We are a Saint Louis based online marketing agency specializing in minimalistic website development. Besides web development we also offer website maintenance, logo design, and copywriting services.

In this week’s WordPress Tip Friday, we will be talking all about security. Specifically, how we ensure that the websites under our management remain secure. All of these items are free and improve website security without compromising performance. We also assume that you have already installed an SSL certificate on your site, so that the connection between your visitors’ browsers and your hosting provider is encrypted. If you are unsure, feel free to use this free tool here to check whether your website’s SSL certificate is valid. Or, stay tuned for another blog post with a full guide on how to set up an SSL certificate for your WordPress site.

With the brief introduction out of the way, the following are a few items from our internal checklist for WordPress website security:

Change the default login directory for your website away from “wp-admin”

This involves setting up a plugin called “WPS Hide Login”, which allows you to change the default login URL for your WordPress site away from the standard /wp-admin directory.

We recommend taking this action because it decreases the chance that your website’s login page is discovered by anyone looking for it, which in turn decreases the chance of a breach.

The setup is simple: once the plugin is installed, navigate to Settings -> WPS Hide Login and update the “Login url” and “Redirection url” fields as desired for your website.

Implement the Google Authenticator app for all administrator-privileged users on your website

The Google Authenticator app is a popular two-factor authentication app that lets you easily add an extra layer of protection to your website. It works by generating a one-time code on your phone, which is entered on the website’s login screen to allow access.

The Google Authenticator method is considered more secure than receiving a text or email message, because your phone number and email account may be compromised remotely, while gaining physical access to your phone is likely more difficult.

Begin by installing the Google Authenticator WordPress plugin on your website. After the installation is complete, navigate to Settings -> Google Authenticator to choose which user roles will be required to use Google Authenticator.

For our example, we will only be selecting Administrators.

Following this, if you select the “Users” page from the left-hand WordPress menu, you will be redirected to a “Google Authenticator Settings” page.

Next, install the Google Authenticator app on your phone and scan the QR code that is present on your screen.

Once inside the Google Authenticator app, select the “+” icon on the bottom right-hand corner of the page. Then select “scan QR code” and use your phone’s camera to scan in the QR code that is presented on your screen.

If everything has gone smoothly so far, your phone should display “WordPress: [your website name]” followed by a 6-digit code. Enter the code on your website under “Authenticator Code” and click “Verify Authenticator Code”.

And that is it! Every time your current user logs in to the site, they will be required to enter a code from the Google Authenticator app to be permitted into the site.
Please note that if you have more than one admin account, each account holder will need to go through this process themselves to set up their own Google Authenticator app.
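The 6-digit code the app shows, and the check the plugin performs on the server, are both the time-based one-time password algorithm (RFC 6238) run over the secret that the QR code carries. The following is an added Python example, not code from the original post or from the Google Authenticator plugin, showing how that code is derived and how a server verifies it with a small clock-skew window; the secret and timestamps are the RFC 6238 reference test vector, not values from any real site.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed value: the RFC 6238 reference secret ("12345678901234567890"),
# base32-encoded the way it is embedded in an enrolment QR code.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, submitted, at_time=None, step=30, digits=6, window=1):
    """Server-side check of a submitted code.

    Accepts the code for the current step and `window` steps either side, so a
    phone whose clock drifts by a few seconds still works, and compares in
    constant time so a wrong guess reveals nothing about the expected code.
    """
    if at_time is None:
        at_time = time.time()
    if len(submitted) != digits or not submitted.isdigit():
        return False
    current = int(at_time) // step
    matched = False
    for counter in range(current - window, current + window + 1):
        # Check every step rather than returning early, to keep timing uniform.
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            matched = True
    return matched
```

A production verifier additionally records the last accepted time step for each user and refuses any code for that step or earlier, so a code captured from one login cannot be replayed within the window.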

In addition to these items, you may want to explore the plugin “Really Simple SSL” to ensure your WordPress website functions properly with your SSL certificate. Or, stay tuned to our next week’s Friday post on how to secure your WordPress contact us form (and decrease spam substantially).

If you have any other questions or want to learn more about securing your site, feel free to shoot us an email at [email protected] as we would love to hear from you.