WordPress is one of the most popular content management systems (CMS) of all time. It has evolved from a simple blogging platform to a complex and fully capable web development platform. Many of our clients uses WordPress, and we do our primary web development within it though that will be changing soon.

Due to its popularity, this makes WordPress a target for malicious persons and bots in their ongoing quest to steal data, high jack websites, and spread mayhem. WordPress Security is something we take serious and have incorporated a number of security protocols built into our servers as a result. But security is also a cooperative effort between us and our clients. While we do our job at the server level, we would like to see our clients do their job at the site level. This article will show you three steps that you can take to improve the security of your WordPress site and help us sleep better at night!


Step One: Change the Admin Username and use a Strong Password

Think about this step for a moment. What does a hacker need to crack your WordPress site? A username and password. Two elements that stand between your site and the hordes of evil doers that want to do your website harm. Don’t let them in! How?

Change your admin username to something complex. JohnDoe is no longer acceptable. Name combinations are easy to figure out and in many WordPress websites, your blog author lines or About Us pages gives that information away for free. Our automated WordPress installers automatically incorporates complex usernames when installing a WordPress site for a client. So make sure your admin user is complex such as ‘FHdie*8fFDnl4nsl’. It may look ugly but when it comes to WordPress security, ugly is the new beautiful.

Now the next one is a no-brainer. Use a strong password. Please for the love of all that is good and secure, use a complex password for your WordPress login. Please don’t use ‘password’ as your password. DO NOT BE THAT PERSON! Don’t use dictionary words. Don’t use dates. Your password should look like something that a Klingon would find it impossible to pronounce.

A final note, don’t use username/passwords that you use with other websites/systems. Many reputable organizations have had data breaches. If your login is on file with one of these compromised companies, then your login IS compromised. Use a unique login for each website you log into including your WordPress website. Use a password manager application to keep track of them. I highly recommend Bitwarden. You can also use https://haveibeenpwned.com to see if you have been compromised.

Here is a quick tutorial on how to use a secure WordPress username:

  1. Log in using your existing Admin account.
  2. Under “Users” click “Add New”.
  3. Create a new user account and make it an Admin. Make the username complex as recommended above.
  4. Log out of WordPress and log back in using your new Admin account.
  5. Click on Users to list the users, and under your original admin account, click “Delete” Make sure you select “Attribute content to” and select your new admin account, so you don’t lose any content.

2. Enforce HTTPS

We have written a number of blog articles on the benefits of SSL, not just for security but for SEO as well. We also implemented a number of new features that makes it straightforward for clients of EMWD to enable SSL on their websites. We even went as far as providing FREE SSL certificates for clients to use with their websites. Yet, in light of our consistent efforts, we are still coming across clients who have not enabled WordPress to use SSL.

So, what is the bottleneck here? It’s not us. You have to tell WordPress to use SSL and it is effortless to do so:

  1. Log into your WordPress dashboard.
  2. Click on Settings and select General on the Left-hand menu.
  3. In the WordPress Address and Site Address settings, change http:// to https://
  4. Click the Save Changes button.

That is it. You now have a more secure WordPress website and your site visitors will love you for it. But wait a minute! You notice the padlock still broken in the URL window of your browser. What gives! The number one reason why a page still doesn’t earn the coveted Padlock badge is due to linking to page elements, particularly, images, using an insecure URL (non-SSL such as http://). If this is the case for you then open up a support ticket via your EMWD client and let us know, and we can probably fix that for you.

3. Keep Your WordPress Software, Themes, and Plugins Up To Date

WordPress is simply not a one size fits all approach to running a website. Many WordPress owners uses a third-party theme and/or plugins for  their WordPress site. So, this can become a problem when it comes to WordPress security. You are counting on these developers to keep their applications (theme and plugins) secured and up to date. You also have a responsibility to make sure you are running the latest versions of the themes and plugins you are using.

The developers of WordPress do a fantastic job at keeping WordPress secure and modern. They continually search and find security vulnerabilities as part of their development process. When they do find a security problem, they fix it and issue a new version (most likely a minor version update) to WordPress users. They did their job. It is up to you to do yours. You have to make sure you install those updates. The good thing is you can now configure WordPress to automatically install minor WordPress updates. The major ones you still have to manually apply via your WordPress dashboard.

With themes and plugins, this is a different story. You have to manually apply updates via your WordPress dashboard to make sure you are running the latest versions. This is significant. I have seen WordPress sites hacked due to running outdated official WordPress themes. In fact, every single WordPress site compromised job I worked on, have ALL been running outdated WordPress software, themes, and plugins.

On the other hand, sometimes developers stop updating their theme and/or plugin. If your theme or plugin has not been updated in a year by its developer, then you need to get rid of it. It doesn’t matter how much you love it, that theme or plugin will eventually be hacked or break your website when you go to update WordPress itself. The good news is that the best themes and plugins that are in use today all have years of consistent development behind them.

If you find it very difficult to keep your WordPress up to date or even improve its security, then I highly recommend our WordPress maintenance service. For $10 a month, we will keep everything within your WordPress site up to date. We can even make sure all three steps in this blog post are being followed. Interested? Great. Click ‘WordPress Maintenance Service‘ to find out more information and better yet, to order it.

I hope this post will keep your very valuable WordPress site secure. It is in everyone’s best interest to initiate common-sense security protocols in place to deter the majority of hacking attempts.