Make WordPress more secure in just 30 minutes.
I’m embarassed to admit that I once had three WordPress websites hacked in a single day.
My mother-in-law called: “Why is the family photo site not working?” she asked, “There’s a strange message there.”
The site had been hacked and defaced. The strange message she saw was in promotion of the hackers
This didn’t endear me to their cause. They interrupted my customers’ businesses and they defaced our websites.
So I took down the message and cleaned up the sites.
To say I “cleaned up the sites” makes it sound pretty straightforward; it wasn’t! It took days to get things back to normal, even with the backups I had.
Two of the sites belonged to customers of mine. These were customers who had refused my offers of site maintenance. They had not kept their sites up to date nor secured them in any way.
And, I’m ashamed to admit, there was also the family site. I had done nothing to secure it. My attitude was “no-one’s coming to this site so why worry about security?”
A Pipe Dream
I used to dream of the day when I could wake up with the happy knowledge that all my customers’ WordPress sites were samoehow as safe as houses. Completely hacker-proof. Impervious to all but the most determined attacks.
Years of experience tell me that such a state is impossible. This is partly due to the very nature of websites in general and of WordPress in
- the code is visible to anyone who wants to look (right-click in your browser and select view source or similar)
- most of the software used is free, which is a good thing, so …
- the problems in the software are public knowledge. Not such a good thing because hackers will pounce on a problem as soon as they hear about it. They know people will NOT always do the work they should to keep things safe, like updating software.
As easy as it is to keep a site up to date, it is also easy NOT to keep it up to date.
But it’s human nature after all to take the easy path. So, here’s an easy routine to make you feel instantly safer.But it’s human nature after all to take the easy path. So, here’s an easy routine to make you feel instantly safer.
This routine is easy because:
- Anyone can do it
- Each step takes about 5 minutes or less
- Everything you need is FREE
So, if you want a more secure WordPress website 30 minutes from now, read on …
Some Advice – Be Among the 3% Who Take Action
97% of people will read this information and do nothing else.
Information is only potentially useful. It must be put to use.
Be one of the 3% who
5 Steps To A More Secure WordPress Website
I don’t in any way want to trivialise the whole complex topic of website security. But you can improve your own site security by following this step-by-step guide.
Step 1. BackUp WordPress
Do I need to spell this one out?
Before you ever do anything to secure your WordPress website, back up your site files and database. If anything goes wrong you can just restore instead of pulling your hair out.
Most hosting providers will have a feature to backup and/or download your website. Unfortunately, you cannot rely on these. Most people don’t realise that hosting providers are NOT responsible for backing up your site.
The easiest way to take charge of your own WordPress backups is to use a reputable plugin like the free version of Updraft Plus.
The 5-Minute Steps
- Log on to your website via http://yoursite.com/wp-admin
- Install the plugin as you would any other. (If you don’t know how to install a plugin then see this article from WPBeginner.)
- Once the plugin is activated, in your WordPress dashboard select menu Settings > UpdraftPlus Backups
- Select the schedule for your backups.
Files backup schedule refers to the actual files of your WordPress installation. These files contain all the code needed to run your website and includes your themes and plugins.
Database backup schedule refers to the underlying database this installation of WordPress is using. It is where the site stores all its posts, pages, users etc..
- Select where you want to save the backups.
There is a wide choice of where to save your backup, from Dropbox, Google Drive or an FTP server. You can even opt to have it emailed to you. Use this latter only if your site isn’t very big. (Note that some of these options, like UpdraftPlus vault, require payment.)
- Scroll to the foot of the page and click Save Changes.
And that’s it for backups!
(Did you know that as part of looking after your website, our service here at WPStrands includes backups as well as WordPress updates, security scans and much more. Take a look at our plans here.)
Step 2. Update WordPress
The next step is to make sure your WordPress installation has all the latest updates. This helps to plug any security problems found since the last release. It also makes sure your site has all the latest and greatest features.
Updating is the single best thing you can do to keep your WordPress website secure.
The 5-minute Steps
- Log on to your website via http://yoursite.com/wp-admin
- To check all available updates at once click the Update menu item.
You’ll be taken to a page where all WordPress, Plugin and Theme updates are listed. It’ll also tell you if you’re up to date and what version you have installed.
Click Update buttons wherever you see them on this Updates page and you’re done!
- If you want to check around for the updates yourself, there will be a notice at the top of the page saying something like “WordPress version 4.9.x is available. Update now”
- Click Update Now and the WordPress files will be updated now. If you’ve been regularly updating then the process will usually be smooth and pain-free.
- If there are updates for any of your Plugins you’ll see a small red circle beside the Plugins menu on the left. This tells you how many plugins have updates available.
- Again, click to see what plugins you should update.
Step 3 Make It Harder For The Bad Guys
This is where you’ll set your site apart from the majority of WordPess installations out there.
Change Your Administrator Username
WordPress hackers know the inner workings of WordPress very well. They know the default administrator username is
The solution is simple: change the administrator username to something non-standard. You’ll make it much harder for the bad guys to guess your login by brute force or other methods.
This advice from WordPress co-founder Matt Mullenweg from several years ago is still sound today.
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password … and of course make sure you’re up-to-date on the latest version of WordPress.
Do this and you’ll be ahead of 99% of sites out there.
The 5-minute Steps
- Click on Users in your Dashboard menu
- Make a new administrator user: click Add New and enter a new administrator username that’s not easily guessed, something like “altadmin”. But you’ll pick a much better name, right?
You’ll need to provide an email address (one that’s not already being used for a user on this site; it can be changed later) and a password (which can also be changed later)
- Make sure you select Role
:administratorfor this new user.
- Now hover your mouse over the default administrator account and select Delete.
- Before deleting the user, WordPress will ask what to do with Posts and Pages created by this user, if any. Usually, you’ll want to keep them so select “Attribute all content to:” and select the new administrator user you’ve just created. (You can also select another user if you prefer.)
Hide The Login Form
You can assume those knowledgeable hackers also know the address of your site’s login page – http://yoursite.com/wp-admin
So, again, you can get sneaky and change the address of this page. The bad guys can’t break in this way if they can’t even find your site’s front door.
The simplest way to do this is with an unobtrusive little plugin called WPS Hide Login.
The 5-minute Steps
Install according to the instructions. In the settings enter whatever you want to name the new login page e.g. “
(Note that some authorities don’t encourage changing the login URL. See this video for reasons why.)
Now your WordPress site is already more secure. It’s safely backed up, up to date and safe from most automated hacker attacks. We’re getting there and we’re just 10 minutes in!
Now we’ll get more serious. In these next steps, we’ll scan all the files in your website to check if there is any known malicious code in them. Then we’ll install a plugin that will block hackers using common techniques to try logging into your site.
Step 3 Run A Security Scan
The 1 Minute Step
Go to https://sitecheck.sucuri.net and enter your website URL.
Sucuri will scan your website files against many different security databases. These include those from Google, McAfee, Norton and others.
(Sucuri is a very well-respected firm in the WordPress security field.)
So, assuming your site gets the green light from Sucuri, it’s time to move on to the last stretch.
If you didn’t pass the Sucuri scan you will most likely need the services of a professional to clean up your site. You can send us a message including your site URL and we’ll take a look for you and let you know what your next step should be.)
Step 4 Install Intrusion Detection
Hackers often use programs called bots to attempt a login to your website. These attempts will fail many times as the program guesses a bad password or username. These brute force attacks are much more common than you might think. Once your site notices these attacks happening, the best thing is to block those login attempts for a set period of time.
(See this post from Sucuri for more details on brute force attacks and how to stop them. https://blog.sucuri.net/2016/12/ask-
In this step, we’ll install a plugin which will alert you if someone repeatedly tries and fails to login to your website.
Again, there are many plugins to choose from but I’ll recommend WordFence. It has a nice balance of features and ease-of-use. It’s one of the more popular security plugins for WordPress. Once you use it for this step, you can explore and use it to configure further aspects of your WordPress site’s security. e.g. set up a software firewall.
It’s also free, of course.
(We use Sucuri for all our customers at WPStrands and here is why. But Wordfence will give a quick and effective result for this step.)
Wordfence is a comprehensive and feature-rich plugin which can do much more than detect intruders. For our simple
If you’d rather use a simpler plugin for this job then see a list of them in the WordPress repository.
The 5 Minute Steps
- Install the plugin according to the developers’ instructions.
- Go to the Wordfence options page: click the Wordfence menu, then All Options.
- Under Firewall Options > Brute Force Protection, make sure the checkbox at Enable Brute Force Protection is ticked.
- Set the Lock out after how many login failures number to block login attempts after a certain number of failures. The default of 20 should be fine.
Now, whenever someone tries unsuccessfully to login to your site over and over again they will be blocked from accessing the login page after 20 attempts.
Coupled with hiding the login page in Step 3 above, this will hugely reduce the problems you have with repeated login attempts from hackers.
Learn more about Wordfence from their knowledge base or in their forums.
Step 5 Put Your Feet Up
Thought you had more work to do? Nope, take a break and apply a smile – you’re now more secure than the vast majority of WordPress websites out there.
Congratulate Yourself For Taking Action!
If you actually took action on each of these steps you now have a website that is much safer than it was 30 minutes ago.
You can feel safe instead of afraid, confident instead of doubtful, calm instead of panic
You can, of course, go further by configuring a robust security setup like Sucuri. But that would take more than 30 minutes and make the title of this post a lie!
Do you have any tips of your own to share? Have you tried ours? Tell us more in the comments.
No website can be guaranteed 100% secure. Your website host, software and unique configuration are all elements of your setup. The best plan is to have regular updates and backups and to plan for when you might need them.
This article is just a guide and WPStrands cannot be held responsible for any problems you have with your website as a result of following the advice on our site.
That said, if you do encounter problems, we can certainly help – just contact us.