Updated January 12, 2023
Hardening Your WP Installation

WordPress security has come a long way since its inception back in 2003. Built on a free and open-source foundation, its content management system structure can make it a target for nefarious hackers, especially if you don’t know what you’re doing. As part of every new website project, I make changes to the basic WordPress installation to keep the bad guys out and the good stuff in. If you’re a newbie to website management, here are several critical WordPress security principles to follow:
Change the Table Prefix
There is a default prefix that’s part of WordPress’ standard installation. If it’s a default, then you know it’s not a secret, and therefore it presents a WordPress security risk. I routinely change the table prefix; we recommend modifying the standard prefix of “wp_”.
Change Default Admin Account Login Info
If you have “admin” as your administrator username, then you’re hanging this sign on your website: “feel free to break in and mess stuff up.” We counsel our clients to use strong passwords that include numbers and special characters. Worried that you’ll forget this complicated password and get continually locked out? Then consider using a password vault like LastPass.
Keep WordPress Version Secret
My philosophy is to keep a website’s core up to date, meaning keep the WordPress code and plugins current with the latest possible versions. However, I keep the WordPress version hidden. Note: there are lots of plugins that let you do this simply.
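If you would rather not add another plugin for this, the same result can be had with a small must-use plugin. This is an added example, not code from the original post; it assumes it is saved as a single file under wp-content/mu-plugins/ and uses only standard WordPress hooks and helpers.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (hardening example)
 * Description: Must-use plugin; drop this file into wp-content/mu-plugins/.
 */

// Remove <meta name="generator" content="WordPress x.y"> from the page <head>.
remove_action( 'wp_head', 'wp_generator' );

// Blank the generator string WordPress adds to RSS/Atom/comment feeds.
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Strip ?ver=<core version> from enqueued script and style URLs, which would
 * otherwise reveal the exact WordPress release. Only the core version string is
 * removed; plugin and theme asset versions are left intact so their
 * cache-busting keeps working.
 */
function hw_strip_core_version( $src ) {
    global $wp_version;

    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src; // No query string, nothing to hide.
    }

    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }

    return $src;
}
add_filter( 'script_loader_src', 'hw_strip_core_version', 15 );
add_filter( 'style_loader_src', 'hw_strip_core_version', 15 );
```

The readme.html file in the site root also states the version, so remove it or block it at the web server as well.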
Add 2-Step Authentication
Adding 2-step authentication provides yet another layer of protection. When logging into WordPress you enter a username and password; the username can be guessed by simply looking at the authorship on blog posts, and users often choose easy-to-remember passwords that are easily cracked by brute force software. Requiring a security code makes it that much harder to break into your website. There are two 2-step plugins I recommend: Google Authenticator and Clef. Note: you only need one.
Use VaultPress’s Protect & Sucuri
Part of Jetpack, VaultPress performs comprehensive security scans. For a nominal annual fee you get brute force attack protection, uptime monitoring, and priority support. Sucuri provides two paid services: cleanup of a hacked site, and protection against DDoS (Distributed Denial of Service) attacks and vulnerability exploit attempts, plus additional brute force defense.
Automated Backups
When it comes to data, it pays to back up. One of my favorite plugins is WP-DBManager. As your database (which includes content, settings, etc.) is the backbone of your website, I also recommend using a cloud backup service such as VaultPress. Using a belt and suspenders may be a fashion faux pas, but if you’ve ever had to restore a website after a catastrophic event, you’ll appreciate this redundant approach.
Use Plugins that Use Coding Best Practices
If you have commissioned a coder to develop a custom WordPress theme or plugin, make sure they follow WordPress Coding Standards. If their response is “huh?” when asked, then look for another developer. By not following the Codex’s best practices, you are putting WordPress security at risk.
What other practices do you use to keep your website safe?
An impressive share! I’ve just forwarded this onto a coworker who had been doing a little homework on this. And he actually bought me lunch because I found it for him… lol. So let me reword this…. Thank YOU for the meal!! But yeah, thanx for spending time to discuss this issue here on your site.
Glad we could help. Hope it was a good lunch 😉
Hey There. I came across your blog using search. That is a really well crafted article. I’ll be sure to bookmark it and get back to learning much more of your useful information. Thanks a lot for the post. I’ll be back 🙂