Security For WordPress

There are many ways to tighten up the security for your WordPress site and one of the most important ones is to make sure your WordPress login screen is secured. Some options for this include:

  • Never using “admin” as your username
  • Require a captcha to access your WP Login page
  • Installing an SSL certificate and logging in over HTTPS
  • Installing a security plugin that will do many of these things for you

Better WP Security

A quick way to get a bunch of extra security installed on your site is with the Better WP Secuirty WordPress plugin. Better WP Security provides one-click protection that will turn on a lovely set of security features without riskying breaking any plugins or themes. There are additioanl advanced features which you may optionally enablefor added security, but the one-click protection is an excellent first step and we recommended it for all WordPress sites.

Recommended Advanced Settings

Some of the advanced settings can really cause some trouble if you don’t plan a head. For example, if you rename the wp-content folder it can break some plugins, themes, and causes images to not show up. On the other hand, there are a couple extra steps you should consider.

Hide Backed Options

Under the “Hide” tab (or Security -> Hide Backend in the admin menu) you have the option to change the URLs for loging in to your site. This is a more advance feature to enable because it requires permalinks to be enabled and it writes some rules to your .htaccess file. Having said that, there is almost no risk that enabling this feature will harm any of your plugins or your WordPress theme. You may want to change the default values to something unique for your site. Once enabled, access to your /wp-login.php page and the /wp-admin link will return as 404 Not Found. You can’t break in if you can’t find the doors, and this is a great and easy way to hide your entry points.

Secure wordpress by hiding backend URLs

Scheduled Backups

We’ll have more on backups later, but if you don’t have any scheduled backups, Better WP Security can help you with this as well. You can schedule backups of your database to be either stored on your server or emailed to you.

This is not a solution for backing up all the files on your site, this only backs up the database. Soon, I’ll show you a custom PHP script that you can run that will backup your site files and your database and store them on a different server. If you don’t have any other backups, you should at least enable this feature. You can even create an on-demand backup of your database which comes in handy for times when you are about to update some plugins or even update WordPress core to the latest version.

Rename Admin User And Change Admin ID

One last step you should consider is making sure that you change the admin username to something else and also changing the default ID for the admin user to something other than 1. Under Security => Admin User you will have the option to change the admin user name and also the admin user ID.

Other Advanced Security Options

You may want to ban certain bots, and it is a good idea to at least enabled the default banned blacklist from HackRepair.com. Also changing the prefix of your database tables from wp_ to something else is a good idea that probably won’t have much negative impact on your WordPress site unless you are running a multi-site WordPress setup. All of the security settings that Better WP Security offers are well worth your consideration, and the ones we just stepped through are certainly excellent choices for keeping your site secure.

Rolling Your Own Security For WordPress

If you choose not to install a security plugin to help your security for WordPress, here are a few things you can easily do on your own.

Never Use “admin” As Your Username

You have probably heard how important it is to have strong passwords that use upper and lower case characters, numbers, and symbols. There is also something to be said for having a strong username too.

Many times, when WordPress is installed it creates an Administrator user with admin as the username. Since this is such a common username and because it is a user that has the most powersful level of access it is a high value target for hackers. All they have to do is guess the password and they will have full control over your WordPress site. So make it harder on hackers by forcing them to guess BOTH your username AND your password.

Deny Access To Login Page

One quick way to provide a solid barrier is simply to only allow your IP address to access the login page wp-login.php. This is a quick and easy solution that is very secure. The only drawback is, if you have a dynamic IP address or need to access your site from multiple locations it can be annoying to maintain the white list of IP addresses that are allowed to access your login page.


order deny,allow
Deny from all

# Whitelist IPs That May Connect
allow from xxx.xxx.xxx.xxx
allow from yyy.yyy.yyy.yyy

Of course, change the Xs and Ys you your actual IP addresses.

How Do You Secure WordPress?

Do you have any other ideas that you’d like to share about security for WordPress? If so, please share them with us.