Securing your login page
Video: Securing your login pageIn this screencast, we prevent unwanted access to the WordPress admin by locking down the login page, which essentially is the doorway to your site. It's important to keep it as secure as possible. As you can see, the login page is readily available on any WordPress site, at a predictable URL, and by default, there is no limit to how many times someone can try to guess your password and gain access to everything. To fix this, we want to secure the login page itself.
- Next steps
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
- Backing up and restoring your site
- Setting up strong passwords
- Choosing trusted plugins and themes
- Protecting the configuration file and the admin directory
- Securing the login page
- Fighting comment spam
- Blocking access and detecting hacks
- Finding and reporting vulnerabilities
Securing your login page
In this screencast, we prevent unwanted access to the WordPress admin by locking down the login page, which essentially is the doorway to your site. It's important to keep it as secure as possible. As you can see, the login page is readily available on any WordPress site, at a predictable URL, and by default, there is no limit to how many times someone can try to guess your password and gain access to everything. To fix this, we want to secure the login page itself.
The easiest way to do this is with a plug-in, and one of the best is called Login Lock, which is newly listed here in the plug-in directory. Just do a quick search from the Admin for Login Lock and click on the Details link for the first result. Let's view some of the highlights for this plug-in. Version 2.2.3, reputable author, recently updated, compatible with the latest version of WordPress. It's relatively new, only been downloaded about a thousand times. It's got some great ratings, but only based on four votes.
Still, this plug-in enforces strong password policies, monitors logins, blocks IP addresses, and much more. As we see here, the plug-in is already installed on this site, and as you can see here, installation is typical, as usual. So let's close out of here and go to the Plugin Configuration page to set up the plug-in and get it working for our site. First, if you're short on time, know that the default options for this plug-in are going to work just fine.
Now let's go through and fine-tune things and see how to use Login Lock to protect your site and improve security. Here is the main part of the plug-in here. Login Protection Settings. I like to set this at five attempts within 30 minutes and then block for 60 minutes. To email all admins, we select Yes or No. That's up to you. Password Policy Settings, the plug-in can also enforce a solid password policy to improve site security.
This is a great way to improve the overall security of your site, so go ahead and set Require password changes to something that will suit your users. Here, require passwords to be at least 12 characters in length, and here, setting password strength to at least Medium makes it a little easier for users, but High is recommended. For password recycling, selecting Yes is the best option. Then the final setting is an option to log out idle users after a certain amount of time.
Let's say 15 minutes is a reasonable amount of time. You many need more if you're prone to multitasking. Once the settings are configured, click the Update Settings button to save your changes. The plug-in is now installed and fully configured and will now help protect and improve the security of your site. Let's scroll down again. Just to be aware, beneath the main settings is an option to force password changes now. This is a serious move that should only be used in the case of an emergency and after you've read and understood the implications.
Lastly, we see a list of currently blocked users and the option to unblock any of that we prefer. So when you get that urgent email or tweet from a locked-out customer, you can be sure to respond swiftly with just a few clicks. Once you get everything configured, you're all set. As seen in the screencast, protecting the login page with better security is easily done with the Login Lock plug-in. It only takes a few minutes to implement and doing so helps keep your login page very secure.
There are currently no FAQs about WordPress 3: Developing Secure Sites.