Secure Your WordPress Website

There are many things you can do to help secure a WordPress website. This list isn’t exhaustive, but it’s a good start. 🙂

Easy Steps | Every Site Should Do These!

  1. Keep WordPress, themes, and plugins updated!
  2. Use strong passwords: long, unique to this site, and not built from anything a dictionary or your social media would reveal. A passphrase with a deliberate misspelling, such as I!rockz2MakeFire%maaybe, isn't a terrible password; a random one generated and stored by a password manager is better, and you never have to remember it. (A password manager like KeePass is a brilliant help here!)
  3. Never use “admin” as the username for an Administrator-level account; it is one of the first names a brute-force script tries.
  4. Guard those administrator-level logins. Don't share them willy nilly: give each person their own account with the lowest role that does the job (Editor or Author is enough for most content work).
  5. Install a security plugin.
    I use WP Defender by WPMU.
  6. Run backups on a schedule, and keep a copy somewhere other than the web server itself.
    I use Snapshot by WPMU.
  7. Do not leave the database table prefix at the default “wp_”. Set $table_prefix in wp-config.php to anything else before you install (changing it afterwards means renaming every table). Example: “jinglebells_” (I usually pick something somewhat related to the website in question.) This only trips up automated attacks that assume the default table names; it is no substitute for step 1.

Moderate Steps | Not a Bad Idea

  1. Set up and use 2-factor authentication
  2. A TLS certificate so the site runs over HTTPS (required for e-commerce sites; free certificates are available from Let's Encrypt)
  3. Google reCAPTCHA on the login page (also usable on comment and contact forms)
  4. Make the error message on failed login attempts generic. By default WordPress tells the visitor whether the username exists (“The password you entered for the username X is incorrect”), which lets an attacker confirm usernames before guessing passwords; show one message for every failure instead.
  5. Disable login hints (same idea for the lost-password form, which by default confirms whether a username or email address is registered)
  6. Limit login attempts (lock an address or account out after a handful of failures)
  7. Limit session length (log users out after a period, rather than the default 2 days, or 14 days with “Remember Me”)
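Steps 4 to 7 above can all be done without a plugin. The following must-use plugin is an added example, not code from this page or from WP Defender: drop it into wp-content/mu-plugins/ and it makes the login error generic, shortens sessions, and locks an address out after repeated failures. The hook names are WordPress core hooks; the thresholds (5 attempts, 15 minutes, 2 hours) and the `lh_` function names are my own choices.

```php
<?php
/**
 * Plugin Name: Login Hardening (added example, not the page's own code)
 * Place in wp-content/mu-plugins/ so it loads on every request.
 * Assumes a stock WordPress install; thresholds below are assumptions.
 */

// Step 4 & 5: one message for every failure, so the form never confirms
// whether the username exists.
add_filter( 'login_errors', function ( $error ) {
    return 'Invalid username or password.';
} );

// Step 7: auth cookie lasts 2 hours (12 hours with "Remember Me");
// core defaults are 2 days and 14 days.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    return $remember ? 12 * HOUR_IN_SECONDS : 2 * HOUR_IN_SECONDS;
}, 10, 3 );

// Step 6: lock an address out for 15 minutes after 5 failed logins.
const LH_MAX_ATTEMPTS = 5;                      // assumption
const LH_LOCKOUT      = 15 * MINUTE_IN_SECONDS; // assumption

function lh_client_ip() {
    // REMOTE_ADDR only: X-Forwarded-For is attacker-controlled unless a trusted
    // proxy sets it. Behind such a proxy, derive the real address here instead,
    // or every visitor shares one counter.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lh_transient_key() {
    return 'lh_fail_' . md5( lh_client_ip() );
}

// Count failures. The lockout error itself is not counted, so a locked-out
// address does not extend its own lockout by retrying.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    if ( is_wp_error( $error ) && 'lh_locked' === $error->get_error_code() ) {
        return;
    }
    $key   = lh_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LH_LOCKOUT ); // window restarts on each failure
}, 10, 2 );

// Refuse login while locked out. Priority 30 runs after core's own
// username/password checks (priority 20); an earlier priority would be
// ignored by them when a username and password are supplied.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lh_transient_key() ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error( 'lh_locked', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );

// Clear the counter once a login succeeds.
add_action( 'wp_login', function () {
    delete_transient( lh_transient_key() );
} );
```

Transients are stored in the database (or the object cache if one is configured), so the counter works across PHP processes. The lockout is keyed by address only; an attacker spreading guesses across many addresses is the reason step 1 (2-factor authentication) is still on the list.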

Advanced Steps | Lock it Down!

  1. If you cannot get a TLS certificate, some plugins hash or encrypt the password in the browser before it is submitted. Treat this as a stopgap, not a replacement: without HTTPS the session cookie and everything else still travel in the clear, and a captured hash can be replayed.
  2. Limit access to wp-login.php and wp-admin by IP address (.htaccess file), practical when your administrators come from fixed addresses or a VPN
  3. Custom login URL, with wp-admin redirecting anyone who is not logged in somewhere harmless
  4. Password protect the wp-admin directory (HTTP basic auth) as a second layer in front of the WordPress login. Exclude admin-ajax.php, which plugins also call for logged-out visitors, or parts of the front end will stop working.
  5. Limit dashboard access: only roles that actually need the dashboard should be able to reach it; keep subscribers and customers on the front end
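The page's own method for steps 2 and 3 is an .htaccess rule. The must-use plugin below is an added example, not code from this page, that enforces the same allowlist in PHP, which also works on servers without Apache: anyone outside the listed addresses who requests wp-login.php or a dashboard page is sent to the front page instead. The addresses, the `ail_` names and the CIDR helper are all mine; the hooks (`login_init`, `admin_init`, `wp_doing_ajax`, `wp_safe_redirect`) are WordPress core.

```php
<?php
/**
 * Plugin Name: Admin IP Allowlist (added example, not the page's own code)
 * Place in wp-content/mu-plugins/. Only the listed addresses may reach
 * wp-login.php or the dashboard; everyone else is redirected to the front page.
 */

// Hypothetical allowlist (documentation ranges); replace with your office/VPN addresses.
const AIL_ALLOWED_IPS = array( '203.0.113.10', '198.51.100.0/24' );

// IPv4-only match of $ip against a single address or a CIDR block.
function ail_ip_in_cidr( $ip, $cidr ) {
    if ( strpos( $cidr, '/' ) === false ) {
        return $ip === $cidr;
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $bits        = (int) $bits;
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( $ip_long === false || $subnet_long === false || $bits < 0 || $bits > 32 ) {
        return false; // IPv6 or malformed input is simply not matched (fail closed)
    }
    $mask = ( 0 === $bits ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function ail_client_allowed() {
    // REMOTE_ADDR only; trust X-Forwarded-For only if your proxy overwrites it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( AIL_ALLOWED_IPS as $entry ) {
        if ( ail_ip_in_cidr( $ip, $entry ) ) {
            return true;
        }
    }
    return false;
}

function ail_deny_unless_allowed() {
    if ( ail_client_allowed() ) {
        return;
    }
    // Redirect rather than a bare 403 so outsiders get no confirmation that
    // the login page is there (step 3 on the list).
    wp_safe_redirect( home_url( '/' ) );
    exit;
}

// wp-login.php: login, logout, lost-password and registration forms.
add_action( 'login_init', 'ail_deny_unless_allowed' );

// Dashboard pages. admin-ajax.php lives under wp-admin but also serves
// logged-out front-end requests, so it is exempted (same caveat as step 4).
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() ) {
        return;
    }
    ail_deny_unless_allowed();
} );
```

Two things this does not cover: xmlrpc.php is a separate login path (block it in the web server or disable XML-RPC unless you use the mobile app), and the check runs only once WordPress has loaded, so a web-server rule such as the .htaccess approach above is still the cheaper place to stop the traffic if you have one.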
