As your site becomes more popular, the stakes get higher and higher. You find yourself thinking of more ways to secure your site. Now of course, you can do what everyone else does – plugins to defend against login attempts, strong passwords, and even 2FA.
But in this article, I’m going to discuss three additional methods that go above and beyond these run-of-the-mill techniques. Instead, these measures will make your WordPress installation not just secure, but watertight. However, they each come with their own advantages and disadvantages.
But first, let’s see why the regular “strong password” system isn’t good enough.
What’s Wrong with Just Having a Strong Password
Security purists often content that it’s enough to have an “uncrackable password”, and they reject all other forms of security as being merely variations on the same theme. However, in the real world, this philosophy doesn’t work.
The main reason for this is server resources. An attacker (or attackers) constantly hitting your WordPress site, and generating login attempts is impacting your site’s resources. Each attempt requires database access to verify the login credentials, then a response etc. I’ve personally seen a botnet bring a website to its knees simply by attacking the regular login page wp-login.php.
A strong password keeps people from getting into your site. But it’s not a long-term viable solution to keep your site running smoothly.
Method 1: Password Protect the WordPress Admin Folder + wp-login.php
This is a very simple, but quick technique to stop attackers in their tracks when they attempt to visit your login page or the WordPress admin folder. The latter can be accomplished by following the directions in our knowledgebase.
The wp-login.php page isn’t located in the wp-admin folder, so we need to create a special password file and point to it in the .htaccess file. This way, the system asks us for a username and password whenever we try and access either the admin folder, or the login page.
Pros: Easy to implement. Doesn’t require PHP to check the username/password on the backend, meaning better performance.
Cons: Attackers can still place a load on your server. But it’s significantly less compared to what it would have been if they were accessing wp-login.php directly.
Method 2: Use a VPN and Whitelist the IP Address
In this approach, you configure your site to only allow access to the wp-admin area if the visitor is from a selected whitelist of IP addresses. Of course, you can never guarantee that you’ll receive a particular IP address even when sitting at home on your personal Internet, never mind accessing it from Wi-Fi somewhere else. So the sensible thing to do is to set up a VPN server with a static IP, and connect to your website through it after having whitelisted the VPN address.
You’ll also need to prevent access not just to the wp-admin folder, but also to wp-login.php.
Pros: Almost 0 server load. The check is from a short list of whitelisted IPs, and so barely takes any time and computing resources at all.
Cons: Pretty complicated to set up. All but guarantees that you can’t access your site from a strange computer, or one on which you haven’t had time to set up the VPN software. Also vulnerable to outages in the VPN service.
Method 3: Obfuscating wp-login.php
This is my personal favorite method. The idea is to only allow access to wp-login.php through a special URL that’s known only to you. Attempting to access it directly leads to an error or redirects back to the homepage. I’ve detailed this technique in an earlier tutorial.
In a way, the secret URL is like a password to access the login area, but it doesn’t require checking a database for verification, or anything like that. Neither does it rely on installing special software on devices or requiring the purchase of additional VPN services.
Some security experts will disapprove, as they probably consider this a form of “security by obfuscation”. But that’s a pretty loose interpretation of the word, in my opinion. It’s more like splitting your password into two parts, and you require the first one just to be able to get access to wp-login.php.
So there you have it! Three advanced methods for making your WordPress site super secure. I think everyone should implement at least one of them to ensure your site is safe from hackers.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!