If you’re looking to keep a WordPress website secure, then password protection should be high on your list of priorities. With that in mind, here is a quick guide on how to password protect a WordPress website (and some other security tips).
How to password protect a WordPress website?
If you want to know how to password protect a WordPress website in its entirety, then the answer is that you can either use a plugin or HTTP authentication on the server.
Plugins are generally the easier route and you can even get a free and very effective one called Password Protected.
Your host should be able to give you instructions on how to password protect a WordPress website on the server. Generally, it will be a setting in your dashboard. This requires users to enter a password before the website even loads, so it’s generally best kept for staging/development environments.
How to password protect a category on a WordPress website
If you want to know how to protect a WordPress website category, the answer is that there are various options, but the easiest one is to use the free Password Protected Categories WordPress plugin.
This plugin is mostly self-explanatory but it does have one slight quirk. There is a box marked “Only single post”. What this means is that viewers will still be able to see posts from your homepage or your archive, but not from the category itself. This is left empty by default and it’s hard to see a reason for checking it.
How to password protect individual posts, pages or WooCommerce products
WordPress actually has this one built-in. All you need to do is go to the WordPress Editor for the specific post, page, or WooCommerce product and look under the Publish section for the Visibility option. Click on Edit and choose Password Protected. When you publish or update your post, it will only be visible if you have a password.
If you want to protect sections of posts on a WordPress site
There is a free plugin called Passster - Password Protection which allows you to password-protect or CAPTCHA-protect sections of posts. You can also use this to protect who posts, pages, and WooCommerce products, although you don’t need to as WordPress has an inbuilt option.
Passster tends to be used more as a way of enabling CAPTCHA than for passwords. For example, you can show part of a post so a genuine human can see whether or not they want to read it. Then you cover the rest of it via Passster and protect it with a CAPTCHA. A genuine human will be able to deal with this easily, whereas a bot or spammer should be defeated.
Remember that password protection is only as good as the password
By this point, anyone familiar with the internet should be familiar with the fact that you should use a strong and unique password to protect all your accounts. In the real world, however, many people simply recycle the same password through different accounts, possibly varying it slightly.
If this sounds familiar then make a promise to yourself to use a strong and unique password for any important accounts, including anything to do with your WordPress website.
Implement two-factor authentication as much as possible
Two-factor authentication can really boost the security of a WordPress website. Remember, however, that it is not a “silver bullet” solution and it is not an alternative to using a strong and unique password. TFA can be broken, especially if you implement it via text message rather than through a token (as is generally the case).
Manage your users appropriately
It’s strongly recommended to block users after repeated failed password attempts. Three failed attempts is the general standard, although it’s up to you. You could choose to be a bit more generous, but be careful of being overly generous, otherwise, you could open the door to brute-force attacks.
Similarly, it’s best to log out users once they have been idle for some time, especially admin ones. This isn’t quite so critical as they’re often either still at their computer (doing something else) or that they’ve locked their computer rather than log out of the website. It does, however, offer some protection against unauthorized use of a legitimate user’s credentials.
Ban credential-sharing
Give each of your users their own unique set of credentials and make it clear that these credentials are for their sole use. If someone needs temporary access (or a temporary upgrade to admin), then provide them with their own credentials (or upgrade their existing account) and make sure to revoke them when they’re done.
Please click here now to have your website scanned, for free, by cWatch from Comodo.