4 Dead-Easy Steps to Protect Your WordPress Site Against Hackers

Newsflash: If you run a WordPress website, you should absolutely take basic steps to secure it against hackers.

OK. This is not really news to you and me.

The problem is that, if you are like most people, you don’t consider website security to be an exciting topic. You acknowledge it’s important, but, hey, it’s also kinda boring and technical.

Also there’s that catchy old “It won’t happen to me” chorus playing at the back of your mind.

So website security languishes at the very bottom of your to-do list, and never gets any attention.

But what if I told you that you could ramp up your website security right now, all by yourself, in 18 minutes or less, without spending a penny?

Now that’s news!

Just follow these 4 dead-easy steps, and you’ll soon be free to get back to the other, more thrilling tasks on your to-do list:

(Note these steps refer specifically to WordPress sites, but can be applied to most other content management systems.)

1. Delete the username “admin”

The default username when creating a WordPress site is “admin.” Most people keep this username. This makes it dead easy for hackers to guess your username. Then they are already half logged in to your site.

So delete any account with the username “admin.”

Note: if the account with username “admin” is the only user that currently has Administrator-level access, you won’t be able to delete it until you first create and log in with a different Administrator-level account. WordPress needs to ensure that there is some way to access Administrator functions for your site.

Time needed: 4 minutes

2. Strengthen Your Password

Hackers use software to instantaneously test every word in Wikipedia against your password. So anything that is a real word or name in any language should not be used. Any logical or significant number sequence should not be used.

That means don’t use your pet’s name, your kid’s birthday, or anything else that vaguely makes sense.

The best passwords include a random arrangement of uppercase and lowercase letters, as well as numbers and symbols. In other words, they should be gibberish.

You can use a password generator to help you do this – just make sure to save your passwords in a secure place.

So go now and change your website login password to something really incomprehensible. Ask other users to do the same.

Time needed: 2 mins

3. Delete and Update

WordPress has a bit of a bad rap for being “insecure.” In fact, a WordPress site only becomes insecure when you fail to keep it up to date. Any part of your site that is not updated to its latest version presents a security risk. Hackers find vulnerabilities in sites through outdated files, themes and plugins.

So go now and make sure that you are updated to:

  • The latest version of WordPress
  • The latest version of all installed plugins
  • The latest version of all installed themes

While you’re in there, it’s best to delete any plugins or themes that you don’t use or need. These are likely to become outdated without you noticing, creating future security risks.

Time needed: 8 mins

4. Limit Login Attempts

At illuminea, we install a plugin like this on all our clients’ WordPress sites: the Limit Login Attempts plugin. It’s really a clever little thing-a-ma-jig.

One of the common ways that hackers attempt to gain access to a site is by using software that bombards the login page with an infinite number of username and password combinations, until they strike gold. And if you are not following steps 1 and 2, they will strike gold pretty fast. This was how the Brute Force attacks were so successful in destroying many WordPress sites in 2013.

That’s the beauty of this plugin: it limits the number of times that anyone can attempt to log in to your site within one single hour to some reasonable human number, like five.

If you are the forgetful type, set it to 10 :)

So off you go to search for and install the “Limit Login Attempts” plugin on your site.

Time needed: 4 mins
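To see why a cap of five attempts per hour matters, here is a small simulation added for illustration. It is not the Limit Login Attempts plugin's code; it assumes failures are counted per client address in a sliding one-hour window, and all names, addresses and passwords in it are constructed.

```python
from collections import defaultdict, deque
WINDOW_SECONDS = 3600  # "within one single hour"
MAX_ATTEMPTS = 5       # "some reasonable human number, like five"

class LoginLimiter:
    """Counts failed logins per client address in a sliding window."""
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.failures = defaultdict(deque)  # address -> failure timestamps

    def _recent(self, address, now):
        q = self.failures[address]
        while q and now - q[0] >= self.window:  # forget failures older than the window
            q.popleft()
        return q

    def allowed(self, address, now):
        return len(self._recent(address, now)) < self.max_attempts

    def record_failure(self, address, now):
        self._recent(address, now).append(now)

def replay(attempts, real_password, limiter):
    """Feed (timestamp, address, password) tuples through the limiter."""
    stats = {"checked": 0, "blocked": 0, "logged_in": False}
    for now, address, password in attempts:
        if not limiter.allowed(address, now):
            stats["blocked"] += 1  # rejected before the password is compared
            continue
        stats["checked"] += 1
        if password == real_password:
            stats["logged_in"] = True
            break
        limiter.record_failure(address, now)
    return stats

# Constructed sample data: a bot guessing once per second; its 600th guess is correct.
REAL = "constructed-sample-password"
BOT = [(t, "203.0.113.7", REAL if t == 599 else f"guess{t}") for t in range(1000)]
HUMAN = [(t, "198.51.100.20", pw) for t, pw in ((0, "typo1"), (30, "typo2"), (60, REAL))]

def demo():
    return (replay(BOT, REAL, LoginLimiter(max_attempts=10**9)),  # effectively no limit
            replay(BOT, REAL, LoginLimiter()),
            replay(HUMAN, REAL, LoginLimiter()))

if __name__ == "__main__":
    print(demo())
```

With no limit the automated client gets in on its 600th guess; with the limit only five of its 1000 guesses are ever checked, while the person who mistypes twice still logs in.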

OK. We’re done.

That’s all you need to do to take your website security up a notch.

But Wait, Will This Really Protect My Site Against Menacing “Hacktivists”?

You may ask yourself: Malicious hackers have taken down expertly-secured sites belonging to the US Government and PayPal. What chance do I have of protecting my site against them, with a few simple DIY measures?

In reality, these tips are not fool-proof but they do raise your security level over most of the sites on the web. The average hacker prefers to target the weakest among us, so by raising your site out of that category, you can really help to protect your site.

If you have reason to believe that your site could be a specific target of expert hackers, then you will need much stronger measures than this. The best way to know if you are in this high-risk category is if you have already been subject to more than one hacking attempt.

If this is you, you need to consult an expert.

For the rest of us, extreme measures are not usually necessary. At the same time, a few simple security steps could save huge headaches and a lot of money rebuilding a site that has been maliciously hacked.

So set a timer for 18 minutes and go for it!

  • Thanks for this information on security breach in WordPress. I have really been looking for more information on this.

    • Naomi Elbinger

      You’re welcome, Miriam

  • Thanks for this post, Naomi. I just installed the limit login attempts plugin you suggested. However, I don’t see where to fill in the number of attempts to be allowed. Ideas?

    • Naomi Elbinger

      Hi Ruth,
      In your WordPress dashboard in the left menu bar, go to Settings>Limit Login Attempts. Over there it gives you an option to specify the number of retries after the first failed login attempt. As a default, there are 4 retries allowed.
      Hope this helps

  • Ali


    First of all, I want to say that you have written a very nice article on WordPress security. I have some suggestions as well to secure a WordPress site:

    1: Change wp-login or wp-admin to something else.
    2: Always change the database prefix when setting up a new WordPress website.
    3: Make your files non-editable on WordPress.
    4: Install any good Captcha plugin.

    • Naomi Elbinger

      Hi Ali,
      These are all great tips for someone with a bit higher skill level. Except the Captcha plugin – that is pretty simple for anyone to do.
      Thanks for the tips

  • Abdul Alim Khan

    Thanks for giving such great info about WordPress security…

  • Very well explained points on WordPress security. Quite enjoyed the post!

  • Hi!
    Thanks for this awesome tutorial. I really like this to help the beginners. I have hired Inmotion hosting but shared hosting is not good. So when I installed a security plugin my cPanel CPU usage was excessive. But due to your tutorial I am not worried about it. I have injected all the above things manually. And my site is also working well.
    - Keep sharing like this.

  • The section in the last ‘But wait ….’ is exactly reading a reader’s mind. A similar thought crossed my mind at that point and suddenly I have the answer too. Great write-up. To go a little deeper and look for vulnerabilities in WordPress website, do look up to this article: https://goo.gl/di1gTL

  • freelancermap.com

    Great post. Beginners are particularly at risk not knowing the threats to their sites, but lists like these really help.

    We recently had a similar post that has over 19 ways to protect your site – would love you to check it out and see if there’s any points you hadn’t thought of!


  • SimraN NanwanI

    Great tips .. for limit login attempts you may want to try WP Cerber.. I read the reviews and Cerber seems to be better than limit login. thank you.

  • ruthy

    This is a lovely post. I have met a lot of peeps who complain of their pages being compromised; this post is a very good eye opener…

    I have a blog where we teach how to do various penetration to sites and apps too and also how to protect yourself against them too… you could check it out, there are interesting tips there…