Securing WordPress

Securing WordPress kp37

Anyone running their own instances of WordPress that they fully administer themselves (this doesn't include people maintaining sites on Sites @ Georgia Tech) should make sure they are running a comprehensive security plugin like Wordfence to monitor and protect their WordPress instance from cyber attacks. WordPress sites are popular targets for attack, especially ones that rank well in the major search engines.

Minimal Security Settings

If you have a valid reason for not running a comprehensive security plugin, it is recommended that your website at least run Limit Login Attempts Reloaded to prevent brute-force login attacks.

Please note that Wordfence limits login attempts as well, so you don't need a separate plugin for that if you're running Wordfence.

User Login

To strengthen user logins on campus, CAS/Single Sign-On based authentication for user logins is strongly recommended. Please see the article on CAS for Drupal 7 for recommended settings and server information.

If you cannot enable CAS/Single Sign-On, consider adding a two-factor authentication (2FA) plugin to your site. Wordfence supports 2FA, but only in its paid premium version.

Please note that you should not run both CAS authentication and 2FA, as that will result in a three-factor authentication for all of your faculty/staff users.