How To Secure Your WordPress Site - WordPress Security 101

WordPress is a pretty secure platform, but there are several things you can do to harden WordPress security and protect your website.

One of the most vital steps for WordPress Security is to keep your WordPress installation up to date. If a new security vulnerability is found in WordPress, it is usually fixed pretty quickly, and a new version is released. Not updating your WordPress installation can leave your website vulnerable to these security issues, potentially leading to unauthorized access or data breaches.

Change the Database Table Prefix in WordPress
When installing WordPress, you can specify a database table prefix. By default, this is 'wp_', which is an easy guess for would-be attackers. By changing it to something only you know, you can harden the database against potential attacks.
Keep Wp-Admin Directory Protected with .htaccess
Although you need to enter a username and password to enter the WordPress administration pages, there are still resources within the admin folder that an attacker could use to gain control of your website. Server-level password protection is a security measure that adds an extra layer of protection over all the administration content. It requires users to enter a password before they can access the admin folder, even if they have the correct username and password for the WordPress admin pages. This can help to prevent unauthorized access to your website's admin content. The following tutorial shows you how to enable server-level password protection on your WordPress site in 7 easy steps.
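As an added example, not taken from the article or the tutorial it refers to, here is a wp-admin/.htaccess that puts HTTP Basic authentication in front of everything in the admin folder. The path to the password file is a placeholder; the file should live outside the web root and is created with Apache's htpasswd utility.

```apache
# Added example: place this file at <wordpress-root>/wp-admin/.htaccess
# Apache 2.4 syntax (mod_auth_basic, mod_authn_file, mod_authz_core).

AuthType Basic
AuthName "Restricted Area"
# Placeholder path: keep the password file outside the document root.
AuthUserFile /srv/example/private/.htpasswd
Require valid-user

# Themes and plugins call admin-ajax.php for logged-out visitors as well,
# so exempting it avoids breaking the public site; everything else in
# wp-admin stays behind the server-level password.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Create the password file with `htpasswd -c /srv/example/private/.htpasswd <username>` (on Apache 2.4.4 and later, `-B` selects bcrypt hashing), and make sure the directory's AllowOverride setting includes AuthConfig, or the file is silently ignored. On Apache 2.2 the admin-ajax.php exception is written as `Order allow,deny`, `Allow from all` and `Satisfy any` instead of `Require all granted`. To check the result, open /wp-admin/ in a fresh browser session: the server's credential prompt should appear before the WordPress login form does.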
Keep Backups of your Database and Files
Ensuring the safety of your WordPress database and files is crucial, just as important as strengthening your site against hackers. In the unfortunate event of a breach, having clean backup files to revert to can be a lifesaver. Many hosting companies offer options to backup databases and files, or you can explore a few reliable plugins for WordPress that will backup your database and email it to you.
Disable XMLRPC to Improve WordPress Security
If you do not publish posts from an external application, you should disable XMLRPC, which is a method for remotely logging in and publishing using desktop or mobile applications such as Windows Live Writer.
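One server-level way to switch XML-RPC off, added here as an example rather than taken from the article, is to deny all requests to xmlrpc.php in the site's root .htaccess:

```apache
# Added example: append to <wordpress-root>/.htaccess (Apache 2.4 syntax)
# Blocks every request to the XML-RPC endpoint; remote publishing clients
# such as Windows Live Writer will no longer be able to log in through it.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

After the change, a request to /xmlrpc.php should return HTTP 403. The WordPress-native equivalent, which also works on non-Apache hosts, is `add_filter( 'xmlrpc_enabled', '__return_false' );` in a must-use plugin; that filter refuses XML-RPC logins rather than blocking the file itself. Check for dependencies first: Jetpack, recommended later on this page, talks to WordPress.com over XML-RPC and stops working when the endpoint is denied.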
Disable or Remove Unused Plugins and Themes for added WordPress Security
If you have downloaded a few plugins or themes and decided not to use them, did you deactivate them? Did you delete the files? There is always a possibility that a vulnerability can be found in a plugin or code that the plugin or theme uses. Removing any unused plugins or themes you have installed is always best. Unused plugins and themes can pose a security risk as they may contain vulnerabilities that could be exploited by hackers. By removing or disabling these, you can reduce the potential attack surface of your WordPress site.
Remove or Rename the Admin User Account in WordPress
A typical WordPress installation has a default user account with the login name admin. If you use that to access your site, you have made a hacker's job 50% easier. Now, all he has to do is guess the password...
Here is how to change the admin login name:
- Log in to the WordPress admin panel
- Go to Users -> Add New
- Add a new user with the Administrator role and make sure you use a strong password.
- Log out of WordPress and re-login with your new admin user.
- Go to Users
- Remove "admin" user
- If "admin" has written posts or pages, remember to attribute all posts and links back to the new user.
Use a Strong Password
A strong password is one that you can remember quickly enough but is difficult for somebody else to guess. It should also be as long as you can make it. You should also avoid using common letter replacements in standard words, such as changing an o to a 0, a with an @, etc.
Good passwords are often made up using phrases; for example, think of a common phrase and use the first letter of each word. "The Quick Brown Fox Jumps Over The Lazy Dog" becomes 'tqbfjotld', which seems like a good password but would only take the average desktop computer about 22 minutes to crack. You should also add numbers and symbols to a password that you can remember but nobody else can. And not your PIN, either. A simple change to the password '1tqbfjotld!' (adding a ! and the number 1) raises the cracking time to 48 years. Adding another number to the end, '1tqbfjotld!4462', should take the cracking time to several hundred million years.
You can check how strong your current password is with howsecureismypassword.net.
Bad Password Examples
Easily guessed words, and numbers that are still guessable.
april1 1223334444 admin password
Better Password Examples
Random letter generators are secure, but can you remember these? Chances are you would have to write this down somewhere. Random strings are also crackable using a brute force technique.
usuengoidlnpwxean g1sJOj1Oo3bp3cyvLr63
Best Password Examples
Combinations of letters, numbers and symbols.
n[4[(x%I0RC| MRPeSF;{MAYm Y5^-x]njQh3Qk32
Plugins to Help Improve WordPress Security
Akismet
Akismet checks your comments against the Akismet web service to see if they look like spam or not. If a comment looks like spam, it is automatically moved to the junk folder. Spam comments may contain scripts or other codes that can compromise your WordPress security.
Better WP Security
Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin, thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
Use Google Authenticator for WordPress Security
The Google Authenticator plugin for WordPress gives you two-factor authentication. This is an extra layer of security that requires not only a username and password but also something that only the user has on them, i.e., a piece of information only they should know or have immediately to hand, such as a physical token. The Google Authenticator app for Android/iPhone/Blackberry can be used for this. The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account but log in with less privileged accounts as usual.
Jetpack - WP Security, Backup, Speed, & Growth
WordPress security, performance, marketing, and design tools - Jetpack is made by WordPress experts to make WP sites safer and faster and help you grow your traffic.
We guard your site so you can run your site or business. Jetpack Security provides easy-to-use, comprehensive WordPress site security, including auto real-time backups and easy restores, malware scans, and spam protection. Essential features like brute force protection and downtime/uptime monitoring are free.