There is a good chance that your WordPress website is under constant attack from hackers even though you might not be aware. Unless you have a system in place that alerts you of the failed login attempts or other suspicious activity, the moment you actually find out your site has been breached is when it’s too late to do anything about it.
It’s always in your best interest to proactively secure your site from spammers and hackers. The idea of setting up all of the right security settings may not be something that you joyously look forward to, but if you ask anyone who has experienced a hack if they wish they’d spent some time trying to prevent it, you can be sure that the vast majority of people will say “yes.”
With that in mind, here are 11 actionable tips to help you secure your WordPress website and keep hackers at bay.
1. Never Use the Default Username
Seriously. Change it already.
Any hacker worth his salt knows that a great deal of people use the “admin” username. This makes getting through the front door of your site as simple as hacking the password. Software can do that in the blink of an eye.
If you already have a great deal of content assigned to the admin user, it’s easy to switch it to another author.
Here’s how (you need at least two usernames on your site to do this).
Head to the Users section and delete the admin user. During the deletion process, WordPress asks if you would like to assign the posts to another user. Of course, you do. Choose another administrator account (create one if you haven’t already) from the drop down menu and re-assign the posts.
2. Set a Secure Password
Don’t just use a word you think nobody will ever guess for your password. Use your imagination: include numbers, special characters, and switch between uppercase and lowercase letters.
One of the best suggestions for a password is to string together the first letters from each word of a sentence.
Sentences are easy to remember, especially if they relate to something obvious, like your birthday.
Here’s an example—I was born on the 22nd of April 1987.
From this sentence the password becomes iwbot22oa1987.
Add a couple of special characters such as (&^ to either end, and you have a solid, easy to remember password that’s tough to guess.
3. Always Run the Latest Version of WordPress
I know it’s scary updating to the latest version of WordPress. Sometimes things can go wrong. But it’s still in your best interest to run the latest version possible, which is always the most secure.
WordPress files, plugins, and themes are mostly all open source, which means everybody has access to the code. If you can see the code, so can hackers.
They track down sites using older versions of WordPress and exploit the weaknesses. How do they know which version of WordPress you are running? It says so in the header section of the source code, which is viewable by right-clicking on a webpage and hitting “view page source” (Google Chrome).
4. Keep Plugins and Themes Up to Date
This point follows up from the last one. Old versions of plugins and themes may be vulnerable to attackers and provide easy access to your server/site. Keeping them up to date ensures they are as secure as possible.
If you’re worried about breaking your site when performing updates, use a reliable backup service like VaultPress. If anything goes wrong, you can easily and quickly restore the most recently backed-up version of your site.
5. Don’t Install Plugins or Themes from Third-Party Websites
I don’t blame you for wanting to download that theme or plugin from the website you found via Google. It looks great and performs a function you’ve been yearning after for months.
The site says it’s free to download and looks very attractive. . .but wait!
Don’t download and install it without first doing your homework and checking up on user reviews.
Start by asking yourself why the plugin or theme is not available through the official WordPress repository. That alone should raise suspicion (unless, of course it’s a premium product).
While there are legitimate reasons for not submitting plugins and themes to the official portal, the most likely reason is because they contain malicious code and did not live up to the WordPress.org quality standards. Once the plugin or theme is live on your site, the hacker has a potential way in.
6. Limit Login Attempts
Use a plugin to block numerous failed login attempts from the same IP address. This strategy works very well to prevent break-ins. If a user fails to login after three or so attempts, it blocks access from the IP address and stops them from trying again.
The Limit Login Attempts plugin is a good choice. It hasn’t been updated for a couple of years, but it still works for many users, as you can see by checking its many 5 star ratings.
7. Hide Your Real Username
This is an often over-looked security tip. Even if you don’t use the default “admin” username (see point 1), it is still possible for hackers to find out the username you do use simply by clicking on the link to the author’s archive (assuming your blog is configured to display author names).
To prevent this from happening, make sure that your display name is different from your username. This setting can be adjusted in the WP Admin > Profile page.
8. Use Security Plugins
There are a number of security plugins which monitor suspicious activity on your WordPress site. The Limit Login Attempts plugin I mentioned earlier is very simple and performs just one task.
There are others that do a more thorough job of catching and alerting you to possible security flaws.
Here are a few worth considering:
9. Restrict Permissions of Contributors
This suggestion is for anyone running a multi-author site.
The default user level, subscriber, allows people to do very little in terms of administering a WordPress website.
However, if you give people full admin rights to your site, they can do just about anything, including installing plugins and themes, and editing files. Any admin user with a desire to cause damage to your site can easily do so.
Think carefully about the level of access you give people. And only let people you fully trust have admin accounts.
Two plugins you might consider using—which allow you to create specific user roles to control access to certain parts of your site—are User Role Editor and User Access Manager.
10. Remove Unused Plugins and Themes
Keep your WordPress installation as clean as possible by deleting unused plugins and themes.
I don’t mean deactivating them, I mean deleting them.
11. Backup Your Site
Last, but certainly not least, backup your site. Track down a reliable backup service you like and use it.
Paid services like the one I mentioned earlier, VaultPress, are usually very simple to use—practically all you need to do is sign up, install the plugin, and follow the on-screen instructions.
Other free plugins, like these, will require some technical knowledge when the time comes to restore a backup to your site (but it’s something that a web hosting provider will usually take care of for you). If you don’t have much of a budget, then choose from that selection.
As Benjamin Franklin famously said, “an ounce of prevention is worth a pound of cure.” Ensuring that your site is secure from hackers is a vital part of configuring any new WordPress installation.
Which of these security tips are you going to implement first?
Jonathan John is a WordPress enthusiast and freelance blogger. He loves comparing WordPress plugins and themes, sharing the latest Automattic news, and helping non-techies get the most out of the world’s favorite CMS.
Join the conversation