One of the reasons that WordPress is such a popular website management platform is its built-in administration tools, a.k.a. the “Dashboard”. Everything from editing pages and posts to managing plugins and themes is handled from this area. Because it’s all-powerful, protecting access to this area is critical to the well-being of your website.
Unfortunately, there’s good reason to be slightly paranoid about keeping intruders out of your website. Because of its popularity, WordPress is a common target for an army of bots seeking out vulnerable websites to hack. And keeping them out is much easier than getting rid of them once they’re inside. Here are a few common sense steps that you can take, plus a few that might not be as obvious.
Use a strong password. The evil bots will use brute-force password guessing algorithms to try to gain access. If you’re using a short (less than 10 characters), easy-to-guess password, they will probably succeed. WordPress will generate a strong password suggestion when a new user is created or a password is changed. Use that, or generate your own using password manager software.
Get rid of admin. The first user created by WordPress on installation is “admin”. This will also be the first user that bots will try to use when trying to break in. To get rid of “admin”, create another user with the role of administrator, log in as that user and delete admin. Any posts or pages belonging to admin can be transferred to the user that you just created.
Limit the number of bites at the apple. There are several plugins that limit the number of login attempts before locking a user out for a period of time. I set my sites to allow 5 tries, with a 30 minute lockout time. To do this, I use WordFence, a multi-function security plugin, which also limits the number of password retrieval attempts and immediately locks out any user trying to use “admin”.
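The lockout policy described in this step (5 failed tries, a 30 minute lockout, and an immediate lockout for anyone trying the “admin” username), written as a minimal WordPress must-use plugin. This is an added illustration, not WordFence’s code or anything from the original post; it assumes PHP 7 or later, a site with no reverse proxy in front of it (it keys the counter on `REMOTE_ADDR`), and that the file is placed in `wp-content/mu-plugins/`.

```php
<?php
// Added example: minimal login-attempt limiter as a WordPress mu-plugin.
// Policy: 5 failures -> 30 minute lockout; username "admin" -> locked out at once.

const LOCKOUT_MAX_ATTEMPTS = 5;
const LOCKOUT_SECONDS      = 30 * MINUTE_IN_SECONDS;

// One counter per client address. Assumption: no reverse proxy, so REMOTE_ADDR
// is the real client; behind a proxy you would key on its forwarded header instead.
function lockout_key() {
    return 'login_lockout_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// Priority 30 runs after WordPress's own username/password check, so a locked-out
// client is refused even when the password happens to be correct.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user; // nothing was submitted, nothing to judge
    }
    if ( 'admin' === strtolower( $username ) ) {
        // The retired "admin" account is never legitimate: lock immediately.
        set_transient( lockout_key(), array( 'locked' => true ), LOCKOUT_SECONDS );
    }
    $state = get_transient( lockout_key() );
    if ( ! empty( $state['locked'] ) ) {
        return new WP_Error( 'locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 2 );

// Count failures; the fifth one turns the record into a lockout that expires by itself.
add_action( 'wp_login_failed', function () {
    $state = get_transient( lockout_key() );
    if ( ! empty( $state['locked'] ) ) {
        return; // already locked; do not extend the 30 minute window on each retry
    }
    $fails = ( $state['fails'] ?? 0 ) + 1;
    $state = ( $fails >= LOCKOUT_MAX_ATTEMPTS )
        ? array( 'locked' => true )
        : array( 'fails' => $fails );
    set_transient( lockout_key(), $state, LOCKOUT_SECONDS );
} );

// A successful login clears the failure counter for that client.
add_action( 'wp_login', function () {
    delete_transient( lockout_key() );
} );
```

Transients are stored per site, so the counters are shared across all logins from the same address; a persistent object cache makes the lookups cheap on busy sites.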
Don’t share your login. WordPress makes it so easy to create new users, that there’s no reason to give anyone else your username and password. Create a new user with the appropriate role (administrator, editor, contributor, etc.) to do what they need to do on the site. If you are allowing someone in for tech support, they will probably need to be in the administrator role and their account can be disabled or deleted when the work is complete. (Read more about WordPress Roles and Capabilities.)
Consider 2FA. Two-Factor Authentication (a.k.a. Two-Step Authentication) adds another layer of protection by sending a code to a device that you own (usually your phone), to use in addition to your username and password. Most systems will remember a device for up to 30 days before requiring another code. While WordPress doesn’t support 2FA natively, several plugins, including WordFence, will enable it on your website. Depending on the nature of your site and its need for security, the extra step of entering a code for each new device may be worth the peace of mind.
While these items are just the low-hanging fruit of website security, implementing them will move you several steps above the average website. For more good password advice, see the WordFence blog post, Ten Password Mistakes That Could Get Your WordPress Site Hacked.