advantage of a WAF is that they protect the entire site and not just the admin login, offering a much larger scope of protection than the previously-mentioned techniques. A WAF can prevent more advanced malicious attacks such as cross site scripting and code injections. A potential major disadvantage is that they can flag legitimate customer actions as an attack, greatly ruining a customer’s experience on the site. They also have a myriad of settings that needs to be carefully considered prior to deployment, and each website/hosting combination will have a different set of optimal settings.
With all the press about compromised websites and IT systems, it is imperative to be very security-minded when setting up a new site, or hardening an existing one. Fortunately for WordPress admins the tools available to combat hackers are constantly improving. The techniques discussed here should go a long way to make your WordPress site more secure.