Fredrick SujinDoss
Published in Smack Thoughts
Feb 4, 2016 · 2 min read


User Security for WordPress: a Getting Started Guide

Somewhere in the world, a hacking attempt of some kind is happening every second (Norse report).

8% of those attacks go through the normal login process, i.e. by obtaining a valid username and password. An electric fence gives no security if the door is left open. The steps below are simple ones that a novice with zero knowledge of code can perform.

Remove the admin username

admin is the default username that comes with Administrator privileges, so it is the first one attackers try. Rename it, demote it to a lower-privilege role, or remove it altogether. Do not use usernames like demo or test either, and never give such accounts elevated privileges. Choose usernames that cannot be guessed. Note that renaming the login alone is not enough to hide it: the author archive URL (/?author=1) and the display name are built from the same value unless you change the nickname and display name as well.

Read the guide here on changing the admin username.

Enforce Strong Passwords

Trustwave's 2015 security report states that the ten most common corporate passwords of 2014 were very simple and easily guessable. Meanwhile, 55% of online users reuse the same password across multiple sites. Passwords therefore need to be held to a much higher standard: ask your website's contributors to generate their passwords with a random password generator, to use a password that is unique to your site, and to store it in a secure password manager rather than in a browser or a document.
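Asking nicely only goes so far; the site can also refuse weak passwords outright. The following must-use plugin is an added example (not code from the original post or from any plugin it mentions) that rejects short, common, or username-derived passwords when a user sets a password on the profile screen or through the password-reset form. The minimum length, the tiny denylist, and every function name beginning with spp_ are my own assumptions for the example.

```php
<?php
/**
 * Plugin Name: Strong Password Policy (added example)
 * Description: Rejects short, common, or username-derived passwords when a user
 *              sets a password on their profile or through the reset form.
 * Save as wp-content/mu-plugins/strong-password-policy.php; must-use plugins
 * load automatically and cannot be deactivated from the dashboard.
 */

// Policy value is an assumption for this example, not from the article.
const SPP_MIN_LENGTH = 12;

/** Constructed denylist for illustration; a real site should check a large breached-password list. */
function spp_denylist() {
    return array(
        'password', 'password1', 'passw0rd', '123456', '12345678',
        'qwerty123', 'welcome1', 'letmein', 'admin123', 'wordpress',
    );
}

/**
 * Returns an explanation of what is wrong with $password, or '' if it passes.
 * Checks are ordered cheapest first; all comparisons are case-insensitive.
 */
function spp_password_problem($password, $username = '') {
    if (strlen($password) < SPP_MIN_LENGTH) {
        return sprintf('Passwords must be at least %d characters long.', SPP_MIN_LENGTH);
    }

    $lower = strtolower($password);

    // Strip punctuation so "Password1!" is still caught as "password1".
    $stripped = preg_replace('/[^a-z0-9]/', '', $lower);
    if (in_array($stripped, spp_denylist(), true)) {
        return 'That password is on common-password lists. Generate a random one with a password manager.';
    }

    if ($username !== '' && strpos($lower, strtolower($username)) !== false) {
        return 'The password must not contain your username.';
    }

    $site = strtolower(get_bloginfo('name'));
    if (strlen($site) >= 4 && strpos($lower, $site) !== false) {
        return 'The password must not contain the site name.';
    }

    return '';
}

/** Profile and "Add New User" screens: $user->user_pass is only set when a new password was entered. */
function spp_check_profile_password($errors, $update, $user) {
    if (empty($user->user_pass)) {
        return;
    }
    $login   = isset($user->user_login) ? $user->user_login : '';
    $problem = spp_password_problem($user->user_pass, $login);
    if ($problem !== '') {
        $errors->add('weak_password', '<strong>Error</strong>: ' . esc_html($problem));
    }
}
add_action('user_profile_update_errors', 'spp_check_profile_password', 10, 3);

/** Password reset form (wp-login.php?action=rp): the new password arrives in the pass1 field. */
function spp_check_reset_password($errors, $user) {
    if (!($user instanceof WP_User) || !isset($_POST['pass1']) || $_POST['pass1'] === '') {
        return;
    }
    $problem = spp_password_problem(wp_unslash($_POST['pass1']), $user->user_login);
    if ($problem !== '') {
        $errors->add('weak_password', '<strong>Error</strong>: ' . esc_html($problem));
    }
}
add_action('validate_password_reset', 'spp_check_reset_password', 10, 2);
```

Both hooks receive a WP_Error object; adding an entry to it is what makes WordPress abort the save and show the message. The length check deliberately comes before the denylist lookup so that the denylist only needs to hold passwords that already clear the minimum length.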

Limit Login Attempts or Add a Captcha

Bots are used to guess passwords once the attacker knows the username: the bot keeps submitting passwords from a list to the login URL until one gets through. Limit the number of login attempts a user can make per minute, and encourage users who are locked out to use the Lost your password link instead of trying once more.

Automated brute force can also be slowed by adding a captcha to your login forms. A math-based captcha (the user answers a simple sum) is friendlier to human visitors than distorted-image captchas, but a plain-text sum is trivial for a script to solve, so treat a captcha as a complement to rate limiting rather than a replacement for it.

A good plugin to slow down brute force attempts.
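To show what such a plugin actually does, here is an added example of a minimal must-use plugin that implements the lockout described above. It is not code from the original post or from any plugin it links to; the limits (5 failures per minute, 15-minute lockout) and the lal_ function names are my own assumptions. The lockout is keyed on the username and client address together, and it uses the wp_authenticate_user filter, which WordPress runs after it has found the user but before it compares the password.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Locks a username/IP pair out after too many failed logins in a minute.
 * Save as wp-content/mu-plugins/login-attempt-limiter.php.
 */

// Limits are assumptions for this example; tune them for your site.
const LAL_MAX_ATTEMPTS    = 5;    // failures tolerated inside one window
const LAL_WINDOW_SECONDS  = 60;   // the one-minute window the article suggests
const LAL_LOCKOUT_SECONDS = 900;  // refuse logins for 15 minutes after the limit

/**
 * Client address. Only REMOTE_ADDR is trusted: X-Forwarded-For is attacker-controlled
 * unless a reverse proxy you run overwrites it, in which case read it there instead.
 */
function lal_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient name for this IP + username pair; hashed so any username yields a safe key. */
function lal_key($username) {
    return 'lal_' . md5(lal_client_ip() . '|' . strtolower($username));
}

/** Runs on every failed login (core fires wp_login_failed with the submitted username). */
function lal_record_failure($username) {
    $now   = time();
    $key   = lal_key($username);
    $state = get_transient($key);
    if (!is_array($state)) {
        $state = array('count' => 0, 'first' => $now, 'locked_until' => 0);
    }

    // Start a fresh window once the previous one has aged out, but never shorten an active lockout.
    if ($state['first'] < $now - LAL_WINDOW_SECONDS && $state['locked_until'] <= $now) {
        $state = array('count' => 0, 'first' => $now, 'locked_until' => 0);
    }

    $state['count']++;
    if ($state['count'] >= LAL_MAX_ATTEMPTS) {
        $state['locked_until'] = $now + LAL_LOCKOUT_SECONDS;
    }
    // Keep the record long enough to outlive the lockout it may carry.
    set_transient($key, $state, LAL_WINDOW_SECONDS + LAL_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'lal_record_failure');

/**
 * Runs after WordPress has looked the user up but before it compares the password,
 * so a locked-out pair is refused without the password ever being checked.
 */
function lal_refuse_if_locked($user, $password) {
    if (!($user instanceof WP_User)) {
        return $user;
    }
    $state = get_transient(lal_key($user->user_login));
    if (is_array($state) && $state['locked_until'] > time()) {
        $minutes = (int) ceil(($state['locked_until'] - time()) / 60);
        return new WP_Error(
            'too_many_attempts',
            sprintf(
                '<strong>Error</strong>: Too many failed login attempts. Try again in %d minute(s), or use "Lost your password?" to reset it.',
                $minutes
            )
        );
    }
    return $user;
}
add_filter('wp_authenticate_user', 'lal_refuse_if_locked', 10, 2);

/** A successful login clears the counter for that pair. */
function lal_clear_on_success($user_login) {
    delete_transient(lal_key($user_login));
}
add_action('wp_login', 'lal_clear_on_success');
```

Because every refused attempt also fires wp_login_failed, hammering a locked account keeps extending the lockout. The same filter runs for XML-RPC logins, which brute-force tools often target instead of wp-login.php, so the limit applies there too. Transients live in the options table (or the object cache if you have one), so no extra storage is needed.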

Two-Factor Authentication

Set up Google Authenticator, or SMS or voice-call based one-time passwords, in addition to the normal username and password. The second factor stops an attacker who has obtained your password by some other means (phishing, or a reused password from another site's breach) from getting into your account. Prefer an authenticator app over SMS where you can, since SMS codes can be intercepted or redirected through the phone carrier.

Refer to the step-by-step guide for setting up 2FA with Google Authenticator.

Enable Login Notifications

As an admin you should know who accessed your website, from where, and how. Set up a plugin like Wordfence that alerts you when someone logs in. The notification should include where the user logged in from and what they did once inside.
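The core of such an alert is a handful of lines on WordPress's wp_login hook. The following must-use plugin is an added example, not code from the original post or from Wordfence, that emails the site administrator on every successful login with the user, time, client address, and browser. The lnx_ function names and the message layout are my own choices.

```php
<?php
/**
 * Plugin Name: Login Notification (added example)
 * Description: Emails the site administrator on every successful login, with who,
 *              when, from which address, and with which browser.
 * Save as wp-content/mu-plugins/login-notification.php.
 */

/** Same trust rule as any IP-based control: only REMOTE_ADDR unless your own proxy rewrites it. */
function lnx_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

/** Plain-text body. Kept separate from the hook so the format can be reviewed on its own. */
function lnx_build_message(WP_User $user, $ip, $user_agent, $when, $site_url) {
    $lines = array(
        sprintf('User "%s" (ID %d, role: %s) logged in to %s.',
            $user->user_login, $user->ID, implode(', ', $user->roles), $site_url),
        '',
        'Time:       ' . $when,
        'IP address: ' . $ip,
        'Browser:    ' . $user_agent,
        '',
        'If this was not you or a colleague, reset the password for this account',
        'and review the Users screen for accounts you do not recognise.',
    );
    return implode("\n", $lines);
}

/** Core fires wp_login with the login name and the WP_User object once authentication succeeds. */
function lnx_notify_on_login($user_login, $user) {
    $ip    = lnx_client_ip();
    $agent = isset($_SERVER['HTTP_USER_AGENT'])
        ? substr(sanitize_text_field(wp_unslash($_SERVER['HTTP_USER_AGENT'])), 0, 200)
        : 'unknown';
    $when  = current_time('mysql');       // site-local time from Settings > General
    $to    = get_option('admin_email');

    $subject = sprintf('[%s] Login: %s from %s', get_bloginfo('name'), $user_login, $ip);
    wp_mail($to, $subject, lnx_build_message($user, $ip, $agent, $when, home_url()));
}
add_action('wp_login', 'lnx_notify_on_login', 10, 2);
```

On a site with many contributors this is noisy; a common refinement is to send mail only when user_can($user, 'manage_options') is true and write the rest to a log. The user agent is truncated and sanitized because it is attacker-supplied text that ends up in an email. Tracking what the user does after logging in, as the paragraph above asks for, needs an activity-logging plugin; this hook only sees the login event itself.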

Enjoy running a more secure WordPress site.


Team Leader — Software Development, Smackcoders Technologies.