5 Steps To Improve WordPress Security

Here are 5 basic security steps anyone can take to harden their WordPress.

In order to protect your WordPress hacked, getting malware, or having your admin account compromised, you should follow some basic security precautions.

1. Change your ‘admin’ username

To do this, Add a New user to your WordPress with administrator privileges, login with the new user, and then remove the exsiting ‘admin’ username account.

We have a tutorial here you can follow: How To Change Your WordPress Admin Username

2. Password protect the wp-login.htm page

You can create an additional login prompt when accessing your dashboard. This is done via Apache’s htpasswd feature.

It may sound daunting, but it is quite simple to setup. Here’s how.

1. Create and empty file called .htpasswd one level above your public_html.

2. Use this tool to create your username and password. It will look something like this:


Copy that line into your .htpasswd file.

3. Place the below code into the .htaccess file in your main WordPress directory (usually public_html). Put it at the very top above anything else that is there.

ErrorDocument 401 default

<Files wp-login.htm>
AuthName "WordPress Admin"
AuthType Basic
AuthUserFile /home/CPANELUSERNAME/.htpasswd
require valid-user

Replace CPANELUSERNAME with your actual username. Often it’s the username you use to login to cPanel.

Now whenever you try to access your /wp-admin or wp-login.htm page you will be presented with an additional login prompt. It only needs to be entered once per session, and you can even save the credentials in your browser so you don’t have to type it every time.

3. Use a strong secure password

Don’t be tempted to pick a basic password just because it is easy to remember. With the latest web browsers, you can set them to save or ‘remember’ your passwords, so there is no reason not to create a random string password, like Jgi&ud76G(yh-e.

If you must for some reason choose a password that you can remember, then you can easily increase the complexity of your password by using uncommon words, using at least one capital letter, numbers, and special characters (such as ! @ ^ * – ()).

For example if your online nickname is “tibby”, and you want to use that as your password because it’s easy to remember, then add a few extra bits to make it ^Tibby21^. It is nice, neat, easy to memorise, and fairly secure.

4. Always upgrade core, and plugins

When new minor version of WordPress are released, you should upgrade as soon as possible. Often the new releases are for fixing security issues. If you don’t upgrade then you leave your website open for malicious users to access.

The same applies to third party plugins that you are using. They should always be upgraded. If you have customised a plugin to make it work with your website, then you should upgrade it, then re-customise it.

5. Limit your plugin and theme usage

Old plugins that have been abandoned and not updated in years should not be used. These plugins may have unpatched security holes and is too great a risk for the majority of users. Any inactive plugins and themes should also be removed from your WordPress. No point in leaving something there that is not being used.

You should try to use only those plugins that are absolutely necessary. If your site can do without a particular plugin, then you should consider not using it. This will help to keep your resource usage low (meaning a faster site with less ‘bloat’) and has the added benefit of making cleanup (in case of hacks) much easier as your site has fewer complexities.

The fewer the plugins your website uses means the fewer potential security holes.

Additional things to consider

Always keep local backups. You can never have too many backups, and never rely solely on your web host’s backups. You should download your files via FTP, particularly everything in your /wp-content/uploads/, your customised theme files, and make a backup of your database using phpMyAdmin.

Choose a web host that takes security seriously. There is no point for you to make all the effort in securing your site only to realise that your web host has not locked down their systems enough and allow other clients access to your files. Pick a host that makes security a priority.

Never use 777 permissions. File permissions should be no more than 644. And folder permission should be 755. Using 777 file permissions is considered a security risk as it makes those files world-writable. You should never use 777 permissions for any WordPress files or folders. If your host requires this, please find a new one.