My method for securing WordPress

I’ve been using Incapsula, WordFence, and a strong password to help secure my WordPress installs, but I just came across LastPass, which really puts the icing on the cake. The executive summary is that I create a strong username and password, and let LastPass remember them for logging in. Here are the steps:

Before starting, install the WordFence plug-in in WordPress. I recommend ManageWP, too, if you manage more than one WordPress install.

Then, set up an account with LastPass, and install the appropriate extension or plug-in for the browser you use when managing your WordPress installs.

WordPress will not allow you to change a user name, so you need to create a new user. When it comes time to fill in the user name and password, use LastPass to generate strong “passwords” for each. (Despite LastPass’ promise that you’ll never have to remember more than one password for the rest of your life, I also record these in my local password file, just in case.) Enter your first and last name as always — it’s just your WordPress user name that we’re obscuring. You’ll need to enter a different e-mail address than the one you’re currently using for your admin account, but you can change it back later. Before saving the new user information, remember to set the permissions for this user to “admin”.

Log out of your existing admin account, and then log into your newly created admin account. When you’re in your new account, you’ll have the ability to delete your previous admin account. When you tell WordPress to delete the old account, it allows you to assign that user’s posts to your new admin user.

In WordFence –> Options, under “Live Traffic View,” set it to ignore your new user name. Under “Login Security Options” select “lock out invalid usernames.” Save your changes.

In your plug-ins section, deactivate ManageWP and then reactivate it.

In your Users section, reset your e-mail address if necessary.

Finally, log into ManageWP.com (if you’re using ManageWP, obviously), and change the admin username under “options.” Then, re-add your site, which updates ManageWP with your new user.

When you’re done, you should have no user named “admin,” and the user name for your account will be highly resistant to attack, as will your password. With LastPass remembering your user name and password, however, you can still log in without any drama.
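To check the end result, here is an added example (not part of the original post) that audits administrator accounts for guessable login names and generates a random replacement login. It assumes the user list was exported with WP-CLI as `wp user list --fields=user_login,display_name,user_email,roles --format=csv`; the sample rows, the `COMMON_LOGINS` list and the function names are constructed for illustration.

```python
import csv, io, re, secrets, string

# Constructed sample in the shape of the WP-CLI CSV export named above.
SAMPLE_CSV = """user_login,display_name,user_email,roles
admin,Site Admin,owner@example.com,administrator
janedoe,Jane Doe,jane@example.com,administrator
q7Rk2mXw9LpTz4Vb,Jane Doe,jd@example.com,administrator
guestwriter,Guest Writer,guest@example.com,author
"""

# Assumed short list of default-style logins; extend it for your own sites.
COMMON_LOGINS = {"admin", "administrator", "root", "webmaster", "wordpress", "test"}

def random_login(length=16):
    """Generate a login name like a password generator would (letters and digits)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def _norm(text):
    """Lower-case and drop punctuation/spaces so 'Jane Doe' compares equal to 'janedoe'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def audit_admin_logins(csv_text):
    """Return {login: [reasons]} for administrator accounts with guessable logins."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "administrator" not in row["roles"].split(","):
            continue  # only administrator accounts are in scope here
        login = _norm(row["user_login"])
        reasons = []
        if login in COMMON_LOGINS:
            reasons.append("common default login")
        if login == _norm(row["display_name"]):
            reasons.append("matches display name")
        if login == _norm(row["user_email"].split("@")[0]):
            reasons.append("matches e-mail local part")
        if reasons:
            findings[row["user_login"]] = reasons
    return findings

if __name__ == "__main__":
    for login, reasons in audit_admin_logins(SAMPLE_CSV).items():
        print(f"{login}: {', '.join(reasons)}")
    print("suggested replacement login:", random_login())
```

An empty result from `audit_admin_logins` on your real export means every administrator login is unrelated to the name and e-mail address shown on the account.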
