Snug Site

10 WordPress Security Tips

The makers of WordPress take security very seriously – However, they cannot account for things that are only under your control – like installing vulnerable themes and plugins, weak passwords etc.

There are always going to be some extra precautions you will need to take, to prevent potential security issues.

Security does not only refer to “preventing hackers” – a secure WordPress website should also protect against: DDOS (Denial of Service attacks), Spam, and Data Loss.

This guide provides our top 10 tips on enabling greater security for your WordPress website. However, if you have specific concerns or doubts about your WordPress security, we recommend you contact Snug Site today to discuss them.

Your WordPress websites security chain is only as strong as it’s weakest link; Let’s just cover some of those weak spots here. We advise against spending too much time fretting over or dwelling on security. You should only need to cover these basics – The most important aspect of security is having a contingency plan. Keep backups, keep logs, and keep calm.

1. Limit Login Attempts

WordPress doesn’t have a built in mechanism to prevent someone (or a bot) trying every possible username and password combination all day long. This is often referred to as a “Brute Force Attack” – When a login allows someone to get a password wrong a million times without getting locked out. A bot can simply throw every variation of username and password at a login until something gets through. You need to take measures to prevent this.

Limit Login Attempts is a good plugin to enable this feature. However it is also available as a part of the excellent iThemes Security  plugin.

2. Strong Usernames and Passwords

Usernames: Most attacks that need a username, will first try the default username of “admin”. If you currently have this username is use, delete it and create another Administrator account with a less obvious name.

You will also want to avoid using all obvious usernames (eg. your first name), and perhaps even look into finding a plugin or method of changing the “author-slug” to obfuscate the usernames of your website contributors and admins.

Passwords: Keeping track of passwords can be annoying, however, we highly recommend that you use a unique password (not used elsewhere) for your WordPress Dashboard. This should be at least 8 characters longs, and contain at least one uppercase and one numerical.

3. Change your login URL

By default, you log into your WordPress Dashboard by adding /wp-admin, or /login to your domain name. There are various plugins designed to change this default login URL – making it harder for humans and bots to get to your login screen. I recommend using iThemes Security for the task.

By changing the login URL of your website, you ensure that even if someone does know your WordPress Dashboard username and password, they won’t actually be able to find anywhere to log in.

I recommend changing your login page to something like:

4. Change the default WordPress database prefix

The default prefix value of “wp-”  should be changed to prevent potential SQL injections. This is typically to prevent autonomous software bots from sniffing out your WordPress database for vulnerable plugins.

This is usually done when first installing WordPress. If you missed that boat, it’s not too difficult to do now.

Do this manually by following an online guide, or use an excellent plugin like iThemes Security

Tip: You will want to set the prefix to something random, like: r83h0_

5. Keep everything up to date

Whenever a vulnerability is found in WordPress, a Theme, or Plugin – the developers of these things will roll out an update with a security fix. If you see an update for any of these things become available, assume it is for a security patch – Backup your WordPress then update immediately.

6. Trusted Sources

Only install and enable reputable plugins that are compatible with the latest version of WordPress. This can sometimes be hard to ascertain, however a good starting point is to take a look at the Plugins listing on the Official WordPress repository – and confirm the follwing;

“Compatible up to:” Should be most current WordPress.

“Last Updated:” Should be within the last few months.

You can also check for known plugin vulnerabilities on the Secuniawebsite.

7. Disable File Editing from your Dashboard

Under Apearance > Editor in your WordPress Dashboard – you have access to directly change the code of some essential theme and plugin files. If someone were able to get into your site, you don’t want them to have direct access to these files. Not only can they change the code, but add executable code that could harm visitors to your website.

Easy to fix, just add this line to your wp-config.php file

define(‘DISALLOW_FILE_EDIT’, true);

8. File Permissions

As a general rule – All WordPress files on your host (the place where your WordPress core files live) should be set to the binary permissions value of 644. All Folders should be set to 755.

An exception is: wp-config.php – This contains very sensitive information, including your database username and password and should be set to 440 or 400 to prevent others from reading it.
Typically, permissions are already set when installing WordPress. However, if you manually create a file, and upload it to your server, ensure that it has the correct perms after upload.

9. Detection, Monitoring, and Logging

An integral part of a security plan, is to know when an attack is happening, or at least that it has happened. Some attacks won’t be obvious, and involve the injection of hidden code on your website. Use a Security sweeping service like Sucuri to monitor your site for malicious code or intrusions.

Once you have detected a breach, you will want to know where it come from and how to prevent it happening again. Sucuri can be useful in this respect, and also a plugin like WordFence.

10. Back Up!

This is the most important tip. You must have a back up plan in the event that some catastrophic damage is done to your website. Maintain a backup at least once per month. Increase this to once per week if you typically add a page or post this often too.

Keep the Back up in remote storage, or on your personal computer. There is no point in having the backup sitting in the same place as the website your attempting to protect.


That’s our top ten WordPress Security Tips. There are many other things to consider for better security. If you want to stop a wannabe hacker, a competitor or automated bot from damaging your site, these will most likely be enough to get you through. If you want to prevent very determined, resourceful, and skilled individuals from hacking your website, then you should consult with a WordPress Security Professional.

Share this article...


Related Articles...