Securing your WordPress should be the first thing you focus on after the installation. Since WordPress is so popular, it’s also a very rewarding target for all kinds of attacks.
Important: If you’re just starting and don’t have your blog yet, stop right here and read How to Build a WordPress Blog with SSL & 2FA where I explain exactly what to do to get you up and running. Don’t worry, this article will wait here for you 🙂
The last thing you want is to lose your hard work because somebody manages to log in to your Dashboard, steals or deletes your content, or gets hold of your credentials.
That’s why you should start by forcing admin access only through WordPress.com with 2FA turned on. This way, you effectively disable logging in with the regular username and password stored in the database of your WordPress installation.
To set this up, you will need three things:
- WordPress.com account
- Jetpack plugin
- Code Snippets plugin
1. WordPress.com account
A WordPress.com account is free of charge, so just go ahead and sign up with a free plan:
Once you have your account, you’ll be presented with a page similar to this:
As you can see, you’ll end up with your own WordPress site hosted on yourname.wordpress.com, but that’s not why we’re here.
Now you need to go back to your dashboard and install the Jetpack plugin.
2. Jetpack plugin
Installing Jetpack is quite a straightforward process. From your dashboard, move your mouse over the Plugins link in the menu and click the Add New link:
Jetpack by WordPress.com is usually among the most popular plugins. Hit the Install button.
Once it’s installed, you need to activate it by clicking the Activate button.
You’ll see this welcome screen. Just scroll down…
…and click the Set up Jetpack button.
Once installed and activated, Jetpack will ask you to sign in with your WordPress.com account.
You can skip the questions about your website; they’re not important.
Make sure to scroll down on the plans page and choose Start with free.
Great, Jetpack is installed and your WordPress installation is now connected to your WordPress.com account.
Let’s turn on the 2FA:
- Click on your profile avatar
- Click on Security
- Choose Two-Step Authentication tab
- Enable 2FA
Once you have 2FA turned on, you need to limit access to your WordPress installation to WordPress.com accounts only.
Click My Sites and then Manage -> Settings.
Click the Security tab.
While you’re here, turn on the Downtime Monitoring to get notified when your site goes offline. Nice feature.
Scroll all the way down and allow users to log in to your site with their WordPress.com account. Good idea, but we will push it even further: users will not just be able to log in with WordPress.com, they will have to.
Turn on the two options below and, most importantly, click the info icon and then the Learn more link.
This shows you what Secure Sign On is about.
Scroll down to see the code for:
- disabling default login form
- requiring 2FA
We will use these to make sure that logging in to your site requires both a WordPress.com account and 2FA.
Now, there are a few ways to get this code into your WordPress installation, but the easiest is by using the Code Snippets plugin.
3. Code Snippets plugin
Ok, let’s install a new plugin. You should know the drill by now.
Once installed and activated, go to the list of plugins and click the Snippets link to see all snippets available and add a new one.
Click the Add New button and make sure to copy and paste both lines of code from the Secure Sign On page.
It should look like this:
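The screenshot that originally followed is not reproduced here. As an added example (my own, not the page’s screenshot and not Jetpack’s or Code Snippets’ code), this is what the snippet looks like once entered into Code Snippets, which expects the code without the opening PHP tag. The first two add_filter() calls are the ones listed on Jetpack’s Secure Sign On page; the third filter, jetpack_sso_bypass_login_forward_wpcom, goes beyond what the page describes and is assumed from Jetpack’s SSO module.

```php
// Added example for a Code Snippets snippet (run snippet everywhere).
// Do not include an opening <?php tag: Code Snippets adds it for you.

// 1. Remove the default wp-login.php username/password form. The credentials
//    stored in this site's own database can no longer be used to log in;
//    the only remaining way in is the "Log in with WordPress.com" button.
add_filter( 'jetpack_remove_login_form', '__return_true' );

// 2. Reject Secure Sign On attempts from WordPress.com accounts that do not
//    have two-step authentication enabled, so every login to this site is
//    protected by 2FA (this is why 2FA was enabled on WordPress.com earlier).
add_filter( 'jetpack_sso_require_two_step', '__return_true' );

// 3. Addition beyond the page (assumed Jetpack filter): skip the button and
//    forward visitors of wp-login.php straight to the WordPress.com login.
add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
```

Keep your current browser session open and test the new login in a private window before logging out. If something breaks (for instance, the Jetpack connection is lost), the default form is gone and you need a recovery path: to my knowledge, adding define( 'CODE_SNIPPETS_SAFE_MODE', true ); to wp-config.php over FTP or SSH is Code Snippets’ documented safe-mode switch, which disables every active snippet and brings the standard login form back.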
Save the changes and activate the snippet.
Now log out to test this new feature.
As you can see, you need to use your WordPress.com account to log in to your site.
Cool! You made it.