Do you lock the front door of your home? Do you have outdoor motion-sensitive lights? Do you have a home security system? Do you have a dog?
My guess is that you answered yes to at least one of those questions. It's likely that you have not just one, but two or more layers of security protecting your front door and, thus, the family members inside. In the same way, your WordPress website needs security for its login page (the front door) and its admin area (the inside of the home). Let's look at why, and how to add the necessary security.
Note: This page contains affiliate links. Please see Affiliate Disclosure.
Over 29% of websites on the Web run WordPress, so "hackers" (I'll use that term to refer to anyone behaving maliciously online) pay attention to it. It's the same reason Microsoft Windows has been the target of attacks for years.
Most attacks on WordPress sites aren't carried out by someone targeting a specific website; they're large-scale, automated attacks that hit hundreds, thousands, or millions of websites. You don't need to have a noteworthy website to be targeted.
All WordPress sites combined are targeted by over 90,978 attacks every minute, according to Wordfence!
SSL (Secure Sockets Layer) is the term commonly used to refer to the technology that encrypts connections to websites, though the newer TLS (Transport Layer Security) is more commonly used. When I say SSL, I mean TLS too.
If your WordPress login page isn't secured with SSL, then when you log in, your username and password are transmitted in plain text from your browser, through the Internet, to the web server running your website. At any point in between, someone could eavesdrop and capture your login details, then log in as you. It's like going to the bank, writing your bank account details on a form, then passing it through a crowd up to the bank teller. Anyone along the way could read and copy your account details!
When your login page is secured with SSL, your username and password are encrypted in your browser before being sent over the Internet to your web server. It's like going to the bank, but this time, you go through the drive-through and put the form containing your bank account details into the canister and send it through the tube straight to the bank teller. No one can see the form inside the canister as it travels to the inside of the bank.
Your login page isn't the only place it's important to have SSL. Any page on your website that sends or receives sensitive data should be encrypted. That includes web forms, portals, ecommerce checkout pages, etc.
Because SSL is good for users of your website, Google is pressuring website owners to enable SSL on their entire websites.
If you've ever used an ATM, you know that you need your ATM card as your PIN to use it. If it only required an ATM card, someone could steal your card and access your account. The ATM requires you to use something you have (keycard) and something you know (the PIN).
In the same way, if your WordPress site only requires the username and password to log in, then if someone captures that info, they'll be able to log in. But if your site also requires you to enter a code from your phone, that makes it much harder for someone to log into your account.
This is the benefit of two-factor authentication (AKA 2FA or multi-factor authentication, MFA). I recommend the Google Authenticator plugin. It works with the Google Authenticator app on your phone to add a code that must be entered in addition to your username and password. There are other two-factor authentication plugins, so check them out to see which will work best for your situation.
While you're at it, I highly recommend enabling two-factor authentication for any online accounts where it's an option (your hosting account, domain registrar account, Google account, Mailchimp account, social media accounts, financial accounts, etc.).
Many attacks on WordPress sites are brute force attacks. Computers work through lists of usernames and passwords, trying each set on your login page until they hit the right combination and get in. By limiting the number of times someone can try to log in to your site, you can greatly reduce this risk.
If you have the Jetpack plugin installed, you can enable its Protect module to add brute force protection to your website. If you don't have Jetpack and don't want to install it (I wouldn't install it just for the Protect module), then use the Login LockDown plugin.
You can also consider Cloudflare, which adds a layer of security in front of your website, including brute force protection. Some hosts have Cloudflare integrated and make it easy to enable. If your host doesn't, you can still set it up directly through Cloudflare.
It's always a good idea to use strong passwords. Strong passwords are long and complex, with a mix of character types (uppercase, lowercase, numbers, special characters). This is important for your WordPress site as well. Don't make it easy for someone to get into your website by correctly guessing that your password is "password," "123456," "qwerty," or any such foolish password.
At a minimum, require that all site admins (those with role of Administrator) strong passwords. Even better would be to require all users to use strong passwords, through the risk is lower for limited roles such as Subscriber and Contributor.
Is all this talk of encryption and two factors and brute force giving you an anxiety headache? Then buy yourself some peace of mind by letting us take care of securing your WordPress website. We'd be honored to stand guard over your website!