make wordpress more secure in 30 minutes

Make WordPress more secure in just 30 minutes.

I’m embarassed to admit that I once had three WordPress websites hacked in a single day.

This is a redirected post

This post originally appeared on our old blog at Please note that some links may be outdated and may not work.

My mother-in-law called: “Why is the family photo site not working?” she asked, “There’s a strange message there.”

The site had been hacked and defaced. The strange message she saw was in promotion of the hackers‘ cause:

make wordpress more secure
From one of my hacked websitesa few years ago

This didn’t endear me to their cause. They interrupted my customers’ businesses and they defaced our websites.

So I took down the message and cleaned up the sites.

To say I “cleaned up the sites” makes it sound pretty straightforward; it wasn’t! It took days to get things back to normal, even with the backups I had.

Two of the sites belonged to customers of mine.  These were customers who had refused my offers of site maintenance. They had not kept their sites up to date nor secured them in any way.

And, I’m ashamed to admit, there was also the family site. I had done nothing to secure it. My attitude was “no-one’s coming to this site so why worry about security?”

A Pipe Dream

I used to dream of the day when I could wake up with the happy knowledge that all my customers’ WordPress sites were samoehow as safe as houses. Completely hacker-proof. Impervious to all but the most determined attacks.

keeping wordpress more secure
Photo by King’s Church International on Unsplash

Years of experience tell me that such a state is impossible. This is partly due to the very nature of websites in general and of WordPress in particular:

  • the code is visible to anyone who wants to look (right-click in your browser and select view source or similar)
  • most of the software used is free, which is a good thing, so …
  • the problems in the software are public knowledge. Not such a good thing because hackers will pounce on a problem as soon as they hear about it.  They know people will NOT always do the work they should to keep things safe, like updating software.

As easy as it is to keep a site up to date, it is also easy NOT to keep it up to date.

But it’s human nature after all to take the easy path. So, here’s an easy routine to make you feel instantly safer.But it’s human nature after all to take the easy path. So, here’s an easy routine to make you feel instantly safer.

This routine is easy because:

  • Anyone can do it
  • Each step takes about 5 minutes or less
  • Everything you need is FREE

So, if you want a more secure WordPress website 30 minutes from now, read on …

Some Advice – Be Among the 3% Who Take Action

97% of people will read this information and do nothing else.
Information is only potentially useful.  It must be put to use.
Be one of the 3% who take action on each step of this guide and reap the benefits by having a more secure WordPress website 30 minutes from now.

5 Steps To A More Secure WordPress Website

I don’t in any way want to trivialise the whole complex topic of website security. But you can improve your own site security by following this step-by-step guide.

can you have too much security?
You can’t be too secure, right?

Step 1. BackUp WordPress

Do I need to spell this one out?

Before you ever do anything to secure your WordPress website, back up your site files and database.  If anything goes wrong you can just restore instead of pulling your hair out.

Most hosting providers will have a feature to backup and/or download your website. Unfortunately, you cannot rely on these. Most people don’t realise that hosting providers are NOT responsible for backing up your site.

The easiest way to take charge of your own WordPress backups is to use a reputable plugin like the free version of Updraft Plus.

use updraftplus to backup wordpress

The 5-Minute Steps

  • Log on to your website via
  • Install the plugin as you would any other.  (If you don’t know how to install a plugin then see this article from WPBeginner.)
  • Once the plugin is activated, in your WordPress dashboard select menu Settings > UpdraftPlus Backups
  • Select the schedule for your backups.
use updraftplus to backup wordpress

Files backup schedule refers to the actual files of your WordPress installation.  These files contain all the code needed to run your website and includes your themes and plugins.
Database backup schedule refers to the underlying database this installation of WordPress is using. It is where the site stores all its posts, pages, users etc..

  • Select where you want to save the backups.  

There is a wide choice of where to save your backup, from Dropbox, Google Drive or an FTP server. You can even opt to have it emailed to you. Use this latter only if your site isn’t very big.  (Note that some of these options, like UpdraftPlus vault, require payment.)

  • Scroll to the foot of the page and click Save Changes.

And that’s it for backups!

(Did you know that as part of looking after your website, our service here at WPStrands includes backups as well as WordPress updates, security scans and much more.  Take a look at our plans here.)

Step 2. Update WordPress

The next step is to make sure your WordPress installation has all the latest updates.  This helps to plug any security problems found since the last release. It also makes sure your site has all the latest and greatest features.
Updating is the single best thing you can do to keep your WordPress website secure.

The 5-minute Steps

  • Log on to your website via
  • To check all available updates at once click the Update menu item.
wordpress update menu

You’ll be taken to a page where all WordPress, Plugin and Theme updates are listed. It’ll also tell you if you’re up to date and what version you have installed.

WordPress updates page

Click Update buttons wherever you see them on this Updates page and you’re done!

  • If you want to check around for the updates yourself, there will be a notice at the top of the page saying something like “WordPress version 4.9.x is available. Update now”
  • Click Update Now and the WordPress files will be updated now.  If you’ve been regularly updating then the process will usually be smooth and pain-free.
  • If there are updates for any of your Plugins you’ll see a small red circle beside the Plugins menu on the left. This tells you how many plugins have updates available.
plugin updates available
  • Again, click to see what plugins you should update.

Step 3 Make It Harder For The Bad Guys

This is where you’ll set your site apart from the majority of WordPess installations out there.

Change Your Administrator Username

WordPress hackers know the inner workings of WordPress very well. They know the default administrator username is admin. So they already have half of your username/password combination.

The solution is simple: change the administrator username to something non-standard. You’ll make it much harder for the bad guys to guess your login by brute force or other methods.

This advice from WordPress co-founder Matt Mullenweg from several years ago is still sound today.

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password … and of course make sure you’re up-to-date on the latest version of WordPress.

Do this and you’ll be ahead of 99% of sites out there.

The 5-minute Steps

  • Click on Users in your Dashboard menu
  • Make a new administrator user: click Add New and enter a new administrator username that’s not easily guessed, something like “altadmin”.  But you’ll pick a much better name, right?

You’ll need to provide an email address (one that’s not already being used for a user on this site; it can be changed later) and a password (which can also be changed later)

  • Make sure you select Role:administrator for this new user.
  • Now hover your mouse over the default administrator account and select Delete.
  • Before deleting the user, WordPress will ask what to do with Posts and Pages created by this user, if any. Usually, you’ll want to keep them so select “Attribute all content to:” and select the new administrator user you’ve just created. (You can also select another user if you prefer.)

Hide The Login Form

You can assume those knowledgeable hackers also know the address of your site’s login page –

So, again, you can get sneaky and change the address of this page. The bad guys can’t break in this way if they can’t even find your site’s front door.

The simplest way to do this is with an unobtrusive little plugin called WPS Hide Login.

The 5-minute Steps

Install according to the instructions. In the settings enter whatever you want to name the new login page e.g. “newlogin”.  But again, pick a better name.
Now, to logon to your site you’ll go to instead of to

(Note that some authorities don’t encourage changing the login URL. See this video for reasons why.)

Now your WordPress site is already more secure. It’s safely backed up, up to date and safe from most automated hacker attacks.  We’re getting there and we’re just 10 minutes in!

Now we’ll get more serious. In these next steps, we’ll scan all the files in your website to check if there is any known malicious code in them. Then we’ll install a plugin that will block hackers using common techniques to try logging into your site.

Step 3 Run A Security Scan

The 1 Minute Step

Go to and enter your website URL.

Sucuri will scan your website files against many different security databases. These include those from Google, McAfee, Norton and others.
(Sucuri is a very well-respected firm in the WordPress security field.)

So, assuming your site gets the green light from Sucuri, it’s time to move on to the last stretch.

If you didn’t pass the Sucuri scan you will most likely need the services of a professional to clean up your site. You can send us a message including your site URL and we’ll take a look for you and let you know what your next step should be.)

Step 4 Install Intrusion Detection

Hackers often use programs called bots to attempt a login to your website. These attempts will fail many times as the program guesses a bad password or username.  These brute force attacks are much more common than you might think. Once your site notices these attacks happening, the best thing is to block those login attempts for a set period of time.

(See this post from Sucuri for more details on brute force attacks and how to stop them.

In this step, we’ll install a plugin which will alert you if someone repeatedly tries and fails to login to your website.

Again, there are many plugins to choose from but I’ll recommend WordFence. It has a nice balance of features and ease-of-use. It’s one of the more popular security plugins for WordPress. Once you use it for this step, you can explore and use it to configure further aspects of your WordPress site’s security. e.g. set up a software firewall.
It’s also free, of course.

(We use Sucuri for all our customers at WPStrands and here is why. But Wordfence will give a quick and effective result for this step.)

Wordfence is a comprehensive and feature-rich plugin which can do much more than detect intruders. For our simple plan simple intrusion detection is all we want.
If you’d rather use a simpler plugin for this job then see a list of them in the WordPress repository.

The 5 Minute Steps

  • Go to the Wordfence options page: click the Wordfence menu, then All Options.
  • Under Firewall Options > Brute Force Protection,  make sure the checkbox at Enable Brute Force Protection is ticked.
wordfence brute force options
  • Set the Lock out after how many login failures number to block login attempts after a certain number of failures.  The default of 20 should be fine.

Now, whenever someone tries unsuccessfully to login to your site over and over again they will be blocked from accessing the login page after 20 attempts.

Coupled with hiding the login page in Step 3 above, this will hugely reduce the problems you have with repeated login attempts from hackers.
Learn more about Wordfence from their knowledge base or in their forums.

Step 5 Put Your Feet Up

Thought you had more work to do?  Nope, take a break and apply a smile – you’re now more secure than the vast majority of WordPress websites out there.

Congratulate Yourself For Taking Action!

If you actually took action on each of these steps you now have a website that is much safer than it was 30 minutes ago.

You can feel safe instead of afraid, confident instead of doubtful, calm instead of panic.

You can, of course, go further by configuring a robust security setup like Sucuri. But that would take more than 30 minutes and make the title of this post a lie!

Do you have any tips of your own to share?  Have you tried ours? Tell us more in the comments.


No website can be guaranteed 100% secure.  Your website host, software and unique configuration are all elements of your setup. The best plan is to have regular updates and backups and to plan for when you might need them.
This article is just a guide and WPStrands cannot be held responsible for any problems you have with your website as a result of following the advice on our site.

That said, if you do encounter problems, we can certainly help – just contact us.


Click Here to Leave a Comment Below

Leave a Comment: