The “One-Two-Three” Secret to Keeping Your WordPress Site Secure

Wanna know a fun way to wake up fast at six in the morning?

Open up an email sent at 4 AM with the subject line “SECURITY ALERT: Too Many Failed Login Attempts” from your WordPress website — when you haven’t been on your website in the last 16 hours.

Better than espresso.

The Bad News: You Need to Pay Attention to This NOW

Let’s get this out of the way: As of this date – 9/3/13 – there are multiple reports in the industry of a huge spike in brute-force login attempts over the last 48 hours or so on WordPress sites.

Tea Silvestre at The Word Chef reported over 200 of them in a 24-hour period.

The Truth About WordPress Security

The truth is this: Any platform, any content management system – if it’s worth its salt – will attract more malicious-intent hackers the more popular it becomes.

That’s true of WordPress.

Sometimes, when I explain this to clients, the pushback I get is fierce: “Well if it’s not secure then I don’t want it!”

Then I have to explain that this is a faulty perspective. It isn’t that WordPress is a failure. It’s that it’s too much of a success. It’s everywhere, and it’s a tempting, low-hanging fruit kind of target for hackers.

The other reason WordPress is sometimes vulnerable to hacking is that it’s so easy to use. It attracts non-coders and folks who really don’t know much at all about website security and coding in general.

That’s not a bad thing. One of the key components of the philosophy behind Stage Presence Marketing is that you shouldn’t have to become a coding expert to have a solid, hard-working website.

WordPress is, therefore, a really good solution for a lot of solos and creative freelancers who need an easy-to-maintain website.

And therefore it’s a really enticing draw for hackers who want to wreak their havoc — be it malicious or greedy in nature.

So what’s the solution? It’s not “don’t use WordPress.”

It’s “make your WordPress site as secure as possible.”

There are a lot of ways to do this – many different approaches and techniques, ranging from the super-simple to the “better call Annie” to the “Annie calls her guru.”

But here is a super-simple, one-two-three punch technique you can use to shore up your site’s defenses without calling me, or anyone else.

It won’t guarantee your site will never ever be hacked. But it will make it a hell of a lot harder for hackers to gain access, and since most of these attacks are automated and opportunistic (they’re like robbers – they’re not gonna break into the house with the clearly visible alarm system when the one next door is unlocked), your site will become a whole lot less attractive to them.

And best of all: totally free.

The One-Two-Three “Secret”

How does it work? Very simply, you’re just going to install, activate, and configure three plugins. (Don’t worry – they’re very simple to manage.)

Here’s how it goes:

Step One: Install Limit Login Attempts

The Limit Login Attempts plugin is the first of the three “punches.”

After installing and activating it, visit the settings menu (Settings/Limit Login Attempts) to change the default configuration. Generally, since I’m the only person who should be on my site (I am my own WP genius – if you have other users, you might want to increase this a bit), I configure the settings as follows:

  • 2 allowed retries
  • 120 minutes lockout
  • After 3 lockouts, increase lockout time to 168 hours
  • 336 hours until retries are reset
  • Email after ANY retry (remember, I’m the only one on my blog – if you have many users/authors, and password forgetting is a problem, you’ll want to adjust this setting)

Step Two: Install Wordfence Security

Next up, install Wordfence Security and activate it. Then, hit the Wordfence/Options menu. For the most part, I think the default settings are pretty adequate, though you’ll want to review them to be sure.

But there’s one section you should pay attention to: the list of options for receiving emails from your site on the occurrence of certain potentially troubling events. It’s totally up to you what you want to receive and when, but here’s my configuration for my sites (again, remembering I’m the only contributor to all of them – if you have multiple users you may want to adjust these to suit your needs):

  • Critical problems
  • Warnings
  • When IP is blocked
  • When lost password form is used for valid user
  • When someone with admin access logs in

Yes, I will get a few annoying “someone logged in” emails when I’m working on my sites but it’s a small price to pay for knowing when anyone accesses my site!

Step Three: Install WP-Ban

Finally, install the WP-Ban plugin. Wordfence & Limit Login Attempts also allow you to ban IPs, but WP-Ban allows for wild-card specification, so you can block a whole range (for example, every address that starts with the same three numbers) with one entry.

NOTE: I’ve done some very preliminary testing and it looks to me as if there is no conflict here between WP-Ban and WordFence. If you have a different experience, please either comment below or drop me a line to let me know so I can amend this post!

How They Work Together

So then what happens is exactly what happened to me this morning.

  1. First, you’ll get an email that someone tried to login to your website x number of times (the number you specified when you configured Limit Login Attempts for your site) as a specific user name. There’s your warning.
  2. Now you need to go into guard-dog mode. Also in that email, you’ll find the person’s IP address. Highlight and copy that IP address. (One check before you ban anything: if your site sits behind a CDN or other proxy, make sure the address in the email is the visitor’s address and not your proxy’s – banning the proxy would block everyone, including you.)
  3. Now, go log in to your site. Click on the “Ban” submenu in your “Settings” menu in your Dashboard. Paste that IP address into the “Banned IPs” box, and scroll down to click the “Save Changes” button. Whatever you do, DO NOT BAN YOUR IP! This will be a problem: you’ll be locked out of your own dashboard, and the way back in is to disable the plugin by renaming its folder under wp-content/plugins over FTP – or to pay someone like me to do it for you.

Set a reminder for yourself to check your Limit Login Attempts log periodically (once a week is my rate). If you see a range of IPs popping up there, you’ll want to go to the WP-Ban settings and modify the banned IP to include the range. (Directions are there on the menu page.)
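As an added illustration of the weekly triage routine above (example code written for this article, not from the original post and not part of Limit Login Attempts, Wordfence or WP-Ban): a small Python script that reads lockout lines in a constructed log format, counts them per source address, leaves your own address out, groups repeat-offender ranges into the `a.b.c.*` wildcard form that WP-Ban accepts, and checks the finished list against your own IP before you paste it into the “Banned IPs” box. The line format, the own-IP value, the sample addresses (documentation ranges) and the two-hosts-per-range threshold are all assumptions.

```python
"""Triage helper for Limit Login Attempts lockout alerts.

Assumptions (not taken from any plugin): the lockout lines look like
'<date> <time> lockout <ip> username <name>', WP-Ban accepts entries of
the form 'a.b.c.*', and OWN_IPS holds the addresses you log in from.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (documentation-range addresses), not real alert output.
SAMPLE_LOG = """\
2013-09-03 04:02:11 lockout 198.51.100.23 username admin
2013-09-03 04:02:40 lockout 198.51.100.23 username admin
2013-09-03 04:03:05 lockout 198.51.100.77 username annie
2013-09-03 04:05:19 lockout 198.51.100.201 username admin
2013-09-03 04:07:44 lockout 203.0.113.9 username administrator
2013-09-03 09:15:02 lockout 192.0.2.10 username annie
not a lockout line at all
"""

# Assumed: the address you administer the site from; never put it in the ban list.
OWN_IPS = ["192.0.2.10"]

LINE_RE = re.compile(r"lockout (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) username (?P<user>\S+)")


def parse_lockouts(text):
    """Return a list of (ip, username) tuples, one per well-formed lockout line.

    Lines that do not match the assumed format, or carry an invalid IPv4
    address, are skipped rather than crashing the triage run.
    """
    events = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.IPv4Address(match.group("ip"))
        except ValueError:
            continue
        events.append((str(ip), match.group("user")))
    return events


def count_by_ip(events, own_ips=()):
    """Count lockouts per source address, excluding your own addresses."""
    safe = {str(ipaddress.IPv4Address(ip)) for ip in own_ips}
    return Counter(ip for ip, _user in events if ip not in safe)


def ban_patterns(counts, min_hosts_for_range=2):
    """Turn per-IP counts into WP-Ban entries.

    A /24 with at least min_hosts_for_range distinct offending hosts becomes
    one wildcard entry (a.b.c.*); a lone host is listed on its own.
    """
    hosts_by_net = {}
    for ip in counts:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        hosts_by_net.setdefault(net, set()).add(ip)
    patterns = []
    for net, hosts in hosts_by_net.items():
        if len(hosts) >= min_hosts_for_range:
            a, b, c, _d = str(net.network_address).split(".")
            patterns.append(f"{a}.{b}.{c}.*")
        else:
            patterns.extend(hosts)
    return sorted(patterns)


def matches_ban(ip, patterns):
    """True if ip is covered by any entry (exact match or octet wildcard)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    for pattern in patterns:
        parts = pattern.split(".")
        if len(parts) == 4 and all(p == "*" or p == o for p, o in zip(parts, octets)):
            return True
    return False


def triage(log_text, own_ips):
    """Full run: parse, count, build the list, and refuse it if it would ban you."""
    counts = count_by_ip(parse_lockouts(log_text), own_ips)
    patterns = ban_patterns(counts)
    for ip in own_ips:
        if matches_ban(ip, patterns):
            raise ValueError(f"ban list would lock you out: {ip} matches {patterns}")
    return counts, patterns


if __name__ == "__main__":
    counts, patterns = triage(SAMPLE_LOG, OWN_IPS)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} lockout(s)")
    print("paste into WP-Ban:", ", ".join(patterns))
```

Run it against a saved copy of your alert emails or the plugin’s lockout log; the `triage` call refuses to produce a list if any of your own addresses would be caught, which is the scripted version of the “DO NOT BAN YOUR IP” rule.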

Keep Your Site Secure

As stated above, these plugins are not “all you need.” There are a lot of other techniques and tools you’ll need to create a truly secure WordPress site. Some may be worthwhile to you to pay someone like me to take care of for you. And I plan to write more about those techniques and steps in the future here on this site. (Today’s article is prompted by the multiple reports of hack attempts of the last few days.)

This is a very simple approach that anyone should be able to manage for just about any WP site. While it won’t keep you 100% secure against hackers, it will go a long way towards making your site not worth the effort for the little buggers.

And if you need more, drop me a line and I’ll be happy to help.


photo credit: Insight Imaging: John A Ryan Photography via photopin cc


Sharon Hurley Hall September 4, 2013 at 8:12 pm

Love this, Annie. I’m using Wordfence, but not the other two – yet!

Nicole Fende September 4, 2013 at 10:22 pm

Great reminder Annie. I use Limit Login Attempts also. Had not heard of Wordfence but will check it out. I do use two other plugins; Secure WordPress and WP Security Scan.

MitchellAllen September 6, 2013 at 9:31 am

Hi Annie,

Good looking out! I use Limit Login Attempts exclusively. Here’s why: from my understanding, banning IPs is of limited use because spammers don’t use the same blocks. Plus, you risk alienation of legitimate users who happen to be on that IP block. (Assuming you are wholesale banning top-level domains.)

Besides, Limit Login Attempts has a de facto IP ban built in! 🙂

I have linked to a comment I left on the Comluv network about how I block IPs for 416 days with Limit Login Attempts.

The other tip I left there was this: don’t use your posting name as your login name and don’t use “admin”, either.

Thanks for helping keep WordPress safe!



Annie Sisk September 6, 2013 at 3:06 pm

Happy to help, Sharon!

Annie Sisk September 6, 2013 at 3:07 pm

I’ve heard good things about Secure WP, too, Nicole. I think as long as you’ve got the bases covered – something to limit logins, something to perform regular scans, something to allow you to ban the malfeasors – you’re good to go.

Annie Sisk September 6, 2013 at 3:11 pm

Good points, Mitch – you do run a small risk with banning, but I think it’s still a good idea. You can always whitelist an appropriate user, but banning known hackers will definitely keep their mitts off your site. Yes, LLA does have a ban feature, but as I noted, it doesn’t allow for wild-card banning, whereas WP-Ban does (which is why I selected it – your mileage may definitely vary).

The “no posting name/admin” rule is essential – I left it out of this article since that’s really best addressed on initial install (unless you’re really comfortable digging around in the PHP code, which most of my readers probably aren’t – heck, it gives *me* hives sometimes) instead of later on, after a site’s been up and running. But yes, I’d say that’s definitely something to do! Thanks so much for your comment, Mitch!
