WordPress Security Essentials For Your Site

Once you have set up your WordPress site properly, you must protect it. There are many people out there trying to harm specific websites with malicious code or SQL injection. Do NOT assume yours will not be one of them.

What You Will Learn

What to do and what you should never do when it comes to WordPress security.
What plugins your WordPress site must have, and how to set them up properly.
Learn how to make a backup of your site. Bad things happen when you least expect them.

WordPress Security

WordPress Security Basics

Useful Tips and Tricks

People are wrong when they do not take WordPress security seriously. I didn’t either, and learned the lesson the hard way. Don’t make the same mistake I did.

I am saying this too many times, I know, but I must mention it again. Do not use nulled themes, especially if they come from untrusted or unreliable sources. If you are short on budget, let your spirit guide you to a nice free theme.

WordPress security starts with choosing secure hosting. Make sure your web host is well established, and read a review or two about them as well. Don’t just go for the cheapest one.

WordPress is a free and open source blogging platform, but its developers work hard to keep your WordPress site safe. Always use the latest version of WordPress. Every new version may include additional updates and security fixes.

We have covered how to install WordPress properly before. We even talked about a few good hosting companies you can choose. We have also covered the basics and “where to start” points. But these are just a few regular steps that were more like an introduction. If you want to make sure everything runs smoothly, don’t stop here.

Be ruthless when it comes to untrusted plugins. Make sure the plugin you are using is approved by WordPress. If a plugin is of no further use, make sure you deactivate or delete it.

A few tips and tricks require manual modification of your configuration files. At the time of writing this post I wasn’t sure whether I should describe these features the old school way or the way I actually protect my own sites.

I figured that this post was supposed to help all readers, experts and novices alike, so I chose my way (the easier way): using a perfectly safe WordPress plugin.

WordPress Security Plugin

One of the best plugins for making your site a safer place is the “WP Security” plugin. You can find it in the plugins section under the name “All In One WP Security & Firewall”.

The reason I prefer this plugin is that it is very easy to manage. However, there are many other WordPress security plugins that do the same things as “All In One WP Security”. You can try Sucuri Security or iThemes Security (formerly Better WP Security) as well.

All In One WP Security Plugin

Let’s start with the best things about this plugin. First of all, it’s free. As far as I have seen, it doesn’t slow your site down even a bit. It’s so easy to configure that even a 12-year-old kid can do it.

The first thing we’re going to do is remove the WP Generator meta tag, which advertises your WordPress version to anyone who views the page source. Under the “WP Meta Info” tab of the “Settings” option, check the box to remove the meta info produced by WP Generator. This option applies to all pages.

By now I hope you are not using “Admin” as the username to log in to your WordPress account. If you are, please change it ASAP. You can do that in the first tab of the “User Accounts” option.
There is a nice password strength meter in the “Password” tab as well.

Next is the “User Login” option. I will try to cover as many options of the “All In One WP Security” plugin as I can, but it’s in your best interest to read through all the options this plugin offers. Choose the ones that best cover your needs.

[Image: WordPress login lockdown]

Very important: enable the “Login Lockdown” feature. I usually set the maximum login attempts to 5. Check the box to receive an email when someone exceeds the allowed number of failed login attempts. If the attacker is too persistent, I recommend blacklisting their IP address.

If you want to approve new account registrations manually, check that option under “User Registration”. Since this requires a lot of manual work, I recommend enabling a captcha form on the WordPress user registration page instead (located under the “Registration Captcha” tab).

[Image: WordPress captcha]

Even the best sites in the world can be breached. That’s why I always recommend keeping a fresh site backup. This plugin offers that in the “Database Security” option, under the “DB Backup” tab.
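For readers who would rather script the database backup than rely on the plugin's button, here is an added example (my own code, not the plugin's or the original post's) that reads the database credentials from wp-config.php, writes them to a 0600 MySQL defaults file so the password never appears on the command line or in `ps`, and builds a `mysqldump` command with `--single-transaction` so the dump is consistent while the site is live. The wp-config.php contents, file names and directory layout are constructed for the demonstration; `dry_run=True` only builds the command, which is what `demo()` uses.

```python
import os
import re
import shutil
import stat
import subprocess
import tempfile
from datetime import datetime, timezone

# Matches  define( 'DB_NAME', 'value' );  with either quote style and any spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_(?:NAME|USER|PASSWORD|HOST))['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)

# Constructed sample wp-config.php (not a real site, not a real password).
SAMPLE_WP_CONFIG = """<?php
// ** Database settings ** //
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_backup' );
define( 'DB_PASSWORD', 'not-a-real-password' );
define( 'DB_HOST', 'db.internal:3307' );
define( 'DB_CHARSET', 'utf8mb4' );
$table_prefix = 'wp_';
"""


def read_db_settings(wp_config_text):
    """Extract DB_NAME/DB_USER/DB_PASSWORD/DB_HOST from wp-config.php text."""
    settings = dict(DEFINE_RE.findall(wp_config_text))
    missing = {'DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST'} - settings.keys()
    if missing:
        raise ValueError(f'wp-config.php is missing {sorted(missing)}')
    return settings


def write_defaults_file(settings, directory):
    """Write a [client] defaults file readable only by the owner (mode 0600)."""
    host, _, port = settings['DB_HOST'].partition(':')   # "host:port" or "host"
    path = os.path.join(directory, 'wp-backup.cnf')
    lines = ['[client]', f"user={settings['DB_USER']}",
             f"password={settings['DB_PASSWORD']}", f"host={host or 'localhost'}"]
    if port:
        lines.append(f'port={port}')
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write('\n'.join(lines) + '\n')
    return path


def build_dump_command(defaults_file, db_name, out_path):
    # --defaults-extra-file must be the first option for the MySQL client tools.
    return ['mysqldump', f'--defaults-extra-file={defaults_file}',
            '--single-transaction', '--quick', f'--result-file={out_path}', db_name]


def backup(wp_config_path, backup_dir, dry_run=False):
    """Build (and unless dry_run, execute) a timestamped mysqldump of the WP database."""
    with open(wp_config_path) as f:
        settings = read_db_settings(f.read())
    os.makedirs(backup_dir, mode=0o700, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime('%Y%m%dT%H%M%SZ')
    out_path = os.path.join(backup_dir, f"{settings['DB_NAME']}-{stamp}.sql")
    defaults_file = write_defaults_file(settings, backup_dir)
    cmd = build_dump_command(defaults_file, settings['DB_NAME'], out_path)
    if not dry_run:
        if shutil.which('mysqldump') is None:
            raise RuntimeError('mysqldump not found on PATH')
        subprocess.run(cmd, check=True)
    return {'command': cmd, 'defaults_file': defaults_file, 'output': out_path}


def demo():
    """Dry run against the constructed wp-config.php in a temporary directory."""
    work = tempfile.mkdtemp(prefix='wp-backup-demo-')
    cfg = os.path.join(work, 'wp-config.php')
    with open(cfg, 'w') as f:
        f.write(SAMPLE_WP_CONFIG)
    result = backup(cfg, os.path.join(work, 'backups'), dry_run=True)
    result['defaults_mode'] = stat.S_IMODE(os.stat(result['defaults_file']).st_mode)
    with open(result['defaults_file']) as f:
        result['defaults_text'] = f.read()
    return result


if __name__ == '__main__':
    print(' '.join(demo()['command']))
```

On a real server, call `backup('/var/www/html/wp-config.php', '/var/backups/wordpress')` from cron as the same user that owns the files, and copy the resulting `.sql` off the host; a backup that lives next to the site it protects disappears in the same breach.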

Next, enable the “Firewall” and “WordPress Pingback Vulnerability Protection” options. This keeps your ‘htaccess’ and ‘wp-config’ files safe by denying web access to them. Furthermore, it protects you from DoS (Denial of Service) and other attacks. There are plenty of additional firewall features available as well. Pick the ones you find handy.

[Image: WordPress security]

Protect against brute force attacks by changing your WordPress “Login URL”. Instead of ‘wp-admin’, choose something different and unique. Remember, this is only for you. Something like ‘isign’, perhaps.

On the next tab there is “Cookie Based Brute Force Login Prevention”. This is all very nice, but I recommend using this option only if you feel it is necessary. You can enable the “Login Captcha” option instead to prevent brute force attacks.

[Image: WordPress login captcha]

Another important thing is preventing comment spam. Two very nice solutions are offered here. One is the option to “Block Spambots From Posting Comments”, the other is the “Captcha” option. I prefer to enable both.

Last but not least, you can enable the “Right Click”, “Text Selection” and “Copy” protection. You can find this in the “Miscellaneous” area. As I said, there are many other options available as well. I have simply chosen to emphasize only the necessary ones.

We are now locked and loaded and ready to start with the real thing – Internet marketing.

Let’s Wrap It Up!

WordPress security is essential. When it comes down to it, here are the important things you need to remember:

  • Choose secure hosting. Find out more about this here.
  • Never use a nulled theme. If you are short on budget, at least try to find a decent free theme.
  • Always update to the latest version of WordPress.
  • Skip all unnecessary and untrusted plugins.

All In One WP Security & Firewall is a free plugin you need in order to improve your website security. By now you have promised me that:

  • You are not using “Admin” as the username to log in to your WordPress account.
  • You have enabled the “Login Lockdown” feature.
  • Your WordPress site has a fresh database backup stored.
  • Firewall and pingback protection are enabled.
  • You have saved yourself from comment spam.

