
2.1 Secure the Admin User and Login

Hello everyone, I am Reggie Dawson. Welcome to the WordPress Security Tips course for Tuts+. Individual user accounts and their login and password combinations are the weakest link in an effort to secure a WordPress site. Unlike hacks, which utilize some sort of exploit, attacks on WordPress are typically of the brute force variety. This attack requires little technical skill, and simply tries repeated log-ins with different passwords. Fortunately, there's a lot that we can do to limit the effectiveness of these brute force attacks.

First of all, you notice I mentioned that brute force attacks use different passwords. This is working off the fact that the attackers have the username they want to go after. Therefore, it makes sense to try and obscure your WordPress username as much as possible. This is also the reason that you should never use admin as the username for the administrator account. This used to be the default on WordPress, but now you are prompted to enter your own username. But some one-click installers may still use admin. Now, this is easy to handle with a fresh install of WordPress. But what if you already have a site with lots of content? This is not a problem; all you have to do is create a new administrator account with a different name. Then you can log in with the new administrator account and delete the old one. If you have any content that was attributed to the old admin account, assign it to the new account.

Another solution to help prevent brute force attacks is the use of strong passwords. Strong passwords are not enforced in WordPress, and this remains the easiest way for intruders to get in. For end users, it is a good idea to use a randomly generated password. You can do this yourself in your profile, or the administrator can do this for you when the account is created by going to the user in the Dashboard. Now, another solution for administrators could be a plugin such as Force Strong Passwords. This plugin will enforce the use of strong passwords on your end users. Now they will have no choice besides using a password that will be strong enough.

Now, another security measure is to regularly change your password. This is as simple as logging in and going to your user profile. Here, you can generate a password the same way the administrator can. Now, there is nothing in WordPress that forces users to change their password regularly. But a plugin such as Expire Passwords will allow you to set an amount of time before a password needs to be reset.

Now, these are just a few of the ways that we can lessen the risk of intrusion from our user log-ins. Another layer of protection can be achieved by using two-factor authentication. In addition to the password, you will also need some sort of code that will give you access to the WordPress site. This can be achieved through the use of a plugin. In the next video, we will learn about two-factor authentication and some of the plugins that we can use to set this up.
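The three controls the lesson describes (no `admin` username, enforced strong passwords, and a maximum password age) can be implemented directly with WordPress hooks instead of the named plugins. The following must-use plugin is an added example written for this page; it is not code from the course, from Force Strong Passwords or from Expire Passwords. It uses only core WordPress hooks (`user_profile_update_errors`, `profile_update`, `after_password_reset`, `user_register`, `wp_authenticate_user`) and the core `DAY_IN_SECONDS` constant; the `lhx_` function names, the `LHX_*` policy constants and the `lhx_password_last_changed` meta key are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: Login Hardening Example (added example, not part of the course)
 * Description: Blocks the "admin" username, enforces strong passwords and
 *              expires passwords after a fixed number of days.
 * Drop this file into wp-content/mu-plugins/ and it loads automatically.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

// Assumed policy values for this example; adjust to your own policy.
define( 'LHX_MIN_LENGTH', 12 );
define( 'LHX_MAX_AGE_DAYS', 90 );
define( 'LHX_LAST_CHANGED_META', 'lhx_password_last_changed' ); // hypothetical meta key

/** Return a reason the password is weak, or null if it passes. */
function lhx_weak_password_reason( $password, $username = '' ) {
    if ( strlen( $password ) < LHX_MIN_LENGTH ) {
        return sprintf( 'Password must be at least %d characters long.', LHX_MIN_LENGTH );
    }
    // Count character classes present: lowercase, uppercase, digits, symbols.
    $classes  = preg_match( '/[a-z]/', $password );
    $classes += preg_match( '/[A-Z]/', $password );
    $classes += preg_match( '/[0-9]/', $password );
    $classes += preg_match( '/[^a-zA-Z0-9]/', $password );
    if ( $classes < 3 ) {
        return 'Password must mix at least three of: lowercase, uppercase, digits, symbols.';
    }
    if ( '' !== $username && false !== stripos( $password, $username ) ) {
        return 'Password must not contain the username.';
    }
    return null;
}

/**
 * Fires when an admin creates/edits a user or a user edits their own profile.
 * $user->user_pass is only populated when a new password was submitted.
 */
function lhx_validate_profile( $errors, $update, $user ) {
    if ( ! $update && isset( $user->user_login ) && 'admin' === strtolower( $user->user_login ) ) {
        $errors->add( 'lhx_admin_login', '<strong>Error:</strong> The username "admin" is not allowed.' );
    }
    if ( ! empty( $user->user_pass ) ) {
        $login  = isset( $user->user_login ) ? $user->user_login : '';
        $reason = lhx_weak_password_reason( $user->user_pass, $login );
        if ( null !== $reason ) {
            $errors->add( 'lhx_weak_password', '<strong>Error:</strong> ' . $reason );
        }
    }
}
add_action( 'user_profile_update_errors', 'lhx_validate_profile', 10, 3 );

/** Record when a password was last set so its age can be checked at login. */
function lhx_stamp_password_change( $user_id ) {
    update_user_meta( $user_id, LHX_LAST_CHANGED_META, time() );
}
add_action( 'user_register', 'lhx_stamp_password_change' );
add_action( 'after_password_reset', function ( $user ) {        // lost-password flow
    lhx_stamp_password_change( $user->ID );
} );
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $user = get_userdata( $user_id );                          // profile screen: stamp only if hash changed
    if ( $user && $user->user_pass !== $old_user_data->user_pass ) {
        lhx_stamp_password_change( $user_id );
    }
}, 10, 2 );

/**
 * Refuse login once the password is older than the policy allows.
 * Accounts with no stamp yet (created before this plugin) are stamped now
 * rather than locked out; the reset e-mail flow is not affected by this filter.
 */
function lhx_check_password_age( $user, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    $changed = (int) get_user_meta( $user->ID, LHX_LAST_CHANGED_META, true );
    if ( 0 === $changed ) {
        lhx_stamp_password_change( $user->ID );
        return $user;
    }
    if ( time() - $changed > LHX_MAX_AGE_DAYS * DAY_IN_SECONDS ) {
        return new WP_Error(
            'lhx_password_expired',
            sprintf( 'Your password is older than %d days. Use "Lost your password?" to set a new one.', LHX_MAX_AGE_DAYS )
        );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'lhx_check_password_age', 10, 2 );
```

Because the age check sits on `wp_authenticate_user`, an expired user still reaches the normal lost-password flow, which stamps a fresh change time via `after_password_reset`; the username block only covers the Dashboard's Add New User screen, so an existing `admin` account still has to be replaced by hand as the lesson describes.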
