3 Simple Steps to a More Secure WordPress

WordPress is a complex system that has developed over time. As such, there are a lot of nooks and crannies in the code where potential vulnerabilities can hide. To their credit, the WordPress core developers are very good at ferreting these out and patching them. Still, no software is bug-proof.

Because no software is bug-proof, it is incumbent upon us, the site owners, to do all that we can to make our WordPress secure. Thankfully, there are three easy things that every site owner can do – usually without the help of a developer – to make their site more secure.

1. Change the Admin Username

This one is a no-brainer. If you are still using admin, administrator, or anything really easy to guess as your administrator’s username, STOP! Look, to compromise your site, an attacker needs two things: a username and a password. If you use a default admin username, then you’ve given them half of what they need. Let’s make it a little harder, shall we?

To change the admin name, you can do it manually, or you can install a plugin. Since plugins slow your site down and you only need it to do this one thing, let’s do it manually.

  • Log in using your existing Admin account.
  • Under “Users” click “Add New”.
  • Create a new user account and make it an Admin. Make the username anything you want EXCEPT for Admin, Administrator, or your name. (Yeah, attackers probably know that, since your company’s Facebook account is linked off of the homepage.)
  • Log out of WordPress and log back in using your new Admin account.
  • Click on Users to list the users, and under your original admin account, click “Delete”. Make sure you select “Attribute content to” and pick your new admin account, so you don’t lose any content.

There, now you have a new admin account with a name that isn’t “admin”. Your site is already a little more secure. Also, to upgrade the security level when it comes to your site login, make sure to enable 2-factor authentication on your WordPress.
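The same five steps as a script, added here as an example (not code from the original post), run from the site root with WP-CLI’s `wp eval-file`. The new username and email are constructed placeholders, and it assumes a single-site install where you are the only “admin” user.

```php
<?php
/**
 * rename-admin.php: scripted version of the "change the admin username" steps.
 * Run from the site root with WP-CLI:  wp eval-file rename-admin.php
 * WP-CLI loads WordPress for us, so all the wp_* functions below are available.
 */

$old_login = 'admin';          // the guessable account we want to retire
$new_login = 'wp_ops_k7m2';    // constructed example; anything but admin/administrator/your name
$new_email = 'ops@example.com'; // placeholder

// wp_delete_user() lives in an admin include that is not loaded outside wp-admin.
require_once ABSPATH . 'wp-admin/includes/user.php';

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    WP_CLI::warning( "No user named '$old_login' exists; nothing to do." );
    return;
}
if ( get_user_by( 'login', $new_login ) ) {
    WP_CLI::error( "User '$new_login' already exists; choose another name." );
}

// List step 3: create the replacement account as an administrator with a generated password.
$password = wp_generate_password( 24, true, true );
$new_id   = wp_insert_user( array(
    'user_login' => $new_login,
    'user_pass'  => $password,
    'user_email' => $new_email,
    'role'       => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    WP_CLI::error( $new_id->get_error_message() );
}

// List step 5: delete the old account and hand its content to the new one.
// The second argument is exactly what "Attribute content to" does in the UI.
if ( ! wp_delete_user( $old->ID, $new_id ) ) {
    WP_CLI::error( "Could not delete '$old_login'; the new account '$new_login' was still created." );
}

WP_CLI::success( "Replaced '$old_login' with '$new_login'. Temporary password: $password" );
WP_CLI::log( 'Log in with the new account now and store a fresh password in your password manager.' );
```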

2. Enforce Strong Passwords

Yes, everybody loves using their birthday as their password. You know who likes it most of all? Attackers. See, weak passwords are easy to guess.

“ZOMG, My Little Pony II is my FAVORITE MOVIE! Going to see it tomorrow for my birthday!”

Anything you’ve posted on Social Media gives attackers a little more information to work with. HINT: l33tsp34k (Leet Speak), replacing letters with numbers, doesn’t fool attackers either. They figured that one out before you did.

So what works? Strong passwords. Long, random strings of letters and symbols are great. The problem with this is that we tend to write them down since they are hard to remember. If you lose the book you wrote them down in, an attacker has the keys to the kingdom. (Book being physical OR electronic). Other times we generate strong passwords but we keep using them over and over, so sooner or later they end up leaking online. If you are in the habit of doing that, I’d strongly advise you to check this article on securing passwords with Have I Been Pwned.

WordPress now has the functionality to generate strong passwords, but it doesn’t require them. There are plugins, however, that will enforce this for you. I’m not in the habit of recommending WordPress security plugins, but if you go to wordpress.org/plugins and enter Strong Passwords, you’ll find several to choose from.

Install one of these plugins.

If you have regular users as well as admin, authors, etc., you may want to only enforce strong passwords on your higher-level accounts to reduce the friction your users have in registering and logging into your site.
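What such a plugin does under the hood, as an added example rather than any of the wordpress.org plugins mentioned above: a small must-use plugin that rejects weak passwords only for administrators, editors and authors, on both profile edits and password resets. The `SPR_` names and the 16-character rule are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Strong passwords for privileged roles
 * Place in wp-content/mu-plugins/ (must-use plugins load without activation).
 * Added example for this article, not one of the wordpress.org plugins it refers to.
 */
// Subscribers are deliberately excluded so regular users keep a low-friction signup.
const SPR_ROLES = array( 'administrator', 'editor', 'author' );

// Returns a human-readable problem with $password, or '' when it is acceptable.
function spr_password_problem( $password, $user_login = '' ) {
    if ( strlen( $password ) < 16 ) {
        return 'Privileged accounts need a password of at least 16 characters.';
    }
    $classes = preg_match( '/[a-z]/', $password ) + preg_match( '/[A-Z]/', $password )
             + preg_match( '/[0-9]/', $password ) + preg_match( '/[^a-zA-Z0-9]/', $password );
    if ( $classes < 3 ) {
        return 'Use at least three of: lowercase, uppercase, digits, symbols.';
    }
    if ( $user_login !== '' && stripos( $password, $user_login ) !== false ) {
        return 'The password must not contain the username.';
    }
    return '';
}

// Shared check: adds an error to $errors if the submitted password (pass1) is weak for $roles.
function spr_reject_if_weak( WP_Error $errors, array $roles, $user_login ) {
    if ( empty( $_POST['pass1'] ) || ! array_intersect( $roles, SPR_ROLES ) ) {
        return; // no password change submitted, or not a privileged role
    }
    $problem = spr_password_problem( wp_unslash( $_POST['pass1'] ), $user_login );
    if ( $problem !== '' ) {
        $errors->add( 'weak_password', $problem );
    }
}

// Profile edits and new users in wp-admin: role comes from the stored user on update, from the form on create.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    $roles = ( $update && ! empty( $user->ID ) )
        ? (array) get_userdata( $user->ID )->roles
        : (array) ( isset( $_POST['role'] ) ? $_POST['role'] : array() );
    spr_reject_if_weak( $errors, $roles, isset( $user->user_login ) ? $user->user_login : '' );
}, 10, 3 );

// Password resets via wp-login.php: $user is a WP_User (or a WP_Error for a bad reset key).
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! is_wp_error( $user ) ) {
        spr_reject_if_weak( $errors, (array) $user->roles, $user->user_login );
    }
}, 10, 2 );
```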

Oh, if you are wondering how to deal with strong passwords without writing them down, invest in a password manager. Most modern ones work on both desktop and mobile and will sync your data across all your devices.

3. Enforce HTTPS

Honestly, this one you should already be doing. If you’ve been living under a rock, though, a couple of years ago, Google came right out and said that if your site isn’t running https, they will rank your site lower than other sites running https. SEO aside, though, https keeps all your traffic encrypted and away from prying eyes, and it’s an essential part of any WordPress security strategy. If you are not running HTTPS, any user sitting in a coffee shop is broadcasting everything to anyone who cares to watch. (technically, “sniff the wifi”)

If you do not use SiteGround, this involves working with your hosting provider to purchase and install a secure certificate. Then you need to tell WordPress to change its URL to HTTPS.

If SiteGround is your hosting partner, all you need to do is use the SSL Manager to get a free “Let’s Encrypt” certificate. Once SiteGround’s control panel obtains and installs the certificate for you, all you need to do is click “Enforce HTTPS” and voila, your entire site is now encrypted.
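For hosts without a one-click “Enforce HTTPS” button, this is what “tell WordPress to change its URL to HTTPS” looks like in wp-config.php. It is an added example, not SiteGround’s or WordPress’s own code; example.com is a placeholder for your domain, and the proxy block assumes a TLS-terminating proxy that sets X-Forwarded-Proto itself.

```php
<?php
// Added example: settings for wp-config.php (above the "That's all, stop editing!" line) that make
// WordPress itself use HTTPS once the certificate is installed. example.com is a placeholder.

// Canonical URLs: every link, asset URL and redirect WordPress generates will start with https://.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

// Never serve wp-login.php or the dashboard over plain HTTP, so the password and the
// authentication cookie are never sent in clear text.
define( 'FORCE_SSL_ADMIN', true );

// If a proxy or CDN terminates TLS in front of PHP, WordPress sees plain HTTP. Only keep this
// block if that proxy overwrites X-Forwarded-Proto itself; otherwise a client could forge it.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Redirect any remaining http:// request to the https:// version of the same path and, once on
// HTTPS, tell browsers to keep using it (HSTS). is_ssl() is not loaded yet at this point, so the
// check reads $_SERVER directly; it is skipped for WP-CLI, where there is no request.
if ( PHP_SAPI !== 'cli' ) {
    $on_https = ! empty( $_SERVER['HTTPS'] ) && 'off' !== strtolower( $_SERVER['HTTPS'] );
    if ( ! $on_https ) {
        // Use the configured domain, not the Host header, so the redirect cannot be pointed elsewhere.
        $target = 'https://example.com' . ( $_SERVER['REQUEST_URI'] ?? '/' );
        header( 'Location: ' . $target, true, 301 );
        exit;
    }
    header( 'Strict-Transport-Security: max-age=31536000' );
}
```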

These three easy tasks will help you keep your site a little more secure. The secret about website security is that it’s not one big thing you do, it’s about doing many little things. Each layer of security you add to your site makes it a little harder for attackers to get in. You don’t have to have an absolutely secure WordPress to be safe, you just have to create more work for the attacker than it is worth breaking in. Attackers eventually get tired and move on to easier targets… those sites whose owners haven’t read this article.

Cal Evans

PHP Evangelist

One of the most admired people in the PHP community, who has dedicated more than 16 years to building the amazing PHP community and mentoring the next generation of developers. We are extremely honored that he is a very special friend of SiteGround too.


Comments (12)

Eric

Oct 17, 2020

I have set up the SSL and enforced HTTPS, but both my sites show "Not Secure" in the browser window. How do I get rid of "Not Secure" to Secure?

Hristo Pandjarov Siteground Team

Oct 19, 2020

Use the SG Optimizer plugin, it will reconfigure your site to use https with one click :)

Tim

Oct 22, 2020

What about changing the login URL from wp-admin to something else?

Hristo Pandjarov Siteground Team

Oct 26, 2020

Simple but effective solution to block the most basic attacks. You should do it :)

Boris McWhiter

Oct 28, 2020

How do you do it?

Joel

Oct 28, 2020

How do you change the login url?

Hristo Pandjarov Siteground Team

Nov 02, 2020

You can use the custom login url plugin: https://wordpress.org/plugins/custom-login-url/

Jan

Oct 29, 2020

Instructions available for Site Tools, but what about cPanel? Where is SSL manager for cPanel? Don't forget your longtime loyal customers who you haven't migrated to Site Tools. There are quite a few tutorials that don't include cPanel instructions. Very confusing and frustrating.

Hristo Pandjarov Siteground Team

Nov 02, 2020

The SSL Manager has been available for years in cPanel. You can follow this tutorial: https://www.siteground.com/tutorials/cpanel/cpanel/ssltls-manager/

John Paul

Nov 09, 2020

4. Change the default login url.

Gali

Nov 26, 2020

Hi, I was told to change the wp-admin to a less known and meaningful string, let's say 'bigjaw'. How do I do that?

Hristo Pandjarov Siteground Team

Nov 30, 2020

You can use one of the many plugins for custom login url in the WordPress plugin repository :)