WordPress Security Essentials

It’s always important to keep your software up to date. According to web security company Sucuri, an estimated 78% of hacked websites run WordPress. That’s a lot of hacked sites and all the more reason to keep your site secure.

In this article, I will demonstrate the different methods that you can use in order to protect your WordPress website from hackers.

Updates

This is where most people fall down: they forget to update their plugins and themes. If you are quite forgetful, then I would recommend installing the Companion Auto Update plugin, which allows you to automatically update all of your plugins and themes.

Adding a reCAPTCHA to your Login

A reCAPTCHA is one of those annoying things that you usually have to tick when you’re logging into a website. Even though it’s annoying, it’s here to help protect you and your website from being spammed with login requests.

Login No Captcha reCAPTCHA is a plugin which will add a reCAPTCHA to the login screens.

Limiting login attempts

Another good idea is to limit the number of login attempts that someone can make before they are locked out for a limited time period.

A plugin like Limit Login Attempts allows you to stop hackers from hitting your login screen multiple times a minute trying to gain access to your website.

2 Factor Authentication

This is a big one. For those of you who don’t know, Two Factor Authentication adds an extra layer of security to your account. So even if someone managed to guess your password, answer the captcha and maths question, and log in within 5 attempts, they still can’t get into your WordPress website.

There are lots of 2FA plugins but I especially like:

Google Authenticator

Just activate it, get your code, pop it into Google Authenticator on your phone and you’re set. Just enter your code each time you log in.

Authy Two Factor Authentication

I use Authy myself because I can use both my phone and tablet to Auth with. The WordPress plugin, once installed, allows you to set it up. Also, if you have a few writers and really want to tighten up security, you can force 2FA for all users.


HTTPS

HTTPS ensures that the website you are trying to use really is the site it claims to be. This is important if you take any type of user details like email or credit card information. To install HTTPS you will need to contact your web host.

Username and Password Security

Do you use admin as your username and password as your password? Anyone? Come on, own up! I can’t emphasize enough how important it is that you change it right away.

Changing your username can only be done by editing the database. If you don’t have database access, you can always create a new admin user, assign all of the old posts to the new user, then remove the old user.

You should also check your current password and re-secure that. To change your password in WordPress head to your Profile, then scroll until you see this.

Your password should include caps, non-caps, numbers, symbols and it should be at least 8 characters long.

Removing publicly available WordPress details

WordPress is great for blogs and businesses and it’s also great for hackers. Do you know what makes it easy for hackers? Being able to find all the information they need to know about your WP install just by adding /readme.html to the end of your site URL.

This displays the WordPress version your site is using. To remove this, connect to your server via FTP or SFTP and remove the /readme.html file from the root directory WP is installed into. Bear in mind that every time you update you will have to remove this again because it gets overwritten.

Change your database prefix

By default when you install WordPress your DB prefix will be wp_. Because this is standard, hackers can use this to exploit parts of your database and potentially break your website.

WP Prefix Changer changes your database prefix so it’s less vulnerable to hackers.
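
A check for the two items above (the exposed readme.html and the default wp_ prefix), as an added example that is not part of the original article: a shell function to run on the server after each WordPress update. The function names, the fix argument and the install path you pass in are assumptions of this example; it only reports the prefix and does not rename any tables.

```shell
#!/bin/sh
# Added example, not from the article. Usage (path is an assumption):
#   sh wp_audit.sh /var/www/html        report only
#   sh wp_audit.sh /var/www/html fix    also delete readme.html

# Print the $table_prefix value from wp-config.php (nothing if absent).
wp_table_prefix() {
    [ -f "$1/wp-config.php" ] || return 0
    # Split on quote characters; field 2 is the quoted prefix value.
    awk -F"['\"]" '/^[ \t]*\$table_prefix[ \t]*=/ { print $2; exit }' \
        "$1/wp-config.php"
}

# Audit one install. Returns 0 = clean, 1 = findings, 2 = not WordPress.
wp_audit() {
    dir=$1; mode=${2:-report}; findings=0
    if [ ! -f "$dir/wp-config.php" ]; then
        echo "ERROR: no wp-config.php in $dir" >&2
        return 2
    fi

    # readme.html comes back with every core update, so re-check each time.
    if [ -f "$dir/readme.html" ]; then
        version=$(sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' \
            "$dir/readme.html" | head -n 1)
        if [ "$mode" = fix ]; then
            rm -f -- "$dir/readme.html" && echo "REMOVED readme.html"
        else
            echo "FOUND readme.html (version shown: ${version:-not stated})"
            findings=1
        fi
    fi

    # Report the default prefix; changing it also means renaming the tables.
    prefix=$(wp_table_prefix "$dir")
    if [ "$prefix" = "wp_" ]; then
        echo "FOUND default table prefix wp_ in wp-config.php"
        findings=1
    fi

    [ "$findings" -eq 0 ] && echo "OK: no findings in $dir"
    return "$findings"
}

# Run only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then wp_audit "$@"; fi
```

Scheduling it from cron after updates gives you a reminder whenever readme.html has been restored.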

Security Plugins

You can never be too secure. There are many security plugins that will offer a lot of the functionality we mentioned earlier, like limiting login attempts.

Sucuri Security includes a bunch of awesome features like file monitoring, malware scanning, security notifications and the list goes on. I would recommend fine-tuning this to your own preferences.


Backups

If your site does get hijacked, you should always be able to recover as soon as possible. This is where backups come in.

I have looked around for years to find a perfect backup solution for my websites. I ended up using the popular UpdraftPlus plugin. It automatically sends my DB and files to a Dropbox account every day so I can easily restore.