
How do you prevent your WordPress site from being hacked through unauthorized access to your admin panel?

Keep WordPress core up-to-date

By default, WordPress’ automatic update only covers minor versions. So it can only go from 5.2.0 to 5.2.x, not to 5.3.0… shit!

You need to add this line to wp-config.php (at the top of the file, before the MySQL settings):

define('WP_AUTO_UPDATE_CORE', true);

Keep plugins up-to-date

It’s very weird because you need to modify your template to activate it…

WTF… the template, not the core?

Core developers = asshole! - sycured

Create child theme

Never, never, never modify an official theme directly; you need to use a child theme.

I’ll let you read the official documentation.

Activate automatic update

You need to add two lines to the child theme’s functions.php:

add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
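The two filters above return true for every item. As an added example (not code from the original post), the same filters can take a callback instead, which receives the update offer as its second argument; this keeps everything auto-updated except a short list of plugins or themes you maintain by hand, and logs each decision so you can audit what was changed. The `example_` function names and the slugs in the lists are placeholders.

```php
<?php
// Drop-in for the child theme's functions.php (added example, not the post's code).
// WordPress passes ($update, $item) to auto_update_plugin / auto_update_theme;
// $item->slug identifies a plugin and $item->theme identifies a theme.

function example_auto_update_plugin( $update, $item ) {
    // Placeholder slugs: plugins patched locally that must not be overwritten.
    $manual_plugins = array( 'my-locally-patched-plugin' );

    $allow = ! in_array( $item->slug, $manual_plugins, true );

    // Leaves an audit trail in the PHP error log (visible with WP_DEBUG_LOG).
    error_log( sprintf(
        'auto_update_plugin %s -> %s',
        $item->slug,
        $allow ? 'update' : 'skipped (manual list)'
    ) );

    return $allow;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

function example_auto_update_theme( $update, $item ) {
    // Placeholder slugs: themes maintained by hand. Keep the parent theme out
    // of this list so it stays auto-updated; the child theme is never offered
    // an update because it is not in the WordPress.org repository.
    $manual_themes = array();

    $allow = ! in_array( $item->theme, $manual_themes, true );

    error_log( sprintf(
        'auto_update_theme %s -> %s',
        $item->theme,
        $allow ? 'update' : 'skipped (manual list)'
    ) );

    return $allow;
}
add_filter( 'auto_update_theme', 'example_auto_update_theme', 10, 2 );
```

Anything you put on the manual lists is your responsibility to patch promptly; an unpatched plugin is exactly what this post is trying to avoid.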

U2F and OTP for all users

2FA rules the world, and we use it right now to keep hackers out of wp-admin.

Plugin

It’s an open-source plugin: Two-Factor

Configuration

All configuration is inside each user’s account:

I recommend you use the same settings to get the best security…
After taking this screenshot, I added my 2 other U2F keys.

SSO when you can

SSO can be used to unify the login method, but keep in mind: U2F & OTP must be activated at the SSO provider level.

Plugin

It’s another open-source plugin: OpenID Connect Generic Client

Configuration

Error in log

This is an example of a failed authentication to WordPress: no access is granted.

Caution

In this configuration, you need to create the users in your WordPress with the same email address they use at the SSO provider: there is no automatic registration/synchronization.

Conclusion

You get a better security level without a high compute cost.
I prefer the SSO way because it makes it possible to enforce OTP/U2F.