
Force Two-Factor Authentication on your WordPress login screen
- How To Force Two Factor Authentication in WordPress with Jetpack
- Two-Factor Authentication in WordPress with Google Authenticator
- Force Two Factor Authentication, see your users’ password strengths and unlock many other powerful security enhancements with iThemes Security Pro
Enable Two-Factor Authentication on your web hosting account
Google the following to see how to enable it if your host offers it:
site:yourhost.com two factor
For example if your host is SiteGround you would Google the following:
site:siteground.com two factor
Enable Two-Factor Authentication on your domain registrar account
…or wherever your domain’s nameservers are pointed to and your DNS records are managed.
Google the following to see how to enable it if your registrar offers it:
site:yourregistrar.com two factor
For example if your registrar is GoDaddy you should switch to Namecheap, but you would Google the following for now:
site:godaddy.com two factor
Install SSL Certificate and redirect all HTTP traffic to HTTPS
- My guide on using Let’s Encrypt to install a free SSL certificate
- You can redirect HTTP to HTTPS with the free iThemes Security WordPress plugin
Use a secure managed WordPress host
You need to make sure everything is up-to-date, especially plugins or themes with known security vulnerabilities. Managed hosts help automate updates and patch security holes. They also achieve better performance because they’re optimized specifically for WordPress hosting.
WordPress Managed Web Hosts
Install and use established security plugin(s)
iThemes Security Pro + Sucuri Security = Best Combo
WordPress Security Plugins
Use a trusted password manager and make unique passwords for all your accounts
Password Managers
Automate full offsite WordPress backups
WordPress Backup Plugins
Protect yourself with a Proxy or VPN
Always use a VPN when logging into your site from public wifi or your login credentials could be compromised
Proxy / VPN Services
Add Security Header Protections and block access to wp-config in .htaccess
Add the following code to your website’s .htaccess file to enable security header protections and block access to wp-config as recommended by the Sucuri Security plugin:
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
</IfModule>
# The block below uses Apache 2.2 access syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead.
<files wp-config.php>
    order allow,deny
    deny from all
</files>
Enable automatic updates for WordPress core
To auto-upgrade WordPress core, add the following line of code to wp-config.php:
define( 'WP_AUTO_UPDATE_CORE', true );
To auto-upgrade WordPress plugins, add the following line of code to wp-config.php:
add_filter( 'auto_update_plugin', '__return_true' );
To auto-upgrade WordPress themes, add the following line of code to wp-config.php:
add_filter( 'auto_update_theme', '__return_true' );
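The auto-update and security-header steps above packaged as one must-use plugin, an added example that is not code from this post or from any plugin it mentions: add_filter() is not yet defined while wp-config.php is being read, so the two plugin/theme filters cause a fatal error there and need a plugin file such as this one (the WP_AUTO_UPDATE_CORE constant stays in wp-config.php), and sending the headers from PHP also covers hosts that ignore .htaccess. The file name, plugin name and function name are assumptions.

```php
<?php
/**
 * Plugin Name: Site Hardening (example)
 * Description: Applies the checklist's auto-update and security-header settings
 *              from a must-use plugin, which WordPress loads on every request and
 *              which cannot be deactivated from the dashboard.
 *
 * Save as wp-content/mu-plugins/site-hardening.php (path and name are assumed;
 * create the mu-plugins directory if it does not exist).
 */

// These filters must live in a plugin file: add_filter() does not exist yet
// while wp-config.php is being read, so placing them there is a fatal error.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Send the same response headers the .htaccess snippet sets. Doing it from PHP
 * covers nginx and other hosts that ignore .htaccess; static files served
 * directly by the web server still need a web-server-level rule.
 */
function site_hardening_send_headers() {
    if ( headers_sent() ) {
        return; // Output already started; too late to add headers.
    }
    header( 'X-Frame-Options: SAMEORIGIN' );       // Clickjacking: no cross-site framing.
    header( 'X-Content-Type-Options: nosniff' );   // Stop browsers MIME-sniffing responses.
    header( 'X-XSS-Protection: 1; mode=block' );   // Legacy filter; ignored by modern browsers.
    // HSTS only once the site really answers over HTTPS, so an HTTP-only staging
    // copy is never locked out of plain HTTP. Add includeSubDomains/preload only
    // after every subdomain has a valid certificate.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
}
add_action( 'send_headers', 'site_hardening_send_headers' ); // Front-end pages.
add_action( 'admin_init',   'site_hardening_send_headers' ); // Dashboard and admin-ajax.
add_action( 'login_init',   'site_hardening_send_headers' ); // wp-login.php.
```

After uploading, load a page, the dashboard and the login screen with your browser's developer tools open and confirm the headers appear on each response.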
Scan for / fix mixed content errors
Scan your site now for free using JitBit’s SSL Check
Use trusted WordPress plugins and themes
Only utilize plugins and themes that have lots of active sites, good reviews and frequent updates from trustworthy looking authors.
Delete unused WordPress themes & plugins
They’re just dead weight: even while inactive, a plugin or theme with a vulnerability can still compromise your site. Just delete them.
Other Practical WordPress Security tips
If you have any ideas for additional practical WordPress security tips that should be added to the checklist, please share them in the comments below! If you found this checklist useful please do me a favor and share it with your network.