Top Eight WordPress Security Tips
Whilst a determined hacker will try many ways to gain access to a website, here are a number of ways to make their lives harder. These tips are basic practices that matter for any site, and all the more if your website collects information about your users, especially personal information and, above all, payment card data.
Keep your WordPress website up to date!
Always ensure your WordPress installation is up to date. The community behind WordPress (WP) is an extremely active one and when security issues arise, WP is quick to push out a new version. In the admin interface you will always see notifications from WP that a new version is available, and also when updates are available for your plugins. You can also activate automatic updates: minor (security) releases of WP core have installed themselves by default since version 3.7, major releases can be switched on from the Updates screen, and each plugin has its own auto-update toggle on the Plugins screen.
However, not every plugin can be automatically updated (premium plugins that fetch updates from their vendor's own servers often cannot), and automatic updates can fail, so you should regularly check your plugins or have your developer do it for you (we do this for our clients).
Remove any plugins you're not using, and especially be on the lookout for any plugins you have installed that have been abandoned by their developer. These are usually indicated within their listing on the official WP plugins directory as either abandoned or not updated for a long time. Certain security plugins, e.g. Wordfence, will check and notify you if it thinks a plugin has been abandoned. Deactivating is not enough: an inactive plugin's files are still on the server and still reachable by URL, so delete it. With the many plugins available you're sure to find an alternative plugin still under active development.
Also, only ever install plugins from the WP plugins directory or the official plugin developer's website. Never, EVER, use pirated ("nulled") plugins! Yes, you can find cheaper sources of expensive plugins, but they very often carry malware and backdoors that compromise your site the moment you install them, and they cannot receive the vendor's updates afterwards.
Be aware that upgrading WP and / or your plugins can sometimes break the site, for example when an update introduces a bug or a plugin is not yet compatible with the new core version. So, after any WP upgrade check your website, and make sure you have good quality hosting with reliable backups in case anything goes badly wrong. WP emails the site administrator when an automatic update has run and, importantly, when it encountered an error.
Don't do Admin
'admin' was the default username on old WordPress versions (before 3.0) and is still frequently chosen for administrator accounts. Do not do this! A large share of automated attacks on WordPress simply try the username 'admin' with password after password (brute force), so an unguessable username takes away half of the credential for free. You can use pretty much any other name you want, even something long and complex using a combination of letters and numbers. Note that WordPress does not let you rename an existing user from the dashboard: to get rid of 'admin' on a live site, create a new administrator, delete the old account and reassign its posts to the new one.
Additionally, in your WordPress user account you can change your public facing name to a nickname, so your username is not shown when you write news posts for example. Be aware this only changes what is displayed: the author archive URL (/author/slug/) defaults to the login name, visiting /?author=1 redirects straight to it, and the REST API at /wp-json/wp/v2/users lists the slugs of everyone who has published a post, so change the user's slug (the "nicename") as well, or block those routes.
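The following script is an added example and not part of the original article. It does what the two paragraphs above describe on an existing site: first it checks whether the login name still leaks through the author archive redirect and the REST API, then it replaces the 'admin' account using WP-CLI. It assumes WP-CLI ("wp"), curl and sed are installed and that the site root, public URL and the new account's name and e-mail address are the illustrative values given at the top (override them through the environment).

```shell
#!/bin/sh
# Added example, not the article's code. Replaces an 'admin' account with
# WP-CLI and checks where the login name is still exposed.
# Assumptions: WP-CLI is installed; WP_PATH, SITE_URL, NEW_LOGIN and
# NEW_EMAIL below are placeholders for your own values.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"
SITE_URL="${SITE_URL:-https://example.com}"
OLD_LOGIN="${OLD_LOGIN:-admin}"
NEW_LOGIN="${NEW_LOGIN:-site-owner-7f3k}"
NEW_EMAIL="${NEW_EMAIL:-owner@example.com}"

# Return success when a "Location:" header from /?author=N points at an
# author slug equal to the given login name, i.e. the username is exposed.
author_slug_leaks() {
  slug=$(printf '%s' "$1" | tr -d '\r' | sed -n 's#.*/author/\([^/]*\)/*.*#\1#p')
  [ "$slug" = "$2" ]
}

check_exposure() {
  echo "Author archive redirect (the slug defaults to the login name):"
  loc=$(curl -sI "$SITE_URL/?author=1" | tr -d '\r' | grep -i '^location:' || true)
  echo "  ${loc:-no redirect}"
  if author_slug_leaks "$loc" "$OLD_LOGIN"; then
    echo "  -> login name '$OLD_LOGIN' is visible in the author URL"
  fi
  echo "REST API user listing as an anonymous visitor (first 300 bytes):"
  curl -s "$SITE_URL/wp-json/wp/v2/users" | head -c 300
  echo
}

replace_admin_account() {
  # WP-CLI generates and prints a random password when --user_pass is omitted.
  wp user create "$NEW_LOGIN" "$NEW_EMAIL" --role=administrator --path="$WP_PATH"
  new_id=$(wp user get "$NEW_LOGIN" --field=ID --path="$WP_PATH")
  # Give the new account a public slug and display name that differ from its login.
  wp user update "$new_id" --user_nicename="editor" --display_name="Site Editor" --path="$WP_PATH"
  # Delete the old account and hand its posts and pages to the new one.
  wp user delete "$OLD_LOGIN" --reassign="$new_id" --yes --path="$WP_PATH"
}

case "${1:-}" in
  check)   check_exposure ;;
  replace) replace_admin_account ;;
  *)       echo "usage: $0 check|replace" ;;
esac
```

Run it with "check" first; if the Location header ends in /author/admin/ the display-name change has not hidden anything. After "replace", log in with the new account and re-run "check".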
Pa$$w0rds!
Passwords are still relatively easy to guess because people put little thought into them and reuse the same ones on different sites. Also, with the rising number of security breaches, username and password combinations are often exposed* and made available for sale on the dark web, then tried against every other site the victim might use (credential stuffing). As mentioned above, hackers also simply try to brute force their way in using programs that continually attempt to log in.
Make it hard for hackers - use a long (minimum 18 characters), unique password with a combination of upper and lower case characters and numbers. WP can generate a complex password for you, and if you use a password manager app (such as BitWarden, Proton Pass, 1Password) you won’t need to remember it.
Tip: if you don't want to use a password manager and find remembering passwords difficult, try a passphrase: four or more unrelated words strung together are far easier to remember than a random string yet long enough to resist guessing, and a diceware-style generator will produce one for you.
WordPress itself does not ship with two-factor authentication (2FA, also called Multi-Factor Authentication or MFA), but security plugins such as Wordfence add it, as does the dedicated Two Factor plugin in the WP directory. Turn it on for every administrator account; a code from an authenticator app is preferable to one sent by SMS, but either is a big improvement over a password alone.
*Check to see if your credentials have been found in a known data breach using haveibeenpwned.com
Implement security plugins
There are a number of WordPress security plugins available and it is worth implementing one to make sure your website is as secure as possible. One well-configured plugin is usually better than several overlapping ones: two firewalls or two scanners on the same site tend to conflict with each other and slow it down.
The below plugins are available as both free and premium versions, so you can at least have some basic protection or use the free version as a trial before paying for additional features:
- Wordfence Security
- iThemes Security (now Solid Security)
- Sucuri Security
- All In One WP Security & Firewall
- Defender Security
Using a security plugin that has a firewall, the ability to protect the all-important wp-config.php file (it holds your database credentials and authentication salts), and options that hide information about your site (WordPress and plugin versions etc.) will make a hacker's job just that little bit harder. Treat version hiding as cosmetic though: scanners can fingerprint versions from other clues, such as the ?ver= query strings WP adds to its script and stylesheet URLs, so it never replaces keeping things up to date.
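To show what "protect wp-config.php and hide site information" consists of underneath a security plugin, here is an added example (not from the article or any of the plugins listed) that applies the same hardening by hand: web server rules that refuse to serve wp-config.php and refuse to execute PHP dropped into the uploads folder, WP-CLI commands that set the relevant wp-config.php constants, and a small must-use plugin that removes the version tag and stops the REST API listing accounts to anonymous visitors. It assumes WP-CLI is installed, Apache honours .htaccess (the nginx rules are printed for you to paste into your server block), and the site root is the placeholder WP_PATH.

```shell
#!/bin/sh
# Added example, not the article's code: manual equivalents of common
# security-plugin hardening. Assumptions: WP-CLI ("wp") is installed and the
# site lives at WP_PATH; Apache reads .htaccess; nginx rules go in server {}.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"

# Apache: never serve wp-config.php. xmlrpc.php is the favourite channel for
# password guessing; block it unless you rely on Jetpack or the mobile app.
apache_deny_rules() {
  cat <<'EOF'
<Files wp-config.php>
  Require all denied
</Files>
<Files xmlrpc.php>
  Require all denied
</Files>
EOF
}

# Apache, placed in wp-content/uploads/.htaccess: uploads hold images, not
# code, so any PHP file that appears there is a planted web shell.
uploads_no_php_rules() {
  cat <<'EOF'
<FilesMatch "\.(php|phtml|phar)$">
  Require all denied
</FilesMatch>
EOF
}

# nginx equivalents of the two rule sets above.
nginx_deny_rules() {
  cat <<'EOF'
location ~* /(wp-config\.php|xmlrpc\.php)$ { deny all; }
location ~* /wp-content/uploads/.*\.(php|phtml|phar)$ { deny all; }
EOF
}

harden_wp_config() {
  # No theme/plugin editor in the dashboard: a stolen admin session would
  # otherwise come with a PHP editor attached.
  wp config set DISALLOW_FILE_EDIT true --raw --path="$WP_PATH"
  # Dashboard and login only over HTTPS.
  wp config set FORCE_SSL_ADMIN true --raw --path="$WP_PATH"
  # Never display PHP errors (which include file paths and queries) to visitors.
  wp config set WP_DEBUG false --raw --path="$WP_PATH"
  wp config set WP_DEBUG_DISPLAY false --raw --path="$WP_PATH"
  # New authentication salts: every existing login cookie stops working.
  wp config shuffle-salts --path="$WP_PATH"
}

install_rules() {
  apache_deny_rules >> "$WP_PATH/.htaccess"   # appends; run once
  mkdir -p "$WP_PATH/wp-content/uploads"
  uploads_no_php_rules > "$WP_PATH/wp-content/uploads/.htaccess"
}

# Must-use plugin: drop the generator meta tag and hide the user list from
# anonymous REST API callers (the list reveals login slugs).
install_mu_plugin() {
  mkdir -p "$WP_PATH/wp-content/mu-plugins"
  cat > "$WP_PATH/wp-content/mu-plugins/hardening.php" <<'EOF'
<?php
remove_action('wp_head', 'wp_generator');
add_filter('rest_endpoints', function ($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
EOF
}

case "${1:-}" in
  show)  apache_deny_rules; uploads_no_php_rules; nginx_deny_rules ;;
  apply) harden_wp_config; install_rules; install_mu_plugin ;;
  *)     echo "usage: $0 show|apply" ;;
esac
```

Check the result from outside: a request for /wp-config.php should get a 403, a POST to /xmlrpc.php likewise, and /wp-json/wp/v2/users should return an error when not logged in.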
Backup Backup Backup
Backing up your website on a regular basis is the key to getting back on track should you get hacked. Hosting companies normally back up the server your site is hosted on, but be wise and take your own backups just in case.
This is paramount whenever you upgrade the core WP app or your plugins, and doubly so if you have enabled automatic updates, since those run when nobody is watching. Install a plugin that lets you both manually AND automatically back up your entire site (files and database), and automate transferring the backup somewhere safe: a backup that lives only on the web server disappears with it. Keep several generations, and test a restore now and then; an archive nobody has ever restored from is only a hope.
If in the unfortunate case you've been hacked and don't have the time or skills to investigate and remove offending changes to your code, you can restore a backup to replace what is there in case data integrity has been compromised. Be aware that the backup you restore may itself already be a hacked version (intrusions often go unnoticed for weeks, which is another reason to keep older generations), so you can always contact a professional such as ourselves to security audit your site.
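As an added example (not from the article) covering both the "back up before you upgrade" advice here and the "check the site after an update" advice in the update section, this script exports the database and archives the files in one tarball, verifies that the archive can be read back, copies it off the server, applies core, plugin and theme updates with WP-CLI, and then checks that the home page still answers. It assumes WP-CLI, tar, rsync and curl are installed; WP_PATH, SITE_URL, BACKUP_DIR and the OFFSITE rsync destination are placeholders.

```shell
#!/bin/sh
# Added example, not the article's code: backup, update, smoke test.
# Assumptions: WP-CLI, tar, rsync and curl are installed; the variables
# below are placeholders for your own site.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"
SITE_URL="${SITE_URL:-https://example.com}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
OFFSITE="${OFFSITE:-backup@backup-host.example:/srv/wp-backups/}"
KEEP_DAYS="${KEEP_DAYS:-30}"

# Archive name: <site>-<UTC timestamp>.tar.gz
backup_name() {
  printf '%s-%s.tar.gz' "$1" "$2"
}

# A backup you cannot read back is not a backup: list the archive to make
# sure it is complete and not corrupted.
verify_archive() {
  tar -tzf "$1" >/dev/null 2>&1
}

# Any 2xx or 3xx status from the home page counts as "site is up".
http_ok() {
  case "$1" in
    2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

take_backup() {
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  work=$(mktemp -d)
  mkdir -p "$BACKUP_DIR"
  # The export uses the database credentials already in wp-config.php.
  wp db export "$work/database.sql" --add-drop-table --path="$WP_PATH" >&2
  # Files and database in one archive so they are always restored together.
  archive="$BACKUP_DIR/$(backup_name "$(basename "$WP_PATH")" "$stamp")"
  tar -czf "$archive" -C "$work" database.sql \
      -C "$(dirname "$WP_PATH")" "$(basename "$WP_PATH")"
  rm -rf "$work"
  verify_archive "$archive" || { echo "backup failed verification: $archive" >&2; exit 1; }
  # Copy it off the web server: if the server is wiped, so is anything on it.
  rsync -a "$archive" "$OFFSITE"
  # Prune local copies older than KEEP_DAYS; keep more generations off-site.
  find "$BACKUP_DIR" -name '*.tar.gz' -mtime "+$KEEP_DAYS" -delete
  echo "$archive"
}

update_and_check() {
  wp core update --path="$WP_PATH"
  wp plugin update --all --path="$WP_PATH"
  wp theme update --all --path="$WP_PATH"
  code=$(curl -s -o /dev/null -w '%{http_code}' "$SITE_URL/")
  if http_ok "$code"; then
    echo "site answered with HTTP $code after update"
  else
    echo "site returned HTTP $code after update: restore $1 and investigate" >&2
    exit 1
  fi
}

if [ "${1:-}" = "run" ]; then
  archive=$(take_backup)
  update_and_check "$archive"
fi
```

Schedule it from cron with the "run" argument; a non-zero exit means either the backup could not be verified (nothing was updated) or the site stopped answering after the update (restore the archive it names).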
Table Prefixes
If you're installing WordPress yourself, it's a relatively painless process to set up. But in the same way that people stick with the common ‘admin’ username, people will also bypass changing the default table prefix.
By default all database tables created by the WP installation will have the prefix:
wp_
Because the same installation file is used for every WP install, an attacker writing SQL injection payloads by hand can assume your tables start with wp_ (wp_users, wp_options and so on) without ever having seen your database.
As with your administrator account, make their lives a little harder by changing this default value when you install WP. It's easy to do during the setup process, and doesn't have to be complex, e.g. change wp_ to mytableprefix_ if you really want. Be realistic about the benefit, though: any SQL injection that goes through WordPress itself picks up the real prefix at runtime, so this only blunts the crudest attacks and should never be relied on. Changing the prefix on an existing site means renaming every table and also the prefix-named rows in the options and usermeta tables, which is a job for your developer.
Secure, reliable hosting
A suitable web host for your WP site will ideally be one that specialises in hosting WordPress sites, and as such be already configured to mitigate known vulnerabilities as well as optimised to keep your site running smoothly.
A good host should provide a backup / restore system and a free TLS certificate (still commonly called SSL) - there really is no excuse not to! They may also offer additional useful security features such as DDoS (Distributed Denial-of-Service) protection, malware scanning, a configurable firewall, a country blocker and brute force login protection.
Importantly, WordPress and its plugins run on PHP code and a database (either MySQL or MariaDB) which your host will have installed for you. Make sure you're using supported, currently maintained versions that are compatible with your version of WP: each PHP release receives security fixes for a limited time and then nothing, so a site stuck on an end-of-life PHP version is running on known, unpatched bugs.
Your host should either keep your PHP and database versions up to date, or let you switch between versions so you can select a current one yourself.
The built-in Site Health Check (accessed via the WP Dashboard) can give an indication of any issues with your hosting environment as well as the WP installation itself. Pay attention to issues it highlights as critical, but be aware that not all issues will be a security or even functionality problem.
Be wary of cheap hosting services that use a shared hosting environment without isolation between customers' sites. Even if you harden your website to the max, a hacked website that has nothing to do with you but runs under the same account or on the same server can be used as a stepping stone into yours.
Scan and monitor your site
As well as the Site Health Check to review the status of your site, with plugins and services such as Wordfence, mySites, and Patchstack you can keep a watchful eye over your website’s files, database, and user activity on a regular basis.
Run regular scans to check to make sure everything is looking healthy and fix highlighted issues on actual or potential problems. Scans can be automated, and you will generally be alerted if an issue is found (depending on the plugin / service).
In conjunction with the other plugins mentioned in this article, it's a neat way of keeping everything ship shape and gives you that extra peace of mind. And if you spot in the logs that someone has discovered your admin username, replace that account (WordPress cannot rename a user in place, so create a new administrator and delete the old one) and change your password at the same time; if you suspect the password itself has leaked, also regenerate the authentication salts in wp-config.php so that every existing login session is invalidated.
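Two of the checks a monitoring plugin automates can be run by hand, and seeing them spelled out makes the alerts easier to interpret. The script below is an added example, not from the article or any of the plugins named: first it counts login POSTs per client address in a web server access log (combined log format) and flags bursts, which is what password guessing looks like before any plugin is involved; second it compares the installed core and plugin files against the checksums published by wordpress.org, which is how modified or planted files are found. The log lines are constructed for the demo and use documentation address ranges; the checksum step assumes WP-CLI is installed at the placeholder WP_PATH.

```shell
#!/bin/sh
# Added example, not the article's code: brute-force detection from an
# access log, and file integrity checks with WP-CLI. The sample log is
# constructed; WP_PATH is a placeholder.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"

# Constructed sample: eight login POSTs (wp-login.php and xmlrpc.php) from
# one address within seconds, two from a real editor, and ordinary page
# views. A 200 on POST /wp-login.php is the form being shown again, i.e. a
# failed attempt; a successful login answers with a 302 redirect.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [12/Mar/2024:09:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:14:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:14:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.31"
198.51.100.4 - - [12/Mar/2024:09:15:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:09:15:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:09:16:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:09:16:20 +0000] "GET /about/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
EOF
}

# Print "<ip> <attempts>" for every client that POSTed to wp-login.php or
# xmlrpc.php at least $1 times. In combined log format field 1 is the
# client address, field 6 the quoted method and field 7 the request path.
flag_login_bursts() {
  awk -v threshold="$1" '
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= threshold) printf "%s %d\n", ip, hits[ip] }'
}

# Exit status is non-zero when any file differs from the published
# checksum; the offending paths are listed. A file that does not match
# after a clean update is either your own edit or someone else's.
verify_files() {
  wp core verify-checksums --path="$WP_PATH"
  wp plugin verify-checksums --all --path="$WP_PATH"
}

case "${1:-}" in
  demo)   sample_log | flag_login_bursts 5 ;;
  log)    flag_login_bursts "${3:-20}" < "${2:?path to access log}" ;;
  verify) verify_files ;;
  *)      echo "usage: $0 demo | log <access.log> [threshold] | verify" ;;
esac
```

"demo" prints the one address that exceeds five attempts; against a real log use "log /var/log/apache2/access.log 50" and feed the addresses it lists to your firewall or the security plugin's block list. Run "verify" after every update and after any suspected compromise; plugins that are not hosted on wordpress.org cannot be checked this way and will be reported as such.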
WordPress Security by Channel
There are many more tools and techniques to make a WordPress website more secure, and all our websites benefit from our bespoke WordPress security hardening, monitoring and backups. If you would like to enjoy peace of mind, let us do the work. Contact us to find out how we can make your website secure.
Hacked Site Repair
If your WordPress website has been hacked, we can help! Contact us today and we will work at top speed to get your site back online and ensure it does not happen again.
This article was first written in 2013 and updated in 2024.