Jan 24, 2022 • 7 min read

5 Simple Steps to Achieve Better WordPress Security

Hackers attack websites every 39 seconds on average, a Clark School study at the University of Maryland shows. Since more than 40% of the web uses WordPress, it is a popular target for attackers. What is more, because it is open source software that any developer can contribute to, the code can contain vulnerabilities. Cyber criminals take advantage of WordPress security vulnerabilities and of other issues that can be easily avoided, such as common usernames, weak passwords, and outdated plugins.

Thankfully, there are at least 5 easy things that you can do – usually without the help of a developer – to improve your WordPress security.

Most Common WordPress Security Issues and Vulnerabilities

But first, let’s take a look at some of the most common WordPress vulnerabilities and issues that cyber criminals tend to exploit when attacking a website:

  • Out-of-date core software

Out-of-date core software is one of the things that hackers look for in a website. That’s why you need to be on the lookout for updates to a program or library as they come out.

  • Outdated themes and plugins

Make sure all your themes and plugins stay up to date, so that any existing bugs get fixed with the newest release.

  • Brute force attacks

You can stop brute force attacks in several ways such as using a security plugin or having brute force mitigation with your web hosting provider.

  • Malware

Prevent the injection of malicious software into your website by using measures such as malware scanners and cleaning services on a regular basis.

  • Denial of service attacks (DoS) or Distributed denial of service attacks (DDoS)

One way to avoid these types of attacks is to have a caching system or a DDoS mitigation system built into the infrastructure of your web hosting provider.

  • Poor hosting environment

When searching for a hosting partner, make sure they have a good reputation, deep WordPress knowledge, and above all, can be trusted.

This is just a small part of it. Watch the full video below for more in-depth information about these vulnerabilities, and the things you can do to protect your site.

Improve Your WordPress Security in Five Easy Steps

Are you ready to address these vulnerabilities on your own? To take the burden off your shoulders, I’ve got you covered with five easy steps to follow in order to make your WordPress website more secure in just a few clicks:

1. Change the Admin Username

This one is a no-brainer. If you are still using admin, administrator, or anything really easy to guess as your administrator’s username, STOP! To compromise your site, an attacker needs 2 things – a username and a password. If you use a default admin username, then you’ve given them half of what they need. Let’s make it a little harder, shall we?

To change the admin name manually, you need to:

  • Log in using your existing Admin account.
  • Under “Users” click “Add New”.
  • Create a new user account and make it an Admin. Make the username anything you want, except for Admin, Administrator, or your name.
  • Log out of WordPress and log back in using your new Admin account.
  • Click on Users to list the users, and under your original admin account, click “Delete”. Make sure you select “Attribute content to” and select your new admin account, so you don’t lose any content.

If you want to disable common usernames in just one click, install the SiteGround Security plugin. It’s a free tool that provides you with easy options to protect your site and will greatly improve your WordPress security. Use it to disable the creation of common usernames and if you already have one or more users with a weak username, it’ll ask you to provide new one(s). Additionally, when toggled, a pop-up window will appear where you’ll be able to choose a new username and automatically replace the existing weak one(s).

2. Enforce Strong Passwords

Yes, most people love using their birthday as their password. You know who likes it most of all? Attackers. See, weak passwords are easy to guess. If you post on social media: 

“ZOMG, My Little Pony II is my FAVOURITE MOVIE! Going to see it tomorrow for my birthday!”

You’ve just given an attacker a critical piece of information. At this point, they are going to start trying passwords and usernames related to the movie and/or your birthdate. Anything you’ve posted on social media gives attackers a little more information to work with. This isn’t necessarily a WordPress security issue, it’s a failing of humans.

HINT: l33tsp34k “Leet Speak” or replacing letters with numbers doesn’t fool attackers either. They figured that one out before you did.

So what works? Strong passwords. Long, random strings of letters and symbols are great. The problem with this is that, since they are hard to remember, we tend to write them down. If you lose the book you wrote them down in, then an attacker has the keys to the kingdom. (The book being physical OR electronic). If you are in the habit of doing that, I’d strongly advise you to check this article on securing passwords with Have I Been Pwned.

WordPress now has the functionality to generate strong passwords, but it doesn’t require them. There are plugins however that will enforce this for you. If you go to wordpress.org/plugins and enter ‘strong passwords’, you’ll find several to choose from. Install one of these plugins.

If you have regular users as well as admin, authors, etc., you may want to only enforce strong passwords on your higher-level accounts to reduce the friction your users have in registering and logging into your site.

If you are wondering how to deal with strong passwords without writing them down, invest in a password manager. Most modern ones work on both desktop and mobile and will sync your data across all your devices.

In case you want to learn more about the importance of WordPress security and to discover more than 20 tips on how to keep your WordPress website safe, get SiteGround’s free ultimate guide to WordPress security.

3. Implement Two-factor Authentication

‘Two-factor Authentication’, or 2FA is not a new security concept. For decades, financial institutions have relied on “Fobs” (small devices you can attach to your keyring that have a display and give an ever-changing number) as an additional factor in logging in.

The overarching security concept is “Something you know, something you have, something you are.” In 2FA, we pick two of these. When you log into a website without 2FA, you only use the “something you know” – the login and password. Regardless of how strong you think those are, there is a chance that they can be compromised. 2FA adds a layer on top of that, the “something you have”.

These days, instead of having to issue each admin user a fob, we have smartphones and software that can take the place of fobs. If you have a modern smartphone (one made in the last 5 years) it can run an app that functions as the “something you have”.

The most commonly used – although by no means the only – app for 2FA is “Google Authenticator”. It’s the most common because it is free. Before you go down the road of 2FA, make sure that Google Authenticator is available for your phone.

If you already use a plugin like the SiteGround Security plugin, you’ve got everything you need to set up 2FA. You just need to enable this option from the plugin’s dashboard and all admin and editor users will be asked to configure their two-factor authentication on their next login.

Once the 2FA is implemented and after your user clicks the login button, they will be taken to a second login screen that will ask them for their “token”. If they have set up their app properly, they will open the app, find your website in it, and type in the number on the screen. This number changes every 30 seconds. The number is called a “Time-based One Time Password” (TOTP). Your phone and the plugin you use both know how to calculate it, but no one else does. When they type in the token and press the button, the plugin will calculate the appropriate TOTP and then verify that it matches what the user typed in. Based on that it will either allow or deny the login.
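To make the token check concrete, here is a short Python sketch of the TOTP calculation and the server-side comparison. It is an added example, not code from the SiteGround Security plugin or from this post's author. The function names, the one-step clock-drift window and the replay guard are assumptions about a reasonable verifier, and the secret is the published RFC 6238 test key rather than a real one.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds each code is valid for, as described above
DIGITS = 6     # length of the code the app displays

# Constructed sample secret: the RFC 6238 test key "12345678901234567890",
# Base32-encoded the way authenticator apps receive it. Not for real use.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at):
    """Compute the code for Unix time `at` (HMAC-SHA1, RFC 6238 defaults)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // STEP)       # 8-byte time-step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, token, at, window=1, last_used_step=None):
    """Return the time step the token matched, or None to deny the login.

    `window` tolerates that many steps of clock drift on either side.
    `last_used_step` (hypothetical per-user state) rejects a code that
    was already accepted, so a captured code cannot be replayed.
    """
    current = int(at) // STEP
    matched = None
    for step_no in range(max(0, current - window), current + window + 1):
        if last_used_step is not None and step_no <= last_used_step:
            continue
        expected = totp(secret_b32, step_no * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), token.encode()):
            matched = step_no
    return matched


if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, 59))
    print(verify(SAMPLE_SECRET, "287082", at=89))
```

A caller would store the returned step as the user's `last_used_step` after a successful login, and should rate-limit failed attempts, since a six-digit code has only a million possible values.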

Keep in mind that some 2FA systems are not based on apps but on text messages sent to your phone with the tokens. Beware that these are not secure, so you need to avoid them.

4. Enforce HTTPS

This one you should already be doing. If you’ve been living under a rock though, a couple of years ago, Google came right out and said that if your site isn’t running HTTPS, they will rank your site lower than other sites running HTTPS. SEO aside though, HTTPS keeps all your traffic encrypted and away from prying eyes. If you are not running HTTPS, any user sitting in a coffee shop is broadcasting everything to anyone who cares to watch. (technically, “sniff the wifi”)

If you are not using SiteGround, then this involves working with your hosting provider to purchase and install a secure certificate. Then, you need to tell WordPress to change its URL to HTTPS.

If SiteGround is your hosting partner, all you need to do is use the SSL Manager to get a free “Let’s Encrypt” certificate. Once SiteGround’s control panel obtains and installs the certificate for you, all you need to do is click “Enforce HTTPS” and voila, your entire site is now encrypted.

5. Keep Your Plugins up to Date

I don’t mean just the main ones, I mean every plugin you have installed on your site, every time there is an update. Why is it important to keep your plugins updated?

The main reason is of course WordPress security. Good plugin authors address WordPress security issues when they are reported and release patches as soon as they can. If you have auto update turned on, you don’t even have to do anything, you’ll get the new code. If you don’t, then, as soon as you log in and notice that there are updates, go to Plugins, click on the update buttons, watch them all update, and then try and remember why you logged in in the first place.

If you are a SiteGround client, you can take advantage of the SiteGround WordPress AutoUpdate tool. It keeps your WordPress sites safe and up-to-date at all times. Among other things, it also takes care of your plugins. In this tool, you can enable the plugin auto updates option from the settings. If you do enable that option, on each WordPress update performed, SiteGround will check if your plugins are up-to-date too and, if not, will update them for you.

If you can measure down-time in dollars, then it’s worth your time to make sure you are always on the latest and greatest version of everything and that the important plugins on your site are constantly being maintained. Make sure that your WordPress security updates are among your top priorities.

Extra Steps to Make Your WordPress Site More Secure

For some extra tips on making your WordPress website even more secure, watch the full video below and then follow the recommended steps. Keep in mind that many of these you can do yourself in just a few clicks, if you are using the free SiteGround Security plugin.

Final Thoughts

The secret about site security is that it’s not one big thing you do, it’s about doing a lot of little things. These few easy steps will help you improve your WordPress website security. Each layer of security you add to your site makes it a little harder for attackers to get in. You don’t have to have an absolutely secure site to be safe, you just have to create more work for the attacker than breaking in is actually worth. Attackers eventually get tired and move on to easier targets…those sites whose owners haven’t read this blog post.

Cal Evans

PHP Evangelist

One of the most admired people in the PHP community, who has dedicated more than 16 years to building the amazing PHP community and mentoring the next generation of developers. We are extremely honored that he is a very special friend of SiteGround too.

Comments ( 18 )

Eric

Oct 17, 2020

I have set up the SSL and enforced HTTPS, but both my sites show "Not Secure" in the browser window. How do I get rid of "Not Secure" to Secure?


Hristo Pandjarov Siteground Team

Oct 19, 2020

Use the SG Optimizer plugin, it will reconfigure your site to use https with one click :)


Tim

Oct 22, 2020

What about changing the login url from wp-admin to something else?


Hristo Pandjarov Siteground Team

Oct 26, 2020

Simple but effective solution to block the most basic attacks. You should do it :)


Boris McWhiter

Oct 28, 2020

How do you do it?


Joel

Oct 28, 2020

How do you change the login url?


Hristo Pandjarov Siteground Team

Nov 02, 2020

You can use the custom login url plugin: https://wordpress.org/plugins/custom-login-url/


RSA

Jan 27, 2021

FWIW, the Customer Login URL plugin hasn't been updated in over 5 years. Wordfence calls it out as abandoned.


Hristo Pandjarov Siteground Team

Jan 28, 2021

Thanks for reporting this :)


Jan

Oct 29, 2020

Instructions available for Site Tools, but what about cPanel? Where is SSL manager for cPanel? Don't forget your longtime loyal customers who you haven't migrated to Site Tools. There are quite a few tutorials that don't include cPanel instructions. Very confusing and frustrating.


Hristo Pandjarov Siteground Team

Nov 02, 2020

The SSL Manager has been available for years in cPanel. You can follow this tutorial: https://www.siteground.com/tutorials/cpanel/cpanel/ssltls-manager/


John Paul

Nov 09, 2020

4. Change the default login url.


Gali

Nov 26, 2020

Hi, I was told to change the wp-admin to a less known and meaningful string, let's say 'bigjaw'. How do I do that?


Hristo Pandjarov Siteground Team

Nov 30, 2020

You can use one of the many plugins for custom login url in the WordPress plugin repository :)


Haris

Dec 04, 2020

Will changing the wp-login directory mess up with plugins or theme or in updates?


Hristo Pandjarov Siteground Team

Dec 07, 2020

If done properly - no.


Robbin

Dec 21, 2020

Good article. Keep posting informative posts. https://www.promocodeshub.com/hostgator-promo-codes


Kathy

Feb 09, 2022

Really appreciate ALL your tips and advice, as I am a novice in this world of creating and maintaining a website. Great support, thank you. :-)
