Since it was first introduced more than two decades ago, WordPress has grown (and grown) and can now safely be named the world’s most popular content management system. Today, more than a quarter of the websites that exist are run on WordPress.
Yet since time immemorial, the more popular something is, the more people want to leverage it for nefarious means. Just look at Microsoft Windows and the massive number of malware, viruses and other exploits designed to target just this one specific operating system.
Why is your WordPress blog a valuable target?
In case you’re wondering why on earth a hacker would want to control your WordPress blog, there are several reasons, including:
- Using it to secretly send spam emails
- Stealing your data such as a mailing list or credit card information
- Adding your site to a botnet that they can use later
Fortunately, WordPress is a platform that offers you a multitude of opportunities to defend yourself.
Having helped set up and administer several websites and blogs myself, I’d like to share with you some of the more basic things you can do to help secure your WordPress site.
Here are 10 actionable security tips you can make use of.
Secure Your WordPress Login Page
Protecting your login page cannot be accomplished by any one specific technique, but there are certainly steps you can take and free security plugins you can use to make any attack far less likely to succeed.
Your site's login page is certainly one of the more vulnerable pages on your website, so let's get started on making your WordPress site login page a little bit more secure.
1. Choose a good administrator username
Use unusual usernames. Previously with WordPress, you had to start out with a default admin username, but that is no longer so. Still, most new web admins use the default username and need to change their username. You can use Admin Renamer Extended to change your admin username.
Brute forcing login pages is one of the most common forms of web attack that your website is likely to face. If you have an easy-to-guess password or username, your website will almost certainly be not just a target but eventually a victim. From experience, most site hack attempts try to log in with three main choices of usernames. The first two are always ‘admin’ or ‘administrator’, while the third is usually based on your domain name.
For example, if your site is crazymonkey33.com, the hacker might try to log in with ‘crazymonkey33’.
2. Make sure to use a strong password
By now you would probably think that people would know to use strong, complex passwords to protect their account, but there are still many who think ‘password’ is a great one.
Splash Data compiled a list of frequently used passwords in 2018. Password by rank in terms of usage.
If you use one of those passwords and your website receives any traffic at all, your website will almost certainly be taken down sooner or later.
A strong password will include a mixture of:
- Upper- and lower-case characters
- Be alphanumeric (A-Z and a-z)
- Include a special character (!,@,#,$, etc)
- At least 8 characters in length
The more random your password is, the more secure it will be. Try using a password manager to generate a strong random password if you’re having trouble coming up with one.
3. Implement a reCaptcha
reCaptcha was designed to stop automated tools from working on a site. Of course, given the complexity of hacking tools today, these can be quite easily bypassed, but at least there is that added layer of security.
There are a number of reCaptcha plugins you can use with your installation that will work pretty much out of the box.
4. Use Two-factor Authentication (2FA)
2FA is an authentication method that requires an additional verification step when you log in. For example, once you’ve logged in with your username and password, the system might send an SMS to your mobile phone or email you with a code you need to input to verify your identity.
This method of authentication offers good protection and is used by many banks and financial institutions today. Again, this need can easily be met with a 2FA plugin.
See how miniOrange (a 2FA plugin) works with WordPress login in the following video.
5. Rename your login URL
Most hackers will attempt to log in through the default WordPress login page, which is usually something like
To add another layer of protection, change the login page URL quickly and effortlessly with a tool like WPS Hide Login.
6. Limit number of login attempts
This is one incredibly simple technique to stop brute force attacks on your login page right in their tracks. A brute force attack works by attempting to get your username and password right by trying multiple combinations over and over.
If the particular IP which is perpetrating the attack is tracked, then you can block out the repeated brute forcing attempts and keep your site secure. This is also why global DDoS attacks occur with multiple IP addresses with different origins of attack, to throw hosting services and website security off guard.
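How a login-attempt limiter decides which IP to block, shown as an added example (not from the original article or any plugin's code) that runs the same counting over access-log lines. The sample log lines, the threshold of 5 failures and the 5-minute window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the common "combined" access-log format (not real traffic).
POST_LINE = '{ip} - - [12/Mar/2024:10:{m:02d}:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" {code} 4120 "-" "-"'
SAMPLE = [POST_LINE.format(ip="203.0.113.7", m=0, s=s, code=200) for s in range(0, 60, 10)]  # 6 failures in a minute
SAMPLE += [
    POST_LINE.format(ip="198.51.100.4", m=1, s=5, code=302),   # successful login (redirect)
    POST_LINE.format(ip="192.0.2.50", m=3, s=0, code=200),     # one mistyped password
    '198.51.100.9 - - [12/Mar/2024:10:04:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "-"',  # page view only
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_bruteforce(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Map each IP that exceeds max_attempts failed logins inside `window`
    to the time it crossed the limit. Lines must be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, stamp, method, path, status = m.groups()
        # Assumption: a failed login re-renders the form (HTTP 200), while a
        # successful one answers with a 302 redirect.
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != "200":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:   # forget failures older than the window
            attempts.popleft()
        if len(attempts) > max_attempts:
            flagged.setdefault(ip, when)     # keep the first time the limit was crossed
    return flagged


if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE).items():
        print(f"block {ip}: limit exceeded at {when:%H:%M:%S}")
```

Counting per IP, as here, does not catch attempts spread thinly across many addresses, which is why the other login protections in this list still matter.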
Harden Site Security Wall
We've discussed various tactics in securing your WordPress login page – the steps mentioned above are the basics you can do. You should also be aware that some web hosts mandate some of these security practices on their users. There are a number of other security practices that you can implement on your sites.
7. Protect your wp-admin directory
The wp-admin directory is the heart of your WordPress installation. As an additional safeguard, password protect this directory.
To do so, you’ll need to log in to your hosting account control panel. Whether you are using cPanel or Plesk, the option you’re looking for is ‘Password-protect Directories’.
Alternatively, you can password-protect a directory by tweaking your .htaccess and .htpasswds files. A detailed step-by-step guide and a code generator are available for free at Dynamic Drive.
Note that password-protecting your wp-admin folder will break public AJAX for WordPress – you will need to allow permissions to admin ajax via .htaccess to avoid any site errors.
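The .htaccess route described above, including the admin-ajax exception, as an added example that is not from the original article. It assumes Apache 2.4 with authentication overrides allowed in .htaccess; the AuthUserFile path, the realm name and the user name are placeholders.

```apache
# File: wp-admin/.htaccess  (added example; Apache 2.4 syntax assumed)

# Ask for a second username/password before anything in wp-admin/ is served.
AuthType Basic
AuthName "Restricted area"
# Placeholder path: keep the password file outside the web root so it can
# never be downloaded. Create it with: htpasswd -c /path/to/.htpasswd someuser
AuthUserFile /path/to/.htpasswd
Require valid-user

# Front-end plugins and themes call admin-ajax.php on behalf of visitors who
# are not logged in, so this one file has to stay reachable without the
# extra password. WordPress itself decides which AJAX actions logged-out
# visitors may call.
<Files "admin-ajax.php">
    Require all granted
</Files>
```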
8. Use SSL to encrypt data
Aside from the site itself, you’ll also want to safeguard the connection between you and the server and this is where SSL comes in to encrypt your communications. By having an encrypted connection, hackers will not be able to intercept data (such as your password) when you’re communicating with your server.
Aside from this, it’s also good practice to implement SSL now since search engines are increasingly penalizing sites which they consider ‘non-secure’.
For individual bloggers and small businesses, a free, shared SSL – which you can usually get from your hosting provider, Let's Encrypt, or Cloudflare – is usually more than good enough. For businesses that process customers' payments – it's best that you buy a dedicated SSL certificate from your web host or a certificate authority (CA).
Learn more about SSL in our comprehensive A-Z Guide to SSL.
9. Make use of a Content Distribution Network (CDN)
While this might not save your site from being hacked, it does help mitigate malicious attacks against it. Some hackers aim to bring down websites, making them inaccessible to the public. A CDN will help cushion the blow of a Distributed Denial of Service attack on your site.
Aside from that, it also helps speed up your site a little by caching some content. To explore this option, look towards Cloudflare as an example. Cloudflare offers CDN services at multi-tiered pricing levels, so you can even use basic features for free.
Learn more about how Cloudflare works and the advantages of using the service.
10. Ensure ALL your software is up to date
No matter how good or expensive software is, there will always be new weaknesses found in them that might leave them open to exploit. WordPress is no exception and the team is constantly releasing newer versions with fixes and updates.
Hackers almost always seek to take advantage of weaknesses, and a known exploit that is left unfixed is simply asking for trouble. This goes twice as much for plugins, which are often created by much smaller companies with fewer resources.
If you’re using plugins, make sure that updates are released regularly, or consider finding popular plugins with similar functionality that are kept updated.
Having said this, I do NOT recommend you use automatic WordPress and plugin updates, especially if you’re running a live site. Some updates may cause problems, whether internally or through conflict with other plugins and settings.
Ideally, create a test environment that mirrors your live site and test the updates there. Once you’re sure everything works fine then you can apply the update to the live site.
Control panels such as Plesk give you the option to create a site clone for this purpose.
11. Backup, backup and backup!
No matter what security measures you take or how cautious you are, accidents happen. Save yourself from a crushing heartbreak and hundreds of hours of work by simply making sure you have adequate backup services in place.
Normally your web host would come with some basic backup features at least, but if you’re paranoid like me, always make sure you carry out your own independent backups. Backing up is not as simple as just copying out some files; you also need to take into consideration the information in your database.
Look for a backup solution that’s tried and proven. Even a small investment is worth it to save on the tears in case of emergency. Something like BackupBuddy can help you save everything including your database in one go.
12. Your web host counts!
Although traditionally, web hosting companies simply offered space for us to host our websites, times have changed. Web hosting providers, understanding the vulnerabilities, have stepped up to increase the security with many offering value-added services to complement their web hosting.
Take for example HostGator, one of the more established names in the game. Aside from basic Cloudflare features, HostGator (at the price of $10+/mo) also comes with Spam Free Protection, Automated Malware Removal, Automated Backups, Domain Privacy and more.
If this is something that hasn’t occurred to you yet, I highly encourage you to look at what security features your host provides and compare it with what’s currently available.
For a comprehensive list you can check out WHSR's compilation of best web hosts here.
Before you run wild and start scouring the Internet in panic searching for a million and one security solutions – take a deep breath. As with everything else, someone will have helped you panic already and looked for a solution.
Even if you implement as many security solutions as you can find, are you sure you’re safe?
Here’s where something like Security Ninja comes in, which helps you probe your site for weaknesses.
There are a couple of compelling reasons to use something like Security Ninja but let me say that it’s a tool which I would recommend using at multiple stages in your journey to secure your site.
First, run it on your website ‘as is’ – before making any changes. Let the plugin poke and prod your site before giving you the results.
Then based on those results, work towards securing your site. Security Ninja performs more than 50 tests to probe your defences. Even after you’ve made your changes, run it again (and every time there are site changes or plugin updates) just to test your site.
If this sounds like a little too much work for you, Security Ninja also comes with a host of additional modules (pro version, single site $29) that can help you fix the problems it finds.
Some other key features in these modules include:
- Scan WP core files to identify problematic files
- Restore modified files with one click
- Fix broken WP auto-updates
- Ban 600 million bad IPs collected from millions of attacked sites
- List auto-updates, no need for any maintenance or manual work
- Protect login form from brute-force attacks
While all of this may seem a little excessive to the average WordPress user, I assure you that all of it (and more) is necessary. Ignoring the worldwide hacking statistics and whatnot for a while, let me share with you some personal information on one of the most obscure sites I help manage.
I created www.timothyshim.com, which originally started off as a simple biography site. Obviously, it was just something that I set up and most of the time leave alone, simply as a reference point. In each month-long period, this site, which basically does nothing and collects no data, faces over 30 attacks – a combination of brute force and complex ones.
All it needs is for one of them to succeed and I’d be having a really bad day.