Last Updated on February 26, 2019
With WordPress powering nearly 25% of the Internet, its popularity unfortunately makes your blog a more attractive target for attackers. This article shows you how to secure your WordPress admin site. By following a few basic rules, you can reduce the chances of your site being hacked.
Always Keep Your WordPress core, Plugins, and Themes Updated
The WordPress core, plugins, and theme files are constantly being updated with new features and bug fixes. Your first line of defense is to make sure that you are always running the latest versions of the software. You can check for updates by going to your WordPress Admin > Dashboard > Updates, or visiting http://example.com/wp-admin/update-core.php directly.
There are also plugins, such as Update Notifier, which notify you via email when newer versions of WordPress core, plugins, or themes are available.
If you manage multiple WordPress blogs, you can also use services such as Jetpack’s Centralized Site Management module, WP Remote or ManageWP which let you update multiple blogs from a single dashboard.
Always Have Backups
Perhaps the most important suggestion in this list is to always have backups of your site in case anything happens (such as getting hacked, incompatible plugin/site update, accidentally deleting data). You can manually back up posts and pages in the WordPress Admin > Tools > Export, which will generate an XML file which you can save to your computer. This will just be a backup of your data, and won’t include all your WordPress settings and themes, so you may want to consider a more robust solution, such as VaultPress (by Automattic, the makers of WordPress), UpdraftPlus, or BackupBuddy.
Never Blog as an Administrator Account
As a general rule of thumb, you should never blog using your administrator account. You should only use your administrator account for changing themes, plugins, or other site settings. You should create a second user account with reduced permissions (such as “Author”) which you use to post new articles. This way, if your account is compromised and somebody manages to log in, they cannot access administrator level features.
Don’t Have an Account With the Username “admin”
Related to the previous tip, Never Blog as an Administrator Account, you should always make sure that you don’t have a user with the username “admin” or “administrator”, as it is typically the first username that will be guessed (roughly 60% of the invalid login attempts on one of our sites were attempts to log in with the “admin” or “administrator” usernames).
If you have an older WordPress install, or happen to be using a username such as “admin”, there are plugins such as Admin renamer extended which allow you to rename your username. Note that renaming can be somewhat risky, so make sure you create a site backup first and create a second administrator account, just in case something goes wrong.
Never Share Logins
If you have multiple people blogging on the same blog, it’s best not to share usernames and passwords. If you are having somebody help you troubleshoot your WordPress blog, never give them your login information. Ideally you should create a new WordPress User account for them (WordPress Admin > Users > Add New), set their permissions to the lowest level needed, and then remove the account once you’re finished.
Similarly, you should try not to share usernames/password across sites and services. For example, don’t use the same username and password on your WordPress blog as you do on Amazon or your banking site.
Use Strong Passwords
When creating new User accounts in WordPress, you’ll notice that there is a handy “Strength indicator” which tells you how strong your password is. The WordPress admin offers the following excellent advice:
Hint: The password should be at least seven characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! ” ? $ % ^ & ).
Also, make sure you don’t use easy to guess passwords such as pet names, or “password” or “12345678” (or really any of these top 25 passwords).
If you need help generating a strong password, you can use something like strongpasswordgenerator.com and use a password manager to help you manage your passwords.
Limit Login Attempts
A useful plugin that we use on all of our sites is Limit Login Attempts which limits the number of retry attempts when logging in (for each IP address).
By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
This plugin is highly configurable: you can easily set how many login retries a user/IP is allowed, how long the user is locked out if they exceed that number of retries, and how many lockouts a user is allowed before the lockout counter is reset. For example, if a user fails to log in 2 times you can lock them out for 2 hours, and if they get locked out two times, then lock them out for 2 days (after the 2 days the counter is reset).
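To make the escalating lockout policy concrete, here is an added in-memory model of it (example code written for this article, not the Limit Login Attempts plugin’s own implementation). It uses the parameters from the example above, and the IP address 203.0.113.7 used in the replay is a constructed sample value from the documentation range.

```python
"""Model of the escalating per-IP login lockout described above."""
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Policy:
    # Values from the article's example configuration (an assumption for this model).
    allowed_retries: int = 2            # failed logins before a lockout
    lockout_seconds: int = 2 * HOUR     # first lockout length
    allowed_lockouts: int = 2           # lockouts before the long lockout applies
    long_lockout_seconds: int = 2 * DAY
    reset_seconds: int = 2 * DAY        # lockout counter resets after this quiet period


@dataclass
class IpState:
    failures: int = 0
    lockouts: int = 0
    last_lockout_at: float = 0.0
    locked_until: float = 0.0


class LoginLimiter:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.state = {}  # ip -> IpState

    def attempt(self, ip, now, credentials_ok):
        """Process one login attempt at unix time `now`.
        Returns 'locked', 'ok', 'denied' or 'lockout'."""
        p = self.policy
        s = self.state.setdefault(ip, IpState())
        if now < s.locked_until:
            return "locked"          # refused before the password is even checked
        if credentials_ok:
            s.failures = 0           # a successful login clears the retry counter
            return "ok"
        if s.lockouts and now - s.last_lockout_at >= p.reset_seconds:
            s.lockouts = 0           # quiet period elapsed: lockout counter resets
        s.failures += 1
        if s.failures < p.allowed_retries:
            return "denied"
        s.failures = 0
        s.lockouts += 1
        s.last_lockout_at = now
        long = s.lockouts >= p.allowed_lockouts
        s.locked_until = now + (p.long_lockout_seconds if long else p.lockout_seconds)
        return "lockout"

    def locked_until(self, ip):
        return self.state.get(ip, IpState()).locked_until


def simulate(events):
    """Replay constructed (ip, timestamp, credentials_ok) events; returns the decisions."""
    limiter = LoginLimiter()
    return [limiter.attempt(ip, t, ok) for ip, t, ok in events]
```

Note that attempts made during a lockout are refused outright and do not count as retries, so an attacker cannot extend their own lockout window indefinitely by hammering the login page.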
Two-Factor Authentication
For additional login security, you may also want to enable two-factor authentication, which requires you to provide a one-time code from your phone (sent by SMS or generated by an authenticator app), in addition to your password, in order to log into your WordPress admin site.
If you’re interested in using two-factor authentication with WordPress, there are several plugins including Google Authenticator, Authy Two Factor Authentication, and Clef Two-Factor Authentication.
For more information on additional apps that support two-factor authentication, see Here’s Everywhere You Should Enable Two-Factor Authentication Right Now and twofactorauth.org.
WordPress Security Monitoring
If you’re running a business blog, or have had your WordPress blog hacked, another solution is to sign up for a website antivirus/malware detection and cleanup service like Sucuri. They even offer a free website malware and security scanner which can check the website for known malware, blacklisting status, website errors, and out-of-date software.
Further Reading
If you’re interested in securing your WordPress site more, this is just the beginning and there are a lot more resources out there, including the following helpful links:
- Hardening WordPress (codex.wordpress.org)
- Brute Force Attacks (codex.wordpress.org)
- Secure WordPress (wpsecure.net)
- 11 Quick Tips: Securing Your WordPress Site (code.tutsplus.com)
- Improve your WordPress security with these 10 tips (woothemes.com)
- The Definitive Guide to WordPress Security (moz.com)
- WordPress Security 101: A Quick Guide to Locking Down Your Site (ithemes.com)
- [Book] Locking Down WordPress (build.codepoet.com)