Day 4. WordPress Secure Administration
Yes, yes… passwords matter
This has been said more than a thousand times, and I want to say it once more. It really matters: even well-protected systems fall because of a user's weak password.
You are not even required to use the suggested (generated) password, which nobody can remember.

It is good enough to make it «green strong» in the WordPress strength meter and to keep your login, email address and website URL out of it.

What I want to say is: a second, memorable password that you actually remember is much better than a first, stronger password that you have to store somewhere unsafe.
WordPress Login Page
Change login error messages
If you go to your website's login page and type something random instead of your real username, you will see the following error message.
On the other hand, if you type the correct username (or email address) with an incorrect password, the error looks like this.
This makes it much easier to discover the email address or username that we tried to hide earlier: the two different responses tell an attacker whether an account exists. Fortunately, replacing these login error messages is simple. Just copy the code below into your theme's functions.php. Keep in mind that the match below depends on the exact English wording of the messages in your WordPress version; if the wording differs, the filter passes the original message through unchanged.
```php
/*
 * Replace WP default login error messages
 */
add_filter( 'login_errors', 'misha_custom_login_err_messages' );
function misha_custom_login_err_messages( $error ) {
	// We override only the two errors shown above and nothing else.
	// strpos() returns false when the text is absent, so compare against false
	// rather than relying on the (possibly 0) offset being truthy.
	if ( strpos( $error, 'The password you entered for' ) !== false
	     || strpos( $error, 'Invalid username' ) !== false ) {
		// Same message for "no such user" and "wrong password";
		// wp_lostpassword_url() is the WordPress helper for the reset link.
		$error = '<strong>ERROR</strong>: Oops. Wrong login information. '
		       . '<a href="' . esc_url( wp_lostpassword_url() ) . '">Lost your password?</a>';
	}
	return $error;
}
```
That’s how it should look after you insert the code.
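The snippet above works, but it depends on the exact English wording of WordPress's messages, which changes between versions and is different in every translation. The following is an added example, not code from the original post: it hooks the `authenticate` filter instead and replaces the `WP_Error` WordPress produces, keyed on its error codes (`invalid_username`, `invalid_email`, `incorrect_password`), which are stable. It assumes you save it as a file in wp-content/mu-plugins/ so it loads regardless of the active theme.

```php
<?php
/*
 * Plugin Name: Uniform login errors (added example)
 *
 * Added example, not code from the original post. Replaces the
 * account-revealing WP_Error objects by error *code* rather than by
 * matching message text. Assumption: installed as a must-use plugin
 * in wp-content/mu-plugins/.
 */

// Error codes that reveal whether an account exists. Other codes
// (empty_username, empty_password, ...) leak nothing and are left alone.
const UNIFORM_LOGIN_LEAKY_CODES = array(
	'invalid_username',   // login name not found
	'invalid_email',      // email address not found
	'incorrect_password', // account exists, password wrong
);

/**
 * Collapse account-revealing login errors into one generic message.
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier authenticate callbacks.
 * @param string                $username What the visitor typed.
 * @param string                $password What the visitor typed.
 * @return WP_User|WP_Error|null
 */
function uniform_login_error_authenticate( $user, $username, $password ) {
	if ( ! is_wp_error( $user ) ) {
		return $user; // successful login, or nothing decided yet
	}
	$leaky = array_intersect( $user->get_error_codes(), UNIFORM_LOGIN_LEAKY_CODES );
	if ( empty( $leaky ) ) {
		return $user; // some other error, keep it verbatim
	}
	// Identical text for "no such user" and "wrong password".
	$message = sprintf(
		'<strong>ERROR</strong>: Oops. Wrong login information. <a href="%s">Lost your password?</a>',
		esc_url( wp_lostpassword_url() )
	);
	return new WP_Error( 'login_failed', $message );
}
// Priority 100: WordPress's own username, email and cookie checks run at
// priorities 20 and 30, so by now the WP_Error we want to replace exists.
add_filter( 'authenticate', 'uniform_login_error_authenticate', 100, 3 );
```

Because this runs inside `wp_authenticate()`, it also covers logins through xmlrpc.php, not only wp-login.php. Two caveats a practitioner should know: the response time still differs slightly, since WordPress only hashes the password when the account exists, and the error message is just one enumeration channel (author archive URLs and the REST users endpoint can reveal usernames independently of it).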
Login Lockdown or 2FA authentication
Login Lockdown plugins block login attempts from an IP address after the password has been entered incorrectly several times.
You may use Login LockDown by Michael VanDeMar or Simple Login Lockdown by Christopher Davis; the second one is much simpler, which is why I like it the most.
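To make concrete what such a plugin does, here is an added example, not code from the original post nor from either plugin named above: it counts failed logins per client IP with WordPress transients and refuses further attempts from a locked address for a while. The limits are illustrative, the file is assumed to live in wp-content/mu-plugins/, and it assumes the site is not behind a reverse proxy or CDN (see the comment in `lockdown_key`).

```php
<?php
/*
 * Plugin Name: Minimal login lockdown (added example)
 *
 * Added example, not code from the original post nor from the plugins it
 * recommends. Counts failed logins per client IP and locks that IP out.
 * Assumptions: must-use plugin in wp-content/mu-plugins/; illustrative
 * limits; no reverse proxy in front of the web server.
 */

const LOCKDOWN_MAX_FAILURES = 5;                       // failures allowed per window
const LOCKDOWN_WINDOW       = 15 * MINUTE_IN_SECONDS;  // lifetime of the failure counter
const LOCKDOWN_DURATION     = 60 * MINUTE_IN_SECONDS;  // how long a locked IP waits

/** Transient key for the current client address. */
function lockdown_key( $prefix ) {
	// REMOTE_ADDR is the address the web server actually talked to. Behind a
	// proxy or CDN it is the proxy's address; fix that in the web server
	// (e.g. mod_remoteip) rather than trusting X-Forwarded-For here, because
	// the visitor controls that header and could evade or spoof the lock.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
	return $prefix . md5( $ip ); // short key without odd characters
}

function lockdown_is_locked() {
	return (bool) get_transient( lockdown_key( 'll_lock_' ) );
}

/** wp_login_failed fires for every rejected login, from wp-login.php and xmlrpc.php alike. */
function lockdown_record_failure( $username ) {
	if ( lockdown_is_locked() ) {
		return; // already locked: do not keep extending the lock
	}
	$key   = lockdown_key( 'll_fail_' );
	$count = (int) get_transient( $key ) + 1;
	set_transient( $key, $count, LOCKDOWN_WINDOW ); // the transient expiry is the window
	if ( $count >= LOCKDOWN_MAX_FAILURES ) {
		set_transient( lockdown_key( 'll_lock_' ), time(), LOCKDOWN_DURATION );
		delete_transient( $key );
	}
}
add_action( 'wp_login_failed', 'lockdown_record_failure' );

/** Reject a locked client's login, whatever WordPress itself decided. */
function lockdown_check( $user, $username, $password ) {
	if ( lockdown_is_locked() ) {
		return new WP_Error(
			'too_many_attempts',
			'<strong>ERROR</strong>: Too many failed login attempts. Please try again later.'
		);
	}
	return $user;
}
// Priority 100: the built-in username/email/password callbacks (priority 20)
// overwrite whatever an earlier callback returned, so a lockdown error only
// sticks if it is applied after them. A locked client gets the same error
// whether the password was right or wrong, so the lock also hides account existence.
add_filter( 'authenticate', 'lockdown_check', 100, 3 );

/** A successful login resets the failure counter for that address. */
function lockdown_clear( $user_login, $user ) {
	delete_transient( lockdown_key( 'll_fail_' ) );
}
add_action( 'wp_login', 'lockdown_clear', 10, 2 );
```

The limits of the approach are visible in the code: everybody behind the same NAT address is locked together, and an attacker spreading guesses over many addresses never hits the threshold. That is why the next paragraphs describe 2FA as the stricter option.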
2FA is a much stricter approach: nobody can log in, even knowing the correct password, without the enrolled smartphone at hand.
There are many plugins that implement 2FA, but I decided to use Google Authenticator by Henrik Schack. Installing the plugin is not enough: you also need to install the app of the same name on your smartphone.
When done, activate the plugin and go to Users > Your Profile to configure it.
The next time you log in, you will have to enter the Google Authenticator code shown in the app on your smartphone.
So, what to use, Login Lockdown or 2FA? It depends on your level of paranoia. I prefer Simple Login Lockdown plus wp-admin protection in .htaccess.
The Simplest Tips about Plugins and Themes
So, the tip is: if you can replace a plugin with a few lines of code, do it, and remove all inactive plugins and themes from your admin area.
Why? Because every plugin or theme is code that may contain a vulnerability, and an inactive one is still on disk, still reachable by the web server and usually no longer updated.
So your plugins page should look something like this:
I don't think a screenshot of the themes page is necessary: there should be only one theme there, the active one (or two, if you use a child theme).
And the second tip: never install premium plugins or themes downloaded for free! They may contain infected code.
If someone gets into your admin area, how do you tie their hands?
Do you use Appearance > Editor or Plugins > Editor? If so, you know that they let you edit the PHP files of themes and plugins. That means if someone gets your admin password, they can do anything they want through these editors, since editing PHP files is the same as running arbitrary code on your server.
To disable them, add the line below to your wp-config.php:

```php
define('DISALLOW_FILE_EDIT', true);
```
The result:

OK… but what if that person uploads a malicious plugin to your website? A plugin that can infect any file on your site.
The strictest option is:

```php
define('DISALLOW_FILE_MODS', true);
```

It doesn't just disable the editors, it also means:
- new plugins cannot be added,
- new themes cannot be added,
- but, unfortunately, all plugin, theme and core updates are blocked too, including the automatic background updates for security releases.
Many do not like updates.
Not without reason.
I think you can always safely update the WordPress core (if you haven't changed core files directly, of course, and I hope you haven't). That said, if you haven't updated the core for years, doing it without at least a backup or a good WP specialist is not recommended either.
To be updated = to be secured.
But when you have a site with a lot of functionality and many plugins, it is hard to diagnose a problem that appears after a single plugin update.
What to advise?
Always read the update notes. If it is a security release, make a backup and update immediately! And once a month or so, run a full update round.
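The downside of `DISALLOW_FILE_MODS` mentioned above is that it also stops the background updater that would install security releases by itself. Since WordPress 4.8 the `file_mod_allowed` filter lets you re-enable file changes for one context only. The following is an added example, not code from the original post: it keeps the admin UI locked (no installs or manual updates) but lets the automatic updater apply minor core releases. It assumes wp-config.php already contains `define('DISALLOW_FILE_MODS', true);`, that the file is saved in wp-content/mu-plugins/, and that PHP can write to the WordPress files directly (the background updater never asks for FTP credentials).

```php
<?php
/*
 * Plugin Name: Background security updates despite DISALLOW_FILE_MODS (added example)
 *
 * Added example, not code from the original post. Re-enables only the
 * 'automatic_updater' context of WordPress's file-modification check.
 * Assumptions: DISALLOW_FILE_MODS is true in wp-config.php; must-use
 * plugin in wp-content/mu-plugins/; PHP has direct write access to the
 * WordPress files.
 */

/**
 * Decide whether file modification is allowed for a given WordPress context.
 *
 * @param bool   $allowed Current decision (false while DISALLOW_FILE_MODS is set).
 * @param string $context Who is asking. WordPress uses 'automatic_updater',
 *                        'capabilities', 'download_language_pack' and
 *                        'can_install_language_pack'.
 * @return bool
 */
function allow_only_background_updates( $allowed, $context ) {
	// Only the background updater is let through. 'capabilities' is what
	// map_meta_cap() asks about for install_plugins, update_themes,
	// update_core and the file editors, so the admin UI stays locked.
	if ( 'automatic_updater' === $context ) {
		return true;
	}
	return $allowed;
}
add_filter( 'file_mod_allowed', 'allow_only_background_updates', 10, 2 );

// Background core updates default to minor (security and maintenance)
// releases. Pin that explicitly so nothing else widens it to major versions,
// which is the kind of update the text above says to test first.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
```

With this in place, a security release of the core is applied in the background while plugins and themes still need the monthly update round described above, done after a backup, on a site where `DISALLOW_FILE_MODS` has been temporarily lifted.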
Backups
It can also be described in one simple sentence: if you do not have a backup, after an attack you may lose your website.
Do not rely on your hosting provider's backups. Always make your own, with a plugin or manually, and keep a copy somewhere other than the web server itself, or an attacker who gets in can delete the backup along with the site.

Misha Rudrastyh
Hey guys and welcome to my website. For more than 10 years I've been doing my best to share with you some superb WordPress guides and tips for free.
As simple as your tips on WP security are, they are a treasure to me. Thanks Misha
Could you do a full tutorial on how to restrict a customer from buying more than one product in woocommerce and put a restricted sign on the product image and add to cart button (both on the shop and single product page)?
This means once the customer makes the order, he cannot order that product for the lifetime of that product on the site.
Thanks for your great works.
Hey Kuddis,
Ok, sure, I will publish this tutorial next week, on 27th of September.
Always welcome 🙃