Summary of security tips for 2016


Do you feel lost when it comes to WordPress security? Here is a summary of WordPress security tips for 2016.


Upgrade

Keep your WordPress site updated. WordPress themes and plugins are frequently updated and contain critical fixes that are crucial for a secure website. There are plenty of plugins to help upgrade automatically.

Enhance your security

Use Google Authenticator or a similar two-step verification product for your admin account. The Google Authenticator plugin is probably the most popular security authentication tool available for WordPress. It gives you two-factor authentication using the Google Authenticator app for iPhone, Android and BlackBerry, adding another field to your login page for the accounts on which you have enabled it. The Google Authenticator app displays a code that changes every 15-20 seconds, which makes it near impossible for a hacker to enter your site this way.
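To show how the changing code in that second field is generated and checked, here is an added Python example (not code from the page or from the Google Authenticator plugin). It implements RFC 6238 TOTP with the app's 30-second step and a one-step drift window, using the RFC's published test secret rather than a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Base32 of the RFC 4226 / RFC 6238 test secret "12345678901234567890" (a published
# test vector, not a real account secret); the plugin stores a per-user secret like this.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # RFC 6238 default; the authenticator app rotates codes on this step
DIGITS = 6

def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return str(code).zfill(DIGITS)

def totp(secret_b32, unix_time):
    """RFC 6238: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret_b32, unix_time // TIME_STEP)

def verify_totp(secret_b32, submitted, unix_time, window=1):
    """Accept the code for the current step and up to `window` steps either side, so a
    phone clock a few seconds off still works. The comparison is constant-time so the
    check does not leak how many digits matched."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    counter = unix_time // TIME_STEP
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET_B32, now)
    print("code:", code, "verifies:", verify_totp(TEST_SECRET_B32, code, now))
```

A production check also remembers the last counter it accepted and refuses the same code a second time within its step, so a code captured over someone's shoulder cannot be replayed.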

Use a password manager. I’m currently testing Dashlane. The non-syncing version is free to use. I’m still trying to decide if I really need to sync my passwords between devices; I use only an iPhone and a MacBook. If I change one password, I just copy it from the Dashlane app on the other device and paste it in. If this is too much for you, you can buy Dashlane Premium for $39 a year, which syncs your passwords between devices.

Using Dashlane only requires you to remember one long, strong password. This password lets you into the Dashlane password database, where you can manage your passwords and generate new ones for every site you visit. After installing, your login credentials are auto-populated for every site you visit, and when you create new logins, strong passwords are generated automatically. You don’t see these or need to remember them!

Don’t use admin.

Choose a random username for your admin account. Using “admin” will leave your site open to attack: it is probably the first account name a hacker will try.

Change the user’s “display name” to something different from your login name. Hiding your username means a potential hacker will need to guess the username as well as the password.

Hide the wp-login.php file by renaming it. The “Rename wp-login.php” plugin does this for you: enable it and choose a different login file name. Bookmark the new address so you don’t forget it!

Backups

Ensure your backups are reliable. Check that your backup files are accessible and test that you can decompress them. Ensure your database is recoverable too. All hosts can back up your files and database for you, but some hosts might need you to pay a little extra. (Coral Web Design is £15 a month for comprehensive hosting with updates.)

Install a firewall

You won’t realise how much unscrupulous traffic your website is exposed to until you install a firewall. Enabling Wordfence to guard against brute-force attacks is one of the best security tips for 2016. This #1 security plugin continuously prevents, patrols and protects your WordPress websites against today’s ultra-advanced cyber attacks, hacks and online security threats.

Configure the firewall

After installing Wordfence, head to the Wordfence options and look for “Immediately block the IP of users who try to sign in as these usernames”. Assuming you’re NOT using “admin” for your administration account, add “admin” in the box provided. This will block anybody attempting to sign in to your site with this account, which stops one of a hacker’s first attempts. There are other account names hackers may try; consider adding the site name here too. Obviously this needs to be an unused account.
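To see the kind of traffic the firewall section above is talking about, here is an added Python example (not code from the page or from Wordfence) that scans web-server access log lines for addresses hammering wp-login.php and reports them as candidates for a block. The log lines, IP addresses and threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the Apache/Nginx "combined" access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_login_posts} for IPs that POST to wp-login.php at least
    `threshold` times inside any sliding `window`. One POST followed by a 302
    to wp-admin is a normal login; many POSTs per minute is password guessing."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php"):
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample log: one guesser firing a POST every 6 seconds, one real login.
SAMPLE_LOG = [
    f'203.0.113.5 - - [05/Jul/2016:12:04:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.9"'
    for s in (1, 7, 13, 19, 25, 31)
] + [
    '198.51.100.7 - - [05/Jul/2016:12:05:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jul/2016:12:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jul/2016:12:05:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs, candidate for firewall block")
```

Once you have renamed wp-login.php as suggested above, any POST to the old path is by definition not yours, so the threshold for that path can be set much lower.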

Disable error reporting

Error messages should be disabled if your WordPress site is live. If you have a sister site in development, error messages should be enabled there to aid debugging.

Allowing hackers to view error messages can be really harmful to your site. Add the following code to the bottom of your wp-config.php. This makes sure logging is enabled and stored to the log file but not displayed on the screen.

```php
// Add inside wp-config.php, above the "That's all, stop editing!" line, so the
// constants are defined before WordPress loads wp-settings.php.
// Log PHP errors to the server's error log, never to the browser.
ini_set('log_errors', 'On');
ini_set('display_errors', 'Off');
ini_set('error_reporting', E_ALL);
// Keep WordPress's own debug output off on a live site. WordPress only acts on
// WP_DEBUG_LOG when WP_DEBUG is true, so on this setting the logging comes from
// the PHP ini settings above.
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
```

I update these security tips for 2016 constantly. Please follow @coralwebdesign on Twitter to get notifications of updates. Many thanks!

2 Comments

  1. Sophia Briggs on 5th July 2016 at 12:04 pm

    Great list, already using Dashlane. It works well, but I would like to suggest single sign-on technology for secure authentication. It not only provides safe login but also keeps the user’s credentials safe and secure in cloud storage. Using SSO also saves users time and effort in registering on a website, thus improving productivity.
    Thank you for the article and keep doing the great work in future.

    • Stuart on 5th July 2016 at 12:09 pm

      Thank you Sophia, I really appreciate your comments.
