Securing Your WordPress Website

exclusive-tech-bIt’s no accident that WordPress has become the 800 lb gorilla in the web publishing field. As of March 2012, 72.4 million sites were running on the CMS, amounting to 25% of all websites operating on the Internet. With that gaudy figure in mind, it should come as little surprise that hackers have flocked to exploit the weaknesses of WordPress.

Last April, a massive army of botnets were created to infiltrate WordPress sites using the “admin” user name via brute force attacks. Every day 30 to 40,000 attacks take place because owners allow their sites to become easy prey for these nefarious individuals.

It’s time to ensure you aren’t one of them. Let’s take a look at some easy ways to protect your WordPress site, helping you sleep a little easier at night.

As with any significant changes you make to your WordPress installation, I strongly recommend you back up your files and databases prior to making any of the changes listed below.

1) Update the admin user name: If the botnet example above didn’t put the fear of God in you, it really should have. Brute force attacks (programs nailing a website hundreds of times a minute by plugging in common user names and passwords) have become increasingly common. Using “admin” or other common user names like “administrator,” “test” and “root,” put a large target squarely on your back.

During the initial WordPress installation, you are prompted for your default user name. Change this to something unique to you. I wouldn’t recommend your name, but maybe something for you to easily remember (Mary526 for instance as a name/birthday combo).

If you’ve already installed your version of WordPress, you can go into mySQL and update the user name. In the wp_users table, you’ll find records of all the users setup on your installation. Just update the user_login for the admin account, and you are golden.

2) Create strong passwords: Having a unique user name is critical, but don’t neglect that other piece of the pie. Those brute force programs are regularly exploiting the most commonly used passwords like “admin,” “password,” “123456,” “111111” and “qwerty.” Don’t make the hackers job easier by serving up one of these juicy passwords. Pick something that has letters (upper and lower), numbers, special characters and over eight characters to really lock down your account. You say you can’t remember all these crazy passwords, much less which one belongs to which account? Consider a free program like Keypass to store all of your user names and passwords, allowing you to login to any site with a quick copy and paste. It can even generate 20 digit random passwords for you. Remembering complex passwords for your email, banking, and WordPress will officially become a thing of the past.

3) Update Your wp-config Security Keys: Tucked beneath your WordPress database settings in your wp-config file are your site’s unique keys and Salts. These are a random array of letters, numbers and special characters you’d likely never run across unless they were pointed out to you. Making a new set is very easy with this handy tool WordPress has provided.

4) Limit Login Attempts: This free WordPress plugin is a very handy addition. About three months ago, I replaced the Login Lockdown plugin on one of my sites with this one. In that time, 3968 users (or more likely bots) have been locked out. Not a single one of these incorrect logins was me.

Basically, this plugin locks a user out for 20 minutes if they have tried to login unsuccessfully more than four times. If they have been consecutively locked out four times, then the time period grows to 24 hours. You can alter these time and chance variables to loosen or tighten your login security. It also has helpful features like logging offender’s IP addresses and emails when a lockout happens. It can be unnerving when those emails start rifling in every minute over an hour long period, but you should feel comforted knowing your site guard is on high alert, earning its keep.

5) Secure WordPress: This is another free WordPress plugin I wouldn’t do without. Basically, it just patches a lot of common holes that exist in the basic WordPress install. It will do things like removing the version number of WordPress throughout the site or blocking malicious URL requests. The plugin allows you to toggle these options on and off to customize the settings for your security needs.

6) Always Have a Timely Backup: If a hacker did breach your site and proceeded to wreck havoc, could you recover? If you have a current file and database backup on hand, you could wipe the site clean and start over if needed.

One option is to just download your files to your local machine, but I’d recommend talking to your web host about backup options. Usually they are fairly inexpensive, and they can schedule them to go every night, once a week or whatever interval makes sense for your needs. Never assume your web host is making backups regardless of how much you are ponying up for your monthly hosting bill. I found this out the hard way.

Also make sure you are backing up your database. There are a ton of good options out there. I have used WordPress Database Backup which emails me zipped data files on a daily basis so I always have my data regardless.

There are other methods to constructing a wall around your WordPress website, but these six quick fixes will put you ahead of 99% of the sites out there. I know most readers will say that can’t happen to me, but I assure you it can. You can take an hour to setup your security correctly, or you can connect with your inner sadist by spending days or weeks repairing the damage, not to mention the potential financial impact inflicted by a savvy hacker. Its your choice.

Mark Runyon is a programmer, project manager and CEO at the web and applications development firm, Vandelay Web. He regularly writes on WordPress, Microsoft.Net and web marketing topics. Follow Vandelay Web on Twitter and ‘Facebook.

About the author


Mark Runyon

Mark Runyon is a programmer and Web marketer at the Web and applications development firm,
Vandelay Web
. He regularly writes on WordPress, Microsoft.Net and Web marketing topics. Follow Vandelay Web on Twitter and Google+.


Click here to post a comment
  • I agree updating your passwords and usernames regularly will definitely keep you secure. Moreover with the new encryption security methods in hand you should make full use of them in order to stay protected from being hacked.

  • Mark Runyon, It’s a great article for wordpress security but i would like to suggest few more important steps fir wordpress security.

    1. Please add following rule in your .htaccess to disable directory browsing.
    “Options All -Indexes”

    2. Please change the prefix of your database this must be other than default one.

    3. Please change the admin user name to something else and update the userid “1” to any other digit from phpmyadmin->wp_user

    4. Change permissions of .htaccess and wp-config.php to 444.

  • Nice suggestions Wasif. I agree. These are some great additional steps anyone can add to their WordPress security routine. A couple of these may be more appropriate for the power/more technical users out there.

    The Secure WordPress plugin does shut down certain important directories from browsing.

  • I highly agree with the backup method. Backups are really necessary or else we risk losing all the hard work done so far, should anything go wrong.

  • I actually did not do data backup, it seems to act quickly before.

  • Nice Mark, you have told some already known but still valid points. I would like to know first that Secure WordPress will really secure the website and secondly what if i will change userid from “1” to some other number?

    • Changing user Id from “1” to any other number will actually secure your WordPress from basic login attacks.

    • Per your question Vivek, I wouldn’t use Secure WordPress alone and feel you are protected. Its just one tool to help tighten your security. If you were to only make one change from the list, I’d focus on updating the user name but most of these updates should be fairly straight forward.

  • There is a very good plugin called Better WP Security, through which you’re able to secure your wordpress website 100%.

    You already mentioned, different admin id and strong password, plus you need to change the admin id other than default 1

    Quick tips to secure your WP
    Hide your admin url (default is yourwebsite.com/wp-login.php)
    Change database table prefix (wp_)
    Secure your .htaccess & wp-config files

  • This is a very poor article and might give the
    impression that your steps are enough to have a secured site, and they are not.

    Try to do your homework better or write about things you really understand.

    And thanks to Wasif, your contribution is very valuable

    • J – If you felt this article lacking, please contribute to the conversation telling us what additional measures should be taken to secure your site.

  • The web development companies should pioneer the security of website right from the beginning of development. There are trusted wordpress security plugin online with easy to use installation. One of my favorite is wordfence.

    • I agree with Arnold and Nebulas below. Wordfence provides a significant expansion in protection compared to Secure WordPress alone. It can block fake crawlers, specific IP addresses, etc. plus send you alerts when unusual activity is happening on your site. I use Wordfence in addition to Secure WordPress and they both play nice together.

  • I always like to see articles about WordPress security. Great article, all very valid points. I use a free plugin called better wp security and it takes care of every single point you’ve covered and those covered by Wasif (it even sends database backups to me). What I like most about it is you can do the basics or really lock down the website depending on your level of experience with WordPress. I’ve used lots of other plugins which I’ve liked but this really is an all in one security solution.

  • Good article, and one that anyone with a WordPress website should take note of.

    Remember that it’s not only your website that will suffer if a hacker gets into your WordPress installation, but your domain and all the pages on it could be blacklisted by search engines for having an insecure site, so there is a definite SEO advantage to having a secure site too. If you get blacklisted by Google your traffic will stop, and getting your hacked site removed from their blacklist won’t be easy…

    Thanks for the great article Mark!

    • Great point about the SEO benefits. If your site gets infected with malware, Google will often remove you from search results until the matter is fixed. Getting blacklisted by Google can be crippling for most sites even if its temporary.

  • Like many other people on here, I use Wordfence to protect my WordPress sites. If a site gets hacked, I use Sucuri Security in the past to fix it. I use BackupBuddy for automated database and file backups.

    I’ve used the Limit Login Attempts plugin before, but I haven’t thought about updating the security keys. How often should I update the security keys? Maybe every 3 months? I guess it’s according to what you see fit.

Sign Up for Our Newsletter