The WordPress login is the gateway to your website. As a WordPress admin, once you log in you can access the crucial sections of your site: personal information, blog posts, website settings, and a host of other options. That is why it’s incredibly important to keep your website secure from brute-force attacks.
First off…
What is a Brute Force Attack?
Simply put, a brute force attack is when hackers try to access your website by repeatedly guessing your login credentials. They do this by using automated scripts. Sounds messy, right?
So, how can we easily prevent this problem from happening? There are 2 easy steps to take to mitigate the risk of brute force attacks on your small business website.
Step #1: Your admin login credentials should be pretty hard for hackers to guess…
Just because WordPress sets up your default username as “admin” doesn’t mean you should just roll with it. Change this as soon as you can. Since “admin” is the most common WordPress username, it makes it even easier for hackers to brute force their way into your website: it’ll be the very first username they try. From there, all they’d need is your password and, BOOM, they’ve got access to your website. Ugh…
Let’s go ahead and fix this problem NOW:
1. Log in to your WordPress website.
2. In your WordPress Dashboard, click the “Users” tab.
3. Find the administrator account with the pesky “admin” username and check the email address that’s set for it. Change this to an address that you can access but wouldn’t want permanently tied to this account. We’ll come back to this account in a bit.
4. Create a new user: Users –> Add New.
5. Choose a distinctive username and enter the email address that you want linked to this account. It should not be the same one from step #3.
6. Set an airtight password, something that only you can remember. You can also use a password generator tool like 1Password Strong Generator. Whatever option you go with, write down your new password and store it somewhere safe where ONLY YOU can easily access it.
7. Set this new profile’s role to “Administrator” and click the “Add New User” button.
8. Log out and log back in with your shiny new admin account.
9. Go back to Users –> All Users. Find that yucky account with the default “admin” username and click Delete; be sure to attribute all of its posts and content to the new user profile that you just created. Easy day!
Now onto Step #2…
Step #2: Set up Two-Factor Authentication. You’ll thank me later!
First off, let’s quickly go over what Two-Factor Authentication is before setting it up.
Two-Factor Authentication (2FA) adds a warm and fuzzy blanket of security to your WordPress login page. With 2FA enabled on your website, it’s pretty much impossible for hackers to log in to your site, even if they somehow guess your password.
There are a bunch of different 2FA plugins for WordPress websites. A great option to use would be the Google Authenticator by miniOrange. It’s pretty straightforward to set up:
- Install the plugin onto your WordPress website. You can do this straight from the WordPress dashboard (Plugins –> Add New –> search “miniOrange 2 Factor Authentication” –> click “Install” –> click “Activate”).
- Click “miniOrange 2-Factor” from the left menu and follow the configuration instructions.
- Once completed, log out of your WordPress website.
- Enter your admin username and password. You should then be prompted to use the 2-factor method that you set up during the plugin configuration.
- Validate your login with the 2FA method. Now you’re in! 🙂