5 Tips to Quickly Secure Your WordPress Site


WordPress sites are under attack. It makes complete sense if you think about it. Some of the more recent stats I was able to find say that almost 23% of the internet runs on WordPress and that number is growing quickly. I previously covered how to get WordPress up and running on Amazon EC2 in under 5 minutes. Let’s stick with the 5 number. Below I am going to cover 5 tips to help you secure WordPress.

via wpengine.com – Having trouble viewing this? Click here.

Security is a moving target. I am not a security expert. The tips I am sharing are easy wins that should help keep you safe from the most common bots and exploits. With so many WordPress would be attackers have too many available targets to worry about customizing their script to hack your site specifically. Most time an attacker is going to look for the path of least resistance.

If you are running a small niche site or personal blog you might wonder if you need to take steps to secure WordPress. The answer is yes. Jon had one of his niche SaaS sites hacked via his WordPress blog. This lead to Google de-indexing the site and disabling his adwords account. Don’t let something similar happen to you, let’s secure WordPress in five somewhat easy steps!

1. Do not use common usernames and passwords.

I know you have heard it before and you will hear it again. You should not use admin as a username or password. I know keeping track of all of your passwords is a pain, but it just is not worth the headache of getting hacked.

In addition to not using admin in usernames or passwords you should also avoid using the name of your website or url in your username or password as well.  The bots that I have observed typically move from using admin as a username to variations of the URL and site name.

What if you are currently using admin as your username, are you doomed? Probably 🙂 But we can just create a new admin user and then delete the original admin user. Login to your WordPress installation. Click on Users on the left hand side of your screen.

Users in WordPress Admin Secure WordPress


Then click on Add New.

Add New User WordPress Admin Secure WordPress

Now complete the Add New User form. This time you are going to come up with a unique and not easily guessable username. You are also going to use a strong password. I will not lecture you on the benefit of using strong passwords, but for the love of humanity please do not use admin as the password, or any other simple word.

Most of the bots attempting to hijack your site are going to run a dictionary attack to guess the username password combination.  You guessed it, that means they are going to run through a dictionary attempting each word. Use special characters and add numbers. You just made your password infinitely harder to guess.

On this form you want to make sure that you select administrator as the role. It is the last dropdown on the form.

Add new user form secure wordpress

At this point you should make a backup for your WordPress database. Just in case. Now logout of WordPress and log back in using your new account. Head back to the users screen. Find your original admin user and while hovering over the name select delete.

Extremely important. On the delete users confirmation page you want to make sure that you attribute all of the admin users post to your new user. Do do this click on the last radio button Attribute all content to: and then select your new user.

User Delete WordPress Security

Do not delete all of your hard work!

This is pretty straightforward and should take you a long way in your quest to secure wordpress. The next step will help you understand how frequently your WordPress site is actually under attack.

2. Install Sucuri Security

The guys over at Sucuri have an amazing WordPress plugin that will help you secure WordPress. The plugin is called Sucuri Security. This plugin does more than just secure WordPress. It will also open your eyes to how frequently bots try to login to your WordPress admin. The plugin will send you notifications on failed login attempts and brute force attack attempts. Fun fun!

In your WordPress admin head over to the plugins tab and click on add new. Search for Sucuri Security. You want to install the plugin called Sucuri Security – Auditing, Malware Scanner and Security Hardening.

Install Sucuri to Secure WordPress

If you only do one thing. Do this!

Once downloaded and installed, activate the plugin. Let’s have some fun. Click on the Sucuri Security link from your dashboard. Near the top of the screen click on the Malware Scan. Let’s scan the site now. Hold your breathe and let the plugin do it’s thing.

If your scan completed with issues try and fix them yourself. If you have major issues and you are not quite sure where to start I strongly recommend their cleanup service. Jon actually used this service to cleanup the malware infection he had on his site and he swears by it. The Sucuri team is extremely responsive and had his site back up and running within a few hours.

If your scan is complete and there are no issues, exhale and let’s move on to the next step. Click on the hardening tab. If you have been looking for tips on securing your WordPress installation, you have most likely run into the term hardening. Hardening is the process of improving your site’s security by removing or addressing issues that attackers will use to gain access to your site.

None of these items are required, but why not make it as difficult as possible for anyone to break into your WordPress site? This plugin also makes hardening your WordPress installation a cinch as most of the hardening best practices are on one screen.  You can take all of these steps manually.  This plugin organizes them all on one screen.

Use Sucuri to Harden WordPress

I go down the list one by one and do all of the one’s that do not require me to pay anything extra. Sucuri offers a firewall service that I have not used yet, I typically use CloudFlare, which offers similar functionality.

I also do not change the default database table prefix. When I setup WordPress I will typically change the prefix, but if it was not done at that time I typically will not move away from it. If you feel comfortable having Sucuri make the changes then by all means you should do so.  I just typically do not.

If you have reached this point in the article and are happy with all of the progress you have made securing WordPress you can sit back, relax and bookmark this page for a later date. You will want to take the next few steps after you get a few emails from Sucuri with all of the failed attempts to login to your admin.

3. Add basic authentication to the admin area.

I am assuming that you are coming back to this page after sitting back for a few days and feeling pretty good about all of the steps you have taken to secure WordPress.  Then all of the sudden you got an email about a failed login attempt. It looks something like this:

Sucuri Failed Login Attempt Secure WordPress

Good thing you installed Sucuri right? This bot tried to get into my site and they failed, ha! Then maybe a day later you get a brute force attempt email, it looks much scarier.  Here is a sample.

Sucuri Brute Force Attack

Oh boy. Maybe now you understand what I have been trying to tell you.  Your WordPress sites are constantly under attack. You have taken some steps to secure WordPress. At least now if someone happens to get into your WordPress site you will know about it. You can still do more.

This step is a bit more advanced and will require modifying files. If you are not comfortable modifying these files you can send your tech guy this article to follow along.

We are going to add basic authentication to our login area. Basic authentication relies on the browser to authenticate the request. Here is what basic authentication looks like in Google Chrome.

Basic Authentication for WordPress Security

Basic authentication depends upon checking a username and password you provide the browser against an encrypted file on the server. Let’s create this file first. If you are relying on an FTP client for access to your server, you are probably going to want to use this service, Htpasswd Generator. It will create the files you need to upload to your server.

If you have SSH access to your server you can use a command line tool to create the file. Enter the following command:

sudo httpasswd -c /location/of/file/.htpasswd myusername

Replace location of file and myusername with where you would like the file placed and your username, respectively.

Let’s now tell your web server to require authentication to the WordPress admin. Navigate to your wp-admin folder. If there is an .htaccess file download / open it. If you are modifying your .htaccess file you are going to want to add the following to your file.  For those of you making a new file you can paste in the below.

ErrorDocument 401 “Denied”

ErrorDocument 403 “Denied”


<Files admin-ajax.php>

Order allow,deny

Allow from all

Satisfy any



AuthType Basic

AuthName “Secure Area”

AuthUserFile “my-file-location”

require valid-user

Basically you are telling your server to tell the user “denied” if they are unable to correctly login. The files section keeps the admin-ajax.php file open. Access to this file is required by WordPress and a bunch of other plugins.

In the next block of code you are telling the server to require basic authentication. Then you are giving it the name of your secure area.  Whatever value you enter in AuthName will show on the dialog box presented to the user. Then you tell the server which file to check the information against. You want to make sure you enter the correct location here. If you do not you will not be able to access your admin.  Finally, you are telling the server to require a valid user to access the folder.

As a footnote, these instructions are for sites being served on Apache. If you are using a different server you are probably an advanced user and don’t need my help. Most other servers have a similar configuration. Nginx for example even uses the apache httpasswd tool to create the file.

Now try to access your admin again. If you configured everything correctly, you browser should present you with an authentication window.

4. Restrict access to admin by IP address

After adding basic authentication to your WordPress admin you should notice a serious decline in failed attempts to your admin area. You will also notice that there are still a few bots making it through and attempting to login to your WordPress admin.  What the heck!

I know it’s frustrating. These guys just won’t stop. No worries, you can take additional steps. This step is accomplished using an .htaccess file just like our previous tip. Now we are going to restrict access to our admin by IP address.

Is this step drastic? Not really. Think about it. Where do you typically access your WordPress admin. From your home or office? You are typically accessing your admin from the same physical location. If this is not the case for you, you should probably avoid this step.

Navigate to the root folder of your WordPress installation. Find the .htaccess file. We are going to add the following code to the file. Please insert the code outside of the WordPress block. It start with # BEGIN WordPress and ends with # END WordPress. If you enter this code within those blocks WordPress will overwrite it.

AddHandler php5-script .php

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]

RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

RewriteCond %{REMOTE_ADDR} !^$

RewriteCond %{REMOTE_ADDR} !^$

RewriteCond %{REMOTE_ADDR} !^333.333.333.333$

RewriteRule ^(.*)$ - [R=403,L]


This code is telling the server to check the IP address of requests to wp-login or wp-admin.  If the IP address is not listed, in my example I am checking against three fake IP address,, etc. If the IP address does not match the server is redirecting the user to the 403 page, which is the access forbidden page. You want to modify the IP addresses in the %{REMOTE_ADDR} to match your IP address.

Try logging into your WordPress admin again.  If you are at one of the IP addresses that you just entered you should have no problem. Try again from an IP address that is not on the list. This step is typically the nail in the coffin for most of the off the shelf bots attacking WordPress sites. After restricting access by IP address you probably will not receive any more brute force attack notifications from Sucuri.

5. Keep WordPress updated

The last two tips were rather dense. This tip is not. Keep your WordPress install and all of the plugins / themes updated. Since version 3.7 of WordPress automatic updates have been available. So there is no longer an excuse not to update your site. Your attention is required for major updates, so you are not out of the woods quite yet.

You should also keep all of your plugins and themes as up to date as possible also. You do not have to do much as WordPress will typically direct you to the updates page if there are any pending updates.

So those are my five steps to secure WordPress. Please keep in my that this is not an all inclusive list. There is still much more you can do to secure your WordPress site. In my experience I have found that these 5 steps offer tremendous bang for your buck. Common sense is also extremely important. Do not share your login information, etc.

If you are not convinced that you need to make WordPress security a priority please install Sucuri and sit back for a few days. I promise the frequency that your WordPress site is attacked / probed will astonish you.

Like what you read?

Start An Online Store Crash Course

Sign up now to get our list of 50 secret resources we have used to make over $1,000,000 Dollars online. We feel ridiculous saying it, but its true. The good news is, it is not that hard and is actually fun most of the time. We want to share everything we have learned along the way.

  • Free Resource Guide with over 50 secret tools we use
  • Stay up to date with our latest posts
  • We never share your email address!
  • If you are not entertained you can unsubscribe at any time.
  • Type in your fancy email address below: