Stop hackers on your WordPress web site using two factor authentication.

You need to protect your WordPress website from hackers.

One way the hackers get in is by password guessing. They are very good at it, and even if they don’t hack your WordPress web site – they steal away performance from real people trying to use your web site.

Common mistakes:

  • Relying on the WordFence plugin. WordFence does have some protection for login attempts, but it's easily bypassed, and the hackers know how to get around it. For example, guessing from multiple computers on the Internet, with only a few guesses from each computer, bypasses the rule that allows only a few guesses.
  • Thinking older measures, like changing the login page URL, are effective. The login page doesn't do the login, so the hackers bypass the page anyway.
  • Disabling/deleting xmlrpc.php. There are multiple avenues of attack; this is only one.

There are more and more ways to attack your WordPress login.

  • the default WordPress login
  • xmlrpc.php
  • and the new WordPress API
  • via cross site scripting (XSS)

Two Factor Authentication

The only real way to protect logins is via 2 factor authentication. Everything else is a half measure against DDoS attacks (which are very common).

The idea of 2 factor authentication is to have 2 sets of credentials that are distinct from each other. It's like the 2 keys used in a nuclear missile silo: they are on opposite sides of the room, and have to be turned at the same time.

wpDone uses credentials on our load balancer, but you can use Auth settings in httpd.conf or .htaccess.

The idea is that you set a simple challenge password, as well as your normal web page based WordPress username and password.

You can use a basic http password, or a plugin.
https://wordpress.org/plugins/tags/two-factor-authentication

I really like this plugin: https://en-au.wordpress.org/plugins/google-authenticator/

So if the hacker does crack your site and get your passwords, they still don't have the more custom passwords from .htaccess (or in our case on the load balancer).

You just set up the security on /wp-admin and /wp-login. So if you type in those URLs, you have 2 sets of passwords to enter.
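
The challenge password described above, as an added Apache 2.4 example that is not wpDone's own configuration. The document root, password file path and user name are assumptions; substitute your own.

```apache
# Added example for httpd.conf or a virtual host (Apache 2.4 syntax).
# Assumed, hypothetical paths:
#   /var/www/example            WordPress document root
#   /etc/apache2/.htpasswd-wp   password file, kept outside the document root
# Create the password file once (bcrypt hash, user name is a placeholder):
#   htpasswd -c -B /etc/apache2/.htpasswd-wp challenge-user
# Basic auth sends the password base64-encoded on every request,
# so only serve these URLs over HTTPS.

# Challenge before the WordPress login handler.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd-wp
    Require valid-user
</Files>

# Challenge before the dashboard.
<Directory "/var/www/example/wp-admin">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd-wp
    Require valid-user

    # admin-ajax.php lives in wp-admin but is called by front-end pages
    # for logged-out visitors. Without this exemption those visitors
    # would be shown the password prompt.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>

# <Directory> is not allowed inside .htaccess. On shared hosting, put the
# four Auth/Require lines and the admin-ajax.php exemption in
# wp-admin/.htaccess, and keep the wp-login.php block in the root .htaccess.
#
# This fragment does not cover xmlrpc.php or the REST API, which the
# article lists as separate login avenues.
```

After reloading Apache, an unauthenticated request to /wp-login.php should return 401 with a `WWW-Authenticate: Basic` header before WordPress renders the login form.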

 

By on March 21st, 2017
