10 Ways to Make Your WordPress Site More Secure Today

JoeSecurity, Tips, Wordpress

Wordpress Dashboard

1. Choose a Secure Password

This is a no-brainer. The more complex your password is, the harder it is to guess. Recent versions of WordPress have the ability to generate strong passwords, and tell you how strong / weak your chosen password is. Use this as a guide to choosing a good password. You can find this in your Admin Dashboard under Users > Your Profile

Strong Password

Weak Password

2. Keep Your WordPress Updated

Don’t ignore those new version notifications for too long. You should generally update your WordPress shortly after a new version comes out. Lots of people like to ignore those – mainly because sometimes updates can break something. However updates are there for a reason. They typically fix security holes and bugs, in addition to adding in new features.

3. Keep Your Plugins and Themes Updated

Just like keeping your core WordPress updated, you should also keep up with updates to your plugins and themes. You will generally be alerted in in your Admin Dashboard when updates are available.

Wordpress Updates Toolbar

Wordpress Menu Update Notifcation

Don’t ignore these. Plugins and themes typically have more updates than the core. We’ve seen (and have recovered) quite a few sites that were hacked through exploited security holes in both plugins and themes.

4. Install a Security Plugin

There are quite a few security plugins out there. Here are our personal favorites that we use on both our sites and sites we create for clients:

iThemes Security
iThemes Security Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.

Wordffence Security
WordfenceWordfence alerts you quickly in the event your site is compromised. Wordfence Security is 100% free and open source. They also have a premium upgrade.

Note: With security plugins, you should only have one installed to avoid conflicts.

5. Limit Login Attempts

Install a plugin like WP Limit Login Attempts to put limits on how often someone can try to log into your admin. Note: a lot of security plugins have some sort of login limit included. If yours doesn’t, there are a lot of stand-alone options.

5. Avoid Using Your Nickname on Your Blog

If your username is your WordPress author name, then you are letting hackers know almost 50% of your login information. So, choose a new nickname and use it as your author name. You can go to settings and search for the “Nickname Field” under “Your Profile”.

6. Disable Pingbacks

Pingbacks and Trackbacks are used to get notifications whenever someone links to your post. However, pingbacks can also compromise your  security. Enabled pingbacks can be used in Distributed Denial-of-Service (DDoS) attacks. The easiest way to avoid that is to disable them in under Settings > Discussions.

Disable Pingbacks

7. Avoid Malicious Themes & Plugins

Only install themes and plugins from trusted sources, such as the official WordPress Directories for Themes and Plugins. We also like a lot of the premium marketplaces out there, such as ThemeForest and CodeCanyon. Never download and install pirated themes or plugins. You should also avoid free themes if they are not in the official WordPress Directory. Malicious themes and plugins can contain hidden code to steal login information, display hidden backlinks to spam sites, and generally compromise your site’s security.

8. Delete Old Themes and Plugins

If you’re not using a plugin or a theme, delete it. Simple as that. Keep your WordPress lean and clean. You can always re-install things again later, if needed.

9. Change your Password Periodically

It’s good practice to change your admin password every 3-6 months on average. If your site has been compromised (or you suspect it has been) then change your password ASAP.

10. Restrict WordPress Admin Login through IP

If you’re an advanced user and your IP address does not change, you can go into your server and edit the .htaccess file to only allow logins from your IP and deny everyone else. Enter the following code in your .htaccess file – be sure to change the allow from IP’s to your IP address.

## Restrict WordPress Login Pages to Your Own IPs ##
<Files wp-login.php>
order deny,allow
deny from all
allow from
allow from
<Files login>
order deny,allow
deny from all
allow from
allow from

Hopefully these tips will help you secure your site and keep them hack-free!

Want more?

Get instant access to our free online library and toolbox full of helpful time-saving ebooks, printable checklists, royalty-free graphics, training videos, templates, shareable social media images, and much more! We’re pretty confident you’ll find something useful in there that will help you build your business online!

Free Digital Resource Library

Already a member? Awesome! Login >>