November 18, 2016 - Web development

7 Absolute Must-Have’s for Improving Your WordPress Security

by Antoni Żółciak
More by this author

Don’t you worry about the security of your WordPress website! Here are some proven methods to get you started.

It’s not fair to say WordPress is not secure enough

In the wrong hands, Windows isn’t secure. OS X? Same. Just as your car, your home, your office, and the cash that you carry around with such pride.

It all comes down to what you do with it. What you do to protect it, and how aware you are of the consequences of not doing so.

Remember what Kevin Mitnick used to say, and what still is one of the most relevant statements of IT security?

Companies spend millions of dollars on firewalls and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems.

WordPress itself is just a beginning. It’s up to you, or your team of developers (or us, if you choose our offering!), to make sure that the core of the platform is guarded with the best possible technologies. Then comes the most important part: making yourself and your employees minimize the danger of someone else penetrating your CMS.

To be honest, we could write a whole book on how to make WordPress as impenetrable as possible (and we actually are writing it). For now, though, just make sure that you take advantage of these few basic practices.

Make brute force attacks futile

This is the simplest method of gaining access to a site. While being a cyber equivalent of, well, an idiot banging on your door,  it can be very effective. Especially if you’re using words that are in the dictionary, or passwords similar to “12345”, or “tree3”, or “whyme9”.

Just as the quality of the code on the site matters, the level of security does, as well.

Without further ado, here’s how to make brute force WordPress attacks less scary:

  • don’t use the admin username, and instead:
    • make a new account and transfer all the posts there while changing the status to a subscriber;
    • change the username;
  • password protect the wp-login page;
  • change the address of wp-login page into a custom one;
  • use good passwords with the help of:
    • Force Strong Password plugin;
    • LastPass generator;
  • restrict server access – for Apache, for example, you can limit the wp-admin access with .htaccess (head on to WordPress Codex for detailed instructions);
  • deny access to no referrer requests;
  • limit login attempts (either using a WordPress plugin or on server);
  • use cloud and proxy services, as long as they don’t slow down the performance.

Take care of that, and you’ve got the base covered. The base. There are plenty of other, more advanced solutions on the market, but that’s another story.

Use 2-factor authentification

You should go and enable the 2-factor authentification not only on your WordPress, but also inside the private Gmail account, on Facebook, LinkedIn, and everywhere you can. Here’s a handy list.

A two-factor authentification (2FA, which can also be considered a multi-factor authentification), is a simple method of confirming a user’s identity by using a combination of two different components. For example, if you try and login into LinkedIn using your password, the 2FA will ask you for an additional code that is going to be delivered via text.

Banks have been doing this for a while now. Some institutions ask you for a similar confirmation when concluding online payments.

What does it all have to do with WordPress?

Making sure that you use a complex password, and changing it regularly, is just the first step. Another one – implementing 2FA.

Install Clef, Duo, Authy, Rublon, or WordFence. Or any other you find suitable. These plugins will ensure that you benefit from a much stronger authentification method.

There are some drawbacks, obviously. First of all, the login process will take longer. You have to not only type in your password but also provide an additional login method. Second – if you choose to authenticate with your mobile phone, and forget to take the device from home, you end up… Well, not logged in.


Let’s say you want to buy a lightbulb. You just saw a beautiful one, like the most stylish light bulb ever. It’s amazing.

And you want to buy it online. The first thing you should do, is to make sure that the transaction will be secure – and that’s where SSL and HTTPS come in.

HTTPS encrypts the connection between your browser and the server of the shop that sells the lightbulbs.

SSL, on the other hand, is a cryptographic protocol for identification purposes. Each site is issued a different one. The main idea here is to have HTTPS and SSL “talk” to each other.

This is especially important for e-commerce businesses – not only due to requirements of payment providers but for the clients, as well. It even matters to Google concerning SEO/SERP results.

When it comes to setting up WordPress to use SSL and HTTPS, there’s a great tutorial on WPBeginner.

Use plugins from official resources

Seriously, stop installing pirated premium plugins.

And stop using the ones that came from strange sources.

WordPress’s core is lean, simple, and lightweight. Plugins enhance its capabilities, make it more versatile, and more suited to your and your client’s needs.

While a process of installing a plugin is simple enough, the real challenge is choosing the right ones and updating them regularly. Don’t go for plugins that are not looked after.

It’s also really smart to choose only the plugins that you know the origins of – and especially smart not to use pirated plugins. Here’s why:

Here’s why:

  • you’ll significantly decrease chances of getting hacked;
  • you won’t become an intellectual property thief.

Sucuri conducted a highly useful WordPress-oriented report on pirated plugins. Here’s an excerpt:

Everyone knows that using pirated software is bad. Not just ethically bad. It’s stupid. Why trust people who don’t respect property, and whose business is stealing? Just ask yourself a question, where did they get so many paid software titles, and why do they give it away for free?

Here’s another one:

Many themes and plugins consist of thousands of lines of code and it takes only one line to add a backdoor that can potentially devastate your site.

How many plugins is too much?

None, as long as they’re written correctly and they don’t get in each other’s way. Best way to avoid the latter would be to dig into the technical documentation of each plugin.

What are the results of implementing poorly coded add-ons? Just to name a few:

  • fewer conversions;
  • decreased SERP rankings due to longer per page loading times;
  • having a bunch of tools that you never use;
  • cluttered WordPress;
  • and much more.

When it comes to projects for our Clients, we’re using both the plugins (as many as necessary) and our own solutions. Custom features are suited exactly to our Clients’ needs, and premium add-ons are taking care of the most obvious stuff.

We don’t like using “too many” plugins, though, just to use 10% of its capabilities. Oftentimes it’s better, and more efficient, to write that several lines of code yourself.

Update WordPress regularly, but be smart about it

Over the last six years (and three as Insane Lab), we developed our own workflow when it comes to WordPress updates. Minor updates we implement right away. With the major ones, we prefer to wait for the first reviews to pop up; if everything’s fine, we install them as well. That way, we make sure that a website is running smoothly and we don’t encounter any issues.

As a rule, we perform all of the updates once per week (except for critical ones, which we implement right away). We’re using a dedicated software for that, such as ManageWP or InfiniteWP.

Take care of the backups

First of all, make sure that your hosting service will take care of the backups.

Second, create indepenent copies yourself – manually, once per week. If you’ll be creating lots of content, it might be a good idea to invest in an incremental backup with tools like ManageWP (again), VaultPress, or similar.

And that’s it for now.

7 things you need to know

  • A human being (yes, you) is the weakest link of all security-related things
  • It’s quite easy to make brute force attacks futile
  • Use 2-factor authentification
  • Use SSL
  • Use plugins from official resources and update them regularly
  • Remember about updating WordPress, too
  • Take care of the backups

What is your challenge?

Tell us with any means provided. We'd love to hear from you!