Securing your WordPress website

Today a large percentage of websites are run using WordPress. This is a great advancement for both the professional web developer and for the average computer user who wants to create their own little piece of the internet alike. The  problem is that as this platform becomes more prevalent it also attracts the attention  of hackers and other people who are up to no good so we need to be vigilant in securing our websites.

Before you think that no one will want to hack into your website, think again. Hackers are using automated systems to do the bulk of their hacking these days so how big the website is, or who is running it becomes irrelevant. Huge corporate sites and your grandmother’s genealogy site are equally attractive targets for the computer programs hackers are using.

To put this into perspective for you, I registered a new domain name and put up a site only to have forty two hacking attempts in the first twenty four hours. Those were only the ones the logs showed as invalid logins and were all from outside the United States which is where I am. The majority were from Russia and the Ukraine.

Again you may assume that your site is not a target because you have little to no visitors so surely they won’t spend the time and effort to attack it. Again, this is completely automated for them so the number of visitors you have doesn’t matter. They are playing a numbers game. If you have two visitors a month and they infect ten thousand sites like yours, they get twenty thousand new visitors a month. That isn’t too bad for letting their automated systems run while they are busy playing video games.

Why is this a problem to begin with?

So why are hackers trying to gain access to your site? They can use it to infect your visitors with malware, steal customer or visitors information to sell in spam lists, steal credit card information if you take credit cards, use exploits to potentially take over the entire computer and use it for many other nefarious uses.

According to one source, “approximately 7% of all adults [in the U.S.] have their identities misused with each instance resulting in approximately $3,500 in losses”.  That is each year! Virtually everyone I have ever met has had some problem with their credit card or bank account and this is one of the major ways the criminals get the data to carry out the fraudulent purchases.

Granted, much of what you hear about in the news is from larger websites of major stores such as Target, Wal-Mart and others but there is still a large percentage that happens from smaller websites, just like yours.

Lets just leave it as a really bad thing if they get in.

Securing your site

The first thing you can do to make your installation more secure is to not use the default admin user account. Probably seventy to eighty percent of all the login attempts to the websites I manage are using the username “admin” because this is the default that WordPress uses. Create a new admin account with a different name that does not contain any part of the website name, your name, or the word administrator. Be sure to make this new user the super admin with all administrator rights by logging in as that new user and making sure you can do everything. Now delete the “admin” user.

The second, third and fourth most popular attempts to log into my websites have been variations on the website name such as “”, “paperbirdtek” and “paperbirdtekadmin”. This is why I suggest you not use any form of the website name, your name or the word administrator in creating your new admin name. Making this name more obscure works just like making your password obscure in making it much harder for them to guess.

This brings us to passwords which should be as obscure and difficult as you can stand. What I mean is there is a fine line between a strong password and a password that is so strong you can not possibly remember it so you write it down making it easier for people to steal. You need to find where that line is and stay just to the side that allows you to remember it. Just like the user name do not use any part of the website name or your name. Dates, people and places that are important to you are also taboo.

You should also change your password every so often and not use something as obvious as tagging the year on the end. You could however tag things on the end like the number of months since you were born, number of months since your favorite movie came out, etc.

Even though it is not really WordPress related I will also mention that you should use the same guidelines for usernames and passwords to any other account administration tools, FTP accounts, etc. Having a very secure WordPress site and having your FTP account with a username of “ftp” and password of “ftp” doesn’t really do you much good, you need to secure all methods of gaining access to your website.

Now that we have basic protection out of the way we can discuss things that are a little more targeted towards WordPress. My first suggestion is to get a security package like Wordfence which is a free plugin that allows you to do things like block IP address manually or automatically after so many failed login attempts. It also can do scans to make sure you have not been infected.


Wordfence also has a pro version that costs money monthly but has advanced features, regular updates and support. I recommend that you pay for the pro version if your site is how you earn a living or is very popular. The free version is more than sufficient for the typical home user or very small businesses.

Wordfence is also the package that gives me the information I keep referring to such as the attempts people make to log into the admin console, the countries they are from, the usernames they use, how many attempts there were, the IP addresses they used and much more. If nothing else this information is worth the few minutes it takes to install and configure this plugin.

My next favorite plugin is iQ Block Country which allows you to block other countries from accessing all or part of your website. The first response people usually have is that they do not want people from other countries blocked, they was everyone to have access to their content, especially if they are a commercial website.


Fortunately what we want iQ Block Country for is to block access only to the login portion of the website where the administrator logs in. This allows anyone in the world to access the content, post comments, etc but restricts administrator logins to the country of your choice. In my case, the United States. This means all of those people in Russia or the Ukraine who seem to want in my websites so bad are locked out before they even try. This immediately eliminated seventy to eighty percent of the hacking attempts on my websites.

The one drawback to this is that iQ Block Country relies on a file called GeoIP.dat which is basically a database containing IP addresses and the country they belong to. Unfortunately these can change. If you have a small site then downloading this file every few months to a year and updating it is not a big deal. If you have a larger site you may want to automate this and for a few dollars a month you can subscribe to a service using this plugin that will keep everything up to date automatically.

The next thing we need to talk about is contact forms. In most cases it is not a good idea to post your email address out there for the entire world to see. Hackers will use email harvesters to grab that email address and then sell lists they create to spammers. This can expose you to thousands of spammers and millions of spam emails which can easily overwhelm most anti-spam programs. Much easier is to not post your email address on the website but to create a contact form where people can fill out information and send you an email without ever having access to your actual email address.

In order to do this you need another plugin, Contact Form 7. This free plugin is exactly what the overwhelming majority of my clients need. It is fast, easy to use, and of course free. You can even add fields if the normal email, subject and message fields are not enough or you want something more than just a contact form.

contact form 7



Comments for your site are something you need to consider protecting as well. It is common for people to spam comment (comment on any website they can just to get links to their content) and these links can sometimes lead to a website that can infect your users. While technically not your problem because you did not infect the user, it was your website that provided the link to the infection. I think we can all agree this is a bad thing.

There are many methods you can use to protect from this abuse including turning off commenting. It may be that your website has no use for comments and that certainly solves that problem. You can also set a lot of setting under Settings and Discussions such as holding comments for moderation, forcing someone to register before posting a comment and much more.


Next comes a plugin that has been installed by default in all WordPress installations for as long as I can remember, Akismet. Akismet protects your site by comparing it to their database and automatically filtering out those that appear to be spam. This is a great first line of defense against comment spammers and you should register for a free account and activate it immediately if you allow comments.


That should be enough to get you started, and I mean that literally. This is just a start to WordPress security but it will take your website from extremely vulnerable to reasonably well protected quickly and inexpensively.

Good luck!