The most common way for hackers to gain access to a WordPress website illegally is brute force. Brute force attacks involve using software to repeatedly attempt to log in to your website thousands of times every hour.
This technique can break a simple password in minutes (or less if you are still using “admin” as your administrator username). Even complex passwords can be guessed if given enough time.
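The brute force traffic described above leaves an obvious trace in the web server's access log: a single address posting to wp-login.php over and over. The following detector, added here as an illustration and not taken from the post or from any plugin, counts failed login POSTs per source address in a sliding window and flags addresses that cross a threshold. The log lines are constructed samples in Apache combined format, and the threshold and window are assumptions; it relies on the fact that WordPress answers a failed login with a 200 (re-rendered form) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (not real traffic).
# A failed wp-login.php POST comes back as 200 (the form is re-rendered);
# a successful one is a 302 redirect into wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Mar/2015:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Mar/2015:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Mar/2015:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Mar/2015:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Mar/2015:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Mar/2015:14:02:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.5.1"
192.0.2.9 - - [10/Mar/2015:14:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:14:09:42 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2015:14:03:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2015:14:03:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields the detector needs, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def login_outcome(rec):
    """'fail', 'success' or None (not a login attempt) for one parsed record."""
    if rec["method"] != "POST" or not rec["path"].endswith("/wp-login.php"):
        return None
    if rec["status"] == 200:
        return "fail"
    if rec["status"] == 302:
        return "success"
    return None


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed logins inside any sliding window."""
    failures = defaultdict(list)
    successes = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        outcome = login_outcome(rec)
        if outcome == "fail":
            failures[rec["ip"]].append(rec["ts"])
        elif outcome == "success":
            successes[rec["ip"]] += 1

    alerts = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits inside `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "peak_failures": peak,               # most failures in one window
                "total_failures": len(stamps),
                "any_success": successes[ip] > 0,    # guessing may have worked
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

An address that is flagged and also has a later 302 deserves immediate attention, because that is the "password eventually guessed" case the post warns about; the threshold and window are tuning knobs, not fixed values.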
Once the bot has gained access to your WordPress website, the attacker will start infecting your visitors with malware. This can result in your website being marked as dangerous by ISPs and removed from search engines. If this happens, your daily traffic can disappear overnight.
Malware is not the only thing you need to be concerned about. Hackers frequently hack WordPress websites in order to send spam mail. Most website owners are unaware that their website has been hacked and that a mailing script has been uploaded to one of their directories. They only find out once it's too late.
I know because this happened to me last year on one of my older content websites. A hacker had uploaded a mailing script and sent thousands of spam emails from my website. This resulted in my server IP address being marked as a source of spam, which greatly reduced the delivery rates of all emails that were sent through my server (contact form emails, notification emails, email newsletters etc.).
The bottom line is that the threat of your WordPress website being hacked is high. You should therefore take as many precautions as you can to ensure
Protecting Your WordPress Website with Rublon
Rublon is a new WordPress plugin that prevents hackers from accessing your website. It does this by introducing a two step authentication procedure to logging in (sometimes referred to as two-factor authentication).
The official website of Rublon explains how this two step authentication procedure works.
The traditional method of logging onto a WordPress website is very easy to hack. Unfortunately, that is what most WordPress website owners use.
Rublon ensures that only authorised devices can access your website. Unauthorised devices are prevented from logging in.
The new configuration allows you to login from your computer as you normally would. However, hackers will be unable to access your website.
There are a number of two step authentication plugins available for WordPress. The main selling point of Rublon is that you only need to authorise a device once. You do not need to log in via your mobile phone every single time. Nor do you need to answer additional security questions. Once you have authorised a device, it will remain authorised.
How to Use Rublon to Protect Your WordPress Website
By default, Rublon protects every single user on your website by email. What this means is that in order to log in to your website, the user needs to first verify who they are via a link that is emailed to them. This verification link will be sent to the email address that is listed in their WordPress user profile.
This verification step is required by anyone logging into your website after you have activated Rublon on your website. Once they have verified their computer, they can login at any time by simply entering their password.
Rublon automatically enforces email verification for every user group on your website. Through the general settings area, this setting can be changed for a particular user group.
If you change the default protection level to “None”, the user group will be able to log into your website using the regular WordPress login process (i.e. username and password). Effectively, this disables Rublon for that particular user group.
The other option is to increase security for a particular user group by enforcing verification through a smartphone application. This requires the user to download an app for their phone; however, it is not a major inconvenience as this step only has to be performed once per device.
Once Rublon is activated on your website, you will see an account protection logo added to your login page.
If you have chosen to verify a particular user group using the mobile app and have not yet verified your account, you will see a message advising you to download the Rublon Mobile App on your smartphone. The app is available on Android, iOS, Windows, and Blackberry.
Once you have installed the app, you will see that the main function of the application is a QR Code Scanner. All you have to do at this point is log in at Rublon.com and click on the user panel link at the top right hand side of the page.
You will then be taken to a page that displays a QR code. This is the code you should scan with the Rublon smartphone app you installed on your phone.
I took the screenshot below of the smartphone app on an Android phone (HTC M8). It takes less than a second for the app to scan the code (on most occasions it was almost instant).
Rublon will then authenticate your login.
Rublon’s authentication process relies on email addresses. The email address you add to your Rublon account should match the one that is associated with your WordPress user account. An unlimited number of email addresses can be added to your Rublon user panel.
Pin protection can be added through the mobile app. You can choose to request this during the account recovery process.
The language used with Rublon can be changed from English to German or Polish. Hopefully, support for more languages will be added in the future.
A list of all authorised devices can be viewed in the Trusted Devices Manager page in the plugin settings area in your WordPress website.
There is an option to delete all trusted devices or delete individual devices. You may want to delete trusted devices if you are no longer using a particular computer to access your website, or if an author or editor has stopped working for you.
Trusted devices are also shown in your WordPress dashboard (i.e. the home page of your WordPress admin area).
I must admit that when I initially installed Rublon, I was not 100% sure what steps were involved in authorising an account. It became clear what I had to do once I logged out of my account and then attempted to log back in.
Making Changes to Your WordPress Website
Rublon takes security very seriously. If you make an important change to your website, such as changing your profile password or email address, you will need to verify these changes.
For example, when I changed the security level of administrators from mobile app to email, I was advised to check my mobile phone.
I then noticed that there was a message on my phone asking me if I approved these changes. This same process is followed if you change your password or change your email address. It can also be applied to other changes, such as when a different WordPress theme is activated.
After switching from mobile app to email security and removing my computer as a trusted device, I had to re-authorise my account. I was asked whether this was a trusted device I owned or whether it was a public device (e.g. an internet cafe).
I was then able to log back into my website.
Some of you may feel that having to verify every change on your website is a pain; however, this ensures that unauthorised parties cannot make changes to your account without your consent (which could happen if they hacked your email account).
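The three ideas the post walks through (a protection level per user group, a device that stays trusted after one successful second factor, and an admin who can revoke devices or demand fresh approval for sensitive changes) fit together in a small server-side model. The code below is an added illustration written for this page, not Rublon's implementation and not code from the plugin; the role-to-level table, the HMAC-signed trust cookie, the 30-day trust lifetime and the method names are all assumptions chosen to show how such a policy is enforced.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy table: WordPress role -> the three protection levels the post
# describes ("none" = password only, "email" = emailed link, "app" = QR scan).
DEFAULT_POLICY = {
    "administrator": "app",
    "editor": "email",
    "subscriber": "none",
}


class TrustedDeviceStore:
    """Server-side bookkeeping for devices that completed a second factor once."""

    def __init__(self, secret_key, policy=None, ttl_seconds=30 * 24 * 3600):
        self.key = secret_key                  # HMAC key; never leaves the server
        self.policy = dict(policy or DEFAULT_POLICY)
        self.ttl = ttl_seconds                 # assumed trust lifetime (30 days)
        self.devices = {}                      # device_id -> (user, issued_at)

    def required_factor(self, role):
        # Unknown roles fall back to the post's default, email verification.
        return self.policy.get(role, "email")

    def _sign(self, user, device_id, issued):
        msg = f"{user}|{device_id}|{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue_trust(self, user, now=None):
        """Call once the email link or app scan succeeded; returns the cookie value."""
        device_id = secrets.token_hex(16)
        issued = int(time.time() if now is None else now)
        self.devices[device_id] = (user, issued)
        return f"{user}|{device_id}|{issued}|{self._sign(user, device_id, issued)}"

    def is_trusted(self, user, token, now=None):
        try:
            t_user, device_id, issued_s, mac = token.split("|")
            issued = int(issued_s)
        except ValueError:
            return False
        # Constant-time MAC check first, so a forged cookie learns nothing.
        if not hmac.compare_digest(mac, self._sign(t_user, device_id, issued)):
            return False
        if t_user != user or device_id not in self.devices:
            return False                        # wrong account, or revoked by the admin
        now = time.time() if now is None else now
        return 0 <= now - issued <= self.ttl

    def revoke(self, device_id):
        """Remove one device, as in the Trusted Devices Manager."""
        self.devices.pop(device_id, None)

    def revoke_all(self, user=None):
        """Remove every device, or only those belonging to `user`."""
        self.devices = {d: v for d, v in self.devices.items()
                        if user is not None and v[0] != user}

    def login_decision(self, user, role, password_ok, token=None, now=None):
        """'deny', 'allow', 'need_email' or 'need_app' for one login attempt."""
        if not password_ok:
            return "deny"
        factor = self.required_factor(role)
        if factor == "none":
            return "allow"                      # Rublon effectively disabled for this role
        if token is not None and self.is_trusted(user, token, now):
            return "allow"                      # device was verified once before
        return f"need_{factor}"

    def sensitive_change_allowed(self, role, second_factor_ok):
        """Password or email changes need a fresh second factor even on a trusted device."""
        if self.required_factor(role) == "none":
            return True
        return bool(second_factor_ok)
```

The cookie carries the user name and issue time in the clear and only the HMAC keeps it honest, so a stolen cookie is still usable until it expires or the admin revokes the device; that is exactly why the post's advice to remove devices belonging to departed editors matters.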
Final Thoughts
I know firsthand how big of a problem security is to WordPress users. By failing to secure one of my older websites correctly, I had to spend weeks removing my server from spam list services. I was quite lucky as the hackers only wanted to use my server to send spam emails. Many other WordPress users have had their websites infect their readers' computers with malware and/or had important content deleted from their database.
A two step authentication is one of the most effective ways of protecting your website from hackers. What I like about Rublon is the fact that you only need to authenticate a device once. This saves you from having to login via the mobile app every time you want to login (which could become a pain).
Rublon can be downloaded free of charge from the official WordPress plugin directory. The description at WordPress.org notes that the first year of usage of Rublon is free; however, the developers of the plugin advised me that they want the service to remain free forever.
I recommend testing Rublon out for yourself. If you do not want to test it by installing the plugin, you can check out the demo area of Rublon to get a better understanding of how the service works.
Thanks for reading.
Kevin