8 Simple Ways To Secure Your WordPress Website

Written by Nick Leffler | 8 Comments | 6 min read


Updated December 28, 2016 with new instructions for number 8.

There are tons of things you can do to secure WordPress and save yourself from the headache of dealing with hackers and the destruction they can cause on your website.

These are some of the easiest ones that will let you forget about your website and know it’s safe from intruders.

1. Create A Unique Username

When you set up your WordPress site, you’re asked to create an admin user. Never use obvious names for this such as admin or administrator. Make this name unique.

The reason is that hackers will use the obvious names (such as admin) in their hacking attempts, paired with a huge list of passwords. If the username admin isn’t valid, their attempts will never succeed even if they have your password.

When creating your username, think of something obscure but easy for you to remember. It doesn’t have to be too complex. A few numbers followed by your name inverted would be obscure enough for a username (e.g. 45doejohn).

This isn’t a foolproof method because your username is available elsewhere on the site (mouse over my name and look at the URL). It does help prevent (or slow down) automated hacking attempts.

I Already Created My Username

It’s true, WordPress doesn’t let you change your username if you already created your account. It’s easy to switch to a new administrator account, though.

Create a new user in the WordPress admin dashboard under Users > Add New. Fill out your information and make sure you select Administrator from the role dropdown menu. Also, you have to use a different email address for this new user but you can change it once you delete your old account.

Once your new account is created, log out of your current account, log into the new one, head back to Users > Add New and delete your old account.

You’ll now be asked where to attribute all the old content and you can select your new account (probably the only one that shows up on the drop down menu).

Now you can change the email address of your new account back to your regular email address.

That’s it!

This will better protect you against automated scripts that try to hack into your WordPress account using the default username and a list of passwords.

2. Create A Strong Password

This goes for any website: you need something extremely strong, and you should never use the same password on multiple websites.

That’s kind of hard to do, though. I can’t even remember a phone number!

Good thing most of us have smartphones now! I use a password manager that lets me have one password (that I can remember) for the app only, which gives me access to all the other passwords on my various accounts.

There’s a low chance of leaking that password through a phishing scam or something else because it goes into only one app, not into any websites.

It can even make some crazy strong passwords for you that would never in a million years be guessed.

I’ve even done this for my bank passwords so they each use a different (very strong) password.

It also helps if I’m about to become a victim of a phishing scam: having to retrieve my password gives me a lot of time to think about it and hopefully realize I’m giving my password to a complete stranger.

3. Security Plugin

Install a security plugin to keep your WordPress installation secure. These plugins do a number of things to WordPress to make it more secure.

The security plugin I use and prefer is Wordfence but iThemes Security is another great option. The reason I prefer Wordfence is that it is easy to configure and hasn’t caused any interference with other parts of my website. iThemes Security has created a few glitches in my site so I’ve stuck with Wordfence.

iThemes Security is a great plugin, though, so if you want to give it a try please do, just be on the watch for interference with other plugins.

4. Delete readme.html

Simple. In the root directory of your website (usually the public_ftp folder on FTP) just delete the readme.html file. You don’t need it, you already know what version of WordPress you’re running!

If you don’t update your website to the newest version right away, deleting this file keeps it from giving away your exact WordPress version, which would tell hackers what weaknesses to focus on.

Check out some major websites out there that use WordPress by adding readme.html after them, there’s a good chance you’ll find out what version they’re running and just how vulnerable they are.
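An added example (not part of the original post): a small Python check for auditing pages fetched from your own site, reporting whether readme.html, the generator meta tag or the RSS feed still disclose the WordPress version. The sample responses are constructed, and the names `CHECKS` and `find_version_leaks` are assumptions of this example.

```python
import re

# Constructed sample responses (not captured from any real site).
SAMPLE_HOME = ('<html><head>\n'
               '<meta name="generator" content="WordPress 4.4.2" />\n'
               '</head><body>Hello</body></html>')
SAMPLE_FEED = ('<?xml version="1.0"?><rss version="2.0"><channel>\n'
               '<generator>https://wordpress.org/?v=4.4.2</generator>\n'
               '</channel></rss>')
SAMPLE_README = ('<h1 id="logo"><a href="https://wordpress.org/">WordPress</a>\n'
                 '<br /> Version 4.4</h1>')
SAMPLE_HARDENED = '<html><head><title>Example</title></head><body>Hello</body></html>'

# (check name, path suffix the check applies to, pattern capturing the version).
# An empty suffix means the check runs on every response.
CHECKS = [
    ("meta generator tag", "",
     re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I)),
    ("feed generator element", "",
     re.compile(r'<generator>\s*https?://wordpress\.org/\?v=([\d.]+)', re.I)),
    ("readme.html heading", "readme.html",
     re.compile(r'<br\s*/?>\s*Version\s+([\d.]+)', re.I)),
]


def find_version_leaks(responses):
    """responses maps a path on your own site to the body it returned.

    Returns a sorted list of (path, check name, version) tuples, one per
    place where the WordPress version is disclosed.
    """
    leaks = []
    for path, body in responses.items():
        for name, suffix, pattern in CHECKS:
            if not path.endswith(suffix):
                continue  # e.g. the readme pattern only makes sense on readme.html
            for match in pattern.finditer(body):
                leaks.append((path, name, match.group(1)))
    return sorted(leaks)


if __name__ == "__main__":
    site = {"/": SAMPLE_HOME, "/feed/": SAMPLE_FEED, "/readme.html": SAMPLE_README}
    for path, name, version in find_version_leaks(site):
        print(f"{path}: {name} discloses WordPress {version}")
```

An empty result for your own pages means none of these three places names the version; it says nothing about other disclosure paths.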

5. Set Up Google Webmaster Tools

This is a great free service from Google that gives you some great tools to use, the best one being that it has a security vulnerability section that tells you if you have anything bad running on your website.

Check it out here and sign up for a free account.

6. Delete Unused Plugins

Not only do they waste space on your server, they could be sitting there with outdated files which are vulnerable to hackers. If you’re not using it or it hasn’t been updated in a long time, delete it!

This also goes for themes you’re not using, though I like to keep at least one other (the WordPress default theme) around for troubleshooting.

7. Update WordPress

Make sure you log into the WordPress admin panel at least once a week to check for updates. Do minor updates and theme updates as soon as they’re available. Major updates can wait a bit until you’re sure all your plugins and your theme are compatible with it.

To update WordPress just head over to Dashboard > Updates in the admin section. Be sure to do a full backup whenever you’re updating anything on your site, though! You don’t want to lose valuable information.

8. Choose An Obscure Table Prefix (updated)

This security option has been updated because it does not actually provide any level of security. A recent article from Wordfence (a recommended security plugin above) debunks the benefit of this security method.

I recommend reading the article and of course fully implementing a security plugin such as Wordfence.

When you’re initially setting up your WordPress website and have to choose the table prefix, make sure you change it from the default wp_ to something more secure. WordPress.org calls this security by obscurity.

What Else?

That’s all I have! Those are the easy ones, but I’m sure I’m missing some so I invite you to also tell me what else you can do to easily make your WordPress website more secure.

Join in the conversation in the comments section and add your 2 cents on what people should be doing to protect themselves.

Some of these suggestions came from my own head (meaning I picked them up somewhere online) or the following article: Hardening WordPress.

Updated 2/18/2016: Removed Cloudflare tip #3 and replaced with security plugin.


Author Bio:


Nick Leffler

Nick Leffler is the owner of Exprance, a Sacramento web design and digital marketing agency which helps businesses reach their customer online. Nick has grown his online presence with a small marketing budget by blogging, organic social media posting, and email marketing.


  1. kakoma on February 17, 2016 at 9:04 am

    Thanks for these Nick. In addition to displaying the current version number in the meta fields, it is also displayed in the RSS feed. I’m not certain which of these deleting the readme.html caters to but one can address both at a go by adding this to functions.php in the active theme:

    // Return an empty string so WordPress outputs no generator (version) tag.
    function mytheme_remove_version() {
        return '';
    }

    add_filter('the_generator', 'mytheme_remove_version');

    • Nick Leffler on February 17, 2016 at 12:53 pm

      I’ve never seen the version number listed in any meta field or the RSS feed, only the plugin used for caching at the bottom of the RSS feed, no version number though.

      Removing the readme.html doesn’t cater to any of these, but if you are running an older version or don’t update your WordPress version to the latest, it does let people know what version you are running. If there are any bugs that haven’t been fixed in that version, there is a possible way in right there.

      Thanks for the code. Not sure this is still relevant though but maybe you know something I don’t know (probably :). Where can you find the version number in the RSS? The other location it removes seems to be the dashboard which only authorized users usually have access to. If you don’t trust them then that could help you :)

      • kakoma on February 18, 2016 at 9:46 am

        Here’s a screenshot of WP version in the meta tags:

      • kakoma on February 18, 2016 at 9:48 am

        Here’s a screenshot of the version shown in the meta tags; without that code, that version is still viewable for anyone who knows where to look

        • Nick Leffler on February 18, 2016 at 10:38 am

          Ah, I wonder if security plugins such as Wordfence or iThemes Security are the reason I don’t see it on any of my sites, or do you have to dig a bit deeper than just in the normal source code? Possibly those plugins add that code for you in order to hide the version a little better. Deleting the readme.html file is definitely not the best defence but if you do have an older version of WordPress then it could be helpful and this will add another layer of safety although not nearly as much as a security plugin which I need to update this list to include.

          Thanks for the added method!

          • kakoma on February 18, 2016 at 10:47 am

            You are welcome. Yes, please add some security plugins, even as recommendations. I’m certain they take care of a number of these things. Thanks for the article

            • Nick Leffler on February 18, 2016 at 7:55 pm

              Just updated the post with security plugins :-)

              • kakoma on February 18, 2016 at 8:05 pm

                awesome! great stuff
