
You’ve probably heard that WordPress is the most famous publishing platform and that it runs over 36% of the web. But you might not know that it’s also a favorite target for all sorts of malicious attacks.

On most new WordPress installs, anyone can reach the login form just by typing /wp-admin after the URL of your website, and by default the username is admin. So the only thing that stands between your content and the attacker is your password. That’s quite scary, right?

Now, if you consider that most people still use silly passwords like their names or birth dates, it’s no wonder that thousands of WordPress websites get hacked each year.

On top of that, a lot of WordPress websites are still delivered through the old and insecure HTTP protocol. Not only does this hurt your Google search rating, it also makes the connection between your website and your customers vulnerable. Anyone can listen in on such communication and steal passwords or credit card information.

In this article, I will show you how to easily secure your WordPress website with free tools and make it much harder for the attacker to hack it. You’ll also learn how to quickly move your website from HTTP to secure HTTPS protocol without paying for expensive certificates.

Disclosure: Please note that some of the links in this post are affiliate links for products I use and love. This means if you click on such a link and take action (like subscribe, or make a purchase), I may receive some coffee money at no extra cost to you. This helps me create more content free of charge to you. And, as an Amazon Associate, I earn from qualifying purchases. Thanks for your support!

HTTPS setup

Let’s start with Cloudflare. It’s a free service available at cloudflare.com. Create a new account and add the name of your website, that’s todaywp.com in my case.

Select the Free plan which is ideal for personal websites and blogs and let Cloudflare scan your site for DNS records.

Once it’s done, you should see the DNS records Cloudflare found for your domain.

If you’re not familiar with DNS records, ask somebody for help, but it’s actually quite easy to understand. You should have at least one A record that points your domain name to the IP address of your web server.

You don’t need to change anything here, just click the Continue button.

Now, to let Cloudflare manage your DNS records and optimize your sites, you need to point your domain’s nameservers to Cloudflare’s nameservers.

Depending on your domain registrar, the whole process might look quite different, but if your domain is registered with one of the popular registrars, like GoDaddy in my case, Cloudflare will offer you a nice step-by-step guide on how to do it.

So, I’ll just go to my GoDaddy account, select DNS next to the domain name and scroll down to the Nameservers section.

Here, I’ll click the Change button, delete three of the five records, and change the remaining two as instructed on the Cloudflare page. In my case, the first one is aron.ns.cloudflare.com and the second one is james.ns.cloudflare.com; use the pair that Cloudflare shows for your own account.

That’s it, so I can save the changes. Now, it might take a while before these changes propagate through the Internet. Depending on your registrar, it can take as long as 24 to 48 hours, but it’s usually much faster.

You can re-check whether your domain points to Cloudflare if you want, but you’ll be notified by email once your site becomes active.

Once it’s done, you’ll see the message that your site is protected by Cloudflare.

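Go to the SSL/TLS section and make sure that the Full encryption mode is selected. In Full mode, Cloudflare also connects to your server over HTTPS, so your server has to accept HTTPS connections.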

You can also check the DNS section to see that your DNS records are proxied by Cloudflare and that your nameservers are indeed those you set with your registrar.

Great job! Now, navigate to your website and check that it is served via the HTTPS protocol.
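
The checks from this section (nameservers, Cloudflare proxying, HTTPS) can also be run from a terminal. The script below is an added example, not part of the original article: the function names are assumptions, the sample data is constructed, and the plain-HTTP redirect check goes one step beyond what the steps above configure.

```shell
#!/bin/sh
# Added example (not from the original article). Each check reads command
# output on stdin, so it works on live output or the constructed samples.

# stdin: `dig +short NS <domain>`. Passes only if every nameserver
# returned belongs to Cloudflare.
ns_on_cloudflare() {
  awk 'NF { n++; if (tolower($1) !~ /\.ns\.cloudflare\.com\.?$/) bad++ }
       END { exit !(n > 0 && bad == 0) }'
}

# stdin: `curl -sI https://<domain>/`. Passes if the response carries the
# headers Cloudflare's proxy adds (Server: cloudflare and CF-RAY).
proxied_by_cloudflare() {
  tr -d '\r' | awk -F': *' '
    tolower($1) == "server" && tolower($2) == "cloudflare" { s = 1 }
    tolower($1) == "cf-ray" && $2 != "" { r = 1 }
    END { exit !(s && r) }'
}

# stdin: `curl -sI http://<domain>/`. Passes if plain HTTP answers with a
# redirect to an https:// URL instead of serving the page itself.
http_upgrades_to_https() {
  tr -d '\r' | awk '
    NR == 1 { redirect = ($2 ~ /^30[1278]$/) }
    tolower($1) == "location:" && $2 ~ /^https:\/\// { https = 1 }
    END { exit !(redirect && https) }'
}

# Constructed samples, not captured from a real site.
sample_ns()    { printf 'aron.ns.cloudflare.com.\njames.ns.cloudflare.com.\n'; }
sample_https() { printf 'HTTP/2 200\r\nserver: cloudflare\r\ncf-ray: 0000000000000000-PRG\r\n\r\n'; }
sample_http()  { printf 'HTTP/1.1 200 OK\r\nServer: cloudflare\r\n\r\n'; }

# report <label> <sample-producer> <check>
report() { if "$2" | "$3"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }

report "nameservers point to Cloudflare" sample_ns    ns_on_cloudflare
report "HTTPS response is proxied"       sample_https proxied_by_cloudflare
report "plain HTTP redirects to HTTPS"   sample_http  http_upgrades_to_https
```

Against a live site, pipe real output into the checks, for example `dig +short NS todaywp.com | ns_on_cloudflare`. If the last check fails, as it does for the constructed sample, plain HTTP is still being served; Cloudflare's Always Use HTTPS setting adds the redirect.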

The default user

Now that we have secured our communication, let’s secure our WordPress administration as well.

The first thing you want to do is to change the default admin user. Unfortunately, you can’t rename the user account in WordPress, but you can delete it and create a new one instead.

Sign in to the administration area of your WordPress, go to Users -> All Users, click the Add New button at the top and fill out the form.

There’s no need to use any meaningful username; the less obvious it is, the better! I’ll just use my email info@todaywp.com for this demonstration, but you can choose whatever you want.

Your email, first and last name and even website should be real, and don’t forget to use some strong, hard-to-guess password. You can choose whether you want to send the new user an email about their new account. I won’t send it in this case.

Make sure that the Role of the user is set to Administrator, so this new user has access to everything. Once you’re done, hit the Add New User button at the bottom of the page.

Now, you should see two users in the list: the default admin user and your newly created user. Both are Administrators.

Log out as the admin user and sign in again, but this time with your new user instead.

Go back to the list of all users and point your mouse to the row with the admin user to reveal the Delete button.

Click it and decide whether you want to delete all the content owned by the admin user or attribute it to the new user. Finally, confirm the deletion of the admin user.

And it’s gone!

That’s it! Now you’re no longer able to sign in with the admin user, and the attacker has no idea what the username of the Administrator account is, especially if you’ve opted for something nonsensical which is not connected to you in any meaningful way.

Two-factor authentication

The next step to secure your WordPress is enabling so-called two-factor authentication (2FA). This means that it’s not enough to know the username and password to get to the administration of your site. You also need to enter a special, one-time code which is unique and valid for only a short period of time, typically only for a couple of seconds.

This way, even if the attacker guessed your administrator username and password, they’re still out of luck without this unique code.

You can use one of many plugins to enable this feature for your WordPress website, but I suggest you go one step further by connecting your WordPress installation to the official WordPress.com website and disabling the default login form altogether. This means that the only way to access your administration area will be through the secured WordPress.com account.

Let’s see how to do this.

First, you’ll need to connect your WordPress website with Jetpack, the official WordPress.com plugin that offers some amazing additional features for your WordPress for free.

Go to Plugins -> Add New and search for Jetpack. Click Install Now and then Activate.

Once it’s activated, you’ll be presented with the Welcome screen. Click the Set up Jetpack button and Continue with WordPress.com.

You can create a new Jetpack account or scroll down and sign in if you already have one.

Once your WordPress.com account is connected with your WordPress installation, you can select the plan you want to use. Scroll all the way down and click the Start with Free button.

If this is your new WordPress.com account, or you haven’t set up 2FA for your existing account yet, now is the time to do it before we move on.

So, in the new window, sign in to your WordPress.com account, click the account icon at the top-right corner, go to Security, then Two-Step Authentication, and follow the steps to enable it for your account.

As you can see, I already have it enabled for my account, so anytime I log in to my WordPress.com account or to any of my connected websites, I need to use a unique passcode.

Please don’t continue with the setup until you have Two-Step Authentication properly enabled and tested. Make sure you can successfully log in to your WordPress.com account with 2FA enabled before attempting to continue. I warned you. It’s very important that you don’t lock yourself out by mistake.

Once you’re sure you can log in to your WordPress.com account with a 2FA passcode generated by your mobile app or delivered via SMS, you can move on.

OK, when you’re ready, go back to your WordPress administration, scroll down to the Security section and click the Manage security settings link on the right side.

Scroll down to WordPress.com login and select Allow users to log in to this site using WordPress.com accounts and, more importantly, select Require accounts to use WordPress.com Two-Step Authentication.

Now click the “i” icon on the right side and click the Learn more link to navigate to the WordPress.com Secure Sign On article.

Scroll down and locate the two functions you will need to add to your WordPress installation. The first one will disable the default login form, so it won’t be possible to use the notorious /wp-admin form anymore, and the second one will require Two-Step Authentication.

Now, go back to your WordPress administration, and select Plugins -> Add New once more. This time, search for the Code Snippets plugin.

Install it and activate it. Next, click the Snippets link and then the Add New button at the top of the new page.

Enter a title for the snippet, such as WordPress.com 2FA, and copy and paste both functions into the Code area.

Once you’re done, scroll down and click the Save Changes and Activate button.

Now you can log out.

Notice that you can now log in only via your WordPress.com account.

Great! Not only can no one abuse the famous /wp-admin login form on your website, but even if they managed to guess your WordPress.com username and password, they can’t get to your website without the unique passcode delivered to your mobile phone.

I hope you enjoyed this article. Have a great day and see you next time.