
How to Improve WordPress Login Security

If you have a website, more likely than not it is based on the WordPress platform. As the webmaster of any website, apart from the day-to-day tasks of management and updates, you are also responsible for managing its various security aspects.

With respect to WordPress, amongst its various security aspects, login security is probably one of the most important, and yet it is relatively easy to manage. A good login security setup helps prevent many activities associated with cybercrime, such as website compromises used for phishing, and to quite an extent also helps prevent the compromise of data and user details.

Before we dive deep into implementing login security in WordPress, please check out our previous blog on WordPress security. It is an excellent way to begin your journey to securing your WordPress website. Now let's come back to login security. Here's how you can do it:

  • Enable two-factor authentication using tools such as Wordfence
  • Implement login captchas
  • Use tools such as Wordfence to prevent brute force login attacks

Login security

Securing your website's login is crucial. A website that makes it difficult for hackers to break their way in is more secure than one that does not. Using 2FA, CAPTCHA, and other login security methods can help you keep your website safe.

What is 2FA or Two-Factor Authentication?

Two-factor authentication, also known as 2FA, is a login security feature used by banks, defence personnel and government organizations globally. It is one of the most secure forms of remote system authentication. 2FA relies on a device in your possession that is required to log in to your website. This makes it extremely difficult for someone to log in without that device, even if they know your password.

Here’s how you can use tools such as Wordfence to secure your website

Installing a login security plugin or web application firewall (WAF) such as Wordfence.

Installing and configuring security plugins such as Wordfence is easy. All you need to do is log in to your website as an administrator and install the Wordfence Login Security plugin. If you do not have a web application firewall installed, we recommend that you install one immediately.

Note: If you already have Wordfence Security – Firewall & Malware Scan installed, you do not need to install the login security plugin. The Firewall and Malware scan variant from Wordfence includes the capabilities of the Login Security plugin. Skip to step 2 if you have already installed the plugin or have the full Wordfence WAF installed.

1. Here’s how you can install the plugin

  • Log in and go to your website dashboard
  • Click on Plugins> Add New
  • Search for Wordfence Login Security and click on Install Now
  • Once installed, click on the Activate button to activate the plugin

2. Click on Login Security (or Wordfence > Login Security if you have the Wordfence WAF installed) to configure the plugin.

3. The plugin interface has two tabs—Two-Factor Authentication and Settings. If you use the WAF, you will be introduced to the Wordfence 2FA through a pop-up dialog when you open the plugin. Read through the dialogs to know more details about the plugin.

Enabling 2FA or Two-Factor Authentication

Enabling two-factor authentication is easy through the Wordfence plugin. You will need a TOTP-based (time-based one-time password) app such as Google Authenticator, FreeOTP or Authy, which you can download from the Google Play Store or Apple App Store. We used Google Authenticator for this guide.

1. Download and install Google Authenticator on your mobile phone.
2. Open Google Authenticator and tap Scan a QR Code.
3. Open the Wordfence Login Security page (or tab) from your WordPress dashboard.
4. Scan the QR code displayed on the screen. In some apps you can instead type in the key shown at the bottom of the code.

5. Download the recovery codes displayed on the screen. This step is essential as you will need them to log into your website if you lose access to your authenticator device. The plugin will prompt you to do so if you have not.

6. Enter the security code displayed in the app and click Activate

7. Once activated, you will see the following screen:

Here’s how your login process will change after enabling 2FA:

In addition to your username and password, you will also need to enter your 2FA code.

  • Enter your username and password and click the login button
  • When prompted to enter “2FA Code”, enter the code from the authenticator app. Note: If you use 2FA for more than one website, ensure that you pick the correct site's entry in the app
  • Click Login

Note: If you do not have access to your 2FA device, enter one of your recovery codes instead of the login code; the procedure is otherwise the same.

Tip: If you can’t see the “2FA Code” prompt, or if you prefer a slightly quicker method, you can also enter a 2FA code directly after your password:

  • Enter your username and password, but do not click Login
  • Enter the code from the authenticator app immediately after your password, without a space
  • Example: For the password ‘PackWeb’ and the code ‘123456’, enter ‘PackWeb123456’
  • Click the Login button
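To show what the authenticator app and the plugin are agreeing on, here is an added Python example (not Wordfence's code): an RFC 6238 TOTP check with a one-step clock-skew window and replay refusal, plus a login routine that accepts the code either from a separate 2FA field or appended to the password as in the tip above. The user record, the salt and the use of the RFC 6238 test secret are constructed for the example.

```python
import base64, hashlib, hmac, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def totp(secret_b32: str, at: float, step: int = 30) -> str:
    """TOTP (RFC 6238): the counter is the number of 30 s steps since the epoch.
    secret_b32 is the base32 key the authenticator app reads from the QR code."""
    return hotp(base64.b32decode(secret_b32, casefold=True), int(at // step))

def verify_totp(secret_b32, code, now, used_counters, window=1, step=30):
    """Accept one step of skew either way and refuse a counter already used:
    otherwise one code would work for every attempt made inside its window."""
    if not (code.isascii() and code.isdigit()):
        return False  # reject anything that is not a plain ASCII digit string
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(now // step)
    for c in range(counter - window, counter + window + 1):
        if c not in used_counters and hmac.compare_digest(hotp(key, c), code):
            used_counters.add(c)
            return True
    return False

# Constructed user store: salted PBKDF2 password hash plus the TOTP secret.
# The secret is the RFC 6238 test key, so codes can be checked against the RFC.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)

USERS = {"admin": {"pw": pw_hash("PackWeb"), "secret": SECRET, "used": set()}}

def login(username, password_field, now, code_field=None, digits=6):
    """True only when password and TOTP code both verify. The code may come from
    the separate 2FA prompt or be appended to the password ("PackWeb123456")."""
    user = USERS.get(username)
    if user is None:
        return False
    attempts = [(password_field, code_field)] if code_field else []
    if len(password_field) > digits and password_field[-digits:].isdigit():
        attempts.append((password_field[:-digits], password_field[-digits:]))
    for password, code in attempts:
        if hmac.compare_digest(pw_hash(password), user["pw"]) and \
                verify_totp(user["secret"], code, now, user["used"]):
            return True
    return False
```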

Disabling 2FA

Disabling 2FA is easy. Just log in to WordPress and click on Login Security (or Wordfence > Login Security). Click the Deactivate button under Wordfence 2FA Active.

Setting 2FA for multiple roles

If users with different roles (Administrator, Editor, Subscriber) log in to your website, you can enable 2FA for each of those roles. Just select the roles you wish to enable 2FA for and click the Save Changes button. Additionally, you can force other administrators to enable 2FA within a set timeframe by clicking the Require 2FA for all administrators checkbox.

You can also provide a grace period to administrators before they enable 2FA by clicking the Grace period to require 2FA button and setting a date. Click Send Notification once you’re done.

Enabling CAPTCHAs

CAPTCHAs are an additional authentication feature that requires an extra action at login. This feature stops bots (automated scripts) and other forms of automated login from getting into your website. Wordfence uses Google's reCAPTCHA service to verify that visitors to your website are real people.

How does reCAPTCHA work?

reCAPTCHA uses an advanced risk analysis engine to challenge bots and malicious software trying to force their way in. The feature uses scripts loaded from Google that block bad login attempts. Most visitors will only see a Google reCAPTCHA logo on the login and registration pages. reCAPTCHA comes in two versions, v3 and v2. v3 verifies requests with a score, while v2 challenges the user with an image puzzle or another type of login challenge.

How can I get a Site Key and Secret?

Enabling reCAPTCHA requires a Site Key and Secret from the Google reCAPTCHA v3 service. To set up new keys, log in to your Google account and go to the reCAPTCHA admin page.

1. From the Google reCAPTCHA page, click on Register a new site
2. Add a label for your site
3. Choose the reCAPTCHA type
4. Add your domain
5. Add email addresses if you need to
6. Accept the terms, check the Send alerts to owners checkbox and click Submit

Once you click Submit, Google will generate a site key and a secret key for you. Keep these keys safe.

Adding reCAPTCHA to login and user registration pages

To add reCAPTCHA to the user registration and login pages, go to your website admin dashboard and click on Login Security > Settings. Enter the site key and secret obtained in the steps above, set the threshold score and click on Save Changes.

Website visitors will now see a reCAPTCHA logo when they attempt to create a new user or log in. Their action and the resulting score determine whether they are allowed to sign in. See the Google reCAPTCHA documentation to learn more about how this process works.
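The threshold score means the server, not the browser, makes the decision. As an added illustration (not Wordfence's implementation), this Python snippet posts the browser's token to Google's siteverify endpoint and then checks the verdict the way a login handler should: success, hostname, action, token age and score. The verdict dicts are constructed; the action name "login" and the hostname are assumptions.

```python
import calendar, json, time, urllib.parse, urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def siteverify(secret, token, remote_ip=None):
    """Server side of reCAPTCHA: POST the token the page script produced together
    with the secret key and return Google's JSON verdict (this is a network call)."""
    form = {"secret": secret, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    req = urllib.request.Request(SITEVERIFY_URL, urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def ts_to_epoch(challenge_ts):
    """challenge_ts in the verdict is UTC in the form 2024-03-01T12:00:00Z."""
    return calendar.timegm(time.strptime(challenge_ts, "%Y-%m-%dT%H:%M:%SZ"))

def evaluate(verdict, threshold, expected_hostname, expected_action, now, max_age=120):
    """Decide whether the login may proceed. The score alone is not enough: the
    token must have verified, been issued for this site and for the action the
    login form requested, and be recent (v3 tokens expire after two minutes)."""
    if not verdict.get("success"):
        return False, "failed: " + ",".join(verdict.get("error-codes", ["unknown"]))
    if verdict.get("hostname") != expected_hostname:
        return False, "token issued for another hostname"
    if verdict.get("action") != expected_action:
        return False, "token issued for another action"
    if now - ts_to_epoch(verdict["challenge_ts"]) > max_age:
        return False, "token too old"
    score = float(verdict.get("score", 0.0))
    if score < threshold:
        return False, f"score {score} below threshold {threshold}"
    return True, f"score {score}"
```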

Preventing brute force attacks

Brute force attacks can bog down your website and consume its resources as attackers try many permutations and combinations to crack your website's passwords.

What is a brute force attack?

Brute force attacks involve hackers or bots using a list of commonly used passwords and algorithms to guess your password and try to log in. Brute force attacks require multiple attempts to gain access to your site.

How can you prevent brute force attacks?

Limiting the number of login attempts a visitor gets and blocking logins with invalid usernames can protect you from such attacks.

What are the various types of Brute Force Attacks?

  • Simple brute force attack: This attack type involves ‘guessing’ your password without any outside logic.
  • Hybrid brute force attack: This attack is more complicated. It uses external logic to determine which password variations are most likely to succeed and then continues with the simple approach to try many possible combinations.
  • Dictionary attacks: This attack leverages a list of likely passwords to guess credentials.
  • Rainbow table attacks: A rainbow table is a precomputed table for reversing cryptographic hash functions. It can be used to recover a password up to a certain length, consisting of a limited set of characters, from its hash.
  • Reverse brute force attack: This tries a collection of passwords against many usernames. These attacks often follow a data leak.
  • Credential stuffing: This attack reuses username and password pairs leaked from one website at other websites. It relies on the fact that users often have the same username and password combination across different systems.

Enabling brute force protection in Wordfence

To enable brute force protection, you must install the Wordfence Security – Firewall & Malware Scan plugin. Once installed and activated, click Wordfence > Firewall > Manage Brute Force Protection.

Choose the appropriate options and click on Save Changes to save these settings. You can also choose to enable the following additional options:

These options are mostly self-explanatory. Wordfence’s excellent documentation provides information about each of these options and configurations in detail.
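The lockout options above amount to a small policy. Here is an added Python model of it (not Wordfence's code): failed attempts per source IP are counted in a sliding window, the source is locked out when the cap is reached, and a source that tries a username on a never-valid list is blocked at once. The IPs, the blocked-username list and the login events are constructed.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Constructed lockout policy: cap failed logins per source IP inside a
    sliding window, and block a source at once when it tries a username that
    should never log in (e.g. 'admin' on a site with no such account)."""
    def __init__(self, max_failures=5, window=300, lockout=900, blocked_usernames=()):
        self.max_failures = max_failures
        self.window = window            # seconds over which failures are counted
        self.lockout = lockout          # seconds a locked source stays locked
        self.blocked_usernames = {u.lower() for u in blocked_usernames}
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lock expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def allow_attempt(self, ip, username, now):
        """Decide before the password is even checked; False means refuse."""
        if self.is_locked(ip, now):
            return False
        if username.lower() in self.blocked_usernames:
            self.locked_until[ip] = now + self.lockout   # immediate block
            return False
        return True

    def record_failure(self, ip, now):
        recent = self.failures[ip]
        while recent and recent[0] <= now - self.window:
            recent.popleft()             # failures outside the window no longer count
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()

def replay(events, guard):
    """Run constructed (ip, username, password_ok, timestamp) login events through
    the guard and return one of allowed / denied / refused per event."""
    decisions = []
    for ip, username, password_ok, ts in events:
        if not guard.allow_attempt(ip, username, ts):
            decisions.append("refused")      # blocked without checking the password
            continue
        if password_ok:
            decisions.append("allowed")
        else:
            guard.record_failure(ip, ts)
            decisions.append("denied")
    return decisions
```

Note that a lock keyed on the username rather than the source IP would let an attacker lock the real administrator out, which is why this model counts per source.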

Although no approach can single-handedly stop every form of attack, ensuring that you protect your website against the most common and well-known attack types can help you stay safe. Ensuring the safety of your website is essential for your visitors and you. With the right professional guidance, Pack Web Hosting can help you ensure that your website stays safe and secure. Using a combination of lockout policies, reCAPTCHAs, strong password requirements, and 2FA can help you keep your website safe and secure for a long time. If you need more information about installing these plugins or any additional support, contact your web hosting team. If you are a current Pack Web Hosting customer, we're just a call away. Contact us today if you need further support.

You may also check out our previous blog article on WordPress security. It provides more detailed guidance on implementing various techniques that can help you make your website safe.