A beginner’s guide to WordPress security

Self-hosted WordPress websites are powerful marketing tools for business. Being an open source platform, WordPress offers endless possibilities, the most professional looks and the latest functions. But, as some would say, with great power comes great responsibility, and this case is no exception. Security should be your number one priority when working on your website. The platform already takes care of a great part of it, but there is still a lot you can do to shield your site from unauthorized access. Here is a list of basic actions you can take to improve your WordPress website's security.


Use a secure hosting company

First, make sure your hosting provider is up to date with the latest requirements. If they're not, hackers and spammers will take advantage and target any security vulnerabilities. Look for these features when considering your options:

  • Support for the latest PHP and MySQL versions
  • Account isolation
  • Web Application Firewall
  • Intrusion detection system

A couple of the best hosting providers out there are Bluehost* and Siteground.

* This is an affiliate link.


Change the default username

Avoid using “admin” as your username. Most of the attack attempts that affect an average WordPress website come through the /wp-admin or /wp-login pages. They are called brute-force attacks: the attacker tries numerous password combinations against the “admin” username. Changing that username saves you a lot of trouble. I also recommend not using your domain name as your username, as it is the second most obvious guess.


Set a strong password

To complement the previous point, avoid weak passwords made only of recognisable words. Instead, go for a strong combination of lowercase and uppercase letters, numbers and special characters. Try to make it 15-20 characters long. That way, it will be virtually impossible for a bot to hit the right combination. I also recommend updating your password once every couple of months.

How to set a new password: Visit Users > Your Profile in the sidebar.


Add secret keys

WordPress secret keys add an extra layer of protection. They are not set up by default, so you will need to do it yourself. Simply access your wp-config file via file manager or FTP and look for the following line of code:

define('AUTH_KEY', 'put your unique phrase here');

That's the first line of a group of eight lines with a similar structure. Use the WordPress secret key generator (https://api.wordpress.org/secret-key/1.1/salt/) to get a random set of keys. Copy the result you get there and replace the eight lines in your file. Don't forget to save the changes!
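If you would rather not fetch the keys from a website, the eight lines can be generated locally, and an existing wp-config.php can be checked for lines that were never replaced. The script below is an added example, not code from this post or from WordPress itself; the key names are the eight WordPress defines, the helper names and the sample config are my own, and the 32-character minimum is an assumption, not a WordPress rule.

```php
<?php
// Added example, not code from the post or from WordPress itself.
// Two helpers: one generates the eight key/salt lines locally (so you do not
// have to fetch them over the network), the other inspects a wp-config.php
// for keys that are missing or still carry the sample placeholder.

const WP_SECRET_KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Each value is 64 bytes from the operating system's CSPRNG, base64-encoded so
// it contains no quotes or backslashes and can sit inside a single-quoted string.
function generate_secret_key_lines(): array
{
    $lines = [];
    foreach (WP_SECRET_KEY_NAMES as $name) {
        $value   = base64_encode(random_bytes(64));
        $lines[] = sprintf("define('%s', '%s');", $name, $value);
    }
    return $lines;
}

// Returns the names of keys that are absent, still read "put your unique phrase
// here", or are shorter than 32 characters (an assumed minimum, not a WordPress
// rule). Pass it the contents of wp-config.php.
function find_weak_secret_keys(string $config_source): array
{
    $weak = [];
    foreach (WP_SECRET_KEY_NAMES as $name) {
        $pattern = "/define\\(\\s*'" . $name . "'\\s*,\\s*'([^']*)'\\s*\\)/";
        if (!preg_match($pattern, $config_source, $m)) {
            $weak[] = $name;   // never defined
        } elseif (stripos($m[1], 'put your unique phrase') !== false || strlen($m[1]) < 32) {
            $weak[] = $name;   // placeholder or too short
        }
    }
    return $weak;
}

// Constructed sample of a half-edited wp-config.php: one real-looking key,
// two placeholders, the remaining five lines missing entirely.
$sample = <<<'CFG'
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'Qm1x7dK3pZ9sV2tL8wR4nH6cJ0yB5fA1eG3uT7iO9kM2xP4vS6zD8aN0qW1rY5jC');
CFG;

foreach (find_weak_secret_keys($sample) as $name) {
    echo "replace or add {$name}\n";
}

// Paste the output of this loop over the existing block in wp-config.php.
echo implode("\n", generate_secret_key_lines()), "\n";
```

Run it with `php keys.php` on any machine with PHP 7 or later; nothing in it touches your site, so you can review the output before editing wp-config.php. Changing the keys logs every user out, which is exactly what you want after a suspected compromise.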


Change the database table prefix

Another way to protect your database from unauthorised access and modifications is to change the default table prefix, wp_. If you haven't set up your WordPress website yet, you can do this during the installation process, when you edit the wp-config file to connect your database. If your website is already running, or if all this sounds like a foreign language, you can achieve the same result with a plugin such as WP Prefix Changer.
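On a site that is already running, a prefix change is more than renaming tables: the prefix is also stored inside some rows. The script below is an added example, not code from this post or from the WP Prefix Changer plugin. It prints the SQL such a change needs so you can read it before running it against a backup; the function name, the replacement prefix `k7q_` and the choice to only handle the twelve core tables are my own assumptions.

```php
<?php
// Added example, not code from the post or from the WP Prefix Changer plugin.
// It prints the SQL a prefix change needs so you can review it before running
// it yourself, and it refuses prefixes WordPress would reject in wp-config.php.

// The twelve core tables of a single-site install. Plugins add their own;
// list those too (SHOW TABLES LIKE 'wp\_%' finds them) before migrating.
const WP_CORE_TABLES = [
    'commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
    'termmeta', 'terms', 'term_relationships', 'term_taxonomy', 'usermeta', 'users',
];

function table_prefix_change_sql(string $old, string $new, array $tables = WP_CORE_TABLES): array
{
    // WordPress only accepts letters, digits and underscores in $table_prefix.
    foreach ([$old, $new] as $prefix) {
        if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
            throw new InvalidArgumentException("invalid table prefix: {$prefix}");
        }
    }

    $sql = [];
    foreach ($tables as $table) {
        $sql[] = sprintf('RENAME TABLE `%s%s` TO `%s%s`;', $old, $table, $new, $table);
    }

    // Two places store the prefix inside row data, not just in table names:
    // the roles option and the per-user meta keys (wp_capabilities,
    // wp_user_level, ...). In a LIKE pattern "_" is a wildcard, so escape it.
    $like = str_replace(['%', '_'], ['\\%', '\\_'], $old) . '%';
    $sql[] = sprintf(
        "UPDATE `%soptions` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';",
        $new, $new, $old
    );
    $sql[] = sprintf(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s';",
        $new, $new, strlen($old) + 1, $like
    );
    return $sql;
}

// Dry run with the default prefix and a constructed replacement.
foreach (table_prefix_change_sql('wp_', 'k7q_') as $statement) {
    echo $statement, "\n";
}
// After the SQL has run, set $table_prefix = 'k7q_'; in wp-config.php.
```

Take a full database backup before applying any of this; if the user_roles option or the usermeta keys are missed, every account loses its capabilities and nobody can log in to the dashboard.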


Install Limit Login Attempts + Whitelist My IP

These two plugins will help you mitigate the brute-force attacks mentioned above. The first limits the number of times an IP address can try to log in through your login page, by blocking that IP after a certain number of unsuccessful attempts. The second prevents you from getting locked out of your own site. It is not very common, but it does happen. To prevent it, you just need to add your own IP address to the safe list.
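To show what those two plugins are doing under the hood, here is a small must-use plugin that counts failed logins per IP address, locks the address out after a limit, and skips the check for addresses on a safe list. It is an added example, not this post's code and not the Limit Login Attempts or Whitelist My IP plugins; the `tlt_` names, the limit of 5 attempts in 15 minutes and the safe-list address 203.0.113.10 are my own constructed values. It uses only WordPress's own hooks (`authenticate`, `wp_login_failed`, `wp_login`) and transients, and it also logs the username each failed attempt used, so you can see how often “admin” is being tried against your site.

```php
<?php
/*
Plugin Name: Tiny Login Throttle (example)
Description: Added example of what a login limiter and an IP safe list do. Not the Limit Login Attempts or Whitelist My IP plugins.
*/
// Drop this file into wp-content/mu-plugins/ to load it without activation.

define('TLT_MAX_ATTEMPTS', 5);             // failed logins allowed per IP...
define('TLT_LOCKOUT_SECONDS', 900);        // ...within this window (15 minutes)
define('TLT_SAFE_IPS', ['203.0.113.10']);  // constructed value; put your own public IP here

function tlt_client_ip(): string
{
    // REMOTE_ADDR is set by the web server. Only trust X-Forwarded-For if a proxy
    // you control rewrites it; otherwise a client can spoof its way onto the safe list.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function tlt_transient_key(string $ip): string
{
    return 'tlt_fail_' . md5($ip);
}

function tlt_is_safe(string $ip): bool
{
    return in_array($ip, TLT_SAFE_IPS, true);
}

// Runs after WordPress's own password check (priority 20), so a locked-out IP
// gets an error even when it finally guesses the right password.
add_filter('authenticate', function ($user, $username, $password) {
    $ip = tlt_client_ip();
    if (tlt_is_safe($ip)) {
        return $user;
    }
    $fails = (int) get_transient(tlt_transient_key($ip));
    if ($fails >= TLT_MAX_ATTEMPTS) {
        return new WP_Error('tlt_locked_out', __('Too many failed login attempts. Try again later.'));
    }
    return $user;
}, 30, 3);

// Count every failure per IP. The transient expires on its own after the window,
// which is what ends the lockout; attempts made during a lockout also count,
// so they extend it. The attempted username goes to the PHP error log.
add_action('wp_login_failed', function ($username) {
    $ip = tlt_client_ip();
    if (tlt_is_safe($ip)) {
        return;
    }
    $key   = tlt_transient_key($ip);
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, TLT_LOCKOUT_SECONDS);
    error_log(sprintf('[tlt] failed login %d/%d for "%s" from %s', $fails, TLT_MAX_ATTEMPTS, $username, $ip));
});

// A successful login clears the counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(tlt_transient_key(tlt_client_ip()));
}, 10, 2);
```

Transients live in the wp_options table (or the object cache if one is installed), so the counters survive across requests without any extra table. Keep the safe list short: every address on it bypasses the limit entirely, which is the same trade-off the Whitelist My IP plugin makes.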


Always update!

This is the easiest step! Keep everything up to date. Being an open source platform, WordPress is constantly evolving to improve site performance, introduce new features and fix bugs and security issues. If your website is running on an old WordPress version, or your theme and plugins are outdated, you are more vulnerable to attacks. It's crucial to use the latest version of WordPress and to keep your themes and plugins updated too.

Additionally, when choosing a theme for your website, make sure it has been updated recently (at least, after the latest WordPress version release) and that it gets updated regularly. Avoid using themes and plugins that are not used by a large number of people, or that look like they have been abandoned by their creators.


Backup often

It's crucial that you back up your site regularly. If you do not want to back up the site manually by using FTP and downloading a copy of the database, use a plugin.

Nobody is completely safe from security issues on the internet, even if you take all the actions in this post. The problem doesn't necessarily come from outside: sometimes, when updating elements or modifying options, we reach a point where restoring the latest backup is the easiest fix. If you have a fairly static site, one backup per month should be OK. If you are constantly uploading new content, or have an online shop that receives daily or weekly orders, you should definitely back up at least once per week.


I hope you find this post useful! What other actions have you taken to make your WordPress website more secure? Feel free to post your experiences and questions in the comments.

If you need further help, I offer personal WordPress lessons via Skype, so you can learn by working on your own project, without needing programming skills and at your own pace.



This post was originally published at Lovely Blog Academy.

Cris Castro Moral

Hi! My name is Cristina and I am a freelance graphic designer and illustrator. I blog about small businesses, marketing, social media and design under all its forms.

1 Comment
  • Lindsay
    February 13, 2017 at 5:43 pm

    Thanks so much for breaking this down for me! It all gets overwhelming pretty quickly so it’s lovely to have a step-by-step list. I will definitely be using this advice!