If you’re using self-hosted WordPress, it’s really important to consider your site’s security. Luckily, WordPress already has a lot of built-in security features, but there’s still a lot you need to do to shield your site from unauthorised access. I’ve asked experienced website designer Cristina Castro Moral to give us a few tips. She kindly agreed and has shared the following list of basic steps:
Note: The article below contains one or two affiliate links. For more information, click here.
1) Use a secure hosting company
First, make sure your hosting provider is up to date with the latest requirements. If they’re not, hackers and spammers will take advantage of and target any security vulnerabilities. Look for these features when considering your options:
- Support for the latest PHP and MySQL versions
- Account isolation
- Web Application Firewall
- Intrusion detection system
2) Change the default username
Avoid using “admin” as your username. Most of the attack attempts that affect an average WordPress website come through the /wp-admin or /wp-login pages. These are called brute-force attacks: they try numerous password combinations against the “admin” username. Changing that username saves you a lot of trouble. I also recommend not using your domain name as your username, as it is the second most obvious guess.
3) Set a strong password
To complement the previous point, avoid weak passwords that only include recognisable words. Instead, use a strong combination of lowercase and uppercase letters, numbers and special characters, and try to make it 15-20 characters long. That way, it will be virtually impossible for a bot to hit the right combination. I also recommend updating your password once every couple of months.
How to set a new password: Visit Users > Your Profile in the sidebar.
4) Add secret keys
WordPress secret keys add an extra layer of protection. They are not set up by default, so you will need to do it yourself. Simply access your wp-config file via your file manager or FTP and look for the following line of code:
That’s the first line of a group of eight lines with a similar structure. Use this WordPress secret key generator to get a random set of keys, copy the result and replace the eight lines in your file. Don’t forget to save the changes!
Further reading: The what, why and hows of WordPress secret keys.
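As an added example (not from the article, nor code from WordPress itself), the following POSIX shell script generates the eight key and salt lines locally instead of fetching them from an online generator, and checks whether a wp-config.php still contains WordPress’s stock placeholder text. It assumes /dev/urandom is available and that the constants are written with single-quoted define() calls, as in the sample config.

```shell
#!/bin/sh
# Added example for this article (not Cristina's code or part of WordPress):
# generates fresh values for the eight wp-config.php secret keys and salts, and
# checks whether an existing wp-config.php still carries the stock placeholder.
# Assumes /dev/urandom is available and that the constants are declared with
# single quotes, as in define('AUTH_KEY', '...');

WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one define() line per constant, each with a random 64-character hex value
# (256 bits of entropy) drawn from the local kernel RNG.
gen_wp_keys() {
    for name in $WP_KEY_NAMES; do
        value=$(head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n')
        printf "define('%s', '%s');\n" "$name" "$value"
    done
}

# Return 0 (true) when the file still contains WordPress's default placeholder
# text or is missing any of the eight constants, i.e. the keys still need setting.
wp_keys_need_rotation() {
    file="$1"
    if grep -q 'put your unique phrase here' "$file"; then
        return 0
    fi
    for name in $WP_KEY_NAMES; do
        grep -q "define( *'$name'," "$file" || return 0
    done
    return 1
}

# Stand-alone use: print a fresh set of eight lines to paste into wp-config.php.
gen_wp_keys
```

Run `wp_keys_need_rotation /path/to/wp-config.php` first; if it succeeds, replace the eight lines with the output of `gen_wp_keys`.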
5) Change the database table prefix
Another way to protect your database from unauthorised access and modification is to change the default table prefix, wp_. If you haven’t set up your WordPress website yet, you can do this during the installation process, when you edit the wp-config file to connect your database. If your website is already running, or if all this sounds like a foreign language, you can achieve the same result with a plugin such as WP Prefix Changer.
6) Install Limit Login Attempts + Whitelist my IP
These two plugins help to prevent, in part, the brute-force attacks mentioned above. The first limits the number of times an IP address can try to access your dashboard via the login page, blocking that IP after a certain number of unsuccessful login attempts. The second prevents you from getting locked out of your own site. It is not very common, but it does happen. To prevent it, you just need to add your own IP to the safe list.
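An added example, not from the article or from either plugin: a shell check that reads a web server access log and lists the client IPs that have POSTed to /wp-login.php at least a chosen number of times, which is the same per-IP pattern the login-limiting plugin blocks on. It assumes the common Apache/Nginx “combined” log format and works on a constructed sample log embedded in the script.

```shell
#!/bin/sh
# Added example for this article (not Cristina's code or a plugin): a quick
# check of a web server access log for the brute-force pattern described above,
# i.e. many POST requests to /wp-login.php from one client IP.
# Assumes the Apache/Nginx "combined" log format, where field 1 is the client IP,
# field 6 is the quoted request method and field 7 is the request path.

# Print "IP count" for every client that POSTed to wp-login.php at least
# $2 times in log file $1, highest count first.
login_post_offenders() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= limit) print ip, hits[ip] }
    ' "$1" | sort -k2,2nr
}

# Constructed sample log (not real traffic): 203.0.113.5 hammers the login
# page, 198.51.100.7 logs in twice, and a plain GET of the page is not counted.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:10:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
EOF

# Flag any IP with three or more login POSTs in the sample.
login_post_offenders "$SAMPLE_LOG" 3
```

Point the function at your real access log and a sensible threshold to see which addresses the limiting plugin would be blocking.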
7) Always update!
This is the easiest step! Keep everything up to date. Being an open-source platform, WordPress is constantly evolving to improve site performance, introduce new features and fix bugs and security issues. If your website is running an old WordPress version, or your theme and plugins are outdated, you are more vulnerable to attacks. It’s crucial to use the latest version of WordPress and to keep your themes and plugins updated too.
Additionally, when choosing a theme for your website, make sure it has been updated recently (at least since the latest WordPress version was released) and that it is updated regularly. Avoid themes and plugins that are not used by a large number of people, or that look like they have been abandoned by their creators.
8) Backup often
It’s crucial that you back up your site regularly. If you do not want to back up the site manually by using FTP and downloading a copy of the database, use a plugin.
We recommend: UpdraftPlus WordPress Backup Plugin
Nobody is completely safe from security issues on the internet, even if you take all the actions in this post. The problem doesn’t necessarily come from outside: sometimes, when updating elements or modifying options, we reach a point where restoring the latest backup is the easiest fix. If you have a fairly static site, one backup per month should be fine. If you are constantly uploading new content, or have an online shop that receives daily or weekly orders, you should definitely back up at least once per week.
Over to you
I hope you found Cristina’s tips useful. I certainly did! What other actions have you taken to make your WordPress website more secure? Feel free to post your experiences and questions in the comments section below.
Finally, if you need further help, Cristina offers personal WordPress lessons via Skype, so you can learn by working on your own project, without needing programming skills and at your own pace.