WordPress is one of the most popular blogging platforms out there, and for that reason it is also one of the most hacked. Here are some really simple ways to secure your WordPress site, and ensure it stays secure.
1. Secure Passwords
This is the most basic thing you can do, and I hope it’s something you’re already doing across all of the websites you use. You should aim for a minimum of 17 characters, and a mixture of uppercase, lowercase, numbers, and symbols. This protects you against brute force password attacks.
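One way to make the 17-character rule stick for every user rather than leaving it to good intentions is to reject weak passwords at the point they are set. This is an added example, not code from the original post: it hooks the profile-save and password-reset validations WordPress already runs. It assumes it is loaded from functions.php or as an mu-plugin, and the rule names and messages are my own.

```php
<?php
// Added example (not from the original post): enforce the 17-character minimum and a
// mix of character classes whenever a password is created, changed or reset.
// Assumes it is loaded from functions.php or wp-content/mu-plugins/.

function example_password_policy_errors(string $password): array {
    $errors = [];
    if (strlen($password) < 17) {
        $errors[] = 'Password must be at least 17 characters long.';
    }
    $classes = [
        'an uppercase letter' => '/[A-Z]/',
        'a lowercase letter'  => '/[a-z]/',
        'a digit'             => '/[0-9]/',
        'a symbol'            => '/[^A-Za-z0-9]/',
    ];
    foreach ($classes as $label => $pattern) {
        if (!preg_match($pattern, $password)) {
            $errors[] = "Password must contain {$label}.";
        }
    }
    return $errors;
}

// Both hooks pass a WP_Error object first; add one error per failed rule so the
// user sees every problem at once instead of fixing them one submit at a time.
function example_enforce_password_policy(WP_Error $errors, $update_or_user = null) {
    // Profile edits, user creation and the reset form all post the new password as pass1.
    // validate_password_reset also fires when the form is merely displayed; nothing to check then.
    if (empty($_POST['pass1'])) {
        return;
    }
    foreach (example_password_policy_errors((string) wp_unslash($_POST['pass1'])) as $message) {
        $errors->add('weak_password', $message);
    }
}
add_action('user_profile_update_errors', 'example_enforce_password_policy', 10, 2);
add_action('validate_password_reset', 'example_enforce_password_policy', 10, 2);
```

Length is the rule that matters most against offline cracking; the character-class checks mirror what the post asks for and catch the long-but-predictable passwords users reach for when a length rule is all that is enforced.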
2. Non-standard Admin usernames
This is security through obscurity, which isn’t the greatest security method – but hear me out. If you had the choice between being blasted by a fire hose or a garden hose, which one would you pick? The garden hose, of course! This is similar to choosing non-standard account names. At a minimum, avoid ‘admin’ and your website’s name.
One of the attacks going around at the moment is a brute force on the default admin account. This particular attack, and many others like it, are distributed across many IP addresses so limiting logon attempts will only go so far. If you don’t have an account named ‘admin’, this particular attack is completely useless.
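Limiting logon attempts still helps with the single-source noise, and it is cheap to do without a plugin. The following is an added example, not code from the original post: it counts failed logins per username-and-IP pair with WordPress transients and refuses further attempts for that pair once a limit is reached. The limits (5 failures, 15-minute window) and the mu-plugin placement are my assumptions.

```php
<?php
// Added example (not from the original post): throttle repeated failed logins
// per (username, source IP) pair using transients. Assumed limits: 5 failures
// within 15 minutes lock that pair for 15 minutes. Load as an mu-plugin.

const EXAMPLE_MAX_FAILURES   = 5;
const EXAMPLE_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

function example_login_throttle_key(string $username): string {
    // REMOTE_ADDR is only meaningful if PHP sees the client directly. Behind a
    // reverse proxy, use the address the proxy sets; never trust a raw client header.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'login_fail_' . md5(strtolower($username) . '|' . $ip);
}

// Count each failure. set_transient() restarts the expiry, so attempts made while
// locked out extend the lock rather than waiting it out.
function example_record_login_failure(string $username): void {
    $key   = example_login_throttle_key($username);
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, EXAMPLE_WINDOW_SECONDS);
}
add_action('wp_login_failed', 'example_record_login_failure');

// Priority 40 runs after the core username/password and cookie handlers, so a
// locked-out pair is refused even when the password happens to be right.
function example_block_locked_logins($user, string $username, string $password) {
    if ($username === '') {
        return $user;
    }
    $count = (int) get_transient(example_login_throttle_key($username));
    if ($count >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed logins for this account from your address. Try again later.'
        );
    }
    return $user;
}
add_filter('authenticate', 'example_block_locked_logins', 40, 3);
```

Because the key includes the source address, a distributed attack spread across many IPs will mostly slip under the per-pair limit, which is exactly the point the post makes: this slows down the lazy attacks, and the non-standard username handles the rest.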
3. Limit Admin and FTP access
The admin account should be used for just that – site administration. Never use an admin account for day to day work such as posting content. By constantly logging into it, you are opening up your site to more attacks as your password is being transmitted across the wire (often unsecured) more than it needs to be. You also run the risk of logging in on insecure computers.
4. Use only reputable, well tested plugins and themes
Possibly one of the biggest sources of vulnerabilities is plugins (and, generally to a lesser extent, themes). The standards for public plugin release are very low, and often you have inexperienced people releasing extremely insecure plugins to the world. Firstly, I advise you to limit your plugin use to instances where you absolutely need it. Secondly, only use plugins that have a good rating and a few updates under their belt. Even better, make sure the last update was within the last six months. Abandoned plugins are the worst.
If you make a change or patch to the plugin, submit it back to the author so everyone benefits. Submitting the code back also means you can freely update the plugin without having to re-apply your own patch.
I find myself writing a lot of custom code instead of using pre-built plugins, mainly to reduce the attack surface. This may sound counter-intuitive at first. Why would I write code myself, and risk creating my own security holes, when other pre-tested and updated solutions exist? I do it because the code I write is very specific to my uses, and I am able to be very sure about its security. With larger public plugins, it would be impractical for me to understand the ins and outs of them and properly assess their security. When I write it myself, I have a very high level of understanding about it. Also, having the code kept private means it cannot be targeted specifically.
5. Update often
If there’s a WordPress, Plugin or Theme update available, you should test it and apply it as quickly as possible. Always read the release notes and check to see what has actually changed before applying the patches. If you are a skilled developer, you could possibly apply the security updates manually and then get the rest of the updates done later.
6. Enable Two Factor Authentication
If you have a smartphone, you can use a two factor authentication service such as Google Authenticator. This means when you want to log in you not only need to know your password, but also enter a one-time code provided by a smartphone app. This adds that extra layer of security without creating much extra hassle for yourself.
7. Hide the WordPress version number
By default, every WordPress page divulges the WordPress version number as a meta tag. Attackers can use this to target known vulnerabilities in your WordPress site. To disable this version number, add this PHP code to functions.php:
remove_action('wp_head', 'wp_generator');
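The generator meta tag is only one of the places the version shows up: WordPress also writes a generator element into its RSS/Atom feeds and appends the core version as a `?ver=` query string to the scripts and styles it enqueues. The following is an added example, not code from the original post, that covers all three from functions.php; the function name is my own.

```php
<?php
// Added example (not from the original post): remove the WordPress version from the
// page head, from the feeds, and from the ?ver= parameter on core assets.

// 1. The <meta name="generator"> tag in the page head (the line from the post).
remove_action('wp_head', 'wp_generator');

// 2. The <generator> element WordPress writes into every RSS/Atom feed.
add_filter('the_generator', '__return_empty_string');

// 3. ?ver=x.y.z on enqueued scripts and styles. Only strip it when it equals the core
//    version, so plugins and themes keep their own cache-busting parameter.
function example_strip_core_version_param(string $src): string {
    global $wp_version;
    $query = parse_url($src, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return $src;
    }
    parse_str($query, $params);
    if (isset($params['ver']) && $params['ver'] === $wp_version) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_core_version_param');
add_filter('style_loader_src', 'example_strip_core_version_param');
```

Treat this as tidying rather than protection: the readme.html that ships in the site root states the version too, and scanners fingerprint core files directly. Staying patched (tip 5) is what actually closes the known holes.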
8. Disable PHP file editing
If an attacker does manage to get into your site, you can prevent them from implanting malicious code by disabling the ability to edit PHP files. The easiest way to do this is to add this code to functions.php:
define('DISALLOW_FILE_EDIT', true);
You should also change the file permissions on the web server so the standard web user can’t overwrite any files (except the uploads folder).
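A quick way to verify the permissions change actually took is to ask the web server user what it can write. This is an added example, not code from the original post: a small command-line PHP script that walks the install and lists everything writable by the user it runs as, skipping wp-content/uploads. The paths, the `www-data` user name and the function name are assumptions for your host. (For the constant above, WordPress's own documentation places `DISALLOW_FILE_EDIT` in wp-config.php, which is loaded before any theme code; either location works, but wp-config.php survives a theme switch.)

```php
<?php
// Added example (not from the original post). Run as the web server user, e.g.
//   sudo -u www-data php audit-writable.php /var/www/html
// to list files and directories the web user can overwrite. wp-content/uploads is
// skipped because it is expected to be writable. User and path are assumptions.

function example_find_writable(string $root, array $allowed = ['wp-content/uploads']): array {
    $root = rtrim(realpath($root) ?: $root, '/');
    $allowedPrefixes = array_map(fn($p) => $root . '/' . trim($p, '/'), $allowed);
    $writable = [];

    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        foreach ($allowedPrefixes as $prefix) {
            if (strpos($path, $prefix) === 0) {
                continue 2; // inside an allowed tree, skip it
            }
        }
        // is_writable() answers for the user PHP is running as, which is the point
        // of running this under the web server account rather than as root.
        if (is_writable($path)) {
            $writable[] = $path;
        }
    }
    sort($writable);
    return $writable;
}

if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? getcwd();
    $hits = example_find_writable($root);
    printf("%d writable path(s) outside the uploads folder under %s\n", count($hits), $root);
    foreach ($hits as $hit) {
        echo $hit, "\n";
    }
}
```

One caveat that bites people: once the web user cannot write to core, plugin and theme files, WordPress's built-in automatic updates and one-click updates stop working, so tip 5 then has to be done through your deployment process or by a user that does have write access.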
9. Check what your site looks like on other browsers
Often, your website can be attacked and serving malicious content to visitors without you even knowing! Attackers often target Google Search results, rather than taking over your whole site. It pays to search for yourself regularly and from multiple computers. This way you can see if the search results have been hijacked, and if your pages serve up different content based on the referrer.
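Searching from a few computers is the manual version of this check; the same comparison can be scripted so it runs on a schedule. This is an added example, not code from the original post: it fetches one of your own pages as an ordinary browser, as a search-engine crawler, and as a visitor arriving from a search result, then compares a normalised fingerprint of each response. The URL, the user-agent strings and the function names are assumptions.

```php
<?php
// Added example (not from the original post): fetch one of your own pages three ways
// and compare. Differences are not proof of compromise (A/B tests, ads and geo content
// vary too) but are the signal the post tells you to look for.
// Usage: php cloak-check.php https://example.com/   (URL is a placeholder)

function example_fetch(string $url, string $userAgent, string $referer = ''): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 5,
        CURLOPT_TIMEOUT        => 20,
        CURLOPT_USERAGENT      => $userAgent,
        CURLOPT_REFERER        => $referer,
    ]);
    $body     = curl_exec($ch);
    $finalUrl = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
    $status   = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ['status' => $status, 'url' => $finalUrl, 'body' => $body === false ? '' : $body];
}

// Strip things that legitimately differ between requests (inline scripts with nonces,
// timestamps) and hash the visible text, so only real content changes show up.
function example_fingerprint(string $html): string {
    $html = preg_replace('/<script[^>]*>.*?<\/script>/is', '', $html);
    $html = preg_replace('/\d{6,}/', '#', $html);
    return sha1(trim(strip_tags($html)));
}

function example_compare_views(string $url): array {
    $browser = 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0';
    $crawler = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
    $views = [
        'browser'     => example_fetch($url, $browser),
        'crawler'     => example_fetch($url, $crawler),
        'from-search' => example_fetch($url, $browser, 'https://www.google.com/'),
    ];
    $report = [];
    foreach ($views as $name => $view) {
        $report[$name] = [
            'status'      => $view['status'],
            'final_url'   => $view['url'],
            'fingerprint' => example_fingerprint($view['body']),
        ];
    }
    return $report;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $report = example_compare_views($argv[1]);
    foreach ($report as $name => $row) {
        printf("%-12s %3d %s %s\n", $name, $row['status'], substr($row['fingerprint'], 0, 12), $row['final_url']);
    }
    $distinct = array_unique(array_column($report, 'fingerprint'));
    echo count($distinct) === 1 ? "All views match.\n" : "Views differ: compare them by hand.\n";
}
```

A redirect that only happens for the crawler or the from-search view (visible in the final URL column) is the classic sign of hijacked search traffic, and is easy to miss when you always arrive at your own site by typing the address.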
10. Take Regular Backups
It goes without saying that you need to regularly make and test backups. For my low volume sites, I will take a backup every couple of weeks. For high volume sites I prefer to do them every day via automated jobs. When you take a backup of WordPress, make sure you backup the files and the database as well.
Once you have a backup, you need to test that you can restore it. I do this on my local MAMP server. If there are missing dependencies or broken pages, I can find the source of them and correct my backup procedure. Test restores should be done every month or two, but more often if your site is very valuable.
11. Use Security Plugins
Reputable security plugins such as Wordfence and iThemes Security will continually scan your site for vulnerabilities, and also patch many out-of-the-box configuration problems.
What security tips have I left out? Leave your thoughts in the comments. Also, sign up to my email newsletter to get more information like this one!