WordPress Security Tips 2023 (that don’t require a plugin!)

March 15, 2023 By Josh

As of 2023, it is estimated that almost half a billion websites use WordPress as their CMS. Unfortunately, many of the people running those sites don’t secure them well. Here are the most important WordPress security tips to help you secure a WordPress website without using a pricey plugin.


As somebody who has used WordPress for almost 10 years – and who uses WordPress for All Things Secured – I’m intimately familiar with the CMS.

It’s become popular not only because it’s open source, but because it’s intuitive to use and has a mature library of themes and plugins.

However, the fact that anybody can write and publish a WordPress theme or plugin also introduces a number of security risks: every one you install is third-party code running with the same privileges as WordPress itself.

If you have a desire to secure your WordPress website, we’re going to cover three important areas you should focus on:

  • Securing the WordPress login page
  • Securing the WordPress back end
  • Future-proofing your WordPress foundation

Best of all, the WordPress security tips listed here don’t require a paid plugin. In fact, I recommend that you don’t use a plugin like Sucuri.


Note: Some of the links in this article are affiliate links, which means that at no extra cost to you, I may be compensated if you choose to use one of the services listed.

Securing Your WordPress Login Page

The login page is the most heavily attacked part of any WordPress website.

It’s where most automated brute-force attempts land, and a guessable username and password there hand an attacker the whole site.

For this reason, one of the most important steps you can take to secure a WordPress website is to fix your login page. This means:

  • Removing the “admin” user;
  • Creating a stronger login password;
  • Limiting login attempts;
  • Changing the login URL;

Let’s dive into each of these individually.

Remove “Admin” as a User

When you first set up a WordPress install, it’s common for the initial user to be named “admin”. Most people make the mistake of using this as their primary user from day one.

Because this name is well known, it makes attacking a website that much easier: the attacker only has to guess the password, not the user.

75% of all attacks on my WordPress login page attempt “admin” as the user name.

So what can be done about this?

WordPress doesn’t let you change a username from the dashboard once the user exists, so you have a few options:

  1. Change Username via phpMyAdmin (hard): It is possible to change the username by editing the wp_users row in your WordPress database, but this is only recommended for advanced users. If you go this route, change user_nicename and display_name as well, not just user_login: the nicename is the slug in your author archive URL (/author/admin/), so renaming only the login still advertises the old name.
  2. Change Username via a Plugin (medium): There are plugins such as Username Changer that allow you to make the switch.
  3. Create a New Admin User (easy): The easiest method is to create a new administrator account with a different username, log in as that user, and then delete the “admin” account, transferring all of its posts to the new administrator.

Whichever you choose, remember that WordPress usernames are not really secret: author archives and the REST API’s users endpoint expose the nicename of anyone who has published a post. Dropping “admin” removes the one guess every bot tries first; the password and the attempt limit are what actually keep the account safe.

Create a Stronger Login Password

While you’re in the middle of adding a new administrator account (or changing your current admin account), it’s worth the effort to create a stronger login password.

At the very least, you can check the strength of your current password to see if it’s any good.

In general, I recommend that your WordPress login password have the following characteristics:

  • At least 15 characters in length;
  • Use of uppercase, lowercase, numbers and symbols;
  • Completely unique (i.e. not used with any other login you have);

Creating a strong password is becoming easier and easier with the help of all the good password manager apps on the market today.


These managers not only help you create stronger passwords, they also store them in a secure vault behind a single master password so you don’t have to remember them.

The reason these WordPress security tips matter is that there is software designed to guess your password. Another way to stop it is by limiting login attempts.

Limit Login Attempts on WordPress

Brute force attacks on any website depend on the ability to make unlimited guesses. Given enough time, attack bots can try hundreds of thousands of password combinations until one works.

Why give them such an advantage?

Limiting login attempts means that after a small number of failed attempts (say, three wrong passwords or unknown usernames), any further login attempt from that IP address is blocked for hours or days.

Instead of unlimited guesses, an attacker gets only three per lockout period.

So how do you do this?

I recommend the free plugin called WPS Limit Login. It’s a small, widely used plugin.

You simply install the plugin and set the number of tries allowed. This is one of the easiest WordPress security tips to implement.

Two caveats. Lockouts are keyed by IP address, so behind a CDN or reverse proxy the plugin must see the real client address (the forwarded-for header, trusted only when it comes from your own proxy); otherwise every visitor shares one IP and an attacker can lock out your whole site, or dodge the limit by spoofing the header. And a limit on wp-login.php does nothing for xmlrpc.php, which accepts the same username and password; if nothing you use needs XML-RPC (Jetpack and the WordPress mobile apps do), disable it as well.
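As an added example, not code from the original article or from the WPS Limit Login plugin: the lockout rule described above, replayed in Python over a constructed web-server access log. The log lines, IP addresses and thresholds are made up for the demonstration. The one assumption about WordPress behaviour is the usual one for reading logs: a failed POST to wp-login.php re-renders the form with HTTP 200, while a successful login answers with a 302 redirect into wp-admin.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields the limiter needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for a line that is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    path = m['path'].split('?', 1)[0]
    return m['ip'], ts, m['method'], path, int(m['status'])


class LoginLimiter:
    """Per-IP lockout: max_failures failed attempts inside `window` lock the IP for `lockout`."""

    def __init__(self, max_failures=3, window=timedelta(minutes=15), lockout=timedelta(hours=24)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lock has expired: forget it
            del self.locked_until[ip]
            return False
        return True

    def record(self, ip, now, success):
        """Feed one attempt. Returns 'allowed', 'locked' (this failure tripped the lock) or 'blocked'."""
        if self.is_locked(ip, now):
            return 'blocked'                 # even a correct password is refused while locked
        if success:
            self.failures.pop(ip, None)      # a good login clears the failure counter
            return 'allowed'
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)
            return 'locked'
        return 'allowed'


def audit(lines, limiter=None):
    """Replay every POST to wp-login.php and return [(ip, timestamp, decision), ...]."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != 'POST' or path != '/wp-login.php':
            continue                          # GETs of the form and other pages are not attempts
        success = 300 <= status < 400         # 302 on success, 200 (form re-rendered) on failure
        decisions.append((ip, ts, limiter.record(ip, ts, success)))
    return decisions


# Constructed sample log (not real traffic): one scripted attacker and one legitimate
# editor who mistypes a password once before getting in. The attacker returns a day later.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2023:14:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.28"
203.0.113.5 - - [10/Mar/2023:14:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4201 "-" "python-requests/2.28"
203.0.113.5 - - [10/Mar/2023:14:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4201 "-" "python-requests/2.28"
198.51.100.7 - - [10/Mar/2023:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4201 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4201 "-" "python-requests/2.28"
203.0.113.5 - - [10/Mar/2023:14:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4201 "-" "python-requests/2.28"
198.51.100.7 - - [10/Mar/2023:14:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:14:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2023:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4201 "-" "python-requests/2.28"
""".splitlines()

if __name__ == '__main__':
    for ip, ts, decision in audit(SAMPLE_LOG):
        print(f"{ts:%d/%b %H:%M:%S}  {ip:<14} {decision}")
```

Reading the output against the sample: the attacker’s third failure inside fifteen minutes trips the lock, the fourth is refused outright, the editor’s single mistake followed by a 302 never gets close to the limit, and the attacker’s return the next day is allowed again because the 24-hour lock has expired. The status-code heuristic only holds for wp-login.php; xmlrpc.php answers 200 whether the credentials were right or wrong, which is one more reason to disable it if you don’t need it.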

Change your Login URL Page

The last change you can make to secure a WordPress login page is the one that most visibly quiets your logs:

Change the login URL.

Using a free plugin like WPS Hide Login, you can change the default login URL (“/wp-login.php”) to anything else you like.

When you do this, anybody who requests the old wp-login.php URL gets a 404 page, or any other page you choose.

This also means that you need to tell all current users the new login address.

Login URL Tips

Don’t change your login URL to simply be “/login”, as this, too, is easy to guess and doesn’t make your login any stronger.

Keep in mind that this is obscurity, not a control. It filters out bots that only know the default path, but anyone who learns the new URL (it leaks through a “Log in” link, a Referer header or a shared bookmark) is right back at the form, and xmlrpc.php still accepts a username and password no matter where the login page lives. Treat it as a noise filter on top of the strong password and the attempt limit, not as a replacement for them.

Securing Your WordPress Back End

Now that we’ve secured the WordPress login page, let’s spend a little bit of time inside your dashboard.

There are plenty of things that can be done in the back end as well as the database to lock down your website, but we’re going to look at the ones that are both easy and important:

  • Remove unused themes and plugins;
  • Check when your plugins were last updated;
  • Remove unused/old users;

Here’s how that looks in detail.

Remove Unused Themes and Plugins

It’s common for a WordPress site to accumulate a handful of unused themes and a dozen or more unused plugins.

You may not realize it, but these unused themes and plugins are an unnecessary security risk. Their PHP files stay on the web server and can be requested directly, so a bug in a deactivated plugin can still be exploited even though WordPress never loads it.


And honestly, if the themes and plugins aren’t activated…why do you still have them?

You can always re-install them if you need to, but for now, it’s best to delete any that aren’t being used.

Check “Last Updated” Date on Plugins

Do you know when your current website plugins were last updated?

Yeah…most people don’t.

Thankfully, WordPress gives you this “Last Updated” information on any plugin you have. On your “Installed Plugins” page, click on “View Details” on each plugin. What you’ll find looks something like this:


As a general rule, I tend to replace a plugin that doesn’t get updated at least once every 6 months.

I’m a bit conservative, though. You can probably get away with a year if you like.

The point here is that if a plugin hasn’t been updated for years, there’s a high probability that it presents a security risk for your WordPress website.
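As an added example, not the article’s own code and not part of WP-CLI or wordpress.org: a small Python audit that applies both back-end rules above, flagging inactive plugins for deletion and active ones that haven’t seen an update in six months. The plugin names, statuses and dates are constructed. It assumes the field names of `wp plugin list --format=json` output and that the wordpress.org plugin-info API reports `last_updated` as “YYYY-MM-DD H:MMam GMT”; anything not found in the directory is reported separately so you check the vendor yourself.

```python
import json
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=180)        # the conservative threshold from the article; 365 if you are lenient
AUDIT_DATE = datetime(2023, 3, 15, tzinfo=timezone.utc)   # "today" for the constructed data

# Constructed stand-in for `wp plugin list --format=json`; the plugin names are invented.
WP_PLUGIN_LIST = json.dumps([
    {"name": "spam-shield",    "status": "active",   "update": "none",      "version": "5.1"},
    {"name": "hello-sample",   "status": "inactive", "update": "none",      "version": "1.7.2"},
    {"name": "legacy-gallery", "status": "active",   "update": "none",      "version": "2.3"},
    {"name": "form-builder",   "status": "active",   "update": "available", "version": "5.7.4"},
    {"name": "agency-helper",  "status": "active",   "update": "none",      "version": "1.0"},
])

# Constructed excerpts of wordpress.org plugin-info API responses, keyed by slug.
# Assumption: the real API's last_updated field looks like "2023-02-15 3:06pm GMT".
# "agency-helper" is deliberately absent: a custom plugin that is not in the directory.
PLUGIN_INFO = {
    "spam-shield":    {"last_updated": "2023-02-15 3:06pm GMT"},
    "hello-sample":   {"last_updated": "2023-01-06 1:40pm GMT"},
    "legacy-gallery": {"last_updated": "2019-06-01 9:12am GMT"},
    "form-builder":   {"last_updated": "2023-03-09 4:55pm GMT"},
}


def parse_last_updated(value):
    """Turn the directory's 'YYYY-MM-DD H:MMam GMT' string into an aware UTC datetime."""
    return datetime.strptime(value, '%Y-%m-%d %I:%M%p GMT').replace(tzinfo=timezone.utc)


def audit_plugins(plugin_list_json, plugin_info, now, stale_after=STALE_AFTER):
    """Return {plugin name: [findings]} where findings are:
    'delete-inactive'  -> installed but deactivated: delete it, the code is still on disk
    'update-available' -> a newer version exists: update it (on staging first)
    'stale'            -> active, but last updated more than `stale_after` ago: find a replacement
    'unknown-source'   -> not in the wordpress.org directory: check with the vendor
    """
    findings = {}
    for plugin in json.loads(plugin_list_json):
        name, notes = plugin['name'], []
        if plugin['status'] == 'inactive':
            notes.append('delete-inactive')      # nothing else matters if it is going away
        else:
            if plugin.get('update') == 'available':
                notes.append('update-available')
            info = plugin_info.get(name)
            if info is None:
                notes.append('unknown-source')
            elif now - parse_last_updated(info['last_updated']) > stale_after:
                notes.append('stale')
        findings[name] = notes
    return findings


if __name__ == '__main__':
    for name, notes in audit_plugins(WP_PLUGIN_LIST, PLUGIN_INFO, AUDIT_DATE).items():
        print(f"{name:<16} {', '.join(notes) or 'ok'}")
```

On a real site, feed it the output of `wp plugin list --format=json` and the JSON for each slug from the wordpress.org plugin-info API; `wp plugin list --status=inactive --field=name` gives you the deletion list directly, and the same check applies to themes via `wp theme list`. Run it before every update cycle and the “when was this last updated?” question answers itself.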

Remove Unused and Old WordPress Users

Finally, while you’re in the dashboard, click on your “All Users” page.

If your website is like most, over time you end up creating users for a variety of different people that could include:

  • Guest writers;
  • Editors;
  • Hosting customer support;
  • Web developers, etc.

The problem, however, is that most of the time we forget to remove those users when the job is completed. Unless an account belongs to someone who logs in regularly, it presents more risk than benefit: every extra account is another password that can be guessed, phished or reused from a breach somewhere else.

WordPress security tips: simply delete these old users and assign their posts/pages to you as an admin. While you’re there, look for administrator accounts you don’t recognize. An admin user you never created is a classic sign the site has already been compromised, and deleting it is the first step of a cleanup, not the end of one.

Future-Proof Your WordPress Security Foundation

This last section of WordPress security tips is going to focus on future-proofing your website. In other words, these may not be changes that you make right now, but it’s a mindset shift to strengthening your security foundation.

There are two particular ideas to focus on here:

  • Keep your WordPress core and plugins updated;
  • Use managed WordPress hosting;

Let’s take a closer look here.

Keep WordPress Core & Plugins Updated

In my experience, there are usually two types of webmasters:

  • Those who rarely undergo core updates;
  • Those who can’t stand having an outstanding notification on their dashboard;

The reality is that updates are a good thing…until they break your website.

Regular updates patch security holes in the software, but they can also break a theme or plugin that isn’t keeping up. If you’ve hosted a WordPress website for any length of time, you’ve probably had an update break your site.


So what’s the solution here?

There are managed solutions available (i.e. you pay your web host to manage all updates for you), but the free solution is to use what is known as a “staging site”.

Every week or two, I go through the following process:

  • Copy the live website to staging: I’m basically creating a clone of my current website on a private site.
  • Perform all updates: On the staging site, I update the WordPress core or any plugins that need to be updated.
  • Check for any issues: After updates are complete, I check the staging site to make sure that it hasn’t broken the website in any way.
  • Copy the staging site to live: When everything looks good, I push the staging site to live.

This takes a little time (which is why some people prefer the managed solution), but it avoids the downtime you’d otherwise get from a broken update and a scramble to restore a daily backup. One exception: when a core or plugin release is flagged as a security fix, test and apply it as soon as it lands rather than waiting for the next cycle, because the hole it closes is public the moment the release is.

Use Managed WordPress Hosting

If you’re hearing me talk about things like daily backups, staging sites, or managed updates and you say to yourself, “My web host doesn’t offer this…“

…it might be a sign that you should upgrade your hosting.

The cheap $5/mo hosting plans are fine if your website only gets 5-10 visitors per day. But if you get any significant amount of traffic, you really need to look into something known as Managed WordPress Hosting.

Managed WordPress Hosting services only host WordPress installs, so they can optimize their servers and customer support to do this well.

There are a number of good options, these are three that I’ve used and recommend:

WP Engine – Premium Managed Hosting


  • Startup, Growth, and Scale plans available for any size WordPress site;
  • Free access to StudioPress premium themes;
  • Global CDN (content delivery network)

Flywheel – Simple Managed WordPress


  • Variety of options available based on the size and traffic of your site;
  • Free SSL certificates and global CDN;
  • White label options for agency users;

SiteGround – Most Affordable for Small Sites


  • Most affordable option for small WordPress sites;
  • Free SSL certificates and global CDN;
  • Free email hosting for all plans;

The benefit of each of the managed hosting options listed above is that the security and firewall they provide make a paid security plugin like Sucuri unnecessary.

Think about it: instead of paying an annual fee for a security plugin, invest in a better hosting platform for your website.

Final Thoughts on Securing a WordPress Website in 2023

The fact that WordPress is so popular is both a blessing and a curse.

Yes, you can benefit from the many great themes and plugins that have been developed around the CMS…

…but the popularity also means that it’s a huge target for hackers.

It only takes a few minutes to make the security changes listed above, but it can make a huge difference in how secure your website is.

You need to make this a priority!

Don’t just rely on the best WordPress security plugins; take active steps to secure your WordPress website’s login page, back end and foundation.

It’s an investment of your time that won’t be wasted.

Is there anything else you think I’m missing here that needs to be added?
