Boosting your WordPress website’s security

Take these essential steps to boost the security of your WordPress website. They are quick to carry out and will save you a great deal of time and trouble later on.

WordPress is one of the most popular CMSs today, but its popularity has attracted the unwanted attention of attackers who look for out-of-date installations and vulnerabilities in order to gain access to your website's admin area.

This can cause serious problems, including:

- Attackers gaining access to your website, posting their own content or defacing your content.

- Heavy load on the website server as thousands of attempts to access your website log-in are made, resulting in your website being taken offline.

How to protect your WordPress website

There are ways to improve the security of your WordPress website so that you and your visitors can continue to enjoy its great features.

1. Update your WordPress installation, the plugins and the theme

This needs to be done first and foremost, before any of the items below. Always make sure you back up your website before starting the updates. Keep an eye out for new software releases and update your WordPress website each time. You can also set automatic updates for your WordPress installation.

2. Change the 'admin' username

WordPress's default Administrator username on initial installation is 'admin'. If you haven't changed this, it gives attackers a much better chance of guessing your log-in details, since they only need to guess the password. Make sure none of your user profiles have the username 'admin'. To change it, create another user at 'Administrator' level with a different username, log in as this new user and then delete the original user which has the 'admin' username. Please note that the new user profile must have Administrator level access, otherwise you will lose administrative control of the website.

3. Limit login attempts

Find and install a plugin that will allow you to set a number of failed log-in attempts before a user is blocked. We don't suggest a specific plugin here as there may be different options and availability at any time.
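To show what such a plugin does behind the scenes, here is a small must-use plugin written for this article (it is not one of the plugins mentioned above and not part of WordPress itself). It counts failed log-ins per visitor address using WordPress transients and refuses further attempts once a threshold is reached. The threshold of 5 failures, the 15-minute window, and the 'sll_' names are assumptions chosen for the example; the hooks 'wp_login_failed', 'authenticate' and 'wp_login' are real WordPress hooks.

```php
<?php
/*
 * Plugin Name: Simple Login Attempt Limiter (illustrative example)
 * Description: Blocks further log-in attempts from an address after repeated failures.
 *
 * Save as wp-content/mu-plugins/simple-login-limiter.php (create the folder if needed).
 * Must-use plugins load automatically and cannot be disabled from the dashboard.
 */

// Assumed policy for this example: 5 failures within 15 minutes blocks that address
// for 15 minutes. Each further failure while blocked restarts the 15-minute timer.
const SLL_MAX_FAILURES   = 5;
const SLL_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

// Derive a storage key from the visitor's IP address. Behind a reverse proxy or CDN
// REMOTE_ADDR is the proxy's address, so a trusted forwarding header would be needed
// there; plain REMOTE_ADDR is used here to keep the example short.
function sll_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'sll_failures_' . md5( $ip );
}

// Count one failed attempt. Transients expire on their own, so old failures
// disappear without any clean-up job.
function sll_record_failure( $username ) {
    $key   = sll_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLL_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// Refuse authentication once the threshold is reached. Priority 30 runs after
// WordPress's own username/password checks, so a blocked address never receives
// a valid session even if it finally guesses the right password.
function sll_check_lockout( $user, $username, $password ) {
    $count = (int) get_transient( sll_transient_key() );
    if ( $count >= SLL_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed log-in attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'sll_check_lockout', 30, 3 );

// Reset the counter after a successful log-in so a legitimate user who mistyped
// their password a few times is not penalised later.
function sll_clear_on_success( $user_login, $user ) {
    delete_transient( sll_transient_key() );
}
add_action( 'wp_login', 'sll_clear_on_success', 10, 2 );
```

Because the counter is keyed by IP address, a single attacker rotating through many addresses will not be slowed down by this alone, which is one reason the steps below (renaming the log-in URL and blocking the default one) are worth doing as well.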

4. Rename the wp-login URL

Attackers usually look for your log-in page at the default WordPress URL, so moving it makes their job much harder.
The 'WPS Hide Login' plugin allows you to change the standard log-in URL from
www.yourwordpresswebsite/wp-login.php
to
www.yourwordpresswebsite/login-of-your-choice/

There may be other similar plugins available. Make sure plugins you use are up to date and compatible with the version of WordPress you are using. This should be the latest version wherever possible.

5. Add a '403 Forbidden' to your .htaccess file

As additional security to the above WP login rename you can add a small amount of code to your website's .htaccess file. If a hacker attempts to find your standard wp-login.php page they will run into a '403 Forbidden' rather than the '404 Page not found' on your website. Only add this once the renamed log-in URL is working, otherwise you will lock yourself out of the dashboard. Here's the code:

# Block direct requests to the default log-in page only; the rest of the site is unaffected.
# 'Deny from All' is the classic Apache syntax and works on Apache 2.4 where mod_access_compat is enabled.
<Files wp-login.php>
Deny from All
ErrorDocument 403 "Forbidden"
</Files>

Please note: You should always back up your website before making changes such as those described above. These changes are suggestions only and we cannot be responsible for any problems with third party WordPress software, plugins or themes now or in the future. These changes shouldn't be attempted unless you understand their implications and have a good knowledge of WordPress. If you have a web designer who initially set up your WordPress website then you may wish to ask them to check and make these changes for you.

Additional steps - if your website has been compromised, you may find the following useful.

6. Wordfence

Wordfence starts by checking whether your site is already infected. It runs a deep server-side scan of your source code, comparing it against the official WordPress repository versions of core, themes and plugins so that modified or injected files stand out. This is quite a powerful plugin and its options and settings are not intended for a complete novice, but it will provide an additional layer of security if configured correctly.

If you need help

When signing up for one of our Green Hosting plans you can add the option of letting us install WordPress for you and implement the steps above on your WordPress website from £25.

If you already have a hosting account with us and do not have a web designer or are not able to check and update your WordPress website then we can help. Please send us a helpdesk support request and we can provide a quote for any work needed. It is much more cost effective to defend your website now than to recover a hacked or compromised website.
