Securing WordPress

Do you have a WordPress site? Do you worry about getting hacked? Then read on…

There are many ways to beef up the security of your WordPress site, but there’s a bewildering array of plugins (both paid and free) to help secure your site. Here are a few tips which you should use to secure your WordPress site:

What’s in a name?

Firstly, you should really pick a better username than ‘admin’. This will be the first port of call for hackers using brute force login scripts. A random username is a first layer of ‘security through obscurity’. And no, my username isn’t ‘admin’, or ‘liam’ 🙂

Keep up

I’ll say it 3 times: update, update… update! Although this sounds obvious, it doesn’t just refer to keeping your WordPress installation up-to-date. WordPress runs on PHP, so keeping your PHP version up-to-date is just as important – but many people are lagging behind, prompting the developers of WordPress to start nudging users to update their version of PHP. This is sometimes as simple as choosing your PHP version in your wen host’s control panel, but it may require contacting your hosts to ask them to do this for you. Learn more below…

Get a faster, more secure website: update your PHP today

Stop the bots

The majority of malicious traffic out there is generated by automated scripts (AKA bots), which will try to sign up many fake accounts on a site, or simply try to break into the admin account by guessing your password a million times. Some of the recommended plugins (some of which come bundled with WordPress) handle this by taking steps to discourage bots, but there’s more you do. Personally, I use the following 2 plugins to secure my admin login. The first is used to detect if you are really a human accessing the login page:

Google Captcha (reCAPTCHA) by BestWebSoft

And the second implements 2-factor authentication, so that having my password isn’t going to help you 🙂

Google 2-Step Verification by BestWebSoft

I am in no way affiliated with those 2 plugins, but they are just part of the security set up of my own site. An easy way to install them (rather than downloading from those pages) is simply to go to you WordPress admin dashboard, select ‘Plugins’ > ‘Add new’ then search for the names of those plugins and click install from there.

What else?

2 more security plugins which I recommend you install are:

iThemes Security (formerly Better WP Security)

Note that some of the advanced settings within iThemes Security can cause problems with some other configuration of your site or certain plugins – so I recommend thoroughly testing each feature that you enable, or just leaving the default settings enabled, if you’re worried about breaking your site.

The next plugin is a herd-maintained list of registrants which a lot of sites blacklist collectively – so you should too 🙂

JP User Registration Blacklist

The 4 plugins mentioned so far are just my recommendations. But you should also already have the following plugins as part of your WordPress installation – if not, install them! These are mostly (but not all) about stopping spam bots:

Jetpack by

Akismet Anti-Spam

Bad Behaviour

Advanced tactics

One of the more advanced tricks which I use to secure sites is to only allow certain IP addresses to access the administrative login at all. This way you’re going to have hell trying to hack me or any of the sites I secure 🙂

One way to achieve this is by adding an htaccess policy file to you ‘wp-admin’ folder. If you don’t know what that means, then I wouldn’t recommend messing with it yourself. But, for those confident enough to add or edit an htaccess file, the example below shows what the htaccess might look like. This works best if your ISP gives you a fixed IP address at your home or office, otherwise you’ll need to add a range of your possible IP addresses (you IP may change each time your router reconnects) or keep updating it. Let’s say your IP address is, your htaccess would look like:

Order Deny,Allow 
Allow from
Deny from all 

What if you want to grant only a range of IP addresses to log into your site at all? You could use the rewrite engine and add this to the bottom of your blog’s root htaccess to allow only IP addresses of the form 1.2.3.* to log into any account on your WordPress site:

  RewriteEngine On
  RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.\d+$
  RewriteRule ^/?wp-(admin|login) - [R=404,L]

You can check what your current IP address is here. If you’d like to hire me for a more comprehensive audit of your site’s security, just drop me a line.

Leave a Reply