Latest security tips to improve WordPress

Security tips

Are you making it easy for someone to steal your data? Perhaps these security tips would be useful.


WordPress themes and plugins are frequently updated and contain critical fixes that are crucial for a secure website. There are plenty of plugins to help you upgrade automatically. For simplicity, I use Easy Plugins Manager. The operation is self explanatory.

WordPress 4.7.0 has a security hole which leaves your site susceptible to a defacing attack. These security holes are a common occurrence, so ensure you’re updating automatically.

Use a Password Manager.

If you’re not using a Password manager, I would be asking why not?

I’m using Dashlane. The non-syncing version is free to use. I’m still trying to decide if I really need to sync my passwords between devices. I use only an iPhone and a Macbook. If I change one password, I just need to copy and paste the password from the Dashlane App and paste. If this is too much for you,  then you can buy Dashlane Premium for $39 a year. It allows you to sync your passwords between devices.

security tips for 2016Using Dashlane only requires you to remember one large, strong password. This password allows you to enter the Dashlane password database. You can manage your passwords here and generate new ones for every site you visit. After installing, your login credentials are auto-populated for every site you visit. When creating new logins, strong passwords are generated automatically. You don’t see these passwords or need to remember them!

Don’t use admin.

Choose a random username for your admin account. Using “admin” will leave your site open to attack. This is probably the first account name a hacker will attempt to break.

Change the users “display name” to something different from your login name. Hiding your username will mean a potential hacker will need to guess the username as well as the password.

Hide the wp-login.php file by renaming it and making it harder for someone to access your site. There is a “Rename wp-login.php” plugin to do this for you. Enable this by choosing a different login file name. Bookmark this so you don’t forget it !


Ensure your backups are reliable. Check your backup files are accessible and test you can decompress them. Ensure your database is recoverable too. All hosts can backup your files and database for you, but some hosts might need you pay a little extra. (Coral Web Design is £15 a month for comprehensive hosting with updates.) You will also want to ensure your backups are resilient enough to protect you against Ransomware. These type of attacks are encrypting network backup drives too. So you might think you’re protected only to find that your personal files have been encrypted and that your backup files have been too!

Install a firewall

security tips for 2016You won’t realise how much unscrupulous traffic your website is exposed to until you install a firewall. Enabling Wordfence to guard against brute force attacks is on of my top security tips! This #1 security plugin continuously prevents, patrols and protects your WordPress websites against today’s ultra-advanced cyber attacks, hacks and online security threats.

Configure the firewall

After installing Wordfence, head to the Wordfence options, and look for “Immediately block the IP of users who try to sign in as these usernames,” Assuming you’re NOT using “admin” for your administration account, you should add “admin” in the box provided. This will block anybody attempting to reach your site using this account. This is a great way to block one of the hackers first attempts. There will be other account names which hackers may use…. consider adding variations of the site name here. Obviously, this needs to be an unused account.

Disable error reporting

Error messages should be disabled if your WordPress site is Live. If you have a sister site in Development then error messages should be enabled there to aid debugging.

Allowing hackers to view error messages can be really harmful to your site. Add the following code to the bottom of your wp_config.php. This will make sure logging is enabled and stored to the log file but not displayed on the screen.

ini_set('log_errors','On'); ini_set('display_errors','Off'); ini_set('error_reporting', E_ALL ); define('WP_DEBUG', false); define('WP_DEBUG_LOG', true); define('WP_DEBUG_DISPLAY', false);
Enhance your security

security tips for 2016You can go further than these security tips above by adding Google Authenticator or a similar 2 step verification product for your admin account. The Google Authenticator plugin is probably the most popular security authentication tool available for WordPress. This plugin gives you two-factor authentication using the Google Authenticator app for iPhone, Android and Blackberry. It adds another field to your login page for those accounts you have it enabled. The Google Authenticator app displays a code which constantly changes every 15-20 seconds and makes it near impossible for a hacker to enter your site this way. I would only recommend do this on an Admin account, not an account you use every day for blogging, Logging in can be slow and you need a smartphone or computer to generate the code each time.

Leave a Comment