Updated December 28, 2016 with new instructions for number 8.
There are tons of things you can do to secure WordPress and save yourself from the headache of dealing with hackers and the destruction they can cause on your website.
These are some of the easiest ones, and they’ll let you stop worrying about whether your website is safe from intruders.
1. Create A Unique Username
When you set up your WordPress site, you’re asked to create an admin user. Never use obvious names for this such as admin or administrator. Make this name unique.
The reason is that hackers use the obvious names (such as admin) in their attacks, trying them against a huge list of passwords. If the username admin isn’t valid, their attempts will never succeed even if they have your password.
When creating your username, think of something obscure but easy for you to remember; it doesn’t have to be too complex. A few numbers followed by your name reversed is obscure enough for a username (e.g. 45doejohn).
This isn’t a foolproof method, because your username is available elsewhere on the site (mouse over my name and look at the URL), but it does help prevent (or slow down) automated hacking attempts.
I Already Created My Username
It’s true, WordPress doesn’t let you change your username if you already created your account. It’s easy to switch to a new administrator account, though.
Create a new user in the WordPress admin dashboard under Users > Add New. Fill out your information and make sure you select Administrator from the role dropdown menu. Also, you have to use a different email address for this new user, but you can change it once you delete your old account.
Once your new account is created, log out of your current account, log into the new one and head back to Users > Add New and delete your old account.
You’ll now be asked where to attribute all the old content; select your new account (probably the only one that shows up in the drop-down menu).
Now you can change the email address of your new account back to your regular email address.
This will better protect you against automated scripts that try to hack into your WordPress account using the default username and a list of passwords.
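As an added example (not code from the original post), here is a small must-use plugin that makes the automated attempts described above visible in your logs and stops the login form from confirming whether a username exists. Drop it into wp-content/mu-plugins/; the plugin name, log format and list of guessable names are my own choices.

```php
<?php
/*
Plugin Name: Login Probe Logger (added example, not part of the original post)
Description: Logs failed logins and hides whether a username exists.
*/

// 1. Record every failed login with the username that was tried and the
//    source address, so probes against "admin"/"administrator" show up in
//    the PHP error log (or wherever error_log() is routed on your host).
//    Note: behind a reverse proxy REMOTE_ADDR is the proxy, not the client.
add_action('wp_login_failed', function ($username) {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $guessable = array('admin', 'administrator', 'root', 'test'); // constructed list
    $note = in_array(strtolower($username), $guessable, true)
        ? ' default-username-probe'
        : '';
    error_log(sprintf('[wp-login-failed] user=%s ip=%s%s',
        sanitize_user($username), $ip, $note));
});

// 2. By default WordPress tells the visitor whether the username or the
//    password was wrong. Replace every login error with one generic message
//    so a script cannot learn from the login form which usernames are valid.
add_filter('login_errors', function ($errors) {
    return 'Invalid username or password.';
});
```

Watch the log for a burst of `default-username-probe` entries: that is the password-list attack this tip is meant to defeat, and it is useful evidence when deciding whether a security plugin’s blocking rules are doing their job.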
2. Create A Strong Password
This goes for any website: you need something extremely strong, and you should never use the same password on multiple websites.
That’s kind of hard to do, though; I can’t even remember a phone number!
Good thing most of us have smartphones now! I use a password manager that lets me have one password (that I can remember) for the app only, which gives me access to all the other passwords on my various accounts.
There’s little chance of leaking that one password through a phishing scam or anything else, because it is only ever entered into the app, never into a website.
It can even make some crazy strong passwords for you that would never in a million years be guessed.
I’ve even done this for my bank passwords so they each use a different (very strong) password.
It also helps if I were becoming the victim of a phishing scam: having to retrieve my password gives me time to think about it and hopefully realize I’m giving my password to a complete stranger.
3. Security Plugin
Install a security plugin to keep your WordPress installation secure. These plugins do a number of things to WordPress to make it more secure.
The security plugin I use and prefer is Wordfence but iThemes Security is another great option. The reason I prefer Wordfence is that it is easy to configure and hasn’t caused any interference with other parts of my website. iThemes Security has created a few glitches in my site so I’ve stuck with Wordfence.
iThemes Security is a great plugin, though, so if you want to give it a try, please do; just be on the watch for interference with other plugins.
4. Delete readme.html
Simple. In the root directory of your website (usually the public_ftp folder over FTP) just delete the readme.html file. You don’t need it; you already know what version of WordPress you’re running!
If you don’t update your website to the newest version right away, removing this file means hackers can’t read your exact WordPress version from it and pick the weaknesses to focus on.
Check out some major websites out there that use WordPress by adding readme.html after them; there’s a good chance you’ll find out what version they’re running and just how vulnerable they are.
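One caveat worth knowing: every WordPress core update ships a fresh readme.html, so a one-time deletion is undone at the next update. As an added example (not code from the original post), this must-use plugin re-deletes the file after each core update and on admin page loads; the plugin name and function name are my own.

```php
<?php
/*
Plugin Name: readme.html Cleanup (added example, not part of the original post)
Description: Removes readme.html again after core updates restore it.
*/

// Returns true when readme.html is absent (or was just removed), false when
// it exists but could not be deleted, which usually means a permissions issue.
function wpsec_remove_readme_file() {
    $readme = ABSPATH . 'readme.html';
    if (!file_exists($readme)) {
        return true; // already gone
    }
    if (@unlink($readme)) {
        return true;
    }
    error_log('[readme-cleanup] could not delete ' . $readme . '; check file permissions');
    return false;
}

// Fires when the upgrader finishes; $hook_extra['type'] is 'core' for a
// WordPress core update (as opposed to 'plugin', 'theme' or 'translation').
add_action('upgrader_process_complete', function ($upgrader, $hook_extra) {
    if (isset($hook_extra['type']) && $hook_extra['type'] === 'core') {
        wpsec_remove_readme_file();
    }
}, 10, 2);

// Also run on admin page loads (cheap: one file_exists() call). This catches
// installs updated outside the hook above, e.g. by a hosting control panel.
add_action('admin_init', 'wpsec_remove_readme_file');
```

After the next core update, confirm the fix by requesting readme.html on your own site and checking that it returns a 404 rather than the version banner.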
5. Setup Google Webmaster Tools
This free service from Google gives you a number of useful tools; the best one here is its security section, which warns you if it has detected anything malicious running on your website.
Check it out here and sign up for a free account.
6. Delete Unused Plugins
Not only do they waste space on your server, they could be sitting there with outdated files that are vulnerable to hackers. If you’re not using a plugin, or it hasn’t been updated in a long time, delete it!
This also goes for themes you’re not using, though I like to keep at least one other (the WordPress default theme) around for troubleshooting.
7. Update WordPress
Make sure you log into the WordPress admin panel at least once a week to check for updates. Do minor updates and theme updates as soon as they’re available. Major updates can wait a bit until you’re sure all your plugins and your theme are compatible with it.
To update WordPress just head over to Dashboard > Updates in the admin section. Be sure to take a full backup before updating anything on your site, though! You don’t want to lose valuable information.
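Tips 6 and 7 both come down to keeping an inventory: what is installed but unused, and what is behind on updates. As an added example (not code from the original post), this must-use plugin puts that inventory in an admin notice, keeping the active theme, its parent and the WordPress default theme off the deletion list, as the text above recommends. Plugin name and function name are my own; it assumes WordPress has already run its update checks, which it does on admin visits.

```php
<?php
/*
Plugin Name: Plugin and Theme Housekeeping Report (added example, not part of the original post)
*/

// Builds one line per plugin or theme that is either inactive/unused
// (a deletion candidate) or has an update waiting.
function housekeeping_report_lines() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()
    $lines = array();

    $plugin_updates = get_site_transient('update_plugins');
    foreach (get_plugins() as $file => $data) {
        $active  = is_plugin_active($file);
        $pending = isset($plugin_updates->response[$file]);
        if ($active && !$pending) {
            continue; // active and current: nothing to report
        }
        $lines[] = sprintf('Plugin %s %s: %s%s', $data['Name'], $data['Version'],
            $active ? 'active' : 'INACTIVE, consider deleting',
            $pending ? '; update available' : '');
    }

    $theme_updates = get_site_transient('update_themes');
    // Keep the active theme, its parent (if a child theme is in use) and the default theme.
    $keep = array(get_stylesheet(), get_template(), WP_DEFAULT_THEME);
    foreach (wp_get_themes() as $slug => $theme) {
        $in_use  = in_array($slug, $keep, true);
        $pending = isset($theme_updates->response[$slug]);
        if ($in_use && !$pending) {
            continue;
        }
        $lines[] = sprintf('Theme %s %s: %s%s', $theme->get('Name'), $theme->get('Version'),
            $in_use ? 'in use or default' : 'UNUSED, consider deleting',
            $pending ? '; update available' : '');
    }
    return $lines;
}

// Show the report to administrators at the top of every admin page.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    $lines = housekeeping_report_lines();
    if (!$lines) {
        return; // nothing unused and nothing outdated
    }
    echo '<div class="notice notice-warning"><p>' .
        implode('<br>', array_map('esc_html', $lines)) . '</p></div>';
});
```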
8. Choose An Obscure Table Prefix (updated)
This security option has been updated because it does not actually provide any level of security. A recent article from Wordfence (a recommended security plugin above) debunks the benefit of this security method.
I recommend reading the article and of course fully implementing a security plugin such as Wordfence.
When you’re initially setting up your WordPress website and have to choose the table prefix, make sure you change it from the default wp_ to something more secure. WordPress.org calls this security by obscurity.
That’s all I have! Those are the easy ones, but I’m sure I’m missing some, so I invite you to also tell me what else you can do to easily make your WordPress website more secure.
Join in the conversation in the comments section and add your 2 cents on what people should be doing to protect themselves.
Some of these suggestions came from my own head (meaning I picked them up somewhere online) or from the following article: Hardening WordPress.
Updated 2/18/2016: Removed Cloudflare tip #3 and replaced with security plugin.