Lock Down Your WordPress Sites – Step 2 of 2
There is a constant, world-wide war being waged against WordPress sites. And in the last post, I gave you one thing you could do right away to help you stay safe: change your WordPress administrator User’s username to something other than “admin.”
You did that, right?
And I promised you one more thing that would finish the bad guys off for good. Here it is.
First, a very brief summary of what’s happening. Then, I’ll give you the plugin you need to get this project finished.
Since Thursday of last week, a group of hackers has been using an automated program to attempt a large number of logins on sites that are identified as using WordPress. This is happening worldwide, in an attempt to turn those sites into automated spam servers.
You don’t want your VO actor site turned into an automated spam server. You just don’t.
Here’s an article that gives the tech details, if you want to wade through it.
So, now that you’ve changed the name of your administrator User login from the WordPress default “admin” to something else, let’s finish the job.
(By the way – this will all work a lot more easily if you have a smartphone: iPhone, Android, or BlackBerry. If you don’t have one, you can get protected via text message or phone call. Get details on how to do that in this very geeky article.)
First, get the Google Authenticator app for your particular smartphone. If you have an iPhone, like I do, you can get the app, for free, here:
If you have an Android device, go here:
And if you have a BlackBerry, go here (the app at BlackBerry App World is called Authomator, not Google Authenticator, but it does the same thing):
OK. Got your app downloaded and installed? Don’t worry that you can’t use it yet.
Here’s the next step.
Go log in to your WordPress site, go to Plugins, click the Add New button at the top of the page, and then search for the phrase Google Authenticator. It’s usually the first plugin that shows up in the results, and it’s by Henrik Schack.
Install that. And follow the instructions to show the QR code in the plugin that you’ll snap a photo of with the app, to tie the two pieces (the plugin, and the app) together.
Once you do, you’ll be on your way to using world-class, timed authentication access codes, used by the big boys to protect access to their big boy stuff. And you’ll need your phone in front of you to be able to log in to your site (or sites – I have it protecting all of mine now).
Here’s how the plugin and the app work together: the plugin adds a third text box to your login screen – and the app is constantly generating six-digit numbers that change every 20 seconds. When you go to log in to your WordPress site, you enter your non-“admin” username and your password, along with the number currently displayed in the app on your phone’s screen, and if that number is correct, the plugin lets you log in.
And you don’t have to worry if your phone is not connected to the Net, like when you’re on an airplane – the Google Authenticator keeps creating numbers for you to use as your codes.
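To show what the app and the plugin are each doing with that shared secret, here is an added Python illustration (not the plugin’s own code, which is PHP) of the RFC 6238 time-based one-time password algorithm, together with the checks a login plugin needs on its side: tolerance for a little clock drift, a constant-time comparison, and refusing to accept the same code twice. It assumes the standard 30-second time step from the RFC and uses the RFC’s published reference secret so the results can be checked.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP_SECONDS = 30  # RFC 6238 default time step (assumed here; the post says 20)
DIGITS = 6         # the six-digit codes the post describes


def totp_code(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Code the app shows at unix_time: HMAC-SHA1 over the time-step counter,
    dynamic truncation (RFC 4226), then the last six decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_code(secret_b32, submitted, unix_time, last_used=None,
                window=1, step=STEP_SECONDS):
    """Server-side check, as a login plugin would do it. Accepts the code for the
    current step and up to `window` steps either side (clock drift), compares in
    constant time, and rejects any counter <= last_used so a code that was
    already used once cannot be accepted again. Returns the matched counter,
    or None when the code is not valid."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if hmac.compare_digest(totp_code(secret_b32, t, step), submitted):
            counter = t // step
            if last_used is not None and counter <= last_used:
                return None
            return counter
    return None


def enrollment_uri(secret_b32, account, issuer):
    """What the plugin's QR code encodes so the app can import the shared secret."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = 1111111109
    code = totp_code(RFC_TEST_SECRET, now)
    print(code, verify_code(RFC_TEST_SECRET, code, now))
    print(enrollment_uri(RFC_TEST_SECRET, "editor", "Example WP"))
```

Both sides derive the same code from nothing but the shared secret and the clock, which is why the phone needs no network connection and why a guessed password alone is not enough.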
It sounds trickier than it is, but it’s easy and it’s rock solid. All because the bad guys can’t know what’s on your phone’s screen.
And it stops all these brute force attacks on your site – cold.
Hope this helps.
Hi David, it’s me in the UK, Linda Nugent. I know lots of people with WordPress sites, but I’m wondering how this is affecting the account-based ones hosted by WordPress, for those who aren’t geeky enough to understand the geeky article.
If you’re hosted on WordPress.com, not to worry – they’ll take care of this for you.
This is for people who have their own WordPress installs on servers they are responsible for managing.
This looks like a clever fun solution, David.
But alas, our webmaster, my cowriter, hates smart phone technology, and won’t use it.
He mentioned to me last night if you use S2 Member (free) for processing payments on your website, then you already have too security as you have “double levels” someone would have to hack through to get to the Admin panel.
The S2 Member plug-in is thus not just for password protecting membership levels – up to four levels – but also for processing sales to secure pages for ebook downloads, and also for security.
So for anyone without a smart phone you have options.
I would submit that there are 1.9 million reasons every day (the estimated number of smartphone registrations daily in the US alone) that your webmaster should reconsider his hatred for smartphones. Sounds arbitrarily Luddite to me, especially for someone calling themselves a webmaster. I personally think this mobile stuff might just stick.
Also, S2 (which I know fairly well) has nothing to do with the generic WP login screen. It takes it over and brands it, but the login process is just as vulnerable to brute force hacking as a non-membership-plugin-enhanced look and feel.
David, as always I’m so grateful for the info you share! Brilliant. Oh and this cracked me up: “I personally think this mobile stuff might just stick.”
Do you think this is necessary if we have something like WordFence running?
I use both at the same time. They complement each other really well, and each provides an additional layer of protection.