WordPress security

One of the downsides of WordPress is that, because it’s so popular as a site building tool, it’s also a really popular target for hackers and spammers. It’s never possible to keep a site perfectly secure (let’s face it – if NASA can’t keep their computers secure, what chance do we mortals stand?) but by protecting your site as best you can the hackers and spammers should pass you by for easier pickings.

Like most things, everyone has their own take on WordPress security, but if you do a quick Google search you’ll find that there are a few points virtually everyone agrees on:

1. Keep your WP login password secure

A hoary old chestnut, but it’s always worth repeating.

2. Make sure you use a different password for every website you’re registered on

Why? Because if a site that stores your password is hacked the hackers can then use that information to try logging in to other sites. This was the basis of the great Tesco hack of 2014.

But how can you remember all of those passwords? If you must, write your passwords down (it’s better than reusing them), but the best way to handle this dilemma is to come up with a repeatable algorithm. For example, you already have your favourite password, don’t you? Let’s say it’s the name of your first pet, Rover. Stick to this, maybe twiddle with it a bit (you could change it to roV3r for example), then tack on the name of the website, again twiddled with. How about turning the website name back to front? So your WordPress logon would be roV3rsserpdroW, or your Tesco logon would be rov3rocseT. Then all you need to do is remember your rule, and you’re away.

3. Make sure that your WP login name is not easily guessable

DON’T, whatever you do, use ‘admin’ or ‘info’, or even the name of the person who’s posting. Why not? Because of evil WordPress bots – the little bits of software that trawl the web looking for WordPress sites and then trying to log in. Because they’re bits of software and not real people, they’ll pick a popular logon id (like ‘admin’) and just keep regenerating passwords until they get the right one. And they never get tired. If you’re stuck for a name, there are tons of sites out there that will randomly generate passwords and logon ids, or you could use Rover again!

4. Make sure you have some good security plugins installed

I’m not in the game of reviewing or recommending plugins, but for what it’s worth here are my favourites, and they’re all free:

Limit logon attempts

By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords to be bruteforce cracked with relative ease.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
You can specify how many retries are allowed (three is the usual standard) and for how long an IP is locked out after hitting the limit.


Wordfence starts by checking if your site is already infected. It does a deep server-side scan of your source code comparing it to the Official WordPress repository for core, themes and plugins. Then Wordfence secures your site and makes it up to 50 times faster. You can also set Wordfence to scan your site regularly and report any problems it finds.
Wordfence also offers a Premium API key that gives you Premium Support, Country Blocking, Scheduled Scans, Password Auditing and it can even check if your website IP address is being used to Spamvertize.

Update 2016: Wordfence now includes a firewall that comes with a Threat Defense Feed which updates the firewall as new threats emerge. It also continuously updates the malware scan as they discover new malware patterns through their forensic research.

Stop spammers

This is an aggressive anti-spam plugin that eliminates comment spam, trackback spam, contact form spam and registration spam. It basically protects against malicious attacks.
It works brilliantly but needs to be installed with care because if it thinks that your IP or email address is dodgy it will block you.

5. Keep your software up to date

By ‘software’ I mean WordPress core files, plugins and themes. Why should you do this? Because WP software is often updated simply because a loophole has been found which allows those evil bots to enter your site via a back door. If you keep everything updated, you’ll keep that back door locked shut.
It’s easy to tell what needs updating and when. Simply login to your WP dashboard and if there are any updates needed you’ll get a little number next to ‘Updates’ in the top left corner. Click on Updates and it will tell you what you need to do.

6. Get your settings right, particularly the ones in Discussion settings

WordPress was (and still is) a blogging tool, so its default is to allow people to comment on posts and pages, however you can override this in Settings>Discussion. You can let anyone comment, even if they’re not registered on your site, or you can block comments completely – or various shades in between.  The more open your site is, the more doors you’re creating to let hackers and spammers in, so this has to be a balance between security and openness.  It’s your choice where to set the balance.

If you’re puzzled about what all the settings mean, check out this article https://codex.wordpress.org/Settings_Discussion_Screen.

7. Make sure your site is backed up regularly – at least once a day

If your host doesn’t do backups as part of your hosting package you will need to arrange this for yourself (or pay more to your host). If you do have a good host you should still do your own backups to a completely different location so that if your host has problems you still have your own backups to revert to. There are loads of backup plugins around, though they can take a bit of planning to make sure they’re scheduled at the right time and backing up to the correct location.

And finally, don’t panic – even if your site is hacked it can often be fixed. Any questions or problems, feel free to give me a call on 07762 140 433.