Ultimate Guide to WordPress Security


Your website is your hardest working employee. It works for you 24 hours a day, 7 days a week, 365 days per year. It doesn't need lunch breaks or vacations, and it doesn't even complain. Websites are fantastic when you get them set up so that they automate parts of your business. Since roughly 25% of the internet runs on WordPress, I feel like I need to address some WordPress security aspects. It's a shame that most WordPress websites are not secure. Bloggers, entrepreneurs and business owners unknowingly leave their websites open to attack all the time. These kinds of cyber attacks happen every day, and I've even been a victim of these malicious attacks firsthand. Some hacker took over one of my sites and nuked my whole site, leaving only a new homepage he created with an image and some heavy metal music that played automatically. Here's an example of what these attacks look like.

wordpress website hacked

Unfortunately, it happens all the time. If you don't believe me, check out these horror stories that happen every day in the WordPress forums. In this post I want to show you how to secure your website so that when a hacker or bot tries to attack it, you can prevent it. I don't want to make any suggestions in this post about which WordPress security plugins you should use, like Wordfence, iThemes Security, All In One WP Security, and 6Scan Security. Here are some WordPress security best practices I have learned from years of using WordPress websites and, of course, from getting hacked.

1. Default Login Credentials

Don't use the default “admin” username, and please use a strong password. According to SplashData, here is a list of the most common passwords for 2015. If you are using one of these passwords, you need to change it immediately.

Top 10 Most Common Passwords for 2015

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball

Another good trick is hiding your admin-level username. To hide it, you need to change some settings inside your site. Log in to your site, go to Users -> Your Profile, and change “Display name publicly as” to a nickname so that you don't broadcast your admin username. This is very important because hackers need to know your admin username to gain access to your site, and this makes it 100x harder for them to find it.

2. Move Your Default Login URL

default wordpress login screen

The default login URL on any WordPress website is the website name with /login/ or /admin/ at the end of it. For example




Entering either of these variations into your browser will redirect you to the login page for your website, as pictured above. The reason you want to move your default login URL is that hackers and bots know about it and will attempt to hack your website by using this security vulnerability to their advantage. Please be aware that you do not have to be targeted specifically for one of these attacks. These bots scan websites for vulnerabilities, and if you have the default login URL then you could become a target. Bots are out there crawling the internet every second attempting to hack your website and cause mayhem for the fun of it, so consider this your warning.

3. Protect Against Brute Force Attacks


A brute force attack is a trial-and-error method used by applications to decode encrypted data such as passwords through exhaustive effort rather than intellectual strategies like social engineering. Basically, hackers use programs that try millions of combinations to try to hack into your website.

So how do you protect against these types of attacks? Here are a few ways to protect your site:

  • Limit login attempts
  • IP blocking
  • Login Captcha / Puzzles
  • Real-time notifications

Limit Login Attempts

This is a pretty simple one, but it's surprisingly effective. You can set rules such as: if a user tries to log in to your site 3x, they are blocked for a certain amount of time. I would be hesitant to make it less than 3x because a user could accidentally mistype their password once or twice, so be mindful of that.

IP Blocking

Did you know that you can block certain IP addresses? Yes, this is a fantastic feature of some WordPress security plugins. You can set certain limits: for example, if a certain IP address tries to gain access to your site 5 times, you can block it for 24 hours.
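The two rules above (3 failed logins per username, 5 per IP address with a 24-hour block) can be sketched with WordPress's own login hooks and transients. This is an added example, not code from this post or from any plugin; the 15-minute username lockout, the `demo_` names, and placing the file in `wp-content/mu-plugins/` are assumptions.

```php
<?php
// Added example, not from the original post. Thresholds follow the article:
// 3 failures per username, 5 per IP address, IP blocked for 24 hours.
// The 15-minute username lockout and all demo_ names are assumptions.
const DEMO_USER_LIMIT = 3;
const DEMO_IP_LIMIT   = 5;

function demo_key( $kind, $value ) {
    // Hash the value so transient names stay short and uniform.
    return 'demo_' . $kind . '_' . md5( strtolower( $value ) );
}

function demo_client_ip() {
    // REMOTE_ADDR only: X-Forwarded-For is client-controlled unless a
    // trusted reverse proxy overwrites it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Count each failed login against both the username and the source IP.
// Rejections issued by the filter below also fire this hook, so attempts
// made while blocked restart the block window.
add_action( 'wp_login_failed', function ( $username ) {
    $windows = array(
        demo_key( 'user', $username )      => 15 * MINUTE_IN_SECONDS,
        demo_key( 'ip', demo_client_ip() ) => DAY_IN_SECONDS,
    );
    foreach ( $windows as $key => $ttl ) {
        set_transient( $key, (int) get_transient( $key ) + 1, $ttl );
    }
} );

// Priority 30 runs after WordPress's own password check (priority 20), so a
// correct guess made during a lockout is still rejected.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === (string) $username ) {
        return $user; // Login form displayed, nothing submitted yet.
    }
    $ip_hits   = (int) get_transient( demo_key( 'ip', demo_client_ip() ) );
    $user_hits = (int) get_transient( demo_key( 'user', $username ) );
    if ( $ip_hits >= DEMO_IP_LIMIT || $user_hits >= DEMO_USER_LIMIT ) {
        return new WP_Error( 'demo_locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 2 );

// A successful login clears that username's failure counter.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( demo_key( 'user', $user_login ) );
} );
```

A per-username lockout lets anyone who knows a username lock its owner out, which is one more reason to keep the admin username out of public view as described in section 1.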

Login Captcha / Puzzles

When logging in, users will be presented with a CAPTCHA and have to fill out a form with a puzzle to log in to the site. This is helpful because bots will not be able to do this, and you can then block them in conjunction with IP blocking features. Sometimes this will be a simple math problem; other times it can be pictures.

Real-time Notifications

Did you know that you can get notified in real time when an unauthorized user is trying to access your site? With certain WordPress security plugins you can have emails sent to you detailing the IP address, time, and nature of the attack.


Now you know what it takes to secure your website from bots and hackers. Remember, don't make silly mistakes. Don't use the default “admin” username, and be sure to have a secure password. Also be sure to move your default login URL to a new location of your choice. Have a security tip I didn't mention? Let me know about it in the comments below!
