Day 4. WordPress Secure Administration

Yes, yes… passwords matter

It has been said more than a thousand times, and I want to say it once more. It really matters, because even the best-protected systems get broken into through users' weak passwords.

You don't even have to use the password WordPress suggests, which is impossible to remember.

The suggested strong passwords in WordPress.

It is enough to make the strength indicator show «green strong» and to leave your login, email and website URL out of the password.

You can create your own strong password that is easy to remember in WordPress.

My point is that it is far better to use the second password (your own) and remember it, than to use the first (generated) one and store it somewhere unsafe.

WordPress Login Page

Change login error messages

If you go to your website's login page and type something random instead of your username, you will see the following error message.

Login errors in WordPress: Incorrect Username.

On the other hand, if you type the correct username (or email) with an incorrect password, the error looks like this.

Login errors in WordPress: The password you entered for the username (email) is incorrect.

This makes it much easier to find out your username or email, which we tried to hide before. Fortunately, these login error messages are very easy to replace: just copy the code below into your theme's functions.php.


/*
 * Replace WP default login error messages
 */
add_filter('login_errors','misha_custom_login_err_messages');

function misha_custom_login_err_messages( $error ){
    
	// we will override only the above errors and not anything else
	if ( is_int( strpos( $error, 'The password you entered for') ) || is_int( strpos( $error, 'Invalid username' ) ) )
		$error = 'ERROR: Oops. Wrong login information.
Lost your password?'; return $error; }

That’s how it should look after you insert the code.

Custom Login Error Messages in WordPress.

Login Lockdown or 2FA authentication

Login Lockdown plugins block logins from a certain IP address after the password has been entered wrong several times.

You may use Login LockDown by Michael VanDeMar or Simple Login Lockdown by Christopher Davis; the second is much simpler, which is why I like it most.

Simple Login Lockdown plugin adds its options to the Settings > Reading page.
Simple Login Lockdown options in Settings > Reading.
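The lockdown mechanism described above, as an added example: this is not code from the original post and not the Simple Login Lockdown plugin's code. It assumes it is dropped into wp-content/mu-plugins; the limits, the transient prefix and the example_* function names are my own choices, while the hooks, the transient functions and WP_Error are WordPress's own.

```php
<?php
/*
 * Added example (not from the original post): a minimal per-IP login
 * lockdown as an mu-plugin. Limits and example_* names are assumptions.
 */

define( 'EXAMPLE_LOCKDOWN_MAX_ATTEMPTS', 5 );                 // failures before lockout
define( 'EXAMPLE_LOCKDOWN_WINDOW', 15 * MINUTE_IN_SECONDS );  // counting window = lockout length

// One counter per client IP. Behind a reverse proxy REMOTE_ADDR is the proxy's
// address, so the lockdown would hit everyone; fix that at the server level
// rather than trusting a client-supplied X-Forwarded-For header.
function example_lockdown_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_lockdown_' . md5( $ip );
}

// wp_login_failed fires for every wrong username/password pair.
add_action( 'wp_login_failed', 'example_lockdown_record_failure' );
function example_lockdown_record_failure( $username ) {
    $key      = example_lockdown_key();
    $attempts = (int) get_transient( $key ) + 1;
    // Each failure restarts the window, so hammering a locked IP keeps it locked.
    set_transient( $key, $attempts, EXAMPLE_LOCKDOWN_WINDOW );
    if ( $attempts === EXAMPLE_LOCKDOWN_MAX_ATTEMPTS ) {
        error_log( 'Login lockdown: ' . $key . ' locked after ' . $attempts . ' failures' );
    }
}

// Priority 30 runs after WordPress's own username/password checks (priority 20),
// so a locked IP is refused even when the password is correct.
add_filter( 'authenticate', 'example_lockdown_check', 30, 3 );
function example_lockdown_check( $user, $username, $password ) {
    $attempts = (int) get_transient( example_lockdown_key() );
    if ( $attempts >= EXAMPLE_LOCKDOWN_MAX_ATTEMPTS ) {
        // Generic wording, like the login_errors filter above: no hint
        // about whether the username exists.
        return new WP_Error( 'locked_out', 'ERROR: Too many failed login attempts. Try again later.' );
    }
    return $user;
}

// A successful login clears the counter for that IP.
add_action( 'wp_login', 'example_lockdown_clear' );
function example_lockdown_clear() {
    delete_transient( example_lockdown_key() );
}
```

Transients live in the options table (or the object cache), so the counters survive without any extra table; watch the error_log output to see which addresses get locked.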

2FA is a much stricter approach, because nobody can log in, even with the correct password, without the authorized smartphone at hand.

There are many plugins that let you implement 2FA, but I decided to use Google Authenticator by Henrik Schack. Installing this plugin is not enough: you also have to install the app of the same name on your smartphone.

When done, activate the plugin and go to Users > Your Profile to configure it.

Google Authenticator settings in Your Profile. Scan the QR code with your smartphone to configure it.
Open the app on your smartphone and enter the secret key or scan the QR code. That's it, 2FA is configured. Click Save Settings on this page.

The next time you log in, you will have to enter the Google Authenticator code shown in the app on your smartphone.

So, what should you use: Login Lockdown or 2FA? Well, it depends on your level of paranoia. I prefer Simple Login Lockdown plus wp-admin protection in .htaccess.

The Simplest Tips about Plugins and Themes

So the tip is: if you can replace a plugin with a few lines of code, do it, and remove all inactive plugins and themes from your admin area.

But why? Because every plugin or theme could potentially have a vulnerability in its code.

So your plugins page should look something like this:

Please remove all inactive plugins because each plugin could potentially have a vulnerability.
I'm sure you know about WooCommerce, but if you're interested in the first two plugins, they are mine and you can find them here.

I don't think a screenshot of the themes page is necessary: there should be only one theme there, the active one (or two, if you use a child theme).

And the second tip: never install premium plugins or themes for free! They may contain infected code.

If someone got into your admin area, how do you tie his hands?

Do you use Appearance > Editor or Plugins > Editor? If so, you know that they let you edit PHP files in themes and plugins. That means that if someone got your admin password, he can do anything he wants with this editor.

Built-in plugin and theme editor in WordPress.

To disable it, add the line below to your wp-config.php:


define('DISALLOW_FILE_EDIT', true);

The result:

Disable editor in WordPress admin area.

OK… but what if that guy uploads a malicious plugin to your website? A plugin that can infect any file on your website.

The strictest way is:


define('DISALLOW_FILE_MODS', true);

It doesn’t just disable your editor but also:
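An added example that is not code from the original post: DISALLOW_FILE_MODS is all-or-nothing (besides the editors it also blocks installing and updating plugins and themes), whereas filtering map_meta_cap from an mu-plugin gives a middle ground. The function name below is mine; the hook and the capability names are WordPress's own.

```php
<?php
/*
 * Added example (not from the original post): block the file editors and
 * new plugin/theme installs or uploads, but keep updates of what is already
 * installed possible. Function name is an assumption; hook and caps are WP's.
 */
add_filter( 'map_meta_cap', 'example_block_file_changes', 10, 2 );
function example_block_file_changes( $caps, $cap ) {
    $blocked = array(
        'edit_files', 'edit_plugins', 'edit_themes',        // Appearance/Plugins > Editor
        'install_plugins', 'install_themes',                // install from wordpress.org
        'upload_plugins', 'upload_themes',                  // upload a .zip from the admin
    );
    if ( in_array( $cap, $blocked, true ) ) {
        // 'do_not_allow' is never granted to any role, so even an
        // administrator (or an attacker with an admin session) is refused.
        return array( 'do_not_allow' );
    }
    return $caps;
}
```

Because the check happens in map_meta_cap, it covers the admin screens, admin-ajax and the REST API alike, not just the menu entries.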

Many people do not like updates.

Not without reason.

I think you can always safely update the WordPress core (provided you haven't changed anything directly inside it, which I hope you haven't). But if you haven't updated your WordPress core for years, doing so is also not recommended without at least a backup or a good WP specialist.

To be updated = to be secured.

But when your website has a lot of functionality and lots of plugins, it is hard to diagnose a problem that appears after a single plugin update.

What do I advise?

Always read the update notes. If it is a security release, make a backup and update immediately! And once a month or so, run a full update of everything.

Backups

This one can also be described in a single sentence: if you do not have a backup, you may lose your website after an attack.

Do not rely on your hosting provider's backups. Always make them yourself, with a plugin or manually.

Misha Rudrastyh

Hey guys and welcome to my website. For more than 10 years I've been doing my best to share with you some superb WordPress guides and tips for free.
