10 WordPress security tips you can implement right now

WordPress Security Tips

Get prepared for them hackers!

Implementing these WordPress security tips will help secure your site and save you the stress of having to repair a hacked website.

Invest 15 minutes now going through this list and implement as many of them as you can and rest easy knowing your site is hardened against the most common forms of WordPress attacks.

Beyond clear-cut blackhat webspam, the second-biggest category of spam that Google deals with is hacked sites.Matt Cutts head of Google’s Webspam team

10 WordPress security tips you can implement now

1. Setup scheduled backups

This might not sound like a security tip but it’s actually the most important one. If anything goes wrong with your site, even if it’s not a security issue, you’ll be able to revert back to your backups.

Find out how to schedule WordPress backups.

2. Get the right web hosting

Having professional web hosting makes a huge difference, not only to how vulnerable your site is but in how it recovers if it is hacked. A quality hosting company will have good security as a first line of defence and a strong response when something does go wrong.

This is one reason why I recommend Hostgator. They also have an excellent free migration service if you decide to move to them.

3. Strong passwords

Weak passwords are one of the key ways that hackers gain access to your website.

I use a secure text document for all my websites, where I type a crazy password first and then paste it into the login screen, allowing Firefox to save it into the browser where I can retrieve it instantly later with the Secure Login addon.

This means I can use incredibly difficult passwords without having to remember them. Google Chrome does the same thing without any addons.

You can change your WordPress login password by visiting Users >> Your Profile and scrolling down to the About Yourself section.

4. Install the Limit Login Attempts plugin

The Limit Login Attempts plugin provides an extra layer of security on your now strong passwords system by blocking anyone from trying to guess them.

After a number of attempts the plugin will block their IP address (every computer network has this unique signature) and prevent them from accessing your website for a set time.

These settings can be changed from Settings >> Limit Login Attempts. Having setup a failsafe passwords system in the previous steps, we’re free to harden the settings considerably.

Limit Login Attempts WordPress plugin

You can return here to review any blocked attempts – It’ll make you glad you installed this plugin!

5. Change your login username ‘admin’

If when you login your username is ‘admin’ then any hacking attempts only have to guess your password. After changing this to something more complex it puts up yet another barrier to the most common hacking attempts.

Install and activate the Admin username changer plugin and visit the new menu item of the same name in WordPress.

Admin Username Change

Enter a new username and click the Change button. You will have to login again straight away with your new username and password.

6. Keep WordPress updated

The single best piece of advice I can give to prevent website hacking is “keep your web server software up-to-date and fully patched.” That prevention is much better than the hassle of cleaning up a hack. – Matt Cutts

Whenever you login to your self-hosted WordPress site, you can check for available updates by going to Dashboard >> Updates. Keeping the core WordPress software, theme and plugins updated is an important security measure.

If you’re using a plugin or theme that hasn’t been updated in a while you may want to search for one that is better supported.

Update Warning!

If your theme files have been directly edited by yourself or a developer, then updating will wipe over those changes. If however you’ve made changes from an interface on the theme admin then you should be fine as this information is stored on your sites database.

7. Install the Sucuri Sitecheck Malware Scanner plugin

The Sucuri SiteCheck plugin will check your WordPress site for malware, spam, and other issues.

Scan your site for malware and spam

After activation you can perform a scan of your site by going to Sucuri Free >> Sucuri Scanning and clicking the Scan this site now! button. It should return an all green and clear report. If not then the plugin gives you some options for getting it clean again.

Harden your WordPress install

This is another important tool that secures some of the vulnerable folders on your WordPress site. Go to Sucuri Free >> 1-click Hardening and click the Harden it! buttons until they are all secured.

Keep this plugin activated for continued protection.

8. Scan your theme for malicious code

If you’re using a theme from the official WordPress directory, or one from a reputable provider you can skip this step. Many free themes though, are copied and can have evil code in them.

The Theme Authenticity Checker (TAC) plugin will scan your theme files to make sure there is nothing threatening your sites integrity. After activation visit Appearance >> TAC and the plugin will automatically scan your currently active theme.

If there are any issues, I would recommend using a different theme. Explore some excellent premium WordPress themes.

9. Remove inactive plugins and themes

Inactive plugins and themes present potential entry points for hacking attempts. Deleting all of them removes these holes as well as avoiding unnecessary updates.

Go to Appearance >> Themes or Plugins >> Installed Plugins to review and delete them.

10. Install the WP Security Scan plugin

The WP Security Scan plugin checks your site for various security vulnerabilities and suggests ways to fix them.

Scan folders for correct permissions

Start a scan by visiting WSD security >> Scanner. The plugin will alert you to any changes that need to be made.

Password Tool

The plugin provides a quick way to change your WordPress password by going to WSD security >> Password Tool.

Backup and change your database prefix

The database sits on the server and stores your theme and plugin settings as well all the content of your posts and pages.

Start by visiting WSD security >> Database and in the Database Backup section, click the Backup now! button. You can click the database links on the right hand side to download them to your computer.

Every WordPress install creates a database with a specific prefix (usually wp_).  To fix this security vulnerability enter a short string of random characters into the field and click the Start Renaming button.

Change Database Prefix - WordPress Security

Keep this plugin activated for ongoing protection.

Comment Spam

This isn’t necessarily a security issue but certainly one that comes up very often.

How to eliminate comment spam in WordPress.

Rejoice my friends!

You’re now prepared for the most common attacks on your WordPress domain.

Any issues or questions please let us know in the comments! :-)

photo credit

6 Responses to “10 WordPress security tips you can implement right now”

  1. Leigh Robshaw February 15, 2013 at 7:20 pm #

    Thanks for this awesome list Herrin, very useful. I will implement all of these strategies immediately.

  2. Ranan March 12, 2013 at 11:43 pm #

    Thanks for the tricks.
    I have recently attacked and from now, I use “antivirus” to scan the authenticity of my theme, “website defender” to scan the integrity of the core wordpress.
    From the FTP server, I restrict the IP address from where I made the uploads.

  3. Alex Jones March 25, 2013 at 1:56 am #

    My friend,

    You shared some awesome stuff here. I was looking for some tips and this post is just amazing. Most of us really don’t care about those small things but by implementing these small tweaks, we can really make WordPress more secure.

    Thanks a lot.

  4. Tamanna March 31, 2013 at 3:21 pm #

    Thanks for the great tips. I am using Better WP Security. It does most of the things you have told on it’s own.

    • Herrin Larkan March 31, 2013 at 7:19 pm #

      Hi Tammanna – That’s probably true I just found the Sucuri cleaning system to be a good thing for people to know about, plus the two of them being a bit simpler to use it caters more to my audience. i.e. users that want to get a result with a minimum of fuss. However it is a very powerful plugin with a great reputation. Perhaps I could add this as an alternative. Thanks for your comments! :-)

  5. Rishikant April 17, 2013 at 2:17 pm #

    Thanks for this wonderful tips.

We'd love to know your thoughts...