3 Simple Steps to a More Secure WordPress
WordPress is a complex system that has developed over time. As such, there are a lot of nooks and crannies in the code where potential vulnerabilities can hide. To their credit, the WordPress core developers are very good at ferreting these out and patching them. Still, no software is bug-proof.
Because no software is bug-proof, it is incumbent upon us, the site owners, to do all that we can to make our WordPress secure. Thankfully, there are three easy things that every site owner can do – usually without the help of a developer – to make their site more secure.
1. Change the Admin Username
This one is a no-brainer. If you are still using admin, administrator, or anything really easy to guess as your administrator’s username, STOP! Look, to compromise your site, an attacker needs two things: a username and a password. If you use a default admin username, then you’ve given them half of what they need. Let’s make it a little harder, shall we?
To change the admin name, you can do it manually, or you can install a plugin. Since plugins slow your site down and you only need it to do this one thing, let’s do it manually.
- Log in using your existing Admin account.
- Under “Users” click “Add New”.
- Create a new user account and make it an Admin. Make the user name anything you want EXCEPT for Admin, Administrator, or your name. (Yeah, attackers probably know that since your company’s Facebook account is linked off of the homepage.)
- Log out of WordPress and log back in using your new Admin account.
- Click on Users to list the users, and under your original admin account, click “Delete”. Make sure you select “Attribute content to” and select your new admin account, so you don’t lose any content.
There, now you have a new admin account with a name that isn’t “admin”. Your site is already a little more secure. Also, to upgrade the security level when it comes to your site login, make sure to enable 2-factor authentication on your WordPress.
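To confirm the result on a server where WP-CLI is available, the check below (an added example, not part of the original article) reads the administrator list as CSV and flags logins that are defaults or derived from the display name, the cases the steps above say to avoid. The WP-CLI dependency, the deny-list contents and the function name `flag_guessable_admins` are assumptions; the sample rows are constructed.

```shell
#!/bin/sh
# Added example: flag administrator logins that are easy to guess.
# Input: CSV as produced by WP-CLI (assumed to be installed on the server):
#   wp user list --role=administrator --fields=ID,user_login,display_name --format=csv
# Output: one line per flagged account, "<login>: <reason>".

flag_guessable_admins() {
  awk '
    function norm(s) { s = tolower(s); gsub(/[^a-z0-9]/, "", s); return s }
    BEGIN {
      # Names the article says to avoid, plus a few common defaults (assumed list).
      n = split("admin administrator root webmaster wordpress test user", d, " ")
      for (i = 1; i <= n; i++) deny[d[i]] = 1
    }
    NR == 1 { next }                      # skip the CSV header row
    {
      sub(/\r$/, "")                      # tolerate CRLF line endings
      # ID and user_login never contain commas; display_name is the remainder
      # of the line and may be quoted and contain commas.
      c1 = index($0, ",")
      rest = substr($0, c1 + 1)
      c2 = index(rest, ",")
      if (c1 == 0 || c2 == 0) next
      login = substr(rest, 1, c2 - 1)
      name = substr(rest, c2 + 1)
      l = norm(login)
      if (l in deny) { print login ": default or common admin name"; next }
      if (l == norm(name)) { print login ": same as display name"; next }
      # Also flag a login that is just one word of the display name.
      gsub(/[^A-Za-z0-9]+/, " ", name)
      m = split(tolower(name), w, " ")
      for (i = 1; i <= m; i++)
        if (length(w[i]) > 2 && l == w[i]) { print login ": part of display name"; break }
    }'
}

# Constructed sample data (not from a real site).
sample_admins() {
  cat <<'EOF'
ID,user_login,display_name
1,admin,Site Owner
7,jane,"Doe, Jane"
9,Administrator,Jane Doe
12,q7-harbor-lamp,Jane Doe
15,janedoe,Jane Doe
EOF
}

sample_admins | flag_guessable_admins
```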
Comments ( 17 )
Eric
I have set up the SSL and enforced HTTPS, but both my sites show "Not Secure" in the browser window. How do I get rid of "Not Secure" to Secure?
Hristo Pandjarov Siteground Team
Use the SG Optimizer plugin, it will reconfigure your site to use https with one click :)
Tim
What about changing the login url from wp-admin to something else?
Hristo Pandjarov Siteground Team
Simple but effective solution to block the most basic attacks. You should do it :)
Boris McWhiter
How do you do it?
Joel
How do you change the login url?
Hristo Pandjarov Siteground Team
You can use the custom login url plugin: https://wordpress.org/plugins/custom-login-url/
RSA
FWIW, the Customer Login URL plugin hasn't been updated in over 5 years. Wordfence calls it out as abandoned.
Hristo Pandjarov Siteground Team
Thanks for reporting this :)
Jan
Instructions available for Site Tools, but what about cPanel? Where is SSL manager for cPanel? Don't forget your longtime loyal customers who you haven't migrated to Site Tools. There are quite a few tutorials that don't include cPanel instructions. Very confusing and frustrating.
Hristo Pandjarov Siteground Team
The SSL Manager has been available for years in cPanel. You can follow this tutorial: https://www.siteground.com/tutorials/cpanel/cpanel/ssltls-manager/
John Paul
4. Change the default login url.
Gali
Hi, I was told to change the wp-admin to a less known and meaningful string, let's say 'bigjaw'. How do I do that?
Hristo Pandjarov Siteground Team
You can use one of the many plugins for custom login url in the WordPress plugin repository :)
Haris
Will changing the wp-login directory mess up with plugins or theme or in updates?
Hristo Pandjarov Siteground Team
If done properly - no.
Robbin
Good article. Keep posting informative posts. https://www.promocodeshub.com/hostgator-promo-codes