Published 10th April 2012 by

Out of the box, WordPress is a reasonably secure platform, but there are several things you can do to harden a WordPress installation and protect your website.

The single most important step you can take for WordPress security is to keep your WordPress installation, and every plugin and theme on it, up to date. When a security vulnerability is found in WordPress it is usually fixed quickly and a new version released, but the fix only protects you once it is installed. In addition there are several other steps you can take to improve WordPress security.

Database Table Prefix

When installing WordPress you have the option to specify a database table prefix. By default this is 'wp_', which every attacker and attack script knows. Changing it to something less guessable means automated SQL injection attacks that hard-code table names such as wp_users miss their target, but it is obscurity rather than a fix: an attacker who can run arbitrary SQL can list the tables anyway. Treat it as a small extra hurdle alongside keeping the site patched, and remember that the prefix is also embedded in data (the wp_user_roles option and user meta keys such as wp_capabilities), so changing it on an existing site takes more than renaming the tables.
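As an added example (shell, not code from the original article or from WordPress), the following prints the SQL for moving an existing site to a new prefix, including the option and user meta rows that a bare table rename misses. The prefix k7q2x_ and the extra table name wc_orders in the usage are made-up values, and the core table list assumes a current single-site install.

```shell
#!/bin/sh
# Added example, not code from the original article. Prints the SQL needed to
# move an EXISTING WordPress site to a new table prefix; for a fresh install
# the only change needed is this line in wp-config.php:
#     $table_prefix = 'k7q2x_';
# Assumptions: the twelve core tables of a current single-site install (pass
# extra names for plugin tables), and you run the output with a database
# backup in hand, then change $table_prefix to match.

CORE_TABLES="commentmeta comments links options postmeta posts termmeta
term_relationships term_taxonomy terms usermeta users"

# prefix_rename_sql OLD NEW [TABLE ...]
# Renaming the tables is the easy part. The prefix is also embedded in data:
# the option 'wp_user_roles' and user meta keys such as 'wp_capabilities' and
# 'wp_user_level'. Miss those and every account loses its role, so the first
# thing you see after the rename is "Sorry, you are not allowed to access
# this page" on wp-admin.
prefix_rename_sql() {
    old=$1; new=$2; shift 2
    tables=${*:-$CORE_TABLES}
    # '_' is a single-character wildcard in LIKE, so escape it in the prefix.
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')
    for t in $tables; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # Only this one option carries the prefix; a LIKE here would also catch
    # unrelated options whose names merely start with "wp_".
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # User meta keys starting with the prefix all belong to it (capabilities,
    # user_level, per-user screen settings); rewrite the leading prefix.
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$(( ${#old} + 1 ))" "$esc"
}

# Usage: prefix_rename_sql wp_ k7q2x_ users wc_orders > rename.sql
# Review the output, then feed it to mysql with the site in maintenance mode.
if [ $# -ge 2 ]; then
    prefix_rename_sql "$@"
fi
```

The script only prints statements; run them yourself after reading them, and change `$table_prefix` in wp-config.php in the same maintenance window, because between the two steps the site cannot find its tables.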

Keep Wp-Admin Directory Protected

Although you need to enter a username and password to reach the WordPress administration pages, there are still resources within the wp-admin folder that an attacker could use to gain control of your website, and the login form itself is the target of automated password guessing. Enabling server-level password protection on this folder puts an extra layer of authentication in front of all the administration content, one the web server enforces before any WordPress code runs. Two things to watch: wp-login.php sits outside wp-admin, so it needs protecting separately, and wp-admin/admin-ajax.php is called by plugins and themes on behalf of ordinary visitors, so it needs an exception or those front-end features break. The following tutorial shows you how to do it in 7 easy steps.

Keep Backups of your Database and Files

Keeping a backup of your WordPress database and files is as important as keeping the site safe from attackers: if the defences fail, you still have clean copies to restore from. Many hosting companies offer database and file backups, and there are WordPress plugins that will dump your database and email it to you. Two cautions. A backup contains wp-config.php (the database credentials and the authentication keys and salts) and every user's password hash, so it is as sensitive as the site itself and must be stored off the server with restricted access; emailing a dump is convenient but sends all of that in clear text. And a backup you have never restored is untested, so practise the restore before you need it.
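An added example, not from the original article: a small POSIX shell script that reads the database credentials out of wp-config.php and produces a single owner-only archive of the database and the files. The paths and the script name in the usage comment are placeholders; it assumes mysqldump and tar are installed, that wp-config.php uses the stock define() lines with values free of quote characters, and that DB_HOST is a plain host name.

```shell
#!/bin/sh
# Added example, not code from the original article. Dumps the database and
# the files of a WordPress install into one owner-only archive.
# Assumptions: mysqldump and tar are installed, wp-config.php uses the stock
# define('DB_NAME', '...') form with values that contain no quotes, and
# DB_HOST is a plain host name.

# wp_config_get FILE CONSTANT
# Extracts the value of define('CONSTANT', 'value') so the script never needs
# a second copy of the credentials.
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# wp_backup WP_ROOT DEST_DIR
# Writes DEST_DIR/<dbname>-<utc timestamp>.tar.gz and prints its path.
wp_backup() {
    root=$1; dest=$2; cfg="$root/wp-config.php"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name=$(wp_config_get "$cfg" DB_NAME)
    [ -n "$name" ] || { echo "DB_NAME not found in $cfg" >&2; return 1; }
    umask 077                          # everything below is created 0600/0700
    tmp=$(mktemp -d) || return 1
    trap 'rm -rf "$tmp"' EXIT
    # Put the credentials in a defaults file, not on the mysqldump command
    # line: arguments are visible to every local user through ps.
    {
        printf '%s\n' "[client]"
        printf 'user=%s\n' "$(wp_config_get "$cfg" DB_USER)"
        printf 'password=%s\n' "$(wp_config_get "$cfg" DB_PASSWORD)"
        printf 'host=%s\n' "$(wp_config_get "$cfg" DB_HOST)"
    } > "$tmp/my.cnf"
    mysqldump --defaults-extra-file="$tmp/my.cnf" --single-transaction \
        --add-drop-table "$name" > "$tmp/db.sql" || return 1
    # The archive includes wp-config.php (DB password, AUTH_KEY/SALT values)
    # and the users table (password hashes): it is as sensitive as the live
    # site. The umask keeps it owner-only; move it off the web server after.
    out="$dest/$name-$stamp.tar.gz"
    tar -czf "$out" -C "$tmp" db.sql -C "$root" . || return 1
    echo "$out"
}

# Usage: sh wp-backup.sh /var/www/example /var/backups
if [ $# -eq 2 ]; then
    wp_backup "$1" "$2"
fi
```

Run it from cron as the site owner, not root, and copy the printed archive to a separate host; a backup that lives only on the compromised server is lost with it.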

Disable XMLRPC

XML-RPC is the interface WordPress exposes at xmlrpc.php for remote logging in and publishing from desktop and mobile applications such as Windows Live Writer. If you do not publish from an external application, disable it. In WordPress up to 3.4 it is off unless you enable Remote Publishing under Settings > Writing; from 3.5 onwards it is always on and the setting is gone, so it has to be switched off with the xmlrpc_enabled filter or blocked at the web server. The filter only disables the methods that require a login; the anonymous pingback.ping method, which has been abused for reflected denial of service, stays reachable unless xmlrpc.php itself is blocked. Blocking the file also breaks anything that genuinely relies on it, such as the mobile apps and Jetpack, so check that before you do it.
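Both of the server-level controls above, the password on wp-admin and the block on xmlrpc.php, come down to a few Apache directives. The following is an added example (shell, not from the original article or its linked tutorial) that generates the fragments for Apache 2.4 and includes a probe to confirm xmlrpc.php is no longer reachable. The .htpasswd path and site URL are placeholders; it assumes mod_authn_file is loaded, AllowOverride permits these directives in .htaccess, and htpasswd and curl are installed.

```shell
#!/bin/sh
# Added example, not code from the original article or its linked tutorial.
# Generates Apache 2.4 directives for the two controls above. Assumptions:
# mod_authn_file is loaded, AllowOverride permits these directives in
# .htaccess, and htpasswd and curl are installed.

# make_htpasswd FILE USER
# Creates FILE (overwriting it) with a bcrypt entry for USER and prompts for
# the password. Keep FILE outside the document root.
make_htpasswd() {
    htpasswd -B -c "$1" "$2"
}

# admin_auth_htaccess PASSWD_FILE -> contents of wp-admin/.htaccess
admin_auth_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "WordPress administration"
AuthUserFile $1
Require valid-user

# admin-ajax.php is inside wp-admin but is called by themes and plugins for
# anonymous visitors (search, infinite scroll, contact forms). Without this
# exception those features break or prompt every visitor for a password.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# root_htaccess_fragment PASSWD_FILE -> directives to add to the site's root
# .htaccess, above the WordPress rewrite rules
root_htaccess_fragment() {
    cat <<EOF
# Block xmlrpc.php outright. The xmlrpc_enabled filter only disables methods
# that need a login; the anonymous pingback.ping stays reachable otherwise.
<Files xmlrpc.php>
    Require all denied
</Files>

# wp-login.php is outside wp-admin/, so put the same password in front of it.
<Files wp-login.php>
    AuthType Basic
    AuthName "WordPress administration"
    AuthUserFile $1
    Require valid-user
</Files>
EOF
}

# xmlrpc_probe SITE_URL
# Succeeds (exit 0) when xmlrpc.php still answers an unauthenticated
# system.listMethods call, i.e. the block is NOT in place.
xmlrpc_probe() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$1/xmlrpc.php" \
        -H 'Content-Type: text/xml' \
        --data '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>')
    [ "$code" = "200" ]
}

# Usage: sh wp-htaccess.sh /etc/apache2/wp.htpasswd > fragments.txt
#        xmlrpc_probe https://example.com && echo "xmlrpc.php still exposed"
if [ $# -eq 1 ]; then
    admin_auth_htaccess "$1"
    echo "----"
    root_htaccess_fragment "$1"
fi
```

On Apache 2.2 the same intent is written as `Satisfy any` plus `Allow from all` instead of `Require all granted`, and `Deny from all` instead of `Require all denied`. Plugins that handle front-end form posts through wp-admin/admin-post.php need the same exception as admin-ajax.php.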

Disable or Remove Unused Plugins and Themes

If you have installed a few plugins or themes and decided not to use them, did you deactivate them? Did you delete the files? A vulnerability can be found at any time in a plugin, a theme, or a library they bundle, and a deactivated plugin is not a safe one: its PHP files are still on disk and still served by the web server, so they can be requested directly and exploited without the plugin ever being active. Always delete unused plugins and themes rather than just deactivating them, keeping one default theme as a fallback, since WordPress switches to it if the active theme breaks.

Remove or Rename the Admin User Account

A typical WordPress installation comes with a default user account whose login name is admin. If that is what you use to access your site, you have handed attackers half of the credential: automated password-guessing tools try admin first, and all that is left is to guess the password. Renaming it removes that free half, but do not treat the username as a secret afterwards; with pretty permalinks enabled, a request for /?author=1 redirects to the author archive, which exposes the user's nicename, so a strong password and the server-level protection above still matter.

Here is how to change the admin login name:

  1. Log in to the WordPress admin panel.
  2. Go to Users -> Add New.
  3. Add a new user with the Administrator role and a strong password. WordPress requires a unique email address per user, so give the new account a different address from admin if it complains.
  4. Log out of WordPress and log in again as the new administrator.
  5. Go to Users.
  6. Delete the "admin" user.
  7. When WordPress asks what to do with the content owned by admin, choose to attribute all posts and links to the new user; the other option deletes them.
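The plugin clean-up above and the admin-account replacement just described are both quicker with WP-CLI over SSH, and scripting them makes the order of operations explicit. This added example is not from the original article or from WP-CLI itself; it assumes WP-CLI is installed as wp and is run from the WordPress root, and the login ops-admin and address ops@example.com in the usage are placeholders. Pointing WP_CLI at a logging stub lets you dry-run it.

```shell
#!/bin/sh
# Added example, not code from the original article or from WP-CLI itself.
# Assumptions: WP-CLI is installed as "wp" and this runs from the WordPress
# root. WP_CLI can be pointed at a stub to dry-run the logic.

WP_CLI=${WP_CLI:-wp}

# delete_inactive_plugins
# Deactivating a plugin only stops WordPress loading it; its PHP files stay on
# disk and are still served by the web server, so anyone can request them
# directly. Deleting removes the attack surface. (Themes work the same way:
# wp theme list --status=inactive / wp theme delete, but keep one bundled
# default theme, which WordPress falls back to if the active theme breaks.)
delete_inactive_plugins() {
    for p in $($WP_CLI plugin list --status=inactive --field=name); do
        $WP_CLI plugin delete "$p"
    done
}

# replace_admin_user NEW_LOGIN EMAIL
# Creates a new administrator, prompts for its password (so it never appears
# in ps output or shell history), then removes "admin" and reassigns its
# content. Prints the new user's ID.
replace_admin_user() {
    new=$1; email=$2
    old_id=$($WP_CLI user get admin --field=ID) || return 1
    $WP_CLI user create "$new" "$email" --role=administrator --prompt=user_pass || return 1
    new_id=$($WP_CLI user get "$new" --field=ID) || return 1
    # Never delete without --reassign: a deleted user's posts go with it.
    $WP_CLI user delete "$old_id" --reassign="$new_id" --yes || return 1
    echo "$new_id"
}

# Usage: sh wp-cleanup.sh ops-admin ops@example.com
if [ $# -eq 2 ]; then
    delete_inactive_plugins
    replace_admin_user "$1" "$2"
fi
```

The new account is created and verified before admin is touched, so a failure at any step leaves you with at least one working administrator.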

Use a Strong Password

A strong password is one that you can remember easily enough but that is very difficult for somebody else to guess, and it should be as long as you can make it. Avoid the common letter substitutions in ordinary words, such as 0 for o or @ for a: cracking tools apply exactly those substitutions as rules, so they add almost nothing.

Good passwords are often built from phrases: take a phrase and use the first letter of each word. "The Quick Brown Fox Jumps Over The Lazy Dog" becomes 'tqbfjotld', which looks like a good password but, being only nine lower-case letters, would take an average desktop computer about 22 minutes to brute-force. It is also the best-known pangram in English, so its acronym is exactly the kind of string that ends up in cracking wordlists; pick a phrase that is personal rather than famous. Add numbers and symbols as well, again something you can remember but nobody else would know, and not your PIN. The small change to '1tqbfjotld!' (adding a 1 and a !) takes the estimated cracking time to 48 years, and adding a few more digits, '1tqbfjotld!4462', pushes it to several hundred million years. The lesson that holds whatever calculator you use is that length does far more for you than clever substitutions.

You can check how strong your current password is with howsecureismypassword.net. Treat the figures as relative rather than absolute: they assume guessing from scratch at one fixed rate, and an attacker who has obtained the password hashes from a stolen database or backup can test guesses far faster offline than against a login form.

Bad Password Examples

Easily guessed words, or ordinary words with a few numbers tacked on, which cracking tools try first.

Better Password Examples

Randomly generated strings are the strongest choice for a given length, since brute force is the only way to attack them. The problem is remembering them: in practice that means writing them down or, better, keeping them in a password manager.

Best Password Examples

Long passphrases that mix letters, numbers and symbols: memorable to you, long enough that brute force is hopeless, and not a phrase that appears in a dictionary or a list of quotations.


Plugins to help improve security

Akismet

Akismet checks your comments against the Akismet web service and moves anything that looks like spam to the spam queue. WordPress strips dangerous HTML from comments left by ordinary visitors, but spam still carries malicious links and occasionally probes for bypasses of that filtering, and the less of it that reaches your moderation queue, the less chance one slips through.

Better WP Security

Better WP Security (later renamed iThemes Security) bundles a large set of WordPress hardening options, including several of the steps above, into one plugin so they can be applied without conflicting plugins or a forgotten step. It is a hardening tool, not a patch: it cannot fix vulnerabilities in WordPress, plugins or themes, so keeping everything up to date remains the first step.

Tutorial Series

This post is part of the series Creating Your First Website.
