How to Protect your WordPress Site

The technology news is currently full of doom-and-gloom stories about a concerted, global brute-force campaign against WordPress logins, which will undoubtedly bring about the end of humanity as we know it! I have certainly noticed an increase in attempted break-ins on my own blogs recently, but because I had already taken steps to protect them, it wasn't a major problem. After a few questions from readers and clients about this, I thought you might appreciate a run-down of the options you have for protecting your own WordPress sites.

Obfuscate Admin Account Names

Older WordPress installers created the first administrator as 'admin' unless you changed it, and attackers still try that name first: it is the account I see attacked most often, so it should not exist on any of your sites. Give every account with administrator rights a name that is hard to guess, such as 'RumpleAdminSkin5542' (no, that isn't one I'm using; I made it up as an example). The same goes for any test accounts, since 'test' is the next most common name attackers try. Two caveats: a WordPress user name is not really a secret (author archive pages and the REST API can reveal it), so renaming the account cuts down the noise rather than making the account unreachable, and you still need the password and lockout measures below. And if you already have an 'admin' user, create a new administrator, log in as it, then delete the old one and assign its posts to the new account, because WordPress does not let you change a user name from the profile screen.

Use Complex Passwords

Attackers commonly run dictionary attacks: automated tools that try lists of common words and previously leaked passwords, usually with "mangling" rules that append digits or swap letters for look-alike symbols. If your password is something like "password" or "football", it will fall in seconds. The WordPress documentation recommends at least 8 characters with a mix of upper and lower case letters, numbers and symbols such as "@&$%"; treat 8 as the floor, not the target. Be aware that the obvious substitutions don't buy much: "Pas$w0Rd!" is still "password" with a few well-known swaps that every cracking rule set already tries, so it is not much harder to crack than the original. If you need something you can remember, use a long passphrase of several unrelated words; if you don't, use the random generator described next.

My own preference for admin-level passwords is a password generator. These come with password management software such as RoboForm and produce completely random, complex passwords of any length. Store them in the password manager itself (a password-protected spreadsheet is better than a sticky note, but a dedicated manager is the right tool for the job) and you can comfortably use 24-character or longer random passwords, with a different one for every site, for maximum security.

Secure Your Login Page

One way to stop attackers even reaching your WordPress login page is to put an extra layer of password protection, handled by the web server rather than by WordPress, in front of that page. It can be a little annoying (particularly if you have lots of users) but is highly effective, because the brute-force tools never get to talk to WordPress at all. You will need to be reasonably comfortable with the technology your site runs on in order to do this, so it's not for everyone. Details are beyond the scope of this article, but there's an excellent tutorial on Hostgator's support site. (By the way, Hostgator is my number one recommendation for web hosting; get a 25% discount when you use the discount code IMwithJohn25.)
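As an added illustration of the login-page protection described above (this is not Hostgator's tutorial text, and not part of the original post), here is an Apache 2.4 .htaccess fragment for the site's document root that puts HTTP Basic authentication in front of wp-login.php. The path /home/example/.htpasswd is an assumption; put the file somewhere outside the web root.

```apache
# Added example: HTTP Basic auth in front of the WordPress login page.
# Goes in the document-root .htaccess of a site on Apache 2.4.
# /home/example/.htpasswd is an assumed path; keep it outside the web root.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>
```

Create the credentials file with `htpasswd -B -c /home/example/.htpasswd yourname` (the `-B` flag stores a bcrypt hash; omit `-c` when adding further users), then check that an unauthenticated request for /wp-login.php now returns 401 rather than the login form. Two caveats: Basic auth sends the credentials with every request, so serve the login page over HTTPS; and if you extend the block to the whole wp-admin/ directory, exempt wp-admin/admin-ajax.php, which many themes and plugins call for logged-out visitors.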

WordPress Security Plugins

The other key area where you can add significant protection is via WordPress plugins. Two in particular stand out, and I recommend taking a look at both:

Limit Login Attempts

This plugin is effective at stopping repeated login attempts from a single IP address, which is how most automated attacks arrive. You configure the number of failures after which that address is locked out and for how long, and a second, much longer lockout (for example 24 hours) that kicks in after two or more of the shorter lockouts. Bear in mind that it counts per address: an attack spread over many addresses will slip under it, and a lockout can also catch legitimate users who share an address behind an office or carrier NAT.

What I like about it is that I can see a history of who has tried to get into my site and from where, and add persistent offenders' IP addresses to a blocklist (Hostgator's excellent support site explains how to do this). I found this plugin sufficient until the recent surge in attempts, which is when I looked to tighten things up further on my site.
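The lockout behaviour described above, written as a minimal must-use plugin so you can see how the escalation works. This is an added example, not the Limit Login Attempts plugin's own code: the thresholds (4 failures, 20-minute lockout, 24 hours from the second lockout on, counters remembered for 12 hours), the `ell_` prefix and the file name are assumptions. It uses only core WordPress hooks (authenticate, wp_login_failed, wp_login) and transients; drop it into wp-content/mu-plugins/ on a test site first.

```php
<?php
/*
Plugin Name: Example Login Limiter
Description: Added example of per-IP failed-login lockouts with escalation.
             Thresholds below are assumptions, not the real plugin's defaults.
*/

// Tunables (assumed values, mirroring the two-level lockout described in the article).
const ELL_MAX_ATTEMPTS  = 4;          // failed logins before a short lockout
const ELL_SHORT_LOCKOUT = 20 * 60;    // 20 minutes
const ELL_MAX_LOCKOUTS  = 2;          // short lockouts before a long one
const ELL_LONG_LOCKOUT  = 24 * 3600;  // 24 hours
const ELL_WINDOW        = 12 * 3600;  // how long attempt/lockout counters are remembered

// REMOTE_ADDR is the one address the client cannot forge. Only substitute a
// proxy header here if a reverse proxy or CDN you control sets it.
function ell_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient keys are hashed so an address never appears raw in an option name.
function ell_key($name, $ip) {
    return 'ell_' . $name . '_' . md5($ip);
}

// Refuse authentication outright while the address is locked out. Priority 30
// runs after core's username/password check, and the filter also covers
// XML-RPC and application-password logins, which attackers target too.
add_filter('authenticate', function ($user, $username, $password) {
    $until = get_transient(ell_key('lock', ell_client_ip()));
    if ($until !== false && (int) $until > time()) {
        $minutes = (int) ceil(((int) $until - time()) / 60);
        return new WP_Error(
            'ell_locked',
            sprintf('Too many failed logins. Try again in %d minute(s).', $minutes)
        );
    }
    return $user;
}, 30, 3);

// Count failures per address; lock out at the threshold, escalating for repeat offenders.
add_action('wp_login_failed', function ($username) {
    $ip       = ell_client_ip();
    $attempts = (int) get_transient(ell_key('attempts', $ip)) + 1;

    if ($attempts < ELL_MAX_ATTEMPTS) {
        set_transient(ell_key('attempts', $ip), $attempts, ELL_WINDOW);
        return;
    }

    // Threshold reached: reset the attempt counter and record one more lockout.
    delete_transient(ell_key('attempts', $ip));
    $lockouts = (int) get_transient(ell_key('lockouts', $ip)) + 1;
    set_transient(ell_key('lockouts', $ip), $lockouts, ELL_WINDOW);

    $duration = ($lockouts >= ELL_MAX_LOCKOUTS) ? ELL_LONG_LOCKOUT : ELL_SHORT_LOCKOUT;
    set_transient(ell_key('lock', $ip), time() + $duration, $duration);

    // Leaves the history the article values: who tried, from where, how often.
    error_log(sprintf(
        '[ell] lockout #%d for %s (%d s) after failed login as "%s"',
        $lockouts, $ip, $duration, $username
    ));
});

// A successful login clears the attempt counter, so one mistyped password
// does not carry over to the next visit; the lockout tally is kept on purpose.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(ell_key('attempts', ell_client_ip()));
}, 10, 2);
```

To verify it, fail a login four times from one address: the fourth attempt should lock you out for 20 minutes, and the fourth attempt after that expires should lock you out for 24 hours, with a line in the PHP error log for each. Because the counters are keyed on REMOTE_ADDR, a site behind a CDN or load balancer would lock out the proxy's address for everyone; adjust ell_client_ip() to the proxy header only in that case.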

WordFence Security

As far as I'm concerned, WordFence is the current state of the art in intrusion prevention and site protection available to WordPress users for free. It blocks visitors who try to log in with a user name that doesn't exist on the site, or who repeatedly enter wrong passwords, and it has a long list of additional security features (scanning your files for malicious changes, for instance) that make it particularly interesting if you have a popular WordPress site!

Check out the WordFence site for more details, and for their cost-effective paid subscriptions, which offer even more protection.

Finally, to cover the worst case, always make sure you have a recent backup from which you can recover the whole site, stored somewhere other than the server it was taken from, and test a restore before you need one for real. My recommendation is BackupBuddy, which, although a paid product, backs up sites and makes recovery easier than any other product I tried. I've even used it to move a WordPress installation from one host to another with virtually no downtime!

What do you think? Have I missed anything? What steps do YOU take to protect your sites? Let me know in the comments below.

About The Author

John is a Senior Solutions Engineer for a U.S. IT company, specialising in Software Defined IT Infrastructure. He has an extensive background in IT and spends way too much time sitting at his PCs, making videos for himself and other Internet marketers and dreaming of spending more time boating. He's also passionate about Jesus.
