WordPress is a very popular content management system and, being so, is a frequent target of attacks. The sapnasecurity team has accordingly released a guideline to help secure your WordPress admin environment.
Recommendations
- Implement two-factor authentication to prevent unauthorised access.
- Implement a password policy manager/enforcement plugin, require strong passwords for the backend, and change them every six months.
- Mitigate username enumeration and password brute forcing by installing the Wordfence plugin.
- Use Wordfence to enforce request throttling and an account lockout policy, so that users cannot submit unlimited login requests.
- Disable username autocomplete on the login form.
- Never use the default admin username.
- Password protect the wp-admin folder.
- Create a custom login URL to avoid exposing the default login URL (/wp-login.php). One plugin which does something similar is WPS Hide Login.
- Restrict login access to specific IP addresses if possible.
- Use a web application firewall (WAF).
- Ensure a login session timeout of 24-30 minutes.
- Ensure that the “Remember Me” option is not used when logging in.
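As an added example (not part of the sapnasecurity guideline), the following Apache 2.4 `.htaccess` rules implement two of the items above together: password protecting the wp-admin folder and restricting login access to specific IP addresses. It assumes mod_auth_basic and mod_authz_core are loaded and that `AllowOverride AuthConfig Limit` is permitted; the `.htpasswd` path and the IP addresses are placeholders.

```apache
# --- wp-admin/.htaccess ---
# Both conditions must hold: the request comes from an allowed IP address AND
# the client presents valid HTTP Basic credentials. This puts a second gate in
# front of the WordPress login itself.
# NOTE: behind a reverse proxy or CDN, "Require ip" sees the proxy's address,
# so the IP list must be enforced at the proxy instead.
<RequireAll>
    Require ip 203.0.113.10 198.51.100.0/24
    Require valid-user
</RequireAll>

AuthType Basic
AuthName "WordPress admin"
# Placeholder path; create the file with:  htpasswd -c /var/www/private/.htpasswd adminuser
# Keep it outside the web root so it can never be served to a browser.
AuthUserFile /var/www/private/.htpasswd

# admin-ajax.php is legitimately requested by anonymous front-end visitors
# (themes and plugins use it), so exempt it or those features will break.
# With the default AuthMerging Off, this Require replaces the rules above for
# this one file only.
<Files admin-ajax.php>
    Require all granted
</Files>

# --- site root .htaccess ---
# wp-login.php lives outside wp-admin/, so it needs its own IP restriction.
<Files wp-login.php>
    Require ip 203.0.113.10 198.51.100.0/24
</Files>
```

Test from a non-allowed address after deploying: wp-login.php and wp-admin/ should return 403, while the public site and admin-ajax.php keep working.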