As of 2021, it is estimated that almost half a BILLION websites use WordPress as their CMS. Unfortunately, the majority of people who use it don’t always secure it well. Here are the most important WordPress security tips to help you secure a WordPress website without using a pricey plugin.
As somebody who has used WordPress for almost 10 years – and who uses WordPress for All Things Secured – I’m intimately familiar with the CMS.
It’s become popular not only because it is open-source, but because it’s intuitive to use and has a developed library of themes and plugins.
However, the fact that anybody has the right to code a WordPress theme or plugin also introduces a number of security risks.
If you have a desire to secure your WordPress website, we’re going to cover three important areas you should focus on:
Best of all, the WordPress security tips I’m listing here don’t require a paid plugin. In fact, I recommend that you don’t use a plugin like Securi.
Watch the video below or continue to scroll down to read more.
Be sure to subscribe to the All Things Secured YouTube channel!
Note: Some of the links in this article are affiliate links, which means that at no extra cost to you, I may be compensated if you choose to use one of the services listed.
Securing Your WordPress Login Page
The most vulnerable part of any WordPress website is the login page.
This is where the majority of brute force attacks happen and the place where most hackers get access to your website.
For this reason, one of the most important steps you can take to secure a WordPress website is to fix your login page. This means:
- Removing the “admin” user;
- Creating a stronger login password;
- Limiting login attempts;
- Changing the login URL;
Let’s dive into each of these individually.
Remove “Admin” as a User
When you first set up a WordPress install, it’s common that the initial user is set with the name “admin”. Most people make the mistake of using this as their primary user from day one.
Because this is well-known, it makes hacking a website that much easier since they only have to guess the password, not the user.
75% of all attacks on my WordPress login page attempt “admin” as the user name.
So what can be done about this?
Unfortunately, since WordPress does not allow the username to be changed after the user has been created, you have only a couple options:
- Change Username via phpMyAdmin (hard): It is possible to change the username by logging into your WordPress database, but this is only recommended for those advanced users.
- Change Username via a Plugin (medium): There are plugins such as Username Changer that allow you to make the switch.
- Create a New Admin User (easy): The easiest method is to create a new administrator account using a different username and then delete the “admin” account, transferring all posts to the new administrator.
Create a Stronger Login Password
While you’re in the middle of adding a new administrator account (or changing your current admin account), it’s worth the effort to create a stronger login password.
At the very least, you can check the strength of your current password to see if it’s any good.
In general, I recommend that your WordPress login password have the following characteristics:
- At least 15 characters in length;
- Use of uppercase, lowercase, symbols and characters;
- Completely unique (i.e. not used with any other login you have);
Creating a strong password is becoming easier and easier with the help of all the good password manager apps on the market today.
These managers not only help you create stronger passwords, they also store them in a secure vault behind a single master password so you don’t have to remember them.
The reason these WordPress security tips are important is because there is software designed to guess your password. Another way to stop this is by limiting login attempts.
Limit Login Attempts on WordPress
Brute force attacks on any website are dependent upon the ability to make unlimited guesses. Given enough time, these attack bots can try hundreds of thousands of password combinations until it finds the one that works.
Why give them such an advantage?
Limiting login attempts means that after 3 failed attempts (i.e. wrong passwords or admin), any login attempt by that particular IP address is blocked for hours or days.
Instead of unlimited guesses, they get only three every day.
So how do you do this?
I recommend the free plugin called WPS Limit Login. It’s an easy, lightweight plugin that has become the standard.
You simply install the plugin and set the number of tries allowed. This is one of the easiest WordPress security tips to implement.
Change your Login URL Page
The final change you can make to secure a WordPress website login is also the most important:
Change the login URL.
Using a free plugin like WPS Hide Login, you can change the default login URL (“/wp-login”) to be anything else you like.
Login URL Tips
When you do this, anybody who tries to log into the wp-login URL gets redirected to a 404 page, or any other page you want.
This also means that you need to alert all current users to the new login page.
Securing Your WordPress Back End
Now that we’ve secured the WordPress login page, let’s spend a little bit of time inside your dashboard.
There are plenty of things that can be done in the back end as well as the database to lock down your website, but we’re going to look at the ones that are both easy and important:
- Remove unused themes and plugins;
- Check when your plugins were last updated;
- Remove unused/old uers;
Here’s how that looks in detail.
Remove Unused Themes and Plugins
The average WordPress website has 5+ unused themes and more than 10 unused plugins.
You may not realize it, but these unused themes and plugins represent an unnecessary security risk. It’s possible to gain access to your website via a security bug in these pieces of code, even if they aren’t activated.
And honestly, if the themes and plugins aren’t activated…why do you still have them?
You can always re-install them if you need to, but for now, it’s best to delete any that aren’t being used.
Check “Last Updated” Date on Plugins
Do you know when your current website plugins were last updated?
Yea…most people don’t.
Thankfully, WordPress gives you this “Last Updated” information on any plugin you have. On your “Installed Plugins” page, click on “View Details” on each plugin. What you’ll find looks something like this:
As a general rule, I tend to replace a plugin that doesn’t get updated at least once every 6 months.
I’m a bit conservative, though. You can probably get away with a year if you like.
The point here is that if a plugin hasn’t been updated for years, there’s a high probability that it presents a security risk for your WordPress website.
Remove Unused and Old WordPress Users
Finally, while you’re in the dashboard, click on your “All Users” page.
If your website is like most, over time you end up creating users for a variety of different people that could include:
- Guest writers;
- Hosting customer support;
- Web developers, etc.
The problem, however, is that most of the time we forget to remove those users when the job is completed. Unless they are active users who log in regularly, having a defunct user account presents more risks than benefits.
WordPress security tips: Simply delete these old users and assign their posts/pages to you as an admin.
Future-Proof Your WordPress Security Foundation
This last section of WordPress security tips is going to focus on future-proofing your website. In other words, these may not be changes that you make right now, but it’s a mindset shift to strengthening your security foundation.
There are two particular ideas to focus on here:
- Keep your WordPress core and plugins updated;
- Use managed WordPress hosting;
Let’s take a closer look here.
Keep WordPress Core & Plugins Updated
In my experience, there are usually two types of webmasters:
- Those who rarely undergo core updates;
- Those who can’t stand having an outstanding notification on their dashboard;
The reality is that updates are a good thing…until they break your website.
Regular updates often patch up security holes in the software, but it can also sometimes break a current theme or plugin. If you’ve hosted a WordPress website for any length of time, you probably have had experience with an update breaking your website.
So what’s the solution here?
There are managed solutions available (i.e. you pay your web host to manage all updates for you), but the free solution is to use what is known as a “staging site”.
Every week or two, I go through the following process:
- Copy the live website to staging: I’m basically creating a clone of my current website on a private site.
- Perform all updates: On the staging site, I update the WordPress core or any plugins that need to be updated.
- Check for any issues: After updates are complete, I check the staging site to make sure that it hasn’t broken the website in any way.
- Copy the staging site to live: When everything looks good, I push the staging site to live.
This takes a little bit of time (which is why some people prefer the managed solution), but it eliminates the possibility of downtime when the site gets broken and you need to restore a daily backup version of your site.
Use Managed WordPress Hosting
If you’re hearing me talk about things like daily backups, staging sites, or managed updates and you say to yourself, “My web host doesn’t offer this…“
…it might be a sign that you should upgrade your hosting.
The cheap $5/mo hosting plans are fine if your website only gets 5-10 visitors per day. But if you get any significant amount of traffic, you really need to look into something known as Managed WordPress Hosting.
Managed WordPress Hosting services only host WordPress installs, so they can optimize their servers and customer support to do this well.
There are a number of good options, these are three that I’ve used and recommend:
WP Engine – Premium Managed Hosting
- Startup, Growth, and Scale plans available for any size WordPress site;
- Free access to StudioPress premium themes;
- Global CDN (content delivery network)
Flywheel – Simple Managed WordPress
- Variety of options available based on the size and traffic of your site;
- Free SSL certificates and global CDN;
- White label options for agency users;
SiteGround | Most Affordable for Small Sites
- Most affordable option for small WordPress sites;
- Free SSL certificates and global CDN;
- Free email hosting for all plans;
The benefit of each of the managed hosting options listed above is that the security and firewall they offer makes a paid security plugin like Securi unnecessary.
Think about it: instead of paying an annual fee for a security plugin, it’s better to invest in a better hosting platform for your website.
Final Thoughts on Securing a WordPress Website
The fact that WordPress is so popular is both a benefit and a cure.
Yes, you can benefit from the many great themes and plugins that have been developed around the CMS…
…but the popularity also means that it’s a huge target for hackers.
It only takes a few minutes to make the security changes listed above, but it can make a huge difference in how secure your website is.
You need to make this a priority!
Don’t just rely on the best WordPress security plugins, take active steps to secure a WordPress website login page, back end and foundation.
It’s an investment of your time that won’t be wasted.
Is there anything else you think I’m missing here that needs to be added?