How to Secure Your WordPress Site with Secure Sign On


Securing your WordPress site should be the first thing you focus on after the installation. Because WordPress is so popular, it is also a very rewarding target for all kinds of attacks.

Important: If you’re just starting and don’t have your blog yet, stop right here and read How to Build a WordPress Blog with SSL & 2FA where I explain exactly what to do to get you up and running. Don’t worry, this article will wait here for you 🙂

The last thing you want is to lose your hard work because somebody manages to log in to your Dashboard, steals or deletes your content, or walks away with your credentials.

That’s why you should start by forcing admin access to go through WordPress.com with 2FA turned on. With this in place, the regular username and password form on wp-login.php is hidden and every login has to pass WordPress.com two-step authentication. Two caveats: the local username and password still exist in the database of your WordPress installation, and this setup only changes the login form, not other paths that accept a username and password such as XML-RPC, so keep that password long and random anyway.

To set this up, you will need three things:

  1. WordPress.com account
  2. Jetpack plugin
  3. Code Snippets plugin

1. WordPress.com account

A WordPress.com account is free of charge, so just go ahead and sign up for the free plan.

Creating WordPress.com account

Once you have your account, you’ll be presented with a page similar to this one:

WordPress.com dashboard

As you can see, you’ll end up with your own WordPress site hosted on yourname.wordpress.com, but that’s not why we’re here.

Now go back to the dashboard of your own WordPress installation and install the Jetpack plugin.

2. Jetpack plugin

Installing Jetpack is quite a straightforward process. From your dashboard, hover over the Plugins link in the menu and click the Add New link.

Adding new plugin

Jetpack by WordPress.com is usually among the most popular plugins. Hit the Install button.

Installing Jetpack

Once it’s installed, you need to activate it by clicking the Activate button.

Activating Jetpack

You’ll see this welcome screen. Just scroll down…

Jetpack welcome screen

…and click the Set up Jetpack button.

Setting up Jetpack

Once installed and activated, Jetpack will ask you to sign in with your WordPress.com account.

Connecting Jetpack

You can skip the questions about your website; they don’t matter here.

Jetpack site type

Make sure to scroll down on the page with the plan offers and choose Start with free account.

Jetpack free plan

Free plan welcome screen

Great, you have your Jetpack plugin installed so your WordPress installation is now connected with your WordPress.com account.

Let’s turn on the 2FA:

  1. Click on your profile avatar
  2. Click on Security
  3. Choose Two-Step Authentication tab
  4. Enable 2FA

Security settings for Two-Step Authentication

Once you have 2FA turned on, you need to restrict logins to your WordPress installation to WordPress.com accounts only.

Click My Sites and then Manage -> Settings.

Site security settings part 1

Click the Security tab.

Site security settings part 2

While you’re here, turn on the Downtime Monitoring to get notified when your site goes offline. Nice feature.

Turning on downtime monitoring

Scroll all the way down and allow users to log in to your site with their WordPress.com account. Good idea, but we will push it further: users will not just be able to log in with WordPress.com, they will have to.

Allowing WordPress.com login

Turn on the two options below it and, most importantly, click the info icon and then the Learn more link.

Requiring 2FA login

This will show you what the Secure Sign On is about.

Secure Sign On information

Scroll down to see the code for:

  1. disabling the default login form
  2. requiring 2FA

We will use these two lines to make sure that anyone logging in to your site has to use a WordPress.com account with 2FA enabled.

Now, there are a few ways to get these lines into your WordPress installation, but the easiest is the Code Snippets plugin.

Secure Sign On directives
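For readers who would rather manage a file over SFTP than install another plugin, here is the same configuration written out as a must-use plugin. This is an added example, not code from the original article or a copy of the Secure Sign On page: the two filter names, jetpack_remove_login_form and jetpack_sso_require_two_step, are the filters Jetpack documents for Secure Sign On, so compare them against the two lines the Secure Sign On page shows you. The admin notice at the end is my own addition and assumes Jetpack’s Jetpack::is_module_active() helper is available.

```php
<?php
/**
 * Plugin Name: Force Jetpack Secure Sign On
 * Description: Hides the default wp-login.php form and requires WordPress.com two-step authentication.
 *
 * Added example (not from the original article). Save as
 * wp-content/mu-plugins/force-jetpack-sso.php; WordPress loads every .php file
 * in that folder automatically and it cannot be deactivated from the dashboard.
 */

// Do nothing if this file is requested directly instead of being loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Jetpack SSO filter #1: remove the username/password form from wp-login.php,
// leaving only the "Log in with WordPress.com" button.
add_filter( 'jetpack_remove_login_form', '__return_true' );

// Jetpack SSO filter #2: reject WordPress.com accounts that do not have
// two-step authentication enabled.
add_filter( 'jetpack_sso_require_two_step', '__return_true' );

// Both filters are only consulted by Jetpack's SSO module. If Jetpack is
// inactive or the SSO module is switched off, they silently do nothing and the
// default form comes back, so surface that state to administrators instead of
// relying on a manual login test after every plugin update.
// (My addition; assumes Jetpack's Jetpack::is_module_active() helper.)
add_action(
	'admin_notices',
	function () {
		if ( ! current_user_can( 'manage_options' ) ) {
			return;
		}
		if ( class_exists( 'Jetpack' ) && Jetpack::is_module_active( 'sso' ) ) {
			return; // SSO is active, so the filters above are in effect.
		}
		echo '<div class="notice notice-error"><p>'
			. esc_html( 'Jetpack Secure Sign On is not active: the default username/password login form is back in use.' )
			. '</p></div>';
	}
);
```

Because a must-use plugin has no deactivate button, the recovery path if you ever lock yourself out is to delete or rename the file over SFTP, which brings the default login form back. Whichever route you take, keep one already logged-in session open until you have confirmed the WordPress.com login works.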

3. Code Snippets plugin

Ok, let’s install a new plugin. You should know the drill by now.

Installing Code Snippets plugin

Once installed and activated, go to the list of plugins and click the Snippets link to see all snippets available and add a new one.

Code Snippets settings

Click the Add New button and make sure to copy and paste both lines of code from the Secure Sign On page.

Adding a new snippet

Adding Disable default login form

Adding 2FA requirement

It should look like this:

Snippet preview

Save the changes and activate the snippet.

Activating snippet

Now log out to test the new setup. Keep a second, already logged-in session open in another browser or a private window until you have confirmed you can get back in, so a mistake in the snippet does not lock you out.

Logging out

As you can see, you need to use your WordPress.com account to log in to your site.

Logging in with WordPress.com account

Cool! You made it.

WordPress dashboard

Jan Zavrel

Jan is a biohacker, iOS and web developer, author, teacher, lifelong learner and Evernote Certified Consultant. He is the author of THE SYSTEM2, a unique methodology for Evernote power users, and THE NEW FITNESS: Forty Years Old Dad in Twenty Years Old Body, where he explains how to hack your life to live forever. Learn more about his work at jan.zavrel.net.
