How to Secure Your WordPress Site

Why You Need to Secure Your WordPress Site

Imagine this: a small, flying robot is moving through a well-to-do neighborhood, checking for open windows and unlocked doors, testing each lock with every known key at its disposal. When it gains entry, it plants a small device that will enable its owner to re-enter at will, and then moves on. Kind of creepy, huh?

A similar scenario is going on non-stop. The “neighborhood” is the internet, and the “robot” is a little piece of software known as a bot. It travels all over the internet looking for vulnerabilities in web applications and testing logins with every known login and password known to man. When it manages to submit the right combination, it gains illegal entry and proceeds to do its dirty work.

I can tell you from personal experience, it gives you a very sick feeling to realize that someone has broken into your website and used it for their own means–and even locked you out of it! It used to be hacking into a site was done by a human, and the target was usually a very high profile website. No more. Now the hacking is automated and the target is the next site the bot happens to come across, and that site could easily be yours. Here’s what you need to do to protect yourself.

Get Rid Of The admin Login

If you installed WordPress before June 17, 2010 when version 3.0 was released, you created a user account called admin when you first set things up, because WordPress made you do it. Furthermore, for several years WordPress didn’t permit you to change it or delete it, and even when that was changed, many, many people never created another user name at all. There are countless WordPress sites where the only user name is admin. Are you one of them? You don’t really want to make it easier for that nasty little bot to figure out how to break into your site, now do you?

Create Two New Accounts

You need to create two new accounts, one to manage your WordPress site with and another to write with. Why? Because as I learned from Shawn of Es Developed,

the username of the author also can be seen in classes on the body tag when you view source. WordPress by default inserts various classes to the body tag. This is so you can target pages and posts via CSS. One of the classes WordPress creates and inserts into the body tag is the author’s username (not the nickname).

What this means is that by looking at the code of a published post or page, anyone can figure out the username of the author. So you don’t want the author of the post to have administrator privileges.

Create A New Administrator Account

First, you’re going to create a new administrator account that you’re not going to use very often, because it’s the most powerful account and should only be for administration, not writing. Give it a user name that indicates its status, such as myblogadmin, and a very secure password that you write down. (More about passwords in a minute.) And make sure you assign it administrator privileges. Login to that account to make sure you can do it.

Create An Editor Account

Now create another account with a user name that you will remember easily and a password that is secure but that you can remember in your head. This is the user account you will be accessing all the time to do your posting and publishing. Give it editor privileges. If someone should hack into this account, they will not have full control of your website. Of course, while you are logged into it, neither will you.

Delete the Old Admin Account

While you are still in your brand new administrator account, find the old admin account and delete it. It will ask you who should all the posts be assigned to. Tell it your new editor account. Now log out of your new administrator account and log into your editor account. Do all your posting from this account, for an extra measure of safety.

Upgrade Your Passwords

You have probably been nagged to death about the need for strong, secure passwords, with good reason. According to the Wikipedia article on password cracking,

around 40% of user-chosen passwords are readily guessable by sophisticated cracking programs armed with dictionaries.

That malicious bot trolling the internet has an entire dictionary of common words at its disposal, and is programmed to try them all out in rapid succession. Janith over at Blogussion did the math that shows how every additional digit makes the bot’s job that much harder.

The only problem is the very password that is difficult for a bot to crack may also be hard for you to remember. The Strong Password Generator generates a strong password and also gives suggestions on how to remember it, but frankly, I don’t find the suggestions that helpful. A better way may be to think of a phrase and then modify it, using the suggestions from one of these sources:

Keep WordPress Updated

WordPress developers do their best to write code that is inherently secure. But they are only human, and there are other humans out there looking for any place the developers might have slipped up. When a security breach is discovered, the WordPress development team addresses the problem and issues a “patch,” an updated version of WordPress that has resolved the security problem. Don’t ignore these upgrades. Many malicious bots are programmed to take advantage of these security breaches, or vulnerabilities. It’s as if all the thieves in town learned that a certain brand of window didn’t latch properly. An older version of WordPress just makes it easier for your site to be hacked.

Back Up Your Database

Even after you’ve taken the above precautions, your site could still be hacked. And even if it never is, other problems could occur with your site that you couldn’t anticipate. That’s why it’s essential to back up your database. Did you know you had one? All of your posts, pages, comments, and settings are stored in a database, and WordPress fetches what it needs out of that database to create your website pages. No database, no website.

WP-DB-Backup and WP-DBManager are two plugins that enable you to back up your database and send the file to an email address. You only need one of them. WP-DB-Backup is easier to use, while WP-DBManager has more features. Use a web-based email account with a generous amount of storage, and have the plugin send the backups there on a regular basis. If nothing else, when you are prompted to upgrade your version of WordPress you will know your database is already backed up.

More About Security


WordPress Security Video
Lorelle on Hack-Proofing Your WordPress Blog
Keep WordPress Secure (WordPress News Blog)
Hardening WordPress (making it more secure) a Codex article
How to Connect to Your WordPress Account With Secure FTP


Password Checker by Microsoft
Five Best Password Managers (Lifehacker)

Comments on this entry are closed.

  • Thank you, Kathy. Very useful information.

  • Why oh why is this info not at the top of each page in Wordpress documentation? I’m just about to start a new WP project and the timing of finding this could not have been better. Thanks for the good info! Bonnie