Secured your WordPress blog using a very strong WordPress administrator password? Well, your job is not finished yet. Your beloved blog may still be vulnerable, as there are more passwords you need to secure to deny hackers an easy entry. Some of them may not be very obvious, but any of them, if compromised, can bring chaos, so read on:
1. Your WordPress administrator password(s)
First thing to know is that if there is more than one user, there is more than one password, and all of those passwords need care. As the manager of your website team, you need to know that people are predictable, and so are their passwords. As described in this analysis of 10 million passwords by WPEngine, most people tend to use memorable passwords.
No matter how much you encourage your team to use strong credentials, one of them may turn out to be the Trojan horse. You can, however, take action now to avoid it.
First things first: secure your own admin password
If you think your own password, simple as it is, is impossible to guess, you may be plainly wrong. This comprehensive article by Dan Goodin explains that password-cracking software (and hardware) is becoming stronger day by day.
Core WordPress has a built-in password generator, so use it any time to change your password to a strong one. Just go to Users -> Your Profile -> Account Management -> New Password.
An administrator can also go to other users’ profiles and change their passwords for them (without seeing the existing ones).
Downgrade other administrators
Unless you are running a fairly large organization working 24×7, you do not need more than one administrator. So now is the time to review the role of every user and downgrade each to their appropriate role. Unless a second administrator is absolutely necessary, downgrade that account to editor or author. If you choose to keep more than one administrator, force them to use very strong passwords.
Force strong passwords on all users
Yes, editors too, not just admins, need to use strong credentials, because a compromised account of even an editor is a threat. One easy way to do this is this simple plugin. It simply forces all users who have publishing privileges to set a strong password the next time they log in. Further, you should periodically review your users and delete the inactive ones.
2. Your hosting account credentials
Whether you purchased your hosting in a hurry or someone else did it for you, you should not leave that gate open. A hosting service itself has several passwords which can be used as a backdoor entry by hackers and give you a nightmare.
Most web hosting companies and products (shared, VPS or managed) provide a customer dashboard where you can manage your purchase, add and remove services and ask for support. This dashboard may contain direct access links to cPanel, email accounts, databases, FTP accounts, domains and backups. Here you can also reset your cPanel/Plesk password. So you do not want to compromise the security of this dashboard.
Almost all shared hosting plans, most managed VPS plans and a few managed WordPress plans come with a cPanel or Plesk login. cPanel/Plesk is the place to control almost everything about your website, so naturally it needs the most attention to keep hackers away. This control panel inevitably has its own login credentials, which need your care.
Note: Many hosting services have a direct access link to cPanel from their dashboard, so you may never need to use the cPanel credentials; nevertheless, you should change that password to a very strong one.
These days, with one-click installation of WordPress, use of FTP is quite uncommon. But if you created an FTP account at some point, do not leave it unattended. Delete it if it is no longer required; otherwise, at least harden its credentials.
3. Your MySQL user & wp-config.php file
MySQL database user
If you installed WordPress using one of the latest one-click installation tools, there is not much to worry about on this point, because these tools create and use strong passwords for the MySQL database.
But if you installed WordPress manually, did you use a really strong password (using the in-house tool) back then? As the database username and password are required just once, i.e. during the installation of WP, there is no need to make them easy to remember. You may want to check this password again (you will find it in the wp-config.php file). If it is not strong enough, you can always change it by logging into your cPanel -> Databases -> MySQL Databases. Select the appropriate user and reset the password, then copy the new one into your wp-config.php file again.
Another mistake people make, though a rare one, is accidentally saving their wp-config.php file as wp-config.txt, which is a disaster, as shown in this video: the web server serves a .txt file as plain text, so the database credentials inside it become readable by anyone who requests it.
So be sure to check in your file manager whether any such file exists.
Another good step is to deny access to this file completely using this code in your .htaccess file. The deny rule must sit inside a Files block that names wp-config.php; a bare "deny from all" would block the whole site.
# protect wp-config.php (Apache 2.2 syntax; on Apache 2.4 use: Require all denied)
<Files wp-config.php>
deny from all
</Files>
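As an added example (not code from the original post), the following POSIX shell script audits a WordPress document root for the two problems described above: stray copies of wp-config (such as wp-config.txt) and a missing Files rule for wp-config.php in .htaccess. The document root path is an argument you supply; the file contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress document root for
# the two problems the text describes: stray copies of wp-config (wp-config.txt
# would be served as plain text) and a missing .htaccess rule for wp-config.php.
# The document root path is an argument; any test files are constructed.

# List every wp-config variant other than the real wp-config.php and the
# placeholder wp-config-sample.php that ships with WordPress.
# Returns 1 if any were found, 0 otherwise.
find_stray_wpconfig() {
    docroot="$1"
    stray=$(find "$docroot" -maxdepth 2 -type f -name 'wp-config*' \
        ! -name 'wp-config.php' ! -name 'wp-config-sample.php')
    if [ -n "$stray" ]; then
        echo "Exposed wp-config copies found:"
        echo "$stray"
        return 1
    fi
    return 0
}

# Check that $1/.htaccess has a <Files wp-config.php> block that denies access,
# accepting Apache 2.2 "deny from all" or Apache 2.4 "Require all denied".
# A bare "deny from all" outside a <Files> block is not accepted: that would
# block the whole site, not just the config file.
htaccess_protects_wpconfig() {
    ht="$1/.htaccess"
    [ -r "$ht" ] || return 1
    # Keep only the lines between the <Files wp-config.php> opener and </Files>.
    block=$(sed -n '/<[Ff]iles *"\{0,1\}wp-config\.php"\{0,1\} *>/,/<\/[Ff]iles>/p' "$ht")
    [ -n "$block" ] || return 1
    printf '%s\n' "$block" | grep -qiE \
        '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$'
}

# Run both checks and report; returns 0 only when the root looks clean.
audit_wordpress_root() {
    rc=0
    find_stray_wpconfig "$1" || rc=1
    if htaccess_protects_wpconfig "$1"; then
        echo "OK: .htaccess denies access to wp-config.php"
    else
        echo "WARNING: no <Files wp-config.php> deny rule in $1/.htaccess"
        rc=1
    fi
    return "$rc"
}

# Example call (path is an assumption): audit_wordpress_root /var/www/html
```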
4. Your domain registrar
In case your domain registrar is different from your hosting company, do not forget to secure access to that account too. Domain hijacking is a worse nightmare than a hacked website, because while a hacked WordPress installation can be restored, few people have ever successfully recovered their hijacked domains.
I strongly recommend using 2-Factor Authentication or any other such security feature your domain registrar provides.
5. Your backup storage service
If you do not regularly back up your website remotely, you should start doing so today. But you should also ensure that you have not left weak access for hackers to your backup/cloud storage service, such as Dropbox, Amazon S3, Google Drive, OneDrive etc.
6. Your primary email
Do you realize that if your primary email is hacked, everything in your world is endangered? Almost all online services use the primary email for recovery of a forgotten password, which a hacker can then use once he has access to your email: your WP admin account, hosting account, domain account and what not! Not just from a business point of view but for privacy concerns too, you need to ensure maximum security for your primary email.
Use only a reputed email service
One good way to ensure your email security is to use only a top email provider for your email needs (like Gmail, Ymail or Live). I recommend that even if you are using personalized addresses like email@example.com, you use G Suite (formerly Google Apps) or Outlook (Microsoft).
Look out for any forwarders
Go to settings and delete any forwarders which forward your emails to a less secure email service and hence compromise your email’s security. Even if you are using forwarders to consolidate several email accounts into one, you should choose a reputed service like Gmail for that.
Enable 2-Factor Authentication
The best thing you can do to secure your email account is to enable 2FA. It means that a second authentication factor, other than the password, will always be required to log in to your email account. The second factor can be a One Time Password (OTP) sent via SMS or voice call to your mobile phone number, or one of several other options like a mobile app or a physical key (a USB security key).
Note: The good thing is that a two-factor authentication option is also available in WordPress in the form of this plugin.
Tips to keep your passwords even safer
Do not use the same password everywhere
No matter how strong it is, you should not use one password anywhere else. Use a different password every time you register for a new online service. For example, your email password should not be reused when buying a WordPress theme. Almost every service provider these days requires you to register while making a purchase, but not all of them are as secure as your email provider (Google/Yahoo/Microsoft) or WordPress. So if their website gets hacked, your other accounts with the same password immediately become vulnerable, regardless of the strength of the password.
Use only a high-reputation password manager
Once your passwords are too strong to crack, they are also very difficult to memorize. Almost everyone uses software to save all those passwords. Thus your security relies upon the reputation of the software where all your passwords are kept. I save all my passwords only in Google Chrome, except a few very important ones which I prefer to write down physically.
Use a good antivirus program for your device
Once you have saved all your passwords (never save your primary email password, as email can be used as a recovery option), the security of your computer/device also becomes important. There is always malware, key-loggers and spyware trying to get access to your computer for sensitive data. So purchase a good, reputed antivirus program with a firewall and keep its 24×7 monitoring on.