WordPress website security isn’t hard, but there are a few considerations. While WordPress is a relatively secure Content Management System, nothing is safe from dedicated hackers.

If government websites can be hacked, then so can yours.

But fortunately, most attacks are executed by bots, not dedicated hackers. These automated programs are built to take advantage of known weaknesses, which are often out-of-date software and—wait for it!—weak passwords.

WordPress Website Security is a HHAM Sandwich

We use the acronym HHAM to describe the key areas that you need to be concerned about: Hosting, Hardening, Access, and Maintenance. You can read a more detailed description of HHAM in our post about WordPress website security, but here it is briefly:

  • High-quality hosting is a must-have for WordPress website security—don’t go for cheap and cheerful because you’ll likely have to pay for it later by cleaning up security breaches. Consider Fully Managed WordPress Hosting.
  • We use iThemes Security to harden all the sites we build and manage, which makes automated hacks difficult. iThemes tells us that over 50% of all WordPress vulnerabilities are from plugins, which brings us to maintenance.
  • Maintenance is the low-hanging fruit that’s often left untended and picked by hackers. Out-of-date software is a key vector for hacker bots. If you keep plugins and the WordPress core software up to date, you minimize this risk.
  • This leaves access. Password theft is the easiest and most common hacking method. It’s a weak point for WordPress websites and on the web as a whole.

Brute-force attacks against usernames and passwords are ranked #1 by iThemes as the cause of hacks.

Stolen passwords are the most common hack made on WordPress sites.

WordPress Website Security

Think about the locks on the front door to your house. If the username is the lock on the handle, then the password is the deadbolt. You want strong deadbolt protection for your home, so why not have equally strong protection for your website?

So what’s the best solution?

Fortunately, this WordPress website security problem has a simple solution: use a unique username (not “admin” or something easy to guess), and enforce strong passwords. You know, the 13+ character, random combinations of letters, numbers, and characters that are difficult to remember but make things harder for hackers.

Two-factor logins and authentication systems help, but they are also a pain. You can and should use a password manager, but they cost money and are not without their difficulties. Basically, strong passwords are hard to manage and hard to use. Fortunately, there’s a new solution that overcomes these problems: the TraitWare WordPress plugin.

TraitWare – A Password-less Website Security Solution

If password theft is the problem, and password managers, while effective, are challenging to use, then let’s eliminate passwords.

We’re using and recommending TraitWare to eliminate usernames and passwords on the websites we build and manage. TraitWare provides a password-less login that makes it easier to access your website while also making it more secure.

The TraitWare WordPress plugin is easy to use and provides an ironclad lock on your WordPress website.

Using TraitWare to provide Password-less Login Security

A website user’s experience will depend on how the site owner allows them access. There are two typical situations: either the site owner manually syncs all users to TraitWare, which sends them an email to register their mobile device and log into the website, or the website owner has set up a self-registration page that lets users sign themselves up for TraitWare.

The steps for option one are as follows:

  1. Your site admin sends an invitation from the website that includes a link to download the TraitWare app.
  2. You open the email from TraitWare on your mobile device and follow the provided link to download the app.
  3. You complete your TraitWare registration on your smartphone by choosing your authentication method.
  4. You scan the QR code on the login screen with the TraitWare app and are logged into your website.

The steps for option two are as follows:

  1. Enter your email to self-register on the site (note that you will automatically be signed in the first time).
  2. Open the email from TraitWare on your mobile device, and follow the link provided in the email to download the app.
  3. Complete your TraitWare registration on your smartphone by choosing your authentication method.
  4. For future sign-ins, scan the QR code on the login screen with the TraitWare app, and you will be logged into your website.

Use this link to access TraitWare’s documentation.

We have a brief video that demonstrates the login process that we use to train our customers. As you can see, TraitWare makes WordPress website security extremely easy.

Conclusion – WordPress Security has Never Been Easier

Follow the HHAM Sandwich Principles: Hosting, Hardening, Access and Maintenance, and use TraitWare for a simple, secure, password-less login. Check out the TraitWare WordPress plugin on WordPress.org.