3 ways to instantly make your WordPress more secure

By Tim Fuell - February 24, 2015

The popularity of WordPress means that it not only attracts bloggers and people who use it to run full websites, but also hackers attempting to access sites for their own gain. While using a reputable and reliable host like 123-reg helps protect against many potential attacks, any website is vulnerable to a committed hacker. Hackers frequently try to compromise WordPress installations so they can use them to send spam, set up potential phishing scams or launch other attacks. This is why it is always important to keep your WordPress installation and plugins up to date, as the teams behind them are constantly issuing updates that close any potential security loopholes.

But since we’d expect you to be doing that anyway, here are three more ways you can protect your WordPress site from hackers.

Change your Admin user

Some very sophisticated hackers simply like a challenge, and second-guessing them is always tough. However, many less sophisticated hackers use brute force password attacks. These work by making multiple attempts to guess your password and username in quick succession. Even a fairly simple brute force programme can make thousands of guesses an hour. Sites using default usernames and simple passwords are easy to compromise using this method. To make things harder for brute force attacks, you should ensure you don’t rely on default usernames. You may not use it, but the chances are somewhere in your WordPress installation you still have a user named admin. It’s the default setting, but it’s not a necessary setting.

Changing the admin username is very simple.

1. Create a new user via Users > Add New.

2. Choose a new username and click to make that user an administrator.

3. Next make sure you delete the old admin account – if you have posted as admin in the past you will have the choice to reassign those posts to another existing user.

4. Now log out and log back in.

You’ve just dramatically reduced your chances of being hacked. Many hackers will try to attack people using the name “admin”, but if that doesn’t exist on your installation they will fall at the first hurdle.

Change your login URL

Just as admin is the default login name, so www.example.com/wp-admin/ is the default login screen for your WordPress blog. It needn’t be.

Log in to your WordPress installation, head to Plugins and search for “login URL”. You will find an array of plugins to do the job – just check the review ratings to be sure the plugin is up to date and does its job well.

Once installed, the plugin can usually be accessed via Settings > Permalinks. The idea is to change the login slug to something less obvious – limited to alphanumeric characters. Again, this instantly reduces the risk of hackers guessing your password because now they won’t be able to find your login area as easily.

Keep scheduled backups

It’s not a deterrent, but keeping backups is certainly a solution to the major disaster a hacked WordPress site can become. WordPress has a built-in backup tool, so make sure you’re using it. If the worst happens and something goes wrong – whether you’re hacked or you make a change to your site that results in undesired consequences – you’ll have a way of restoring a working version of the site from the backup you created. Access the backup tool via: Tools > Backup. Here you can choose which files you back up and how frequently, as well as where you back up to – be it a server, email or your computer.

WordPress is a brilliant way to create a great website but it can become even better with a little extra thought and common sense. The three tips above coupled with a strong password and keeping installations up to date can help you become less of a target, minimise your security risk and let you concentrate on building the content to make your website something extra special.