Securing WordPress : A Simple Step-by-Step List


Securing WordPress is not an easy task, especially when you’re not particularly well-versed in editing code or taking care of the more technical side of running a website. However, failing to do it may result in attackers gaining access to your sensitive data, which is never fun. That’s exactly why we decided to put together this quick and painless guide. Our list of easy-to-follow steps is a good starting point for anyone interested in securing WordPress.

PRO Tip: We’ve put together a list of the Best WordPress security plugins. The same ones we use when building websites for our clients and would recommend to anyone looking for more ways to secure their WordPress install. Improve your WordPress security with just a couple of clicks.

We now live in a digital world where hackers, malicious threats, and identity thieves are a real problem; so taking your website live is always risky if you haven’t taken the necessary precautions to ensure your personal data stays safe. It’s true that WordPress is a highly user-friendly CMS platform, but this doesn’t mean it has to be a soft target for hackers and spammers. Learning how to secure your WordPress powered blog is a must.

Unfortunately, most website owners don’t even think about the security of their website or blog until AFTER they’ve already been hacked and lost everything. Thus, it is absolutely crucial to keep your website secured and protected against hackers from the very beginning. To get started, you can always check out the following article on securing WordPress. Keep in mind though that this requires a bit more technical know-how. If you’re looking to keep things simple, read on.

There are a lot of things a website or blog owner can do to protect themselves and their WordPress website. Or, in other words, to make hackers back off. We’ve built a very user-friendly list on the best practices we rely on when it comes to securing WordPress. It’s really easy to follow and should help with the usual security questions that arise. Here goes nothing.

1. Create a new login username and password

The first thing you should do when you set up a new website or blog is to delete the WordPress default admin user and create a new one. If you are installing WordPress 3.2 or above, you can change or set any other username fairly easily. However, if you’re running a WordPress blog with a default username, you might be in trouble.

All hackers know that the default WordPress user account has both the login username and password set as admin, making it a convenient target for attacks. Ultimately, the best thing to do is to create a new login and completely delete the default admin. To do this, go into the WordPress menu, click Users and then Add New. Make sure to set your new user as an Administrator. After completing these steps, log out and log in with the new account. Transfer all your old content to your new account and delete the default admin account.

Moreover, you should set a new nickname for your username; otherwise, the username itself will appear on all posts and it won’t make any difference whether you changed it or not. Hackers will gladly copy it from your posts’ signature and use it to break into your website. You can do this by going to Users in your WordPress menu and editing the Nickname field. Create a new nickname and set it as your public display name.

Picking a password that’s hard to crack should also be on your to-do list. Data on the most commonly used passwords is worrying, to say the least. Here’s a breakdown of the top 5 most used passwords, according to TeamsID:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty

With a bit of time (and I mean it, just a bit) anyone really motivated to gain access to your site will eventually reach their goal if you use one of these. To avoid this bleak outcome, make sure you pick a strong password, preferably a combination of upper- and lowercase letters with numbers and special characters mixed in. If you can, use something that holds absolutely no meaning to you and make sure it is at least 10 characters long. The longer the password, the harder it is to crack by brute force.

When it comes to usernames and passwords, the less sense they make, the harder they’ll be to crack. If you need some tips on how to pick a really secure password, check out this article from DigitalTrends: How to pick strong passwords and keep them that way.
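The password advice above (at least 10 characters, mixed character classes, nothing from the common-password lists) can be turned into a check you run on a candidate before you save it. The following is an added example, not code from the original article or from WordPress; the common-password list is just the five entries quoted above, and a real check would load a much larger list.

```python
import math
import re

# Constructed sample: the five entries quoted from the TeamsID list above.
# A production check would load a far larger breach-derived list.
COMMON_PASSWORDS = {"123456", "password", "12345", "12345678", "qwerty"}

MIN_LENGTH = 10  # the article's recommended minimum

# Character classes the policy expects to see mixed into a password.
CHAR_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def password_issues(password, username=""):
    """Return the policy violations found in `password`; an empty list means it passes."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        issues.append("contains the username")
    missing = [name for name, rx in CHAR_CLASSES.items() if not rx.search(password)]
    if missing:
        issues.append("missing character classes: " + ", ".join(missing))
    return issues


def search_space_bits(password):
    """Rough size of the brute-force search space, in bits, for a password of
    this length drawn from the character classes it actually uses. It shows
    why each extra character adds more than swapping in one more symbol."""
    pool = 0
    if CHAR_CLASSES["lowercase"].search(password):
        pool += 26
    if CHAR_CLASSES["uppercase"].search(password):
        pool += 26
    if CHAR_CLASSES["digit"].search(password):
        pool += 10
    if CHAR_CLASSES["special"].search(password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for candidate in ("password", "admin2024!Xy", "Tr0ub4dor&3xample"):
        print(candidate, password_issues(candidate, username="admin"),
              f"{search_space_bits(candidate):.1f} bits")
```

The username check matters because, as the article notes, the public display name gives an attacker half of the credential pair for free; a password that embeds it gives away more.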

Usually, hackers try to brute-force your account details, so if you have changed both your username and password to something hard to guess, you should be just fine.

Preventing WordPress Brute Force Attacks can be easily accomplished by using this plugin called Brute Force Login Protection. We’ve been using the same plugin on this site, so we vouch for it.

2. Upgrade WordPress for better security


Are you the kind of user who finds upgrade prompts annoying? Yeah, I know the feeling. When it comes to securing WordPress, however, you should always upgrade to the latest version. Actually, go ahead and do this for everything – accounts, technology, software…

Why? Well, it’s a no-brainer: websites using an older version of WordPress are more likely to be hacked. The longer a WordPress version exists, the higher the chance hackers and spammers have already found a way to penetrate it. In other words, it becomes more and more vulnerable as time goes by.

Developers update their software and plugins regularly to close security vulnerabilities found in older versions. This is one of the easiest-to-follow tips on securing WordPress. Thus, you should keep both your WordPress core and your security plugins up to date.

Another tip on securing WordPress: remove the WordPress version from being displayed to the public in the header tag. This will make life a little harder for hackers. Yay!

Recommended plugin for removing the WordPress version from being displayed in the header of your site and securing WordPress: Yoast SEO
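Once you have removed the version from the header, it is worth verifying that it is actually gone, because WordPress discloses its version in more than one place: the generator meta tag in the HTML head, the generator element in the RSS feed, and the ?ver= query string appended to core assets under wp-includes. The following is an added example, not part of the original article; the HTML fragment it scans is constructed, and the version numbers in it are made up for the sample.

```python
import re

# Where WordPress normally discloses its version in a page or feed.
GENERATOR_META = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)["\']',
    re.IGNORECASE,
)
FEED_GENERATOR = re.compile(
    r"<generator>\s*https?://wordpress\.org/\?v=([\d.]+)\s*</generator>",
    re.IGNORECASE,
)
CORE_ASSET_VER = re.compile(r"wp-includes/[^\"'?\s]+\?ver=([\d.]+)")


def find_version_leaks(document):
    """Return (location, version) pairs for every place the document reveals
    the WordPress version. An empty list means nothing obvious leaks."""
    leaks = []
    for m in GENERATOR_META.finditer(document):
        leaks.append(("meta generator tag", m.group(1) or "unknown"))
    for m in FEED_GENERATOR.finditer(document):
        leaks.append(("feed generator element", m.group(1)))
    # ?ver= on core assets usually carries the WordPress version; report each distinct value once.
    for version in sorted(set(CORE_ASSET_VER.findall(document))):
        leaks.append(("core asset ?ver= query string", version))
    return leaks


# Constructed sample page; "6.0" is a made-up version for the example.
SAMPLE_PAGE = """
<html><head>
<meta name="generator" content="WordPress 6.0" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.0" />
</head><body>Hello</body></html>
"""

# Constructed sample after hardening: no generator tag, assets served without a version.
HARDENED_PAGE = """
<html><head>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css" />
</head><body>Hello</body></html>
"""

if __name__ == "__main__":
    print("before:", find_version_leaks(SAMPLE_PAGE))
    print("after: ", find_version_leaks(HARDENED_PAGE))
```

Run it against the saved HTML of your home page and of your feed URL. Removing the generator tag alone leaves the ?ver= strings, so a clean result needs the asset version strings dealt with as well, which is why the check reports them separately.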

3. Disable guest user registration

There is no need for you to allow visitors to register for accounts on your blog or website, unless you run a membership website or work with guest contributors on a regular basis. If you’re running a newer version of WordPress, user registration is disabled by default. If you’ve installed an older one, you might have to disable it yourself: go to Settings -> General and uncheck the Anyone can register option. And if you are on an older version, we strongly suggest you update WordPress as well. See #2 again.

4. Backing up is important – remember to do it often

When it comes to website or blog security, things can look pretty grim. If someone is highly motivated to hack and break into your website, they are going to persevere until they’re successful. NASA has been hacked, American Military Systems has been hacked, even Area 51 has been hacked. But they weren’t reading our article on securing WordPress properly, were they?

Kidding aside, to add an extra layer of security it’s highly recommended you create a backup of your database and files and update it regularly. You can do this manually or automatically by using the backup plugins WordPress provides.

There’s one plugin that stands out when it comes to WordPress backup plugins. We think it’s the best, we always rely on it, and we highly recommend you give it a go: VaultPress.

5. Use security plugins

Security plugins are a great way to protect your WordPress website or blog from hackers and spammers. Some of the best free security plugins out there are Wordfence, Better WP Security, and Bulletproof Security. They will help you make your website or blog safer by actively scanning your WordPress install and detecting malicious activity. They will also block bot traffic, limit login attempts, enforce strong passwords, and prevent logins from suspicious IP addresses.

PRO TIP: We’ve put together a list of the Best WordPress security plugins. The same ones that we use when building websites for our clients and would recommend to anyone looking for more ways to secure their WordPress install. Improving WordPress security has basically never been easier.

6. Use reliable and secure hosting

With more than a third of all hacks occurring via hosting, it becomes obvious that you should never compromise when choosing a hosting provider. Generally speaking, a trustworthy provider is one that runs current, patched server software and platforms.

Also, it should have a powerful and impenetrable data center. For a hacker, gaining access to your WordPress website or blog through your server is the ultimate delight.

When it happens, the hacker may be able to overcome most if not all your security measures without any difficulty. Take choosing a hosting provider seriously and you’re more likely to dodge a bullet in the long run.

7. Use Secure Sockets Layer (SSL certificates)

SSL is a security technology that creates an encrypted connection between a web server and the visitor’s browser. It protects your content and data while it travels over the Internet. Without it, data is sent between browsers and servers as plain text, leaving you vulnerable to hackers and identity thieves.

When using this security protocol all your personal information (such as social security numbers, credit cards, login credentials and website content) is kept safe in the transmission process.

You can learn more about SSL certificates here: What is an SSL Certificate?

8. Disable or block certain IP addresses

As we’ve already said, hackers will usually opt to brute force their way in. This means they will try thousands of combinations of usernames and passwords until they find the right one. When it comes to securing WordPress it’s key you stop these attempts before it’s too late.

One way to do this is to install a dedicated plugin, such as Login LockDown, Limit Login Attempts or BruteProtect. This way, you will be able to record any failed attempts to login into your website or blog. When a certain number of failed attempts to log in occur within a short period of time and from a specific IP range, the plugin will block the specific IPs, hence preventing the hacker from accessing your website.
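The lockout behaviour described here (count failed logins per source IP, block the source once a threshold is crossed within a short window) is what plugins such as Login LockDown and Limit Login Attempts implement. The following is an added example of that logic, not code from any of those plugins or from the article: a sliding-window limiter, plus a replay over a constructed login log so you can see exactly when a source gets locked out and when the lock expires.

```python
import re
from collections import defaultdict, deque
from datetime import datetime


class LoginRateLimiter:
    """Sliding-window lockout: `max_failures` failed logins from one IP within
    `window_seconds` lock that IP out for `lockout_seconds`."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lock expires

    def is_blocked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is not None and now < until:
            return True
        if until is not None:
            del self._locked_until[ip]  # lock has expired, forget it
        return False

    def record_failure(self, ip, now):
        """Register a failed login; return True if this failure triggers a lockout."""
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)  # a successful login resets the counter


# Constructed sample log, one event per line (not a real WordPress log format).
SAMPLE_LOG = """\
2024-03-01T10:00:01 login_failed user=admin ip=198.51.100.7
2024-03-01T10:00:04 login_failed user=admin ip=198.51.100.7
2024-03-01T10:00:06 login_failed user=editor ip=203.0.113.5
2024-03-01T10:00:09 login_failed user=admin ip=198.51.100.7
2024-03-01T10:00:12 login_failed user=admin ip=198.51.100.7
2024-03-01T10:00:15 login_failed user=admin ip=198.51.100.7
2024-03-01T10:00:30 login_failed user=admin ip=198.51.100.7
2024-03-01T10:01:00 login_ok user=editor ip=203.0.113.5
2024-03-01T10:20:00 login_failed user=admin ip=198.51.100.7
"""

LINE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) ip=(\S+)$")


def replay(lines, limiter):
    """Feed log lines through the limiter. Returns which (ip, line number)
    triggered a lockout and which attempts were rejected while locked."""
    result = {"locked": [], "rejected": []}
    for n, line in enumerate(lines, 1):
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1)).timestamp()
        event, ip = m.group(2), m.group(4)
        if limiter.is_blocked(ip, ts):
            result["rejected"].append((ip, n))
            continue
        if event == "login_failed":
            if limiter.record_failure(ip, ts):
                result["locked"].append((ip, n))
        else:
            limiter.record_success(ip)
    return result


if __name__ == "__main__":
    print(replay(SAMPLE_LOG.splitlines(), LoginRateLimiter()))
```

With the defaults (5 failures in 5 minutes, 15-minute lock), the source 198.51.100.7 is locked at its fifth failure (line 6), its next attempt is rejected outright, and by line 9 the lock has expired and counting starts afresh. The editor at 203.0.113.5 is never affected, which is the point of keying the counter on source address rather than on the username alone.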

Another way to go is to block everyone from accessing the login area, that is, the wp-admin area. Except for yourself, obviously. Unfortunately, this solution isn’t perfect. If you travel a lot, updating the allowed IP address every time yours changes can be somewhat of a burden. But if you do not mind the extra work, you’ll have a login area that is far harder to attack. Another easy win on securing WordPress, if I may say.

Here’s some code to facilitate the above:

9. Wipe out Cookies and Cache

Another essential step in preserving your website or blog security is to clear cookies and cache on a regular basis. Overlooked by many when logging in from a different device, this step can drastically reduce the security vulnerability of your site or blog. To put it simply: regularly clear all your cookies and cache.

10. Secure your WP-admin & WP-login files

Last but not least, you might want to keep your WordPress admin or wp-admin files out of reach, except for a trustworthy designated person who needs to access them. You can restrict all access to your wp-admin files by using .htaccess. This will allow only a specific IP into the directory, keeping your WordPress website or blog secure from unwanted visitors. Here’s a code snippet that’ll make it happen.

Another way to go is to create a password in the .htpasswd file. Here’s some code to facilitate this.
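The two .htaccess measures described here, restricting wp-admin to specific IP addresses (also the idea behind "block everyone except yourself" in #8) and putting a password on the directory via .htpasswd, can be combined in one file. The following is an added example, not the article's own snippet: a small generator that validates the allowlist and emits an Apache 2.4 .htaccess for wp-admin, plus a helper that mirrors Apache's allowlist decision so you can confirm your own address is covered before you lock yourself out. The .htpasswd path and the IP ranges are constructed placeholders.

```python
import ipaddress


def wp_admin_htaccess(allowed_networks, htpasswd_path, realm="WordPress admin"):
    """Return the text of a .htaccess that allows wp-admin only to the given
    IPs/CIDRs and only with a valid .htpasswd login (Apache 2.4 syntax)."""
    # ip_network raises ValueError on malformed input, so typos fail here
    # rather than silently producing a file that locks everyone out.
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    # Single hosts render without a prefix; ranges keep their CIDR.
    rendered = [str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets]
    lines = [
        "# Generated .htaccess for wp-admin/ (Apache 2.4 authorization syntax)",
        "AuthType Basic",
        f'AuthName "{realm}"',
        f"AuthUserFile {htpasswd_path}",
        "<RequireAll>",
        "    Require valid-user",
        # All allowed sources go on ONE line: several Require ip lines inside
        # RequireAll would demand that a client match every one of them.
        "    Require ip " + " ".join(rendered),
        "</RequireAll>",
        "",
        "# admin-ajax.php is fetched by ordinary visitors' browsers for some",
        "# themes and plugins; keep it reachable or those features break.",
        "<Files admin-ajax.php>",
        "    Require all granted",
        "</Files>",
    ]
    return "\n".join(lines) + "\n"


def is_allowed(client_ip, allowed_networks):
    """Mirror Apache's allowlist check offline: is client_ip inside any allowed network?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in allowed_networks)


if __name__ == "__main__":
    # Constructed placeholders: an office range and a single home address,
    # and a .htpasswd kept outside the web root.
    allowlist = ["203.0.113.0/24", "198.51.100.5"]
    print(wp_admin_htaccess(allowlist, "/var/www/private/.htpasswd"))
    for probe in ("203.0.113.77", "198.51.100.5", "198.51.100.6"):
        print(probe, "allowed" if is_allowed(probe, allowlist) else "denied")
```

Create the password file with the standard Apache tool, for example `htpasswd -B -c /var/www/private/.htpasswd yourname` (-B selects bcrypt, -c creates the file), and keep it outside the document root so it can never be served. The directives only take effect if the server's configuration allows .htaccess overrides for authentication (AllowOverride AuthConfig), which is worth checking with your host before relying on them.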

11. Secure WordPress via WAF

Another great option when it comes to securing WordPress is using a Web Application Firewall or WAF. Much like the firewall you probably already run on your laptop or PC, a WAF acts as a barrier between your website and the rest of the Internet. It analyzes the requests users and visitors make and blocks the ones that look malicious. In short, it adds an extra layer of security to your blog.

PRO Tip: When it comes to WAF, we’re big fans of Sucuri. A global leader in website security, Sucuri offers cloud-based protection that will keep your site or blog safe from most cyber attacks.

When securing WordPress, better safe than sorry

Our advice will keep your WordPress website or WordPress blog safe from hackers, spammers, and identity thieves. Recovering after a hack can be daunting. It’s best to reduce the risk by applying these quick and simple tips on securing WordPress. Think of it this way: investing in your site’s security isn’t a joke, especially if your business relies on it for income. Implement the methods above and you will feel a lot safer.

Final thoughts on securing WordPress

Whether you decide to boost your WordPress blog’s security via plugins or by manually applying the above tips, you’ll sleep better knowing your site is protected. Taking the necessary steps to securing WordPress will allow you to be more productive and focus on what’s really important: growing your business without stressing about potential malicious attacks.


WordPress business owner with an eye for simplicity. Building stuff that works seamlessly is my personal motto. Happy to be a part of the WordPress community.
