WordPress Security

WordPress has become the most popular content management system for websites. It is estimated that a fifth of all websites are running on WordPress. The ease of using WordPress has made it possible for people without a tech background to maintain their own website. For precisely this reason, attackers know that security is not up to par on many of these websites.


What can you do to improve WordPress security?



1. Remove the admin user

The wp-admin and wp-login access points are popular targets for brute force attacks, which try to guess a valid username and password. If you keep the default admin username, half the job is already done for the attacker. Remove the default admin/administrator username and replace it with something else you can remember. Do this by creating a new user with administrator rights, then deleting the admin user.

2. Have a strong password

This is a basic tenet of improving WordPress security. Have a complex, long and unique password. It is advisable that you use at least 12 characters in a password. Combine capital letters, numbers, and special characters such as #, $, ^, ( and %. You could use a password generator like KeePass to make a password that is up to 24 characters long.

3. Use two-factor authentication

Also called 2FA, this requires that you confirm the login using another method, for example, a mobile verification code. This is very effective in preventing brute force attacks as the attacker cannot get past the login even with the correct password. 2FA is already being used for popular services such as Gmail and PayPal.

4. Hide wp-config.php and .htaccess files

An attacker can do a lot of damage by accessing and editing these files. Improve your WordPress security by editing the .htaccess file and wp-config.php file.
Here is a helpful article that explains how to edit these files.
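
One way to make the .htaccess change described above, as an added example that is not from the original article. It assumes Apache 2.4 syntax and an AllowOverride setting that permits `Require` in .htaccess; the marker text and function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original article): append deny rules for
# wp-config.php and .ht* files to a site's .htaccess, exactly once.
# Assumptions: Apache 2.4 syntax (Require all denied) and an AllowOverride
# setting that lets .htaccess use it; marker text and function names are ours.

MARK_BEGIN='# BEGIN deny-config-files'
MARK_END='# END deny-config-files'

# Print the rule block. It sits outside the "# BEGIN WordPress" section,
# which WordPress rewrites on its own.
deny_rules() {
    printf '%s\n' "$MARK_BEGIN"
    cat <<'EOF'
<Files "wp-config.php">
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
EOF
    printf '%s\n' "$MARK_END"
}

# Succeeds if the file already carries the rule block.
is_protected() {
    [ -f "$1" ] && grep -qF "$MARK_BEGIN" "$1"
}

# harden_htaccess DOCROOT: back up .htaccess, then append the block if missing.
harden_htaccess() {
    ht="$1/.htaccess"
    if [ ! -d "$1" ]; then
        echo "not a directory: $1" >&2
        return 2
    fi
    if is_protected "$ht"; then
        return 0
    fi
    if [ -s "$ht" ]; then
        cp -p "$ht" "$ht.bak"
        # Add a newline first if the last line is unterminated.
        if [ -n "$(tail -c 1 "$ht")" ]; then echo >> "$ht"; fi
    fi
    deny_rules >> "$ht"
}

# Run as: sh harden.sh /path/to/wordpress
[ "$#" -eq 0 ] || harden_htaccess "$1"
```

After the change, a request for /wp-config.php or /.htaccess should be answered with 403 Forbidden.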

5. Have a security plugin

If you are not tech savvy, you can use one of the available WordPress plugins to patch your WordPress security. A good example is Wordfence (the most downloaded security plugin for WordPress). This plugin automatically locks out any bot or user trying to log in after 3 unsuccessful attempts.

6. Stay updated

Always update your WordPress version when there is an upgrade, so that you get the security fixes each release includes. Your theme and plugins should also stay updated. Always choose reliable developers who release updates regularly.

7. Do not use untrusted developers

Only use WordPress-approved themes and plugins. You can find a list at wordpress.org.

There are many more steps you can take to secure your website, some of which can be tricky. If you are worried about your site's security, your best bet would be to contact a developer.


We now offer security and maintenance plans for our WordPress sites. Take a look.