Hacks happen. Whether you run the most popular blog on the block or a tiny private corner of the Internet, you should be concerned about unauthorized access to your site. The biggest misconception is that no one would want to hack your site, but that’s untrue: most attacks are automated and opportunistic, so there isn’t always a clear-cut motive. It’s your job to make your site less hackable, no matter its size.
1.) Use Secure Passwords:
Improved password security is probably the most basic way to protect your WordPress blog and yet it’s often overlooked. Start with a strong password that combines letters, numbers, and special characters, and make it long: length does more for you than character variety, so a long passphrase beats a short jumble. Avoid anything obvious, such as the names of relatives, significant others, and pets. Definitely don’t let it be “password.” And stay away from using “admin” as the username, since that is the first account name a brute-force script tries.
Now, it may not be your password that’s the problem. Your users and administrators also have to follow secure password practice. You should have a written password policy that they actually follow, and for added security, consider installing a plugin that enforces it or chooses secure passwords for them. For example, Force Strong Passwords prevents your users from setting weak passwords. Simple User Password Generator is another plugin that takes the guesswork out of it by generating strong passwords for your users.
2.) Two Step Authentication:
Two-step authentication is a security measure that asks for a second verification when a user logs into your site, typically from a device that has not been seen before. It’s a common way to prevent unauthorized use because it limits the damage someone can do with your password alone. Say someone tries to use your password from their own machine: they would also have to enter a one-time code delivered by text, email, or an authenticator app. Of the three, an authenticator app is the strongest choice; SMS codes can be intercepted by hijacking the phone number.
Of course, it also creates an extra step if you’re trying to access your site from another computer. And it doesn’t do much if your device itself is compromised, but that’s a separate concern. WordPress doesn’t ship with it, so you’ll need a plugin. Google, Apple, Facebook, and Twitter all use it to protect their users’ information.
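The codes an authenticator app shows are time-based one-time passwords (TOTP, RFC 6238): an HMAC over a 30-second counter, truncated to six digits. Below is an added example, not code from WordPress or any plugin, that generates a shared secret, computes the code, and verifies a submitted code with a small clock-skew allowance. The 6-digit/30-second/SHA-1 parameters are the defaults common authenticator apps use; the one secret embedded is the published RFC 6238 test-vector key, so the output can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

DIGITS = 6   # assumed: what authenticator apps default to
STEP = 30    # seconds per counter step


def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded for typing into an authenticator app."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = int(time.time() if at is None else at)
    return hotp(secret_b32, t // step)


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None, skew: int = 1) -> bool:
    """Accept the code for the current step and +/- `skew` neighbouring steps so a
    slightly drifted phone clock still works. Constant-time comparison avoids leaking
    how many digits matched through timing."""
    t = int(time.time() if at is None else at)
    counter = t // STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), code)
        for d in range(-skew, skew + 1)
    )


# RFC 6238 test-vector secret: the ASCII bytes "12345678901234567890".
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    print("fresh secret for enrolment:", new_secret())
    print("code at T=59:", totp(RFC_SECRET, at=59))
    print("verify:", verify_totp(RFC_SECRET, totp(RFC_SECRET, at=59), at=59))
```

A real server must also remember the last counter it accepted for each user and refuse to accept the same code twice; otherwise a code captured in transit stays valid for the rest of its 30-second window.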
3.) Custom Login URL:
On a default setup, the login URL for a WordPress site is /wp-login.php (and /wp-admin/ redirects there). Knowing that gives attackers a head start, and on many installs the administrator account is still named admin, so all they have to figure out is the password.
Changing your login URL makes the site a little tougher to get into, mostly by shedding the automated scanners that only ever try the default path. Although there are several plugins on the market to help you do this, it’s actually quite easy to do yourself with one rewrite rule. Open the .htaccess file in your WordPress root and add the following at the top of the file, above the # BEGIN WordPress block, replacing the bracketed placeholder (brackets included) with the path you want:
RewriteEngine On
RewriteRule ^[your new login URL]$ /wp-login.php [NC,L]
The flags must be written [NC,L] with no space; Apache rejects [NC, L] as a bad flag delimiter. Bear in mind that this rule only adds an alias: /wp-login.php itself still answers, so you gain obscurity rather than protection unless you also deny direct requests to wp-login.php. It also does nothing for /xmlrpc.php, which accepts username-and-password logins too and is a favourite brute-force target.
Now your login URL is
4.) Limit Login Attempts:
Brute force attacks occur when someone uses a script to guess your password by attempting to log into your site over and over again, often running through a list of common passwords or passwords leaked from other breaches. Weak passwords fall to this quickly, and even decent ones will eventually if the attacker is allowed unlimited tries. You can combat this by capping the number of failed attempts on your site. Brute Force Login Protection is a plugin that can help you do this: you choose how many failed attempts an IP address gets site-wide, and how long it stays blocked before being allowed to try again. Per-IP limits are no substitute for strong passwords, though, since an attacker with a botnet can spread the attempts across thousands of addresses.
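What such a plugin does under the hood is a per-IP sliding window: count failures inside a window, and once the count reaches the cap, refuse that address for a cooling-off period. The following is an added example, not the plugin’s code, that implements the policy and replays a few constructed access-log lines through it. The thresholds (5 failures in 300 s, block for 900 s) and the log format are assumptions for the example; the one real detail it relies on is that WordPress answers a failed POST to wp-login.php by re-rendering the form with HTTP 200 and a successful one with a 302 redirect to the dashboard.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class LoginLimiter:
    """Per-IP sliding-window lockout. Assumed policy for this example: `max_attempts`
    failures within `window` seconds blocks the address for `block_for` seconds."""

    def __init__(self, max_attempts: int = 5, window: int = 300, block_for: int = 900):
        self.max_attempts = max_attempts
        self.window = window
        self.block_for = block_for
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # The block has expired: forget it and start the address on a clean slate.
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Register a failed login; returns True if this failure triggered a block."""
        q = self._failures[ip]
        q.append(now)
        # Drop failures older than the window so the cap is "N per window", not "N ever".
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            self._blocked_until[ip] = now + self.block_for
            return True
        return False

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)


def replay(limiter: LoginLimiter, log_lines: List[str]) -> List[Tuple[str, float, str]]:
    """Feed constructed log lines of the form 'epoch ip method path status' through the
    limiter and return one decision per login attempt."""
    decisions = []
    for line in log_lines:
        ts_str, ip, method, path, status = line.split()
        ts = float(ts_str)
        if method != "POST" or path != "/wp-login.php":
            continue  # only login submissions count
        if limiter.is_blocked(ip, ts):
            decisions.append((ip, ts, "rejected (blocked)"))
            continue
        if status == "302":          # WordPress redirects to wp-admin on success
            limiter.record_success(ip)
            decisions.append((ip, ts, "success"))
        elif limiter.record_failure(ip, ts):   # 200 = form re-rendered = failed login
            decisions.append((ip, ts, "blocked"))
        else:
            decisions.append((ip, ts, "failure"))
    return decisions


# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "1700000000 203.0.113.7 POST /wp-login.php 200",
    "1700000010 203.0.113.7 POST /wp-login.php 200",
    "1700000020 203.0.113.7 POST /wp-login.php 200",
    "1700000030 203.0.113.7 POST /wp-login.php 200",
    "1700000040 203.0.113.7 POST /wp-login.php 200",   # 5th failure in window: blocked
    "1700000050 203.0.113.7 POST /wp-login.php 302",   # right password, still refused
    "1700000060 198.51.100.9 POST /wp-login.php 302",  # unrelated address logs in fine
    "1700001000 203.0.113.7 POST /wp-login.php 302",   # 960 s later the 900 s block is over
]

if __name__ == "__main__":
    for ip, ts, decision in replay(LoginLimiter(), SAMPLE_LOG):
        print(f"{int(ts)} {ip:14} {decision}")
```

Keying the window on the client IP is only safe if your server sees the real client address; behind a CDN or reverse proxy you must take it from the proxy’s forwarded header, or you will block the proxy for everyone.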
5.) Backup, Backup, Backup:
No matter how secure your site may be, it can still be compromised. Should something happen, having a current backup of your site lets you get back on track quickly instead of rebuilding from scratch. Your hosting provider may offer backups, but don’t assume they are doing it for you, and it may not be included in the cost of your hosting plan.
If you’d rather take backups into your own hands, there are a plethora of WordPress plugins you can use. Most let you decide when and how much to back up. The best ones also give you a choice of where and how to store the result. Remember not to store backup files on your WordPress installation: anyone who compromises the site can then delete them, and they contain wp-config.php with your database credentials, which defeats the entire purpose of creating backups. And even though many of the plugins are of the “set it and forget it” variety, you should regularly check that the backups are still being produced and, more importantly, that they actually restore.
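The “check that it still works” step is the one that usually gets skipped, so here is an added example (not code from any backup plugin) of a backup routine that refuses to write inside the WordPress directory, records a SHA-256 manifest of every file, and verifies a backup by restoring it to scratch space and comparing checksums. The directory layout and the 7-day freshness limit are assumptions for illustration; the sample site it backs up is constructed in a temporary directory.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name.replace(".tar.gz", ".manifest.json"))


def make_backup(site_dir: Path, dest_dir: Path) -> Path:
    """Archive site_dir into dest_dir (which must be outside the install) and write a
    checksum manifest next to the archive so a restore can be verified later."""
    site_dir, dest_dir = site_dir.resolve(), dest_dir.resolve()
    if dest_dir == site_dir or site_dir in dest_dir.parents:
        raise ValueError("backup destination must lie outside the WordPress install")
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"site-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    manifest: Dict[str, str] = {
        p.relative_to(site_dir).as_posix(): sha256_file(p)
        for p in sorted(site_dir.rglob("*")) if p.is_file()
    }
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return archive


def verify_backup(archive: Path, max_age_days: float = 7) -> List[str]:
    """Restore the archive into scratch space and compare every file against the manifest.
    Returns a list of problems; an empty list means the backup is fresh and restorable."""
    problems: List[str] = []
    age_days = (time.time() - archive.stat().st_mtime) / 86400
    if age_days > max_age_days:
        problems.append(f"newest backup is {age_days:.1f} days old")
    manifest = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Python 3.12+ offers the 'data' filter, which rejects path traversal and
            # absolute paths inside an archive; use it when available.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        restored = Path(scratch) / "site"
        for rel, digest in manifest.items():
            p = restored / rel
            if not p.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(p) != digest:
                problems.append(f"checksum mismatch: {rel}")
    return problems


def demo() -> List[str]:
    """Build a constructed sample site, back it up to a sibling directory, verify it."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d) / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample, not a real config\n")
        (site / "wp-content" / "uploads" / "hello.txt").write_text("hello\n")
        archive = make_backup(site, Path(d) / "backups")
        return verify_backup(archive)


if __name__ == "__main__":
    print("problems:", demo())
```

Run `verify_backup` on a schedule and alert on a non-empty list; a backup you have never restored is a hope, not a backup.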