I had the privilege of giving my WordPress Security presentation at WordCamp Boston a few weeks ago. The presentation covered a lot of great WordPress security tips, so I wanted to share the easiest ones that anyone can implement on any WordPress website. Below is that list!
1. Don’t use the admin account – The default user account created with every installation of WordPress is the admin account. Unfortunately, the entire world knows this, including attackers, who can easily launch a dictionary attack against that account to guess your password. If an attacker already knows your username, that’s half the battle. It’s highly recommended to delete the admin account or change its username. To remove the admin account, follow these steps:
- Create a new WordPress user account with a unique username that is hard to guess
- Assign the new account to the Administrator role
- Log out of WordPress and log back in with the newly created account
- Delete the admin account (when prompted, attribute its existing posts to the new account so they are not lost)
2. Use Secret Keys – A secret key is a hashing salt that is mixed into your password hash to make it even harder to crack. Secret keys are set in your wp-config.php file. Simply visit https://api.wordpress.org/secret-key/1.1 to have a set of randomly generated secret keys created for you. Copy the 4 secret keys into your wp-config.php file and save it. You can add or change these keys at any time; the only effect is that all current WordPress cookies are invalidated and your users have to log in again.
3. htaccess lockdown – Using a .htaccess file you can lock down your wp-admin directory by IP address, so that only the IP addresses you specify can reach your admin dashboard URLs. Everyone else is stopped before they can even attempt to attack your WordPress backend. To do this, create a file called .htaccess in your wp-admin directory and add the following code, replacing xxx.xxx.xxx.xxx with your IP address:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from xxx.xxx.xxx.xxx
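The snippet above uses the Apache 2.2 access-control syntax (Order/Deny/Allow), which Apache 2.4 only accepts when mod_access_compat is loaded. As an added example that is not part of the original post, here is the same wp-admin lockdown written for Apache 2.4, with the one exception a practitioner usually needs: admin-ajax.php is called from the public front end by many themes and plugins, so blocking it breaks those features for every visitor. The addresses 203.0.113.0/24 and 198.51.100.7 are documentation ranges standing in for your own office network and home IP.

```apache
# wp-admin/.htaccess  (Apache 2.4 syntax, added example; assumes mod_authz_core)
<IfModule mod_authz_core.c>
    # Front-end AJAX calls from anonymous visitors land here; keep it reachable,
    # otherwise themes/plugins that rely on it stop working outside the allow-list.
    <Files admin-ajax.php>
        Require all granted
    </Files>

    # Everything else under wp-admin: only the listed addresses may connect.
    # Replace these documentation addresses with your own office range / home IP.
    Require ip 203.0.113.0/24 198.51.100.7
</IfModule>
```

Note that wp-login.php lives in the site root, not in wp-admin, so this file does not restrict the login form itself; if you want the same IP allow-list there, add a `<Files wp-login.php>` block with the same `Require ip` line to the root .htaccess. Also, if your site sits behind a reverse proxy or CDN, Apache sees the proxy's address unless mod_remoteip is configured, and the allow-list will not behave as expected.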
4. Force SSL login and admin access – SSL (https) encrypts the data transmitted between a visitor’s browser and your website. To easily enable (and enforce) WordPress administration over SSL, there are two constants that need to be set in wp-config.php. Be sure that SSL is set up properly on your server before enabling this feature, or you will lock yourself out of the dashboard.
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
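Tips 2 and 4 both come down to specific define() lines in wp-config.php, which makes them easy to audit across many sites. The following script is an added example, not code from the post: it parses a wp-config.php, reports secret keys that are missing, still the sample placeholder text, or too short, reports whether the two FORCE_SSL constants are set, and can rewrite the file with fresh random keys and the SSL constants forced on. The four key names are the ones the api.wordpress.org/secret-key/1.1 endpoint returns; the sample wp-config.php text at the bottom is constructed for the demonstration, and the 32-character minimum is this script's own threshold, not a WordPress rule.

```python
import re
import secrets
import string

# The four constants returned by https://api.wordpress.org/secret-key/1.1 (tip 2).
SECRET_KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
SSL_FLAGS = ("FORCE_SSL_LOGIN", "FORCE_SSL_ADMIN")          # tip 4
PLACEHOLDER = "put your unique phrase here"                   # value shipped in wp-config-sample.php
MIN_KEY_LENGTH = 32                                           # this script's own threshold (assumption)

# define('NAME', <value>);  where <value> is a quoted string or a bare literal such as true/false
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>'[^']*'|"[^"]*"|[\w.]+)\s*\)\s*;"""
)


def _unquote(raw):
    return raw[1:-1] if raw[:1] in "'\"" else raw


def parse_defines(config_text):
    """Map every define()'d constant in a wp-config.php to its (unquoted) value."""
    return {m.group("name"): _unquote(m.group("value")) for m in _DEFINE_RE.finditer(config_text)}


def generate_secret_key(length=64):
    """Random key that is safe inside a single-quoted PHP string: no quote or backslash characters."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_wp_config(config_text):
    """Return a list of findings; an empty list means tips 2 and 4 are both applied."""
    defines = parse_defines(config_text)
    findings = []
    for name in SECRET_KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_KEY_LENGTH:
            findings.append(f"{name}: too short ({len(value)} chars)")
    for flag in SSL_FLAGS:
        if defines.get(flag, "").lower() != "true":
            findings.append(f"{flag}: not set to true")
    return findings


def _set_define(config_text, name, php_value):
    """Replace the existing define() for `name` in place, or append one at the end of the file."""
    line = f"define('{name}', {php_value});"
    pattern = re.compile(
        rf"""define\(\s*['"]{name}['"]\s*,\s*(?:'[^']*'|"[^"]*"|[\w.]+)\s*\)\s*;"""
    )
    new_text, count = pattern.subn(lambda _m: line, config_text, count=1)
    if count == 0:
        new_text = config_text.rstrip("\n") + "\n" + line + "\n"
    return new_text


def harden_wp_config(config_text):
    """Rotate every missing/placeholder/short secret key and force SSL for login and admin.

    Rotating a key only invalidates existing WordPress cookies (users log in again),
    so it is safe to run on a live site.
    """
    defines = parse_defines(config_text)
    for name in SECRET_KEY_NAMES:
        value = defines.get(name)
        if value is None or value == PLACEHOLDER or len(value) < MIN_KEY_LENGTH:
            config_text = _set_define(config_text, name, f"'{generate_secret_key()}'")
    for flag in SSL_FLAGS:
        config_text = _set_define(config_text, flag, "true")
    return config_text


# Constructed sample wp-config.php for the demonstration (not a real site's file).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'abc');
define('FORCE_SSL_ADMIN', false);
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print("FINDING:", finding)
    print(harden_wp_config(SAMPLE_WP_CONFIG))
```

Running the script on the sample lists six findings (two placeholder keys, one short key, one missing key, and both SSL constants), and auditing the hardened output returns none. To use it on a real site, read wp-config.php into `config_text`, review the findings, and write `harden_wp_config()`'s result back only after taking a backup; appended lines land at the end of the file, which works but is tidier to move above the "That's all, stop editing!" comment by hand.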
5. Install WordPress Security Plugins – Installing the plugins recommended below will help keep your website secure from hackers and exploits.
- WP Security Scan – scans your folder/file permissions and verifies they are correct. It also displays other security-related advice based on your configuration
- WordPress Exploit Scanner – scans your source files and database content for malicious code
- WordPress File Monitor – monitors all source files in your WordPress installation and emails you if any files are modified
- Login Lockdown – locks out any user who has too many failed login attempts
Be sure to join my WordPress Tips and Tricks Newsletter to get awesome WP news and information delivered weekly right to your inbox!
You can view my full WordPress Security presentation from WordCamp Boston and also view my slides (Colts horseshoes and all!) here
Thanks for these recommendations! I was surprised to find that only one of my 14 sites was using secret keys. I’ll install them on the rest now.
I didn’t know about Exploit Scanner and File Monitor.
This post has also prompted me to do a full security maintenance on all 4 of my sites. I’m using a different plugin for limiting login attempts, but I surprisingly didn’t have that on one of my popular sites, so I decided to give Login Lockdown a try on that one, since it’s good to compare options to make sure you have the best one.
Thanks for the great security tips for WordPress. With tip number 1, can this also be done for a WordPress MU install?
@Bina Good question and this was actually brought up in my Security Presentation. WordPress MU treats the admin account differently because it’s really a WPMU site admin account. Here is a forum thread that explains how to change the admin username in WPMU, but be careful because it requires direct DB record updates:
http://mu.wordpress.org/forums/topic/13444
Top 5 WordPress Security Tips Done In Under 5 Minutes…
These are the easiest security tips that you could implement on any WordPress website…….
[...] shares with us a link which shares a previous Wordcamp article on Wordpress Security. Also shared there is another link [...]
What’s the best way to stop automated bot submissions and registrations?
@Natick set up a CAPTCHA on your signup process. There are a number of plugins that can do this. Also, the Bad Behavior plugin is good at stopping bots from even hitting your site