How to make your WordPress Website Secure


In this update Mick talks about how you can make your WordPress websites more secure than 95% of websites out there. It is very hard to make something completely hacker-proof, and that is why a regular backup regime is super important. If you can make your site take more time and effort to hack into, however, then most attackers will move on and look for easier targets.


Episode Transcription

Today we are going to talk about WordPress website security.  I’m Mick Cullen from Redcliffe Marketing Labs.  There has been recent news coverage about a large botnet which is targeting WordPress websites.  What that means is that basically a large network of computers controlled by one organization or one person is being used in a fairly organized way to go into different WordPress websites and try to hack into them and take over the computer host of that website and add it to its botnet army.  The thing you have to remember is that this is one big coordinated attack that’s happening at the moment at WordPress websites.  Regardless, all over the world thousands and probably millions of computer programs and people are trying to crack into different websites all the time, every day.

The reason this botnet happens to be targeting WordPress is just because WordPress is a very popular platform.   It’s a great free software to build your website on.  If you’re looking at getting a new website and you’re not using WordPress, then you really need to know what you’re doing and have a really good reason not to use WordPress.  It’s becoming the standard.  It’s hugely supported and lots of people use it, lots of developers.  Especially from a marketing point of view, there are so many tools that you can use to improve your marketing in a WordPress website that again, you need a really good argument not to be using it.

This video is not about selling WordPress, it’s about how to make your WordPress site a little bit more secure and make it harder for people to hack into so they move onto easier targets.  The first thing is super easy.  Make sure everyone who uses your website has a really secure password.  The easiest tool to help you with that is a password manager.  The one I use and recommend is  It’s really fantastic and it will generate secure passwords for you which is going to make it much harder for someone to guess.  In this case, these botnets, what they do is use brute force.  They just try password after password until they can try to crack into your site.  Make sure you and everyone else who has access to your website has a really secure password and not just made up of words you would find in a dictionary.

The second thing is that by default when people use the one-button install for WordPress, the user name for the administrator account will be “admin”.  People will know this.  When they try to break into a WordPress website, the first account they’re going to try is the admin account because they know that one exists.  If you are logging into your website every day and using the admin account, or if the admin account exists in the back end of your WordPress, then the best practice is to create a new account, making it an administrator, and delete or rename your admin account.  That just makes it that much harder for someone who is going to break in or hack your website.

Just taking those two steps, secure passwords and removing the admin user, is probably going to make you more secure than about 95 percent of the other websites out there.  There are a couple of plugins that I use just to make the website that little bit more secure.  The first plugin used is called “Limit Login Attempts”.  What this does is it will basically lock people out after they’ve gotten their password wrong however many times.  You can set that limit.  If they lock themselves out several times, you can basically give them a delay, say 15 minutes, and if it happens again you can lock them out of your website for 24 hours.  For someone who is trying to use brute force or trying to guess a password, it’s going to take them a lot longer, potentially days and weeks, to actually get through lots and lots of passwords.  Without that plugin, you can just sit there all day with an automated program guessing different passwords to login.
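The escalating lockout schedule just described, written out as an added Python example rather than the plugin's own (PHP) code; only the 15 minute and 24 hour delays come from the transcript, while the attempt count, lockout count and the attacker's guess rate in guesses_in_window() are assumed values chosen to illustrate the effect.

```python
# Escalating login lockout, modelled on the Limit Login Attempts behaviour
# described above. Added example, not the plugin's code: the 15 minute and
# 24 hour delays are from the page, the counts below are assumed settings.
from dataclasses import dataclass

MAX_ATTEMPTS = 4             # assumed: wrong passwords before a lockout
SHORT_LOCKOUT = 15 * 60      # from the page: 15 minute delay
MAX_LOCKOUTS = 4             # assumed: lockouts before the long one
LONG_LOCKOUT = 24 * 60 * 60  # from the page: 24 hour lockout


@dataclass
class ClientState:
    failures: int = 0          # wrong passwords since the last lockout
    lockouts: int = 0          # lockouts so far for this client
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginLimiter:
    def __init__(self):
        self.clients = {}  # client IP -> ClientState

    def is_locked(self, ip, now):
        return now < self.clients.setdefault(ip, ClientState()).locked_until

    def record_failure(self, ip, now):
        """Register a wrong password; return the lockout it triggers (0 if none)."""
        st = self.clients.setdefault(ip, ClientState())
        if now < st.locked_until:      # already locked: attempt is not counted
            return st.locked_until - now
        st.failures += 1
        if st.failures < MAX_ATTEMPTS:
            return 0
        st.failures = 0                # counter restarts after each lockout
        st.lockouts += 1
        length = LONG_LOCKOUT if st.lockouts >= MAX_LOCKOUTS else SHORT_LOCKOUT
        st.locked_until = now + length
        return length


def guesses_in_window(limiter, ip, seconds, rate=1.0):
    """How many guesses a non-stop attacker (one every 1/rate seconds, all
    wrong) actually gets to try within `seconds`; compare with seconds*rate."""
    t, guesses = 0.0, 0
    while t < seconds:
        if not limiter.is_locked(ip, t):
            limiter.record_failure(ip, t)
            guesses += 1
        t += 1.0 / rate
    return guesses
```

With these settings a script guessing once per second gets 16 attempts in a day instead of 86,400, which is the "days and weeks" slowdown the transcript describes.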

Getting a little bit more advanced, other WordPress plugins to look at are called “Wordfence” and “Better WP Security”.  Both these plugins provide a range of features including a check of your files each day to see if any of your files have changed.  You can determine if that was a change you made or a change someone else has made.  They will also lock down some of the important files and also hide a lot of things like user names and whether your password is incorrect.  They are really good tools.
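The daily file-change check described above, as an added Python example (not Wordfence's or Better WP Security's own code): it hashes every file under the site root, keeps the manifest, and reports what was added, removed or changed since the previous run; the skipped directories and the sample tree built in demo() are constructed assumptions.

```python
# Daily file-change check of the kind the transcript attributes to Wordfence and
# Better WP Security, written here as an added example (not either plugin's code).
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root, skip=("wp-content/uploads", "wp-content/cache")):
    """Map each file's '/'-separated path relative to root to its SHA-256.
    Uploads and caches change legitimately all the time, so they are skipped."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in skip):
            dirnames[:] = []  # do not descend into a skipped tree
            continue
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            manifest[rel.replace(os.sep, "/")] = sha256_file(os.path.join(dirpath, name))
    return manifest

def diff_manifests(old, new):
    """Return sorted (added, removed, modified) relative paths."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and new[p] != old[p])
    return added, removed, modified

def demo():
    """Constructed scenario: between two runs wp-config.php is edited, an
    unexpected PHP file appears inside a plugin, and an upload changes."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)
        write("wp-config.php", "<?php define('DB_NAME', 'wp');")
        write("wp-content/plugins/hello/hello.php", "<?php // plugin")
        write("wp-content/uploads/2013/photo.jpg", "jpeg bytes")
        yesterday = build_manifest(root)  # what the previous run would have stored
        write("wp-config.php", "<?php define('DB_NAME', 'wp'); // edited")
        write("wp-content/plugins/hello/x.php", "<?php // not there before")
        write("wp-content/uploads/2013/photo.jpg", "changed, but ignored")
        return diff_manifests(yesterday, build_manifest(root))
```

In a real daily job the manifest is written to disk or a database after each run and loaded back the next day; demo() keeps it in memory only to show the comparison.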

Now something you can do is to put your website on a service like Cloudflare.  What that does is put an extra layer between your website files and people who are actually requesting it off the Internet.  Because it is such a large cloud hosting platform, they get data from lots and lots of websites.  They can actually spot IP addresses or users who are believed to be involved in hacking attempts on other websites and filter those out and actually stop them from getting through to your website as an intermediate layer.  It provides an extra layer of protection.  It also speeds up your website as well so that your files are faster.  That one is called Cloudflare and worth checking out.

There is no end to the amount of different security plugins and packs you can use with WordPress, but if you are using those ones, it’s going to make you pretty secure compared to everyone else.  All you want to do is make your website a harder target so people will move on to easier targets, that’s the easiest way.  If someone is really determined to hack into your website and they know what they’re doing, then chances are they will probably be able to find a way.  It’s all about risk minimization.

I just want to credit Linda from Redcliffe Online.  She had another really good tip which was leave the admin username in place, but create a very, very long password that’s basically uncrackable.  It’s not a password you use every day, you use another account, and you leave the admin account as a bit of a honey trap knowing that it will take basically years and years of computing power to crack that incredibly long password.  It allows the bots or hackers to throw themselves up against a wall.  That’s another tip you can use.

If you find these tips useful, or if you have another really good WordPress security tip, please leave a comment.  Otherwise, look to subscribe on iTunes or YouTube to get these updates, or head over to our website and sign up for the free report.  You will get updates and training tips as well as access to over three hours of Internet marketing training videos you can watch in your own time.

Until next time, I’m Mick from Redcliffe Marketing Labs.  Cheers.

