Boosting your WordPress website’s security

Take these essential steps to boost the security of your WordPress website. These easy steps shouldn't take long and will help to save lots of time and avoid problems in the future.

Wordpress is one of the most popular CMS's today but its popularity has attracted the unwanted attention of potential attackers who look for out of date installations and vulnerabilities to gain access to your website's admin area.

This can cause serious problems, including:

- Attackers gaining access to your website, posting their own content or defacing your content.

- Heavy load on the website server as thousands of attempts to access your website log in is made, resulting in your website being taken offline.

How to protect your WordPress website

There are ways to improve the security of your WordPress website so that you and your visitors can continue to enjoy its great features.

1. Update your WordPress installation, the plugins and the theme

This needs to be done first and foremost, before any of the items below. Always make sure you back-up your website before starting the updates. Keep an eye out for new software releases and update your WordPress website each time.

2. Change the 'admin' username

WordPress' default Administrator username on initial installation is 'admin'. If you haven't changed this it gives attackers a better chance of guessing your log-in details straight away. Make sure none of your user profiles have the username 'admin'. You need to change the Administrator username or create another user at 'Administrator' level (with alternative username), log in as this new user and delete the original user which has the 'admin' username. Please note that the new user profile must have Administrator level access.

3. Limit login attempts

There is a very useful plugin that allows you to set a number of log-in attempts before a user is blocked. If an attacker is trying to guess your username and password their IP will be blocked until your stipulated timeframe. The 'Limit Login Attempts' plugin can be installed and configured easily and was still working on Wordpress 4.1.1 at the time of writing this article.

4. Rename the wp-login URL

A potential attacker would usually try to find your log-in page from the default WordPress URL but this makes their job so much harder.
The 'WPS Hide Login' plugin allows you to change the standard log in URL from
Again, this is easy to install and set up. Although the plugin is no longer maintained it was still working on Wordpress 4.1.1 at the time of writing this article.

5. Add a '403 Forbidden' to your .htaccess file

As additional security to the above WP login rename you can add a small amount of code to your website's .htaccess file. If a hacker attempts to find your standard wp-login.php page they will run into a '403 Forbidden' rather than the '404 Page not found' on your website. Here's the code:

<FilesMatch "wp-login.php">
Deny from All
ErrorDocument 403 "Forbidden"

Please note: You should always back up your website before making changes such as these described above. These changes are suggestions only and we cannot be responsible for any problems with third party WordPress software, plugins or themes now or in the future. These changes shouldn't be attempted unless you understand their implications and have a good knowledge of WordPress. If you have a web designer who initially set up your WordPress website then you may wish to ask them to check and make these changes for you.

Additional steps - if your website has been compromised you may find the following useful.

6. Plugin Vulnerabilities

Plugin Vulnerabilities alerts you when installed plugins contain known security vulnerabilities. Also lists vulnerabilities that exist in other versions of installed plugins. This plugin checks the plugins you have installed against a list of verified security vulnerabilities. If the installed version of a plugin is vulnerable an alert is added to the Installed Plugins page, otherwise details of the vulnerabilities are included on the Plugin Vulnerabilities page.

7. WordFence

Wordfence starts by checking if your site is already infected. It will run a deep server-side scan of your source code comparing it to the Official WordPress repository for core, themes and plugins. This is quite a powerful plugin and the options and settings are not intended for a complete novice but it will provide an additional layer of security if configured correctly.

If you need help

When signing up for one of our Green Hosting plans you can add the option of letting us install WordPress for you and implementing the steps above at your WordPress website for just £25.

If you already have a hosting account with us and do not have a web designer or are not able to check and update your WordPress website then we can help. Please send us a helpdesk support request and we can provide a quote for any work needed. It is much more cost effective to defend your website now than to recover a hacked or compromised website.

Related help topics

Other helps topic related to Boosting your WordPress website’s security