WordPress Security

Out of the box, WordPress is a relatively secure publishing platform, but a magnet for hackers. Unless you want to find your site overrun by hackers on a regular basis, WordPress Security something you have to take seriously.

Luckily, there are several things you can do to make your website significantly more secure, but which don’t take up a whole lot of your time and effort. Nothing you can do will ever make your site 100% safe, but if you follow the advice below, you’ll be making yours one of the hardest sites to crack.

WordPress Security

Things you can do

WordPress security is not about removing risk. You can’t. If a skilled hacker wants to get into your site, he will do it eventually. No, WordPress security is about reducing risk; making it as hard as you can. The good news is that there are lots of things you can do easily.

WordPress Security Starts with Hosting

A huge number of websites are actually hacked through weaknesses their hosting security. It makes sense, if you think about it. Why waste time trying to hack a single site when you can look for weaknesses in the hosting system? There’s not a huge amount you can do about your hosting company’s security, but you can ensure you use a professional hosting company with a good reputation. You can also take care to use a strong username and very strong password on your hosting, email and ftp accounts. If you use cpanel, your login address should always be https, so your password is encoded.

Contact your hosting company and ask if it is possible for you to login via SSH, which is an added means of protecting your login. In most cases they will also help you set it up.

Get an SSL Certificate

It’s not a coincidence that one of the basic requirements if you want to have an online store which handles credit card transactions is that you get an SSL Certificate for your website. An SSL Certificate is what you need in order to use HTTPS, which is more secure than the more common HTTP. Read more about HTTPS and SSL here.


Keep it all updated

One of the most basic things and easiest things to do is to ensure that you keep WordPress and the plugins and themes you use up to date. Each updated release of WordPress contains an assortment of security fixes, patches and bugfixes. Each update adds an extra safeguard and ensures your site is as secure as possible. And, if you’re not actually using a theme or plugin at all, delete it. You can always upload it again in the future if you want it.

Admin username and password

Most hackers prefer to enter websites via the front door, by logging in. That means they need to find a username and a password. If your admin username is ‘admin’, ‘adm1n’, ‘administration’, ‘office’, ‘manager’ or something like that, you’ve just made the hacker’s job much easier. If your password is ‘password’ or something similarly silly, well, you just left the door wide open and the key in the lock for good measure. Even so, the solution is simple:

Go into your admin ‘users’ section and create a new user with an unguessable username. Make this new user an administrator and be sure it has a strong password. Then, after you save your new admin username, delete the old user. When WordPress asks you what to do with the pages and posts created by the old user, attribute them to your new username – the option will be on-screen in front of you.

Page and Post Authors

A hacker can look for the admin username by looking to see who created your pages and posts, and there are several ways he can find this information. One solution which we always employ is to create a new user and make it an ‘author’. Give this user a good username and a strong password and save it. When you create a page or post, choose this ‘author’ username as the page/post author. That way, even if a hacker finds the username and cracks the password, he still isn’t entering the site as an administrator.

Two-factor authentication.

You’ve almost certainly used two-factor authentication before. We hate it to bits, and it’s a real pain in the butt, but it creates a very effective barrier against hackers. Even if you don’t use it for all your users and subscribers, using it for your admin accounts is a very good idea. Some security plugins such as WordFence (more on this later) offer this facility, or you can look at standalone plugins like ‘Google Authenticator’ which is free and available from the WordPress.org plugin library.

Lock the back door

Making your home secure doesn’t stop at buying a security door with top quality locks. You need to think about other doors and windows too. And so it is with WordPress security – not everybody tries to come in via the login page.

You can start by making wp-config.php and .htaccess invisible, and it will take you all of about 10 seconds to do. If you have cpanel or something similar for your hosting, simply open your file manager and find your .htaccess file. Then paste this code into it:

That’s all it takes to stop anybody accessing your wp-config and htaccess files.

Recent Posts

  • Plugin Review - WP Rocket

WP Rocket Review

Review - WP Rocket cache plugin In case you didn't already know, WP Rocket is a WordPress caching plugin and, [...]

  • WordPress Security

WordPress Security – 2

WordPress Security Plugins You can take care of the basics of WordPress security yourself, and it doesn't take long. The [...]

  • WordPress Security

WordPress Security – 1

WordPress Security Out of the box, WordPress is a relatively secure publishing platform, but a magnet for hackers. Unless you [...]

  • feat-starter-plugs

Essential plugins at startup

Startup plugins and themes Like most people who create WordPress website regularly, we have what you might call a default [...]

  • feat-notification-mails3

User Notification Emails

Changing the 'from' in notification emails Stopping WordPress sending user notification emails to new members from 'wordpress' or using 'wordpress@yourdomain.com'. [...]

  • feat-logins-1

Display User Logins

Showing User Logins If you're running a WordPress website with multiple users, administrators, authors, contributors or just normal subscribers, it's [...]

  • displaying code

Displaying code

Displaying Code Snippets Creating the content for a WordPress 'help' website like this, it's very difficult to know where [...]

  • WordPress and GPL

WordPress and GPL

WordPress and GPL WordPress is a fantastic piece of software, a content management system (CMS) based on PHP and MySQL [...]