Protecting your users is a step that is sometimes forgotten when securing a website, and that is a real problem.
Plugins, themes and users are the three entry doors into your website from the outside, which is why it is important to protect both the login page and your users' or customers' accounts.
Securing a WordPress website means following a few steps; here are some of them, as handled by the SecuPress plugin.
Add a Recovery E-Mail Address
Adding a second e-mail address as a recovery address is a well-known system, used by Google for example. If your account is hacked, you receive the security instructions at this recovery address.
Add a Limit of Login Attempts
By default WordPress allows an unlimited number of login attempts, which lets bots brute-force your password at their own pace.
My tip is to limit these attempts to about 10: 3 is a little too low, since anyone can mistype a password, but not 10 times in a row!
Ban These Bad Attempts
Once the 10 attempts have been used up, what should you do? Ban the IP address of this bot or person for about 5 minutes. If it keeps going, ban it for a few hours or days to discourage it.
Ban Attempts with Unknown Login Names
If someone is trying to log in with an unknown login name, admin for example, why even let them try once? It is pointless: if a bot is trying different names to find a valid one, ban its IP address as in the previous tip.
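As an added example (not SecuPress's code, and not the page's own), here is how the three tips above, an attempt limit, an escalating IP ban and an immediate ban on unknown login names, can be wired into WordPress with its own hooks. The thresholds follow the post (10 attempts, a first ban of 5 minutes); the longer ban durations, the 15-minute counting window and the transient names are assumptions.

```php
<?php
/*
Plugin Name: Login Attempt Limiter (added example, not SecuPress code)
*/

define( 'EX_MAX_ATTEMPTS', 10 );                         // from the post
define( 'EX_ATTEMPT_WINDOW', 15 * MINUTE_IN_SECONDS );   // assumption: failures older than this are forgotten

// First ban 5 minutes (from the post), then longer for a repeat offender (assumed values).
function ex_ban_durations() {
    return array( 5 * MINUTE_IN_SECONDS, 6 * HOUR_IN_SECONDS, 2 * DAY_IN_SECONDS );
}

// Transient key for the visitor's address. REMOTE_ADDR is the address the web
// server itself saw; only read X-Forwarded-For if a proxy you control sets it,
// otherwise a visitor can forge it and dodge (or spoof) a ban.
function ex_ip_key( $prefix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return $prefix . md5( $ip );
}

function ex_is_banned() {
    return (bool) get_transient( ex_ip_key( 'ex_ban_' ) );
}

function ex_ban_current_ip() {
    $durations = ex_ban_durations();
    $strikes   = (int) get_transient( ex_ip_key( 'ex_strikes_' ) );
    $duration  = $durations[ min( $strikes, count( $durations ) - 1 ) ];
    set_transient( ex_ip_key( 'ex_ban_' ), 1, $duration );
    // Remember how many bans this address collected so the next one lasts longer.
    set_transient( ex_ip_key( 'ex_strikes_' ), $strikes + 1, WEEK_IN_SECONDS );
    delete_transient( ex_ip_key( 'ex_attempts_' ) );
}

// Core fires wp_login_failed after each rejected login. Count it, and ban at
// the limit, or right away when the name belongs to no account at all.
function ex_on_login_failed( $username ) {
    if ( ex_is_banned() ) {
        return; // already banned: do not restart the counter
    }
    $known    = get_user_by( 'login', $username ) || get_user_by( 'email', $username );
    $attempts = (int) get_transient( ex_ip_key( 'ex_attempts_' ) ) + 1;
    set_transient( ex_ip_key( 'ex_attempts_' ), $attempts, EX_ATTEMPT_WINDOW );
    if ( ! $known || $attempts >= EX_MAX_ATTEMPTS ) {
        ex_ban_current_ip();
    }
}
add_action( 'wp_login_failed', 'ex_on_login_failed' );

// Late priority (after core's own checks at 20 and 99) so that a WP_User
// returned by core cannot replace this error: a banned address is refused
// even when it supplies the right password.
function ex_refuse_banned( $user, $username, $password ) {
    if ( ex_is_banned() ) {
        return new WP_Error( 'ex_banned', __( 'Too many failed logins. Try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_refuse_banned', 100, 3 );

// A successful login clears the failure counter for that address.
add_action( 'wp_login', function () {
    delete_transient( ex_ip_key( 'ex_attempts_' ) );
} );
```

Two things to check before running something like this on a real site: if WordPress sits behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address and every visitor shares one counter, so the proxy's forwarded header must be trusted explicitly and only from that proxy; and an IP ban on a shared office or mobile carrier address locks out everyone behind it, which is why the durations start short.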
Avoid Logins When You're Sleeping
You know that you go to bed at 11pm and wake up at 7am? So why allow logins during that time? Close the door so nobody can connect to your WordPress dashboard when you are not supposed to be up.
Avoid Double Connections
When you are already logged in on your admin account, why let someone else log in again with the same account? Block any attempt to use your account while you are already using it, even if that person has your password.
Delete Multiple Sessions of Your Users
Do you have doubts about a member connected 5 or 10 times with the same account? Or about someone connected on your own account? Cut the users' sessions, or your own, to force them to log in again with a password.
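Here is an added example (again not SecuPress's code) covering the three tips above with WordPress's own session API: a login window in the site's timezone, a refusal to log in while the account already holds a live session, and helpers that destroy sessions so that a password is needed again. The 7am/11pm hours come from the post; the function names and the window logic for hours that wrap past midnight are assumptions.

```php
<?php
/*
Plugin Name: Login Window and Single-Session Guard (added example, not SecuPress code)
*/

// Hours in the site's timezone. From the post: closed from 11pm to 7am.
define( 'EX_LOGIN_OPEN_HOUR', 7 );    // first hour at which logins are allowed (07:00)
define( 'EX_LOGIN_CLOSE_HOUR', 23 );  // first hour at which logins are refused (23:00)

// True when $hour (0-23) falls inside the allowed window. Handles windows that
// wrap past midnight too (e.g. open 22, close 6), which the post does not need.
function ex_login_window_open( $hour, $open = EX_LOGIN_OPEN_HOUR, $close = EX_LOGIN_CLOSE_HOUR ) {
    if ( $open < $close ) {
        return $hour >= $open && $hour < $close;
    }
    return $hour >= $open || $hour < $close;
}

// Late priority so that core's WP_User result cannot override the refusal.
function ex_enforce_login_policy( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // credentials already rejected; nothing to add
    }
    // 1. Closed hours: refuse even a correct password. current_time( 'G' )
    //    is the hour in the timezone configured under Settings > General.
    if ( ! ex_login_window_open( (int) current_time( 'G' ) ) ) {
        return new WP_Error( 'ex_closed', __( 'Logins are closed at this hour.' ) );
    }
    // 2. Double connection: refuse when this account already holds a valid
    //    session. get_all() only returns sessions that have not expired.
    $sessions = WP_Session_Tokens::get_instance( $user->ID );
    if ( count( $sessions->get_all() ) > 0 ) {
        return new WP_Error( 'ex_in_use', __( 'This account is already logged in elsewhere.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_enforce_login_policy', 100, 3 );

// Kill every session of a user (a member's, or your own) so that the next
// request from any of their browsers has to go through the login form again.
function ex_force_relogin( $user_id ) {
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
}

// Keep the browser you are using right now and drop every other session of
// your own account, for the "someone is connected on my account" case.
function ex_keep_only_this_session() {
    WP_Session_Tokens::get_instance( get_current_user_id() )
        ->destroy_others( wp_get_session_token() );
}
```

The single-session rule has a practical consequence: a session created by "Remember Me" lives for two weeks, so closing the browser without logging out leaves a live session and the next login is refused. That is exactly the situation where ex_force_relogin() or ex_keep_only_this_session() is needed, for instance from a button on the user's profile screen, after a capability and nonce check.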
Don’t Type Any Password Again
Imagine that you no longer have to remember and type your password to log in. It is possible with the double-authentication method called PasswordLess.
SecuPress includes this module, which lets you enter only your login or e-mail (or recovery e-mail); you then receive by e-mail a special link, valid only once, that logs you in.
Even if someone has your password, they will not be able to log in.
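The following is an added example of the one-time link mechanism just described; it is not SecuPress's PasswordLess module. It assumes a login form that POSTs the name in the usual log field together with an ex_request_link field and a nonce created with wp_nonce_field( 'ex_request_link' ); the 15-minute lifetime and the transient names are assumptions, and the link goes to the account's main e-mail rather than a recovery address.

```php
<?php
/*
Plugin Name: One-Time Login Link (added example, not SecuPress code)
*/

define( 'EX_LINK_LIFETIME', 15 * MINUTE_IN_SECONDS ); // assumption: links expire after 15 minutes

// Issue a single-use link for the account matching a login name or e-mail.
// Only a hash of the token is stored, so reading the database does not yield
// a usable link; the token itself travels only inside the e-mail.
function ex_send_login_link( $login_or_email ) {
    $user = is_email( $login_or_email )
        ? get_user_by( 'email', $login_or_email )
        : get_user_by( 'login', $login_or_email );
    if ( ! $user ) {
        return; // stay silent so the form does not reveal which accounts exist
    }
    $token = wp_generate_password( 32, false ); // 32 random alphanumerics
    set_transient( 'ex_magic_' . hash( 'sha256', $token ), $user->ID, EX_LINK_LIFETIME );
    $url = add_query_arg( 'ex_token', $token, wp_login_url() );
    wp_mail(
        $user->user_email,
        __( 'Your one-time login link' ),
        sprintf( __( "Open this link within 15 minutes to log in:\n%s\nIt works only once." ), $url )
    );
}

// Consume the link: look up the hash, delete it before anything else so a
// second visit fails, then open a session without any password.
function ex_consume_login_link() {
    if ( empty( $_GET['ex_token'] ) ) {
        return;
    }
    $key     = 'ex_magic_' . hash( 'sha256', (string) wp_unslash( $_GET['ex_token'] ) );
    $user_id = get_transient( $key );
    delete_transient( $key ); // single use, whether or not the login succeeds
    $user    = $user_id ? get_user_by( 'id', (int) $user_id ) : false;
    if ( ! $user ) {
        wp_die( __( 'This login link is invalid or has expired.' ) );
    }
    wp_set_auth_cookie( $user->ID, false );
    do_action( 'wp_login', $user->user_login, $user ); // let other plugins see the login
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'login_init', 'ex_consume_login_link' );

// Handle the request form: accept a POSTed name and send the link.
function ex_handle_request_form() {
    if ( isset( $_POST['ex_request_link'], $_POST['log'] ) && check_admin_referer( 'ex_request_link' ) ) {
        ex_send_login_link( sanitize_text_field( wp_unslash( $_POST['log'] ) ) );
        wp_die( __( 'If that account exists, a login link has been e-mailed to it.' ) );
    }
}
add_action( 'login_init', 'ex_handle_request_form' );
```

Three details carry the security of this scheme: the token is long and random, the stored copy is a hash, and the stored copy is deleted before the session is opened. With those in place a stolen password is useless for the link form, as the post says, and what protects the account instead is the mailbox.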
Leave Bots at the Door
With a captcha on the login page, bots can no longer use the form: your website is now bot-proof.
Don't Let Passwords Get Old
A password should always be young, what a chance! I strongly recommend resetting it from time to time; limiting the lifetime of a password is a good way to enforce this.
Use a Strong Password
We have already talked about this: a password should resist attacks when bots come to your door (or is it closed?). Read our post again, then force your members to use a strong password.
Ask for Old Password
When you change your password, WordPress does not ask for the current one. For us, that is a lack of security.
This is why SecuPress adds an "Old Password" field; only filling it in lets you continue. This prevents anyone near you from changing your password if you step away for a moment, or if your session has been stolen.
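As an added example of that field (not SecuPress's implementation), the code below adds an "Old Password" input to a user's own profile screen and refuses the password change unless the current password is supplied and verifies. The field name ex_old_pass and the function names are assumptions; pass1 is the name WordPress itself uses for the new-password field.

```php
<?php
/*
Plugin Name: Require Current Password (added example, not SecuPress code)
*/

// Show an "Old Password" field, only when a user edits their own account.
function ex_old_password_field( $user ) {
    if ( get_current_user_id() !== (int) $user->ID ) {
        return;
    }
    ?>
    <table class="form-table">
        <tr>
            <th><label for="ex_old_pass"><?php esc_html_e( 'Old Password' ); ?></label></th>
            <td><input type="password" name="ex_old_pass" id="ex_old_pass" autocomplete="current-password" /></td>
        </tr>
    </table>
    <?php
}
add_action( 'show_user_profile', 'ex_old_password_field' );

// Runs before WordPress saves the profile; adding an error aborts the update,
// so a stolen session or a passer-by at an unlocked screen cannot set a new
// password without knowing the old one.
function ex_require_old_password( $errors, $update, $user ) {
    if ( ! $update || empty( $_POST['pass1'] ) ) {
        return; // not a password change
    }
    $current = wp_get_current_user();
    if ( (int) $current->ID !== (int) $user->ID ) {
        return; // an administrator resetting another account is governed by capabilities
    }
    $old = isset( $_POST['ex_old_pass'] ) ? (string) wp_unslash( $_POST['ex_old_pass'] ) : '';
    // wp_check_password() compares against the stored hash; it never sees the old hash in the clear.
    if ( '' === $old || ! wp_check_password( $old, $current->user_pass, $current->ID ) ) {
        $errors->add( 'ex_old_pass', __( '<strong>Error</strong>: Please enter your current password to set a new one.' ) );
    }
}
add_action( 'user_profile_update_errors', 'ex_require_old_password', 10, 3 );
```

Note that this only guards the profile screen. The "lost password" e-mail flow still works without the old password, which is one more reason the recovery address at the top of this post matters.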
Forbid the Usage of Strange Login Names
By default WordPress allows any possible name as a login. But it is wise to refuse names like "www", "admin", "administrator" etc. Such names could be used to impersonate a staff member of your website, or to fool the system if the login name is used as a subdomain (imagine www…).
Blocking the use and creation of users with such names is a good security point for your WordPress site.
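WordPress has a built-in hook for exactly this, the illegal_user_logins filter, which wp_insert_user() and register_new_user() consult before creating an account. The block below is an added example (not SecuPress's module) that feeds it a reserved list and also refuses such names at the login form; the list beyond www, admin and administrator is an assumption.

```php
<?php
/*
Plugin Name: Reserved Login Names (added example, not SecuPress code)
*/

// Names nobody may register or be created with: staff-looking names from the
// post, plus hostnames that would collide if logins double as subdomains.
function ex_reserved_logins( $logins ) {
    $reserved = array( 'www', 'admin', 'administrator', 'root', 'support', 'mail', 'ftp', 'api' );
    return array_merge( $logins, $reserved );
}
add_filter( 'illegal_user_logins', 'ex_reserved_logins' );

// True when $login is on the reserved list (case-insensitive, like core's own check).
function ex_is_reserved_login( $login ) {
    $reserved = array_map( 'strtolower', (array) apply_filters( 'illegal_user_logins', array() ) );
    return in_array( strtolower( $login ), $reserved, true );
}

// Don't even let the login form try one of these names. Rename any existing
// account that uses such a name first, or this rule locks it out.
function ex_refuse_reserved_login( $user, $username, $password ) {
    if ( '' !== $username && ex_is_reserved_login( $username ) ) {
        return new WP_Error( 'ex_reserved', __( 'This login name is not allowed.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_refuse_reserved_login', 100, 3 );
```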
Move the Login Page
Bots already know where to hit to find the login page of a WordPress website. This is why you should move it, using the SecuPress module "Move Login".
You can hide it from bots, but also from humans (you'll need a good memory!).
14 tips to apply, 14 security rules to protect your users and your website. SecuPress can do this for you in a few clicks.