Securing your WordPress website

WordPress is by far and away the most popular content management system. However, due to it’s popularity it also attracts huge numbers of attacks. Thankfully, it’s popularity and versatility also means that it’s core system is always worked on in the way of regular updates. Many of these updates continually improve the security of WordPress. However, regularly updating WordPress with core updates doesn’t mean that you should ignore other good practices in keeping your WordPress website as secure as possible. Below we look at a variety of steps that help facilitate good security practices.

Username and password

The most simple and obvious step anyone can take is to make sure their WordPress administration username and password combination is unique. This is particularly important for any accounts that have ‘admin’ as the username that are active on the website.

When a WordPress installation takes place, a default administrator account is created with the username ‘admin’. This is a potential problem as most automated Brute Force attacks (a consistent trial and error attack to determine data such as passwords) tend to use a combination of the word ‘admin’ and variant passwords. Making sure your username is changed from ‘admin’ can significantly reduce the chance of success of an attack as you are effectively making your username harder to guess. If the default ‘admin’ account still exists then create a new account with administrator rights and then delete this ‘admin’ account (you will be prompted to assign any posts from this account to a different account).

Passwords are a difficult one. You obviously need to try and remember your password for continued access to the administration but at the same time securing your user account with something that is very obvious is not advisable. A recommended secure password is ideally a mixture of lowercase and uppercase letters interspersed with numbers and special characters such as underscores and hyphens. To add to this complication your user account password should be unique to the website (ie don’t reuse a password you use elsewhere). This is where password managers become very useful. A password manager such as the excellent LastPass allows you to store any website login addresses, and your username / password combination. This means that if you have LastPass correctly installed on your device then it will recognise when you hit that login page and can autofill the username and password fields and log you in.

Administration Accounts

If you have a number of accounts that need administrator access then make sure those accounts are kept on top of. Any accounts that are no longer used should be removed immediately and usernames and passwords for these accounts should be unique and follow good username / password practices.

Cloaking the login url

By default the WordPress login page url is similar for all installations; such as:

As with the ‘admin’ username most Brute Force attacks will look for these variations of login paths. Fortunately there are plugins for WordPress such as WPS Hide Login that make it easy to switch this login path to one of your choice. This means that the default login url will no longer work and will no longer be accessible. To make this as secure as possible, when setting the path for the login page, introduce some randomisation with numbers and letters (eg ‘login_3fHH01p’). Obviously, make sure to note down this new login url or you will not gain access to the administration.

Two-Factor Authentication

Finally with regards to logging in, a further security risk reduction is to implement Two Factor authentication. However, logging in can get complicated and potentially frustrating with Two Factor authentication so implementing this is a weigh up of how secure you want your administration to be.

As the name suggests Two Factor authentication involves two elements to the process of logging in. The first stage is to login as you normally would. At this point before logging in fully you will usually be asked to enter a series of digits that have been sent to your mobile phone. Without entering this you will not be able to access your account. Two Factor authentication is not default on WordPress installations currently but there a number of plugins that add this extra layer of security, including Two Factor Authentication and Wordfence (we cover Wordfence on it’s own later in the article).

Keeping WordPress up to date

It goes without saying that updating WordPress when new core updates are available is crucial to minimising security exploits. As a company we regularly check all our WordPress sites to ensure that the core build is the latest version (we have minor revision releases set up to automatically update). Once in the administration there will be a notification if you need to update to a latest version (including showing you what version you are currently running). Updating WordPress is relatively straight forward and can usually be done through the administration with a few clicks. If you are unsure then contact your hosting support or web development team to advise.

Minimise the usage of plugins and keep them up to date

As with the main core version, make sure all plugins that are used on your website are kept up to date. Plugins present another potential way for your site to be exploited. As well as maintaining versions of the plugins make sure the plugins themselves are actively maintained by their authors. The larger the install base and the higher the rating a plugin has on the likelihood is that the plugin is well maintained and will continue to be so in the future. The danger with certain plugins is that they are not actively maintained by their authors which means they can be ‘lame ducks’ for exploits.

It is also good practice to make sure that the theme your website is using is kept up to date as well. Any themes that are not used on your installation should be removed.

Adding a dedicated security plugin

Although the WordPress core does a good job of patching security exploits, an extra layer of active system security is worth serious consideration. From our experience the acclaimed plugin Wordfence is a must-have for your website (by default we install the free version of this plugin on all our clients’ websites). The plugin has been downloaded millions of times and has a great average rating of 4.8 out of 5 on There is a dedicated team working on Wordfence constantly.

About Wordfence

Wordfence is a free plugin (with a premium license option available) and will actively scan your WordPress system for exploits and vulnerabilities through scheduled scans and alert you to any problems. Wordfence also comes with it’s own firewall protection. If enabled this will block any known threats to your website before any PHP code is run on the website so essentially negating the threat immediately. The team behind Wordfence actively update the known threat feed from the millions of websites they already protect. Wordfence will also prevent Brute Force attacks by locking out any users who try to login too many times.

The premium edition is definitely worth consideration. The plugin has a number of useful additions including:

  • An option for Two Factor Authentication
  • A more up to date Threat feed than the free version
  • Ability to block individual countries

Make sure your website is running over https

This is a general security addition that applies whether you are running a WordPress website or not. I have talked about the benefits of having an SSL (Secure Socket Layer) certificate elsewhere. Making sure that any data transfer between users who are logged into your WordPress website and the server will make it more difficult for threats to intercept any of this data as it is encrypted.

Backup your website and database regularly

A regular website backup will always ensure that you potentially have a clean copy of your website that you can revert to if the website has been compromised. How easy it is for you to back up your website will depend on what your hosting providers offer. We have access to multiple back ups of our clients website data should we ever need to revert. If your provider does not have this service then there are a number of plugins such as Vaultpress that allow you administrate this yourself.


Securing your WordPress website can be daunting but with a little know-how and good hosting support it is relatively straight forward to take steps to make sure that your website has good basic security exploit reduction practices implemented.