A recent discussion on Reddit left me amazed at the lengths people will go to in trying to secure their WordPress site. In this case, renaming the login page to a random string of numbers to stop bots from trying to crack user passwords.
When this didn’t work, they turned to plugins that lock an account after multiple failed password attempts.
But the answer is a lot, lot simpler.
And it’s 2FA. Add 2FA to your WordPress site and enforce it.
That’s it. No obfuscating your admin URL or, even, locking out accounts. It doesn’t matter if a bot works out a username, or even the password: with 2FA enforced, it hits the second factor and gets no further. Not only that, but if a user gets an unexpected 2FA prompt, that is a signal that their password has been compromised (cracked or leaked) and needs changing.
Locking out accounts after repeated failed attempts sounds like a good idea but is likely to frustrate users who can’t sign in because a bot has locked them out; you have handed the attacker a denial of service. Many hosts bundle such a plugin, largely because WordPress core doesn’t include 2FA. In my mind, you don’t need both.
WordPress VIP provides high-end WordPress hosting to organisations such as Facebook, CNN and even The White House. They take security very seriously and they do exactly what I’m suggesting here. They don’t recommend third party “total security” plugins, or even blocking your XML-RPC file (which is rather important for things like Jetpack and the WordPress app). One check worth making, though: XML-RPC and the REST API accept a username and password without ever showing the login form, so confirm that your 2FA plugin also refuses password-only logins over those routes for users with 2FA enabled (the Two Factor plugin does, and expects those clients to use Application Passwords instead). Sometimes the simplest solution is best.
Adding 2FA to your WordPress site
I’d recommend the Two Factor plugin. Install it and then add something like this, either to your theme’s functions.php or, better, as a must-use plugin in wp-content/mu-plugins/ so it can’t be deactivated from the dashboard, to enforce it…
// The Two Factor plugin runs this filter whenever it asks which 2FA
// providers a user has enabled. If the user has configured none, give
// them email-based 2FA so that no account is ever password-only.
add_filter(
	'two_factor_enabled_providers_for_user',
	function( $providers ) {
		if ( empty( $providers ) && class_exists( 'Two_Factor_Email' ) ) {
			$providers[] = 'Two_Factor_Email';
		}
		return $providers;
	}
);
This gives any user who hasn’t set up 2FA email-based 2FA, so a cracked password alone is never enough. Treat email as the floor, not the target: if the mailbox is protected by the same password that was just cracked, the second factor falls with the first. Personally, I’d look at moving everyone to an app-based authenticator.
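To go further than the email fallback, here is an added example of a must-use plugin (not code from this post or from the Two Factor plugin itself) that drops the plugin’s Dummy provider, keeps the email fallback for everyone, and requires administrators to have an app-based (TOTP) authenticator configured before they can use the dashboard. It assumes the plugin’s two_factor_providers and two_factor_enabled_providers_for_user filters (the latter passing the user ID as its second argument), its Two_Factor_Core::get_available_providers_for_user() method, and the Two_Factor_Totp and Two_Factor_Dummy provider keys, as found in the plugin’s source; the function name example_admin_needs_totp is mine.

```php
<?php
/**
 * Plugin Name: Enforce Two Factor (added example)
 *
 * Save as wp-content/mu-plugins/enforce-two-factor.php. Must-use plugins
 * load automatically and cannot be deactivated from the dashboard.
 * Requires the Two Factor plugin; the filter and method names below are
 * assumed from that plugin's source.
 */

// 1. Trim the provider list. The Dummy provider accepts any code and exists
//    only for testing, so make sure it can never be selected.
add_filter( 'two_factor_providers', function ( $providers ) {
	unset( $providers['Two_Factor_Dummy'] );
	return $providers;
} );

// 2. Per-user rules. Anyone with nothing configured gets email 2FA as a floor;
//    anyone who can manage options (administrators) also gets TOTP enabled so
//    it becomes active as soon as they add a secret on their profile page.
add_filter( 'two_factor_enabled_providers_for_user', function ( $providers, $user_id ) {
	if ( empty( $providers ) && class_exists( 'Two_Factor_Email' ) ) {
		$providers[] = 'Two_Factor_Email';
	}
	if ( user_can( $user_id, 'manage_options' ) && ! in_array( 'Two_Factor_Totp', $providers, true ) ) {
		$providers[] = 'Two_Factor_Totp';
	}
	return $providers;
}, 10, 2 );

/**
 * True when $user is an administrator who has not yet configured an
 * authenticator app. "Available" means enabled AND set up: the TOTP
 * provider only reports itself available once the user has a secret.
 * (example_admin_needs_totp is a name chosen for this example.)
 */
function example_admin_needs_totp( WP_User $user ) {
	if ( ! user_can( $user, 'manage_options' ) || ! class_exists( 'Two_Factor_Core' ) ) {
		return false;
	}
	$available = Two_Factor_Core::get_available_providers_for_user( $user );
	return ! isset( $available['Two_Factor_Totp'] );
}

// 3. Until an administrator has TOTP set up, every wp-admin page request is
//    sent to their profile, which is where the Two Factor plugin shows the
//    QR code. AJAX and REST requests are left alone so the profile form and
//    the editor keep working.
add_action( 'admin_init', function () {
	if ( wp_doing_ajax() || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ) {
		return;
	}
	$user = wp_get_current_user();
	if ( ! $user->exists() || ! example_admin_needs_totp( $user ) ) {
		return;
	}
	global $pagenow;
	if ( 'profile.php' === $pagenow ) {
		return; // let them reach the page where the secret is created
	}
	wp_safe_redirect( admin_url( 'profile.php' ) );
	exit;
} );

// 4. Explain the redirect on the profile page itself.
add_action( 'admin_notices', function () {
	$user = wp_get_current_user();
	if ( $user->exists() && example_admin_needs_totp( $user ) ) {
		echo '<div class="notice notice-warning"><p>'
			. esc_html__( 'Administrators must set up an authenticator app (TOTP) in the Two-Factor Options section below before using the rest of the dashboard.' )
			. '</p></div>';
	}
} );
```

The check is deliberately on “available” rather than “enabled”: ticking the TOTP box without scanning a QR code would otherwise satisfy a naive rule while leaving the account on email only. Non-administrators are untouched, so ordinary authors still get the email floor from the post’s rule and can opt into TOTP at their own pace.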