Updated on June 11, 2022
I thought it might be helpful to write a post offering basic tips for how to secure a self-hosted WordPress install. While more advanced/”geeky” users will probably already know this (or want to find more thorough instructions elsewhere online), I hope the list below covers the basics. The following advice also applies to users of the ClassicPress fork.
Use a secure password
It’s best to create a password at least 16 characters long. The password should have a mix of letters, upper- and lower-case, numbers, and punctuation. And, of course, don’t use the same password from elsewhere online.
Some have suggested using passphrases (like in this xkcd strip). While I’ve not tried this, some suggest it’s an easier way to remember passwords.
I also recommend using a password manager, to avoid the reasons for weak and reused passwords. There’s frankly too many sites the average person uses for them to create unique, hard-to-crack lengthy passwords for all of them. While using Facebook/Twitter/etc. login features for some sites helps cut down on the number of passwords to remember, a password manager can still help. One good password manager is Bitwarden, which is also open source software. If you prefer a local-only password manager, another option is KeePass.
Keep everything updated
Promptly install all WordPress updates when indicated, including for any plugins, themes, etc. Make sure themes and plugins are only installed through WordPress’s archives for such (Plugins > Add New or Appearance > Themes > click “Add New Themes”). Do not install plugins/themes found from third-party websites, via Google searches, etc.
It also helps to delete any unused plugins or themes.
Remove “admin” user name
By default, WordPress installations use the “admin” as the administrative account user name. This, however, makes it an easy target for brute-force attempts by hackers to break into one’s WordPress site, as they can merely guess multiple password combinations with the user name part already assumed.
My advice? Create a new administrative account with an unique user name (preferably not just your first name), then delete the “admin” account. To make sure the new user name isn’t displayed on your site, go to Users > Your Profile, scroll down to “Display name publicly as,” and select another option (your first name, full name, etc.).
An extra security option is to create a second user account without full account permissions (at the “editor” level), and just use that account for writing posts. The administrative account can be used solely for installing updates or for site maintenance.
Install security plugins
There’s also various plugins that, along with the above tips, will help keep things secured or make up for WordPress’ default shortcomings. Some plugins offer a full host of security options, doing a wide range of functions. If such is considered overkill (or at the risk of conflicting with other plugins), there’s also various other plugins that do one particular function.
Here’s some WordPress security plugins I’d recommend. All are available through WordPress’ plugin installer:
- Akismet: Akismet comes with WordPress installs by default, and does an excellent job of managing/preventing spam in blog comments (as well as trackbacks/pingbacks spam).
- Antispam Bee: An alternative to Akismet is Antispam Bee, a plugin that performs similar functions, but is completely free. Akismet is only free for personal sites; commercial sites are required to pay a fee for Akismet usage.
- WordFence: An all-purpose security plugin. WordFence handles various basic and advanced security functions, including blocking brute force password attempts.
- UpdraftPlus. UpdraftPlus automatically creates backups of one’s WordPress site, including plugins, themes, posts, and images. UpdraftPlus can email backups or upload them to cloud storage (Dropbox, Google Drive, etc.).
For more security tips, WordPress’ site has a section covering hardening security.
Image by StickerGiant (Flickr / CC BY)