Press enter to see results or esc to cancel.

5 Tips for Securing Your WordPress Site

wordpressWordPress is the largest CMS (Content Management System) in the world, netting 41% of sites using a CMS. This is because WordPress is easy to use, heavily curated, and widely supported for both themes and plugins. This also makes it a target for hackers. For a long time it took great pains to secure a WordPress site, using server settings, firewalls, and more- all far beyond the means of most consumers looking to create a site. However, there are now a huge number of ways to secure your site via best practices, plugins, and settings that promise to lock down your site and keep it safe.

1. Don’t Give Away the Keys to Your Site

There are a few things you can do even as you set up your site to help ensure your site is less vulnerable. First, NEVER use “admin” as your username. When you do this, you are giving any potential hacker half of the key to unlock your site. Make it something unique, and avoid your name or just the site name. These will be the first things a hacker tries. Don’t forget this important point when setting up your database as well.

Next up is passwords, the other half of the key. Don’t get lazy here, put some effort into creating a unique and secure password. And that goes for both WordPress and your database passwords. Use a good combination upper and lowercase letters, numbers and symbols. And for goodness sake, don’t use “password”, “12345”, or “secret”. Instead use a tool like to create a random password. If you are afraid you will forget a truly unique password, then use a tool like or both of which will store your password and keep it secure under a password of its own.

2. Don’t Ignore Your Database

The single easiest way to avoid your WordPress site from getting hacked is to NOT advertise that you are using WordPress. You can start this process as you are setting up the site. When you are on the set up page where you select your username and password as well as the name of your site. An often ignored field is the database prefix, which defaults to “wp_”. Change this prefix and you will be starting the process of hiding what you are using. Good examples are initials, maybe a simplified version of the site name, etc.

It is vitally important to also keep backups for your database in case you are hacked. Yes, our goal is prevent attacks but they do happen. If you have a recent backup of your database you can easily restore your site if you have to rebuild your site.

3. Plugins and Themes have to be Considered

Only download and install plugins and themes from TRUSTED sources. You must treat this like you would downloading software for your computer. If the site in question looks shady, it probably is. Do some research and see if you can find anything on the reputation of the site or plugin/theme. It should go without saying, do not download and install pirated or stolen plugins and themes. Not only are you stealing from an author who has spent many hours developing the product, you are taking a chance on what you put in your site. Anything could be added to the code which means it could install viruses, or create a backdoor to your site. In really bad situations, it could turn your site into a malicious page that tries to install adware, malware, or viruses to visitors through their browser.

Keep your site updated constantly. This is one best practice that should be a no-brainer. You update your OS, you update your phone, and you update your software- so why wouldn’t you update the software that keeps your site running? Updates come often from WordPress as they work tirelessly to eliminate vulnerabilities that have been found. Themes and plugins also update not only for features but to work best with the newest versions of WordPress. Simply by keeping your site updated, you will be heading off a lot of problems.

4. Lock It Down From the Server

Not all attacks are brute force attacks. Some come by gaining information about your structure and security. First, you don’t want anyone having access to your wp-admin directory. This is where many of your sensitive files are housed, so make sure the door is locked. You will do this via the .htaccess file. A good tutorial on this can be found here.

Another way to eliminate info that goes public is to hide login error messages in the functions.php. Right now, it will tell you if your username or password is incorrect. If they hit the right username, it will just say the password is wrong- giving an attacker a clue that they are on the right path. To block this simply add the following to your functions.php file and make your message more vague.

function wrong_login() {
return ‘Wrong username or password.’;
add_filter(‘login_errors’, ‘wrong_login’);


Finally, don’t let users browse your directory structure. Think of it in these terms. If you had an image that was located at then all a user needs to do is take off the image.jpg from the address and they will have access to see every file in the directory. To keep your server private just add the following to the .htaccess file:

Options -Indexes

5. Let WordPress Do Some Work

There are many options including those that are native to WordPress including security programs and site scanners. These tools will look for vulnerabilities as well as protect against attacks. Here are a couple of trusted tools:

Sucuri Site Check

Sucuri Site Check is a free tool that checks your site for errors, out of date software, malware, blacklist status and more. They also offer a subscription service to keep your site protected as well as cleaning up any infections, removal from blacklists and security monitoring.

Code Guard

A tool similar to Sucuri, Code Guard monitors your site remotely for any vulnerabilities and protects against active attacks. However, one of the great points here is Code Guard’s ability to perform daily database and site backups as well as restoring from any point. Truly a huge plus for any siteowner.


Like both Sucuri and Code Guard, Wordfence is a premium plugin offering a paid service. However, it boasts an incredible suite of tools in its free version. I personally use this on every WordPress site I build, and cannot say enough good things about it. Wordfence, in its free version, will block anyone attempting to access your site too quickly, let you see failed attempts to log in to yours site and immediate ability to block those users temporarily or permanently. You can also choose the criteria for login attempts and lockouts. You can also eliminate anyone spoofing an admin account by blocking usernames that are created with certain words.

Wordfence will email you immediately if you have a failed attempt to log in, and can choose to be emailed whenever anyone logs in- or just admins. It will also email you to warn about necessary updates and any file changes. Truly a huge value even in its free version.

Security is a real concern, especially with WordPress sites, but it is manageable to lock it down. Using these tips you can have both the usability of WordPress with full security.


Comments are disabled for this post