How To Keep WordPress Secure Like A Fortress

Nick Leffler
8 comments

There’s lots of misinformation out there about WordPress not being secure. It seems that if you see a content management system hacked it’s likely going to be WordPress.

As is common with news and sensationalizing it, there’s some truth here but a whole lot of misinformation. WordPress isn’t insecure at all. In fact, WordPress is extremely secure.

WordPress is the most vulnerable simply because it’s the most used and the most known. There are more developers creating plugins and themes for WordPress than any other platform.

Along with that and the huge user base, there’s also more hackers trying to do harm.

Also with more developers comes more opportunists looking for ways to make a quick buck with little effort. That also leads to more shoddy work, mostly from poorly written plugins, and from themes too.

Because WordPress is a very much living environment that means care must also be taken to stay up-to-date.

The Methods That Will Keep WordPress Extra Secure

If you take care to manage your WordPress installation properly there’s little to no risk of ever getting infected or hacked. With proper care your WordPress website can be just as secure as any other content management system or even an HTML website (almost).

These practices will help keep your website nice and secure.

1) Use A Crazy Secure Password

This one goes for every platform, website, device or anything. Using a common, guessable password is the most harmful thing you can possibly do.

Please don’t use Blink-182 as a password, you’re just asking for trouble if you do.

Use a secure password generator to create as secure a password as possible. There are many apps out there to manage passwords so you don’t have to remember them.

You can even use the one built right into your Apple device or even Chrome browser. I only have to remember one password and my password for everything else is unique and extremely difficult to hack.

Yes, use a different password for every. single. account. online.

That goes for WordPress too, every one of your installations should have a unique username and password. I’ll cover the username shortly.

2) Change Your Password Often

For those websites that deserve and demand the highest level of security (like your website!) then you should change your password often.

My recommendation is to change your password every 90 days but you can find what works for you. It’s better to change it every 6 months than to never change it at all.

3) Don’t Use The Username Admin

Just as important as using a secure password is to not pair your password with the username admin. It’s the most tried username for WordPress website hacks. I typically see anywhere from 3 to 20 tries every week to login with the username admin before the other end gets blocked.

It used to be that the default WordPress admin username was admin, but that’s changing more and more. Generally WordPress installation tools don’t use that username anymore.

Just to be safe, verify you’re not using it either because it’s an invitation to get hacked. If your username is admin and you’d like to change it, read on.

How To Change A WordPress Username

It’s true, WordPress doesn’t let you change your username if you already created your account. It’s easy to switch to a new administrator account, though.

Create a new user in the WordPress admin dashboard under Users > Add New. Fill out your information and make sure you select Administrator from the role dropdown menu. Also, you have to use a different email address for this new user but you can change it once you delete your old account.

Once your new account is created, log out of your current account, log into the new one and head back to Users > Add New and delete your old account.

You’ll now be asked where to attribute all the old content and you can select your new account (probably the only one that shows up on the drop down menu).

Now you can change the email address of your new account back to your regular email address.

That’s it!

This will better protect you against automated scripts that try to hack into your WordPress account using the default username and a list of commonly used passwords. But you wouldn’t be using a commonly used password now, would you?
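The same account swap can be scripted instead of clicked through. This is an added example and not code from the article; it assumes it runs inside WordPress (for instance with `wp eval-file`), and the old login, new login and temporary email address in the call at the bottom are placeholders to replace.

```php
<?php
// Added example (not from the article): replace an "admin" login with a fresh
// administrator account and hand the old account's content to it, the same
// steps as the dashboard walkthrough above. Assumed to run inside WordPress,
// e.g. `wp eval-file replace-admin.php`. Logins and email below are placeholders.

require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

function replace_admin_account( $old_login, $new_login, $temp_email ) {
    $old = get_user_by( 'login', $old_login );
    if ( ! $old ) {
        return new WP_Error( 'no_user', "No account with login '{$old_login}'" );
    }
    // WordPress refuses duplicate logins and emails, which is why the article
    // says to register the new account with a different (temporary) address.
    if ( username_exists( $new_login ) || email_exists( $temp_email ) ) {
        return new WP_Error( 'in_use', 'New login or temporary email already taken' );
    }
    // Long random password, as in tip 1; keep it in your password manager.
    $password = wp_generate_password( 32, true, true );
    $new_id   = wp_insert_user( array(
        'user_login' => $new_login,
        'user_email' => $temp_email,
        'user_pass'  => $password,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $new_id ) ) {
        return $new_id;
    }
    // Delete the old account and attribute all of its posts to the new one
    // (the "Attribute all content to" prompt in the dashboard).
    if ( ! wp_delete_user( $old->ID, $new_id ) ) {
        return new WP_Error( 'delete_failed', 'Could not delete the old account' );
    }
    // The old address is free again, so put it back on the new account.
    wp_update_user( array( 'ID' => $new_id, 'user_email' => $old->user_email ) );

    return array( 'user_id' => $new_id, 'password' => $password );
}

$result = replace_admin_account( 'admin', 'site-owner-7x2q', 'temp@example.com' );
if ( is_wp_error( $result ) ) {
    echo 'Failed: ' . $result->get_error_message() . "\n";
} else {
    echo "New administrator #{$result['user_id']} created; password: {$result['password']}\n";
}
```

Run it once from the command line, log in with the new account and then confirm in Users that the old login is gone and its posts now belong to the new one.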

4) Keep WordPress Up-To-Date

Only 33.2% of WordPress installations are using the most recent version according to WordPress.org stats. That means a staggering 66.8% of WordPress websites are running an older, potentially outdated version. That also means there are a lot of vulnerable WordPress websites out there, which is 100% on the shoulders of the owners of those websites and not at all on WordPress.

WordPress can lead people to a secure WordPress installation but they can’t make website owners drink it. That statistic shocks me every time because aside from having a crazy secure password, updating WordPress is next in line of importance.

There are no excuses for not updating WordPress. There are plenty of excellent WordPress maintenance services (that one’s us!) that can do it for you if you don’t have the time.

If your installation is so custom that you can’t update then you probably should be looking at better solutions to your problem.

WordPress is a dynamic environment and needs to be updated soon after an update is released. That’s especially true if it’s a security update.

5) Use Only Well-Known & Maintained Plugins & Themes

This is an important one after keeping your plugins and theme up-to-date. If you’re using a more obscure theme or plugin then they’re not updated as often nor are vulnerabilities found as quickly.

A popular plugin is more likely to have a lot of eyes on it correcting issues and checking for vulnerabilities than an obscure plugin that nobody cares about. Of course this isn’t going to guarantee anything, but it’s just a good idea.

If a plugin hasn’t been updated for more than 6 months then it’s safe to say you need to find an alternative quick.

There are some malicious plugins out there too which is why I am a firm believer in using well-known plugins and themes. If they have a reputation to uphold in order to bring in new customers then they will care a lot more.

You don’t want to be using a theme or plugin that harvests user information or performs malicious activity itself, even if its author says it won’t. Those kinds of plugins and themes are out there too.

Don’t believe me? Look at the recent debacle that was outlined on the Wordfence blog.
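The six-month rule is easy to check automatically against the wordpress.org plugin directory. This is an added example, not the article's own code: it assumes it runs inside WordPress (for instance with `wp eval-file`) with network access to api.wordpress.org, and it also flags inactive plugins as candidates for deletion, which is the point of tip 8 below.

```php
<?php
// Added example (not from the article): report installed plugins whose last
// wordpress.org release is older than the article's six-month cut-off, and
// flag inactive ones (tip 8: delete what you don't use). Assumed to run inside
// WordPress, e.g. `wp eval-file stale-plugins.php`, with access to api.wordpress.org.

require_once ABSPATH . 'wp-admin/includes/plugin.php';         // get_plugins(), is_plugin_active()
require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // plugins_api()

function find_stale_plugins( $max_age_days = 180 ) {
    $report = array();
    foreach ( get_plugins() as $file => $data ) {
        // "dir/plugin.php" -> "dir"; single-file plugins use the file name as slug.
        $slug = ( dirname( $file ) === '.' ) ? basename( $file, '.php' ) : dirname( $file );
        $info = plugins_api( 'plugin_information', array(
            'slug'   => $slug,
            'fields' => array( 'last_updated' => true, 'sections' => false ),
        ) );
        $active = is_plugin_active( $file ) ? 'active' : 'INACTIVE, delete if unused';

        if ( is_wp_error( $info ) || empty( $info->last_updated ) ) {
            // Premium or custom plugins are not in the directory; check the vendor by hand.
            $report[ $file ] = "{$data['Name']} ({$active}): not on wordpress.org, verify manually";
            continue;
        }
        // last_updated looks like "2019-04-10 6:09pm GMT"; strtotime() parses it.
        $age_days = (int) ( ( time() - strtotime( $info->last_updated ) ) / DAY_IN_SECONDS );
        if ( $age_days > $max_age_days ) {
            $report[ $file ] = "{$data['Name']} ({$active}): STALE, last release {$age_days} days ago";
        }
    }
    return $report;
}

foreach ( find_stale_plugins() as $file => $status ) {
    echo "{$file}: {$status}\n";
}
```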

6) Check For Plugin & Theme Updates Often

This is similar but not the same as actually updating your WordPress installation. If you’re going to update often then you need to be aware if there are updates to run.

If you install WordPress, set up your website and then leave it for six months without checking in then you’re going to have issues. Your updates aren’t going to run on their own, you have to actively check for them and run them.

So, check for updates at least once a week.

7) Security Plugin

Install a security plugin to keep your WordPress installation safer. These plugins do a number of things to WordPress that will help secure it.

Not all of them do the best job and some interfere with plugins but generally, you’re safer with a security plugin than without even if your host takes care of some security measures.

The security plugin I use and prefer is Wordfence but iThemes Security is another popular option. The reason I prefer Wordfence is that it is easy to configure and hasn’t caused any interference with other parts of my website while iThemes Security has.

8) Delete Unused Plugins

Not only do unused plugins waste space on your server, but they can also still leave vulnerabilities on your server while disabled. If you’re not using it or it hasn’t been updated in a long time, delete it!

This also goes for themes you’re not using too.

9) Set Up Google Search Console

It’s free to set up and in your search console, you’ll be able to see if your website has been flagged as hacked.

Check it out here and sign up for a free account.

Older Recommendation/Security Myths That Aren’t That Important

I just rewrote this entire article in April 2019 because things (and my knowledge) change a lot. There are some items I had on the original list that were debunked as true security measures.

There are also others that I knew were bogus suggestions, and I decided to include them here also. I still see a lot of people who don’t know any better, but I cannot blame them because at one time I didn’t know any better either.

The best I can do is make it known like the rest of the security gurus have.

Now for the list of some older security recommendations and myths that are no longer useful.

1) Change the wp-admin URL

This isn’t a good way to do security at all. It’s going to do more harm than good because some WordPress plugins are hard coded to use the wp-admin URL for admin login.

In the long run this isn’t going to help you, it will just make your life more difficult.

2) Delete readme.html

In the root directory of your website (usually the public_ftp folder on FTP) there’s a readme.html file that shows what version of WordPress you’re using.

Many websites have this file and it was previously recommended to delete it. No need, there are many other methods hackers can use to figure out your version of WordPress.

This also shouldn’t matter because you’re using the most updated version of WordPress, right!?

This method is also outdated because it’s a losing battle. No matter how many times you delete the file it’ll show back up. It’s like playing whack-a-mole!

3) Choose An Obscure Table Prefix

A recent article from Wordfence (a recommended security plugin above) debunks the benefit of this security method.

I recommend reading the article and of course fully implementing a security plugin such as Wordfence.

When you’re initially setting up your WordPress website and have to choose the table prefix, just leave it alone. There’s no reason to change it and it won’t protect you anyway.

What Else?

That’s all I have! Those are the most important security measures you can take to keep WordPress secure. There are more, I know, and I will add them, but for now, if you see any important ones missing, leave them in the comments.

WordPress.org has a whole page about hardening WordPress. That’s just a fancy way of saying keep it more secure and make it less vulnerable to hackers.

This post was originally posted in 2015, updated in 2016 and majorly overhauled with a new date in April 2019.


    • Thanks for these Nick. In addition to displaying the current version number in the meta fields, it is also displayed in the RSS feed. I’m not certain which of these deleting the readme.html caters to but one can address both at a go by adding this to functions.php in the active theme:

      function mytheme_remove_version() {
          return ''; // an empty string replaces the WordPress version in the generator tag and the feeds
      }

      add_filter( 'the_generator', 'mytheme_remove_version' );

      • Nick Leffler

        I’ve never seen the version number listed in any meta field or the RSS feed, only the plugin used for caching at the bottom of the RSS feed, no version number though.

        Removing the readme.html doesn’t cater to any of these, but if you are running an older version or don’t update your WordPress version to the latest, it does let people know what version you are running. If there are any bugs that haven’t been fixed in that version, there is a possible way in right there.

        Thanks for the code. Not sure this is still relevant though but maybe you know something I don’t know (probably :). Where can you find the version number in the RSS? The other location it removes seems to be the dashboard which only authorized users usually have access to. If you don’t trust them then that could help you 🙂

        • Here’s a screenshot of the version shown in the meta tags; without that code, that version is still visible to anyone who knows where to look

          • Nick Leffler

            Ah, I wonder if security plugins such as Wordfence or iThemes Security are the reason I don’t see it on any of my sites, or do you have to dig a bit deeper than just in the normal source code? Possible those plugins add that code for you in order to hide the version a little better. Deleting the readme.html file is definitely not the best defence but if you do have an older version of WordPress then it could be helpful and this will add another layer of safety although not nearly as much as a security plugin which I need to update this list to include.

            Thanks for the added method!

            • You are welcome. Yes, please add some security plugins, even as recommendations. I’m certain they take care of a number of these things. Thanks for the article

        • Here’s a screenshot of WP version in the meta tags:
