10+ Ways to Improve WordPress Security

Marketing Grin - Website Security

This post looks at 10 ways you can increase WordPress security and significantly reduce the chance of your site being hacked. The tips are simple to implement and will enhance your online security dramatically.

The security of your website is often something that most people don’t think about until it is compromised. Unfortunately by then you have already been negatively affected. All of the websites that we build for clients come with a good level of security which prevents most attacks and this post is designed to get people thinking about their sites security so any issues can be addressed and potential attacks stopped.

I have written this post specifically for WordPress users as it is one of the most used platforms and it was sensible to concentrate on one platform for the post however most of these security principles can be applied to any website. Should you have any questions about a different platform, please drop a comment below and I will answer it as quickly as I can.


1). Run Regular Updates

Updates to WordPress and plugins are often made to fix a security issue. If you don’t download these updates, you are potentially leaving in these vulnerabilities, making your site susceptible. Updating both WordPress and your plugins is very quick and easy – simply hit the update button in the navigation bar in the admin page (usually highlighted when there is an update available) or click Dashboard > Updates in your admin panel.


2). Download a Security Plugin

There are plenty of websites out there without a security plugin. This is arguably the first step to making your website secure. At Marketing Grin, we use All in One WP Security but there are several good ones out there. We use All in One WP Security mainly because it is free and does everything that I want it to do as well as being easy to use – I have tried several and this is the one that I like the most. It has a security score allowing you to gauge how secure your website is and gives you essential things to improve.


3). Pick a Strong Password and Don’t Share it with Anyone

Obvious but something that a lot of people don’t do. Try to create a password with 8+ characters and one that combines numbers and letters, lower and upper-case and symbols where possible. Keep this password secret and don’t share it with anyone. If you need to give access to your site to someone, create a new user account – Users > Add New and assign the appropriate access level. This will make sure that your security is kept tight.


4). Disable Password hints

This just makes it easier for people to guess your password and it really isn’t necessary. If you have forgotten your password, simply click the ‘forgotten password’ link and get a new password emailed to you or get an administrator to assign one to you which you can then change. Disable hints in the functions.php page.


5). Remove Admin Usernames

One of the most common usernames is admin. This coupled with the standard login page (point 6) gives hackers 2 out of the 3 things that they need to hack into your site. By removing admin as a username, you are reducing the chance of someone hacking into your site. That being said, it will probably only be mass scale attacks that would use the username ‘admin’. If they were deliberately targeting your site, they would probably scroll through the usernames in your blog posts and quickly be able to find a username to login with. Unfortunately you can’t easily change this as the username of a blog post is basically the slug allocated to the user. What you can do though is write blog posts with a lower grade role – author for example. That way hackers don’t have administrative access if they do successfully hack into your site. This though is personal preference as of course there would need to an administrative user as well so two usernames and passwords to remember. As an agency, we don’t have a hard and fast rule on whether to give the client one, administrative username, or to allocate them lower roles and keep the administrative username safe. It really depends on what the client wants. Some prefer not to have full, administrative access, so they don’t mess things up accidentally, others want to have full control.


6). Change the Login Page

You can access 99% of WordPress admin panels by going to By modifying the login page to a none standard URL, you are drastically improving the security of your site. There is a plugin called Protect My Admin and this allows you to change the URL of the login page. It doesn’t really matter what you change the URL to, just something that isn’t standard and something that you will remember.


7). Turn Off User Signups and Set Default User to Subscriber

Under Settings > General, there is section asking if anyone can be a member of your site and what the new user default role is. Make sure you un-tick the membership box and set the default role to subscriber. Although a new user shouldn’t be able to make any changes to your site as a subscriber, unless the membership box is un-ticked, you will get thousands of spammers signing up. This is asking for trouble, plus it is annoying then having to go in and delete the spammy users.

Marketing Grin - WordPress membership


8). Only Download Trusted Plugins and Themes and Delete Unused Plugins

You are asking for trouble downloading anything from an unknown source. Try to only download the most popular plugins and ones from a trusted source. If a plugin or theme has thousands of downloads and lots of positive reviews, the chances are it is from a safe source. If it doesn’t, stay clear unless you are certain it is from a safe source.

It is important to keep your site clean and to delete plugins and themes that you are not using. If you’re not using them, there is no point on having them on your site and you are keeping a vulnerability on your site without any benefit. Also people have a tendency not to update plugins that are not in use.

Marketing Grin - WordPress Plugin Active Installs and Reviews


9). Limit the Number of Login Attempts and Block IP Addresses That You Do Not Recognise

All in One WP Security will do this for you and will notify you by email when there is a site lock down (where someone has been locked out of your site). Go to WP Security > User Login and enter the number of login in attempts before the user is locked out (I allow 3 attempts).

Marketing Grin - WordPress Security User Login

I was amazed by the number of attempts there were to log into the Marketing Grin site and it really does open your eyes to the number of hackers out there. The site lock down email gives you their IP address and I personally block all IP Address that have tried to log into my site that I do not recognise as this reduces the chance of my site being hacked. You do this by going to WP Security > Blacklist Manager and entering the IP Address.


10). Use Secure FTP

When updating files on your site, be sure to use secure FTP and not normal FTP as this will reduce the chance of someone intercepting files and exploiting vulnerabilities. To use SFTP you will need slightly different details from your host (normally an SSH key which you will need to add to your SFTP client) but most hosting providers now provide this as it is in their interest to help you to keep your site secure as there is then less chance their server will be hacked into.


Further Website Security Measures

If you action the points above, the level of security of your site will increase dramatically. We try and promote these 10 points as much as we can as they are relatively easy to implement and will stop most hackers. At Marketing Grin, we now include these steps as standard during the website build (where applicable), and teach these security best-practises where we can. Some businesses like to increase there security even further. As a general rule, the more secure your site is, the better, but often increased security comes with reduced usability so you do need to strike the right balance for your website. Additional security steps include:


SSL (Secure Socket Layer)

Instead of http in front of your domain name, you use https. You need to buy a certificate to do this, normally available from your hosting provider. They are not expensive and it is a good thing to have as it will improve your security as it uses secure socket layer to encrypt data that is transferred between client and server. Traditionally this tends only to be used on e-Commerce sites where card information is taken but it is being encouraged on all sites now. Personally I think it is a good idea to use it but not absolutely essential for most sites.

2 Step Authentication

This adds an extra layer of security when loging in by making you confirm your identity by username and password (first level which is standard) and by confirmong your login via email or a mobile device (second level) where you will be sent a pin number to enter. There are several free plugins that will do this, Rublon is a popular one. This is a good idea and it will improve security however it is a bit of a pain – personal preference whether you add it or not.

Amending File Permissions

You can amend file permissions, adjusting what can be changed within the admin panel so should anyone get in, you’re limiting the damage that they can do. This increases your security so is a good idea but again comes down to personal preference and need.


For more free digital marketing advise, signup to our newsletter below: