Check out this post on how to set up a website if you are new to blogging. It will get you up to speed on your very first blogging website. Now onto the Top 3 Tips to Secure your WordPress Blog!
Back to the topic
Breaches can happen at any time and the fact is that they do. I have detailed below my top 3 tips that I recommend to all WordPress Blogging websites. This will ensure there is an extra layer of security for protecting what you have worked so hard at.
The default WordPress website is like a house with the standard door locks.
The locks on the doors work pretty well if you are keeping the neighbors’ kids or small rodents out, but they are by no means going to keep a grown adult out. Most WordPress websites have the basic security measures in place, but when it comes to data on a website, you probably want an extra layer of security.
Top 3 Tips to Secure Your WordPress Blog
Securing your website is like installing a home alarm, putting up “beware of dog” signs, getting a dog to roam the house, or putting in place a camera system. Nothing is truly secure if the intruder really wants to get in but it helps to deter the hacker.
Following what I have detailed below will ensure that you have an extra layer of protection.
All hosting providers have some form of DDoS protection, firewall and security measures to ensure that brute force attacks are limited, but sometimes the issue might be an outdated plugin or a plugin that left loopholes for hackers to gain access to your blog. Implementing these security tips will ensure that you are protected from outside intruders and possible inside malware.
Tip 1: Change your Login Name
Was your WordPress automatically installed for you? Do you utilize “admin” as your username? If so, I recommend you change it as soon as you can.
Secondly, was your domain email used for the admin account? I recommend using an email address that is not tied to your domain when associating it to your admin account… something like a Gmail or Yahoo account. The reason is that the same domain email may be used on the “About Us” or “Contact” page, which makes it easier for a hacker to use when trying to break into your website.
The WordPress login page accepts both the email and username.
Avoid the use of “root”, “admin” or “administrator” as a username. These 3 usernames are commonly used as a first attempt at trying to break in. If you are using one of these usernames, follow the instructions below to change it.
Protect your Blogging Website by using unique Usernames
Log into the backend of your WordPress website, typically http://yourdomain.com/wp-admin. Enter your username and password. Go to the Users tab, look for the admin account and edit it. The example below shows “admin” for the Username.
WordPress does not offer an option to change it by default.
See how the “admin” username is grayed out.
To make the change, you will need access to the database.
1. Log into your cPanel account (typically http://yourdomain.com/cpanel).
2. Launch phpMyAdmin from the main cPanel page, which will open a new page.
3. Expand your WordPress database (look for the wp_ prefix on a standard install).
4. Open the wp_users table and look for your admin account under the user_login field.
5. Edit the row that corresponds to the admin account, change the admin username and then click on “Go” to save the change.
6. Now go back to the WordPress backend (http://yourdomain.com/wp-admin) and look at the admin user account name. It should now reflect the new username.
NOTE: You may be prompted to log back in. If so, use the new username.
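The same database change can be made from the SQL tab in phpMyAdmin, together with the checks from Tip 1. This is an added example, not part of the original post; it assumes MySQL/MariaDB and the default wp_ table prefix, and new-login-name, public-author-slug and yourdomain.com are placeholders to replace with your own values.

```sql
-- Added example. Assumes the default wp_ prefix; export a backup of the
-- database from phpMyAdmin before running step 4.

-- 1. Find accounts that use one of the usernames to avoid.
SELECT ID, user_login, user_nicename, user_email
FROM wp_users
WHERE LOWER(user_login) IN ('admin', 'administrator', 'root');

-- 2. Find administrator accounts whose email is on the site's own domain.
--    Roles are stored as a serialized PHP array in wp_usermeta.
SELECT u.ID, u.user_login, u.user_email
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_email LIKE '%@yourdomain.com';

-- 3. Make sure the new login name is not already taken (expect 0).
SELECT COUNT(*) AS already_taken
FROM wp_users
WHERE user_login = 'new-login-name';

-- 4. Rename the account. user_nicename is the slug used in author archive
--    URLs and keeps the old login unless it is changed as well, so it is
--    set to a separate public value here (this changes the author URL).
UPDATE wp_users
SET user_login    = 'new-login-name',
    user_nicename = 'public-author-slug'
WHERE user_login = 'admin'
LIMIT 1;

-- 5. Confirm the result: one row with the new login, none left as 'admin'.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login IN ('admin', 'new-login-name');
```

If display_name in step 5 still shows the old login, change it from the Users screen in the WordPress backend.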
Tip 2: Change the Login URL Path
WordPress’ default login URL is http://yourdomain.com/wp-login.php. You may think to yourself, “who cares” but in reality, you should care. If a hacker knows you are on a WordPress platform, they will know your admin login page. By default, users tend to use “admin” as the login name for the administrator account. I am guilty of that too.
Like I mentioned above, avoid the use of “root”, “admin” or “administrator” for your admin username.
So how do we get around this? Luckily there is a plugin called WPS Hide Login, which can be installed by going to the WordPress admin page, clicking on “Plugins” and then “Add New”. Search for “WPS Hide Login” and install it. This plugin makes it possible to change the WordPress login URL path.
So instead of
you can change it to something like
My example image is grayed out because I already have it running on my site.
Now that the plugin has been installed, make sure to activate it under the “Plugin” section of your WordPress backend.
Change your URL Login Page
- Go to Settings>>General
- Scroll to the section “Login URL”.
- Change the URL login path to whatever you want it to be. For my example, I used “login”. This means my WordPress login site now becomes http://mydomain.com/login
If you attempt to log into the old login path http://yourdomain.com/wp-admin/, you’ll get a 404 error. You’ll now need to use your new http://yourdomain.com/login login page, or whatever you named it.
Tip 3: Use Wordfence Plugin for a Firewall Protection and Malware Security Scanner
The WordPress security plugin provides the best protection, a constantly updated Threat Defense Feed, and a firewall to protect you from getting hacked. The Wordfence dashboard also provides a wealth of information to assist you.
Install the plugin the same as any other. Go to the plugin section. Add in a new plugin. Search for Wordfence and install the plugin.
After activating the plugin, make sure to enter your email to get updates about any potential threats and/or updates. Check the agreement terms and continue.
FYI, I normally opt out of the newsletter that Wordfence provides if I am already enrolled through one of my other accounts, but it may be a good idea for you to enroll so that you are aware of changes that are coming. I try to avoid getting duplicate emails.
Lastly, click “No Thanks” on the following screen if you are going to use the free option. Of course the Premium option might be something to consider.
Details on the PREMIUM options are listed at the end of the post.
Go through the tour guide that pops up to get familiar with Wordfence after you have it installed.
I personally use the free version but the premium version can offer extended capabilities. It will automatically start a scan and protect your website as soon as it’s activated.
Under Wordfence>>All Options, there is an Advanced Firewall option section. Make sure to add your public IP, not your private IP, to the Whitelist section. If you don’t know your public IP address, open a browser and go to google.com. Then search “whats my ip”. Google will respond with your public IP address. It’s usually something like 126.96.36.199. Not those numbers, but in that format if it’s an IPv4 address. With the ever-changing Internet, Google might show you your IPv6 address instead. To get around this, you might have to use the search term “whats my ipv4 address”.
Now enter in your IP address and save the setting.
Now go back to the top of the Wordfence Dashboard.
To make your site as secure as possible, click on “Click Here to Configure”.
This option modifies your .htaccess file. Wordfence auto-detects your server setup in the first drop-down field.
Leave it to the default unless you know what you’re doing.
Make sure to read through and download a backup of the .htaccess file just in case something goes wrong.
Click “Continue” to proceed.
Click Close once it finishes.
Lastly, stay up to date with Wordfence by clicking on “Yes, enable auto-update”. This ensures you are running the latest version of Wordfence. You should see this message in your WordPress Dashboard or under the Wordfence section.
If you do not want to set it to auto update… well you know what to do.
If you like the Wordfence plugin, you might want to get the premium version which has the options below:
- Receive real-time Firewall and Scan engine rule updates for protection as threats emerge
- Real-time IP Blacklist blocks the most malicious IPs from accessing your site
- Country blocking
- Two factor authentication
- IP reputation monitoring
- Advanced comment spam filter
- Schedule scans to run more frequently and at optimal times
- Access to Premium Support
- Discounts for multi-license purchases
I have not personally used the Premium features because the free version has worked really well for me, but it may be something to consider if you need the extra options that Wordfence has to offer.
These are the Top 3 Tips to Securing your WordPress blog. I hope this helps you in providing an extra layer of security. If you have any questions, feel free to comment below.