Your WordPress Login

Your WordPress login is the most commonly attacked WordPress security vulnerability because it provides the easiest access to your site’s admin page. Brute force attacks are the most common method of exploiting your WordPress login.

A brute force attack is an attempt to correctly guess username and password combinations to gain access to the backend of your WordPress site.

A brute force attack is an attempt to correctly guess username and password combinations to gain access to the backend of your WordPress site. Brute force attacks can be effective because WordPress doesn’t limit the number of login attempts someone can make.

You can strengthen the security of your WordPress login by using a WordPress security plugin like iThemes Security Pro to limit the number of login attempts. Limiting login attempts is just the first step in WordPress brute force protection.

Being mindful of your WordPress password security is also essential in securing your WordPress login, and this is why you should use a password manager to generate random strong passwords and securely store them. Forcing every WordPress user on your site to use a strong password will greatly decrease the effectiveness of a brute force attack.

In addition, adding WordPress two-factor authentication is one of the best methods to secure your site’s logins. Two-factor authentication requires users to use an authentication token in addition to their username and password to login to WordPress. Even if a correct username and password are phished directly from a user’s email, the malicious login attempt can still be prevented if the user is using the mobile application to receive their authentication token. Two-factor authentication adds an incredibly strong layer of security to your WordPress site, and can easily be added using a plugin like iThemes Security.

PHP Expoits

The PHP code on your WordPress site should also be included in the WordPress security vulnerabilities list.

Exploiting PHP code is a common method used by hackers to gain access to your WordPress site, so it is crucial you reduce the risk by limiting exploit opportunities.

Uninstall and completely delete any unnecessary plugins and themes on your WordPress site to limit the number of access points and executable code on your website.

In addition, avoid using abandoned WordPress plugins. If any plugin installed on your WordPress site has not received an update in six months or longer, you may want to make sure it hasn’t been abandoned. A plugin not having any recent updates doesn’t necessarily mean it has been abandoned, it could just mean it is feature complete and will only receive updates to ensure compatibility with the latest versions of WordPress and PHP.

Running Non-SSL Sites

Adding an SSL certificate to your website ensures that only intended recipients can view sensative information like login credentials, form submissions and even billing information. Luckily, unencrypted communications is one of the easiest WordPress security vulnerabilities to mitigate.

Your host should provide a service to add an SSL certificate or you can add the SSL certificate on your own.

When someone visits your WordPress site, a line of communication between their device and your server begins. The communication isn’t a direct line, and the information passed between the visitor and your server makes several stops before being delivered to its final destination.

To better understand how encryption works, consider how your online purchases get delivered. If you’ve ever tracked delivery status, you have seen that your order made several stops before arriving at your home. If the seller didn’t properly package your purchase, it would be easy for people to see what you purchased.

When a visitor logs into your WordPress site and enters payment information, this information isn’t encrypted by default. So just like your unpackaged purchase, there is an opportunity for the login credentials and credit card details to be discovered at every stop between the visitor’s computer and your server.

Luckily, unencrypted communication is one of the easiest WordPress security vulnerabilities to mitigate.Luckily, unencrypted communication is one of the easiest WordPress security vulnerabilities to mitigate. Adding an SSL certificate to your is a great way to encrypt and package the communication on your site to ensure that only the intended recipients can view the sensitive information being shared. Your host may provide a service to add an SSL certificate to your WordPress site or you can add the SSL certificate on your own.

If you decide to go the do-it-yourself route, I would recommend using certbot. Certbot makes it very easy to add a Let’s Encrypt certificate to your site as well as set it up to automatically renew your SSL certificate. You can also check out our WordPress HTTPS training to learn how to add an SSL certificate to your website.