
Newsflash: If you run a WordPress website, you should absolutely take basic steps to secure it against hackers.
OK. This is not really news to you and me, but when it comes to WordPress security, many website owners still overlook essential precautions.
The problem is that, if you are like most people, you don’t consider website security, including WordPress security, to be an exciting topic. You acknowledge it’s important, but, hey, it’s also kinda boring and technical.
Also, there’s that catchy old “It won’t happen to me” chorus playing at the back of your mind.
So website security languishes at the very bottom of your to-do list, and never gets any attention.
But what if I told you that you could ramp up your website security, specifically WordPress security, right now, all by yourself, in 18 minutes or less, without spending a penny?
Now that’s news!
Just follow these 4 dead-easy steps, and you’ll soon be free to get back to the other, more thrilling tasks on your to-do list:
(Note these steps refer specifically to WordPress sites, but can be applied to most other content management systems.)
1. Delete the username “admin”
The default username when creating a WordPress site is “admin.” Most people keep this username. This makes it dead easy for hackers to guess your username. Then they are already half logged in to your site.
So delete any account with the username “admin.”
Note: if the account with username “admin” is the only user that currently has Administrator-level access, you won’t be able to delete it until you first create and log in with a different Administrator-level account. WordPress needs to ensure that there is some way to access Administrator functions for your site, which is crucial for maintaining strong WordPress security.
Time needed: 4 minutes
2. Strengthen Your Password
Hackers use software to instantaneously test every word in Wikipedia against your password. So anything that is a real word or name in any language should not be used. Any logical or significant number sequence should not be used, especially when considering WordPress security. That means don’t use your pet’s name, your kid’s birthday, or anything else that vaguely makes sense.
The best passwords include a random arrangement of uppercase and lowercase letters, as well as numbers and symbols. In other words, they should be gibberish.
You can use a password generator to help you do this – just make sure to save your passwords in a secure place.
So go now and change your website login password to something really incomprehensible. Ask other users to do the same.
Time needed: 2 mins
3. Delete and Update
WordPress has a bit of a bad rap for being “insecure.” In fact, a WordPress site only becomes insecure when you fail to keep it up to date. Any part of your site that is not updated to its latest version presents a security risk. Hackers find vulnerabilities in sites through outdated files, themes, and plugins, which is why ensuring robust WordPress security through regular updates is essential.
So go now and make sure that you are updated to:
- The latest version of WordPress
- The latest version of all installed plugins
- The latest version of all installed themes
While you’re in there, it’s best to delete any plugins or themes that you don’t use or need. These are likely to become outdated without you noticing, creating future security risks.
Time needed: 8 mins
4. Limit Login Attempts
At Illuminea, we install a plugin like this on all our clients’ WordPress sites: the Limit Login Attempts plugin. It’s really a clever little thing-a-ma-jig.
One of the common ways that hackers attempt to gain access to a site is by using software that bombards the login page with a seemingly endless stream of username and password combinations until they strike gold. And if you are not following steps 1 and 2, they will strike gold pretty fast. This was how the brute-force attacks were so successful in destroying many WordPress sites in 2013.
That’s the beauty of this plugin: it limits the number of times that anyone can attempt to log in to your site within one single hour to some reasonable human number, like five.
If you are the forgetful type, set it to 10 🙂
So off you go to search for and install the “Limit Login Attempts” plugin on your site.
Time needed: 4 mins
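To make the rule from step 4 concrete, here is a short added example (written for this article, not the Limit Login Attempts plugin's own code) of a limiter that allows five failed logins per address within one hour and then refuses further attempts. The class name, function names and IP addresses are assumptions made up for the illustration; the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # "within one single hour"
MAX_ATTEMPTS = 5       # "some reasonable human number, like five"


class LoginLimiter:
    """Sliding-window limiter keyed by client IP (illustrative only)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.failures = defaultdict(deque)  # ip -> times of recent failed logins

    def is_locked(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] >= self.window:  # forget failures older than the window
            q.popleft()
        return len(q) >= self.max_attempts

    def attempt(self, ip, now, password_ok):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            return "blocked"  # the password is not even checked while locked out
        if password_ok:
            self.failures.pop(ip, None)  # a successful login clears the counter
            return "ok"
        self.failures[ip].append(now)
        return "failed"


def replay(events, limiter=None):
    """Run (timestamp, ip, password_ok) events through a limiter, in order."""
    limiter = limiter or LoginLimiter()
    return [limiter.attempt(ip, ts, ok) for ts, ip, ok in events]


# Constructed sample: one address guessing every 10 seconds, one user with a typo.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", False) for t in range(0, 80, 10)]  # 8 guesses in a row
    + [(100, "198.51.100.20", False), (130, "198.51.100.20", True)]
    + [(3650, "203.0.113.7", False)]  # more than an hour after the 5th failure
)

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", result)
```

The guessing address gets five tries and is then shut out for the rest of the hour, while the user who mistyped once logs in normally on the second try.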
OK. We’re done.
That’s all you need to do to take your website security up a notch.
But Wait, Will This Protect My Site Against Menacing “Hacktivists”?
You may ask yourself: Malicious hackers have taken down expertly-secured sites belonging to the US Government and PayPal. What chance do I have of protecting my site against them, with a few simple DIY measures?
In reality, these tips are not fool-proof, but they do raise your security level above that of most sites on the web. The average hacker prefers to target the weakest among us, so by raising your site out of that category, you can really help to protect your site.
If you have reason to believe that your site could be a specific target of expert hackers, then you will need much stronger measures than this. The best way to know if you are in this high-risk category is if you have already been subject to more than one hacking attempt.
If this is you, you need to consult an expert.
For the rest of us, extreme measures are not usually necessary. At the same time, a few simple security steps could save huge headaches and a lot of money in rebuilding a site that has been maliciously hacked.
So set a timer for 18 minutes and go for it!
Frequently Asked Questions
How can I improve my WordPress security without spending money?
Improving your WordPress security doesn’t have to be expensive. You can follow a few simple, free steps such as deleting the default “admin” username, strengthening your password, updating WordPress core, plugins, and themes, and installing a plugin to limit login attempts. These basic precautions significantly enhance your WordPress security.
What are the common threats to WordPress security?
Common threats to WordPress security include brute-force attacks, outdated plugins and themes, weak passwords, and exploiting the default “admin” username. Hackers can use automated tools to break into your site by targeting these weaknesses, so it’s crucial to take action to protect your WordPress website.
Why should I delete the default “admin” username for better WordPress security?
The default “admin” username is an easy target for hackers. Many cybercriminals attempt to guess usernames and passwords using automated tools, and having “admin” as your username gives them a head start. Deleting this username and creating a custom one is a simple and effective way to improve WordPress security.
What is the best way to create a strong password for WordPress security?
A strong password is crucial for WordPress security. It should include a mix of uppercase and lowercase letters, numbers, and symbols, creating a password that’s nearly impossible to guess. Avoid using obvious words like pet names or birthdays. Password generators can help you create a random, secure password for your WordPress account.
How often should I update my WordPress website for security?
Regular updates are essential for WordPress security. Always ensure you’re using the latest version of WordPress, plugins, and themes. Hackers often exploit outdated software, so staying current helps prevent security vulnerabilities. Set a schedule to check for updates frequently.
