How Secure Are You?

Many of our clients already have existing WordPress sites when they are referred to us. Sometimes we are called upon to help with an unanticipated problem during an upgrade. Invariably, we will audit their WordPress security. We thought we’d take a moment to share some of what we look for when evaluating WordPress security on self-hosted sites and what steps we take to mitigate any risks. If we can help reduce your exposure, please contact us!


Ultimately, this is your fail-safe – and it’s a smart thing to do before you start upgrading and changing various features. There’s a slew of backup plugins and services. Here are our two best suggestions – you only need to select one of them!

BackWPup Free is a free plug-in – it can backup your site, databases to a local file, Dropbox, and/or FTP. (They also make BackWPup Pro version that has some additional features and support.)

VaultPress is a service by Automattic, the developers of WordPress. There’s a monthly fee, but it’s a very robust backup solution.


Though it’s a crucial suggestion, please make sure you understand the implications of upgrading. You should contact your developer to make sure your site will function properly after upgrading.

Many features are added to each version of WordPress. Many security flaws and risks are also repaired during these version upgrades – this is particularly true on minor upgrades (from x.x.0 to x.x.1 for example). And while you’re at it make sure your plugins and themes are up-to-date as well – older versions can harbor security flaws.


We see amazingly simple passwords being used to secure the administrator’s username all the time – from ‘password’ to ‘12345678’. But even slightly more cryptic passwords such as a combination of domain name and zip code or other guessable content should be avoided. It’s best to use a long and random set of characters (upper and lower case), numbers, and special characters (like, !, @, #, $, etc…). And importantly, it’s important that you use this password only for this one WordPress username. Don’t share it with other usernames on the same site. And don’t use it as your Google password or Apple ID Password.


By default, the main WordPress username is admin – and that user has complete control over the site. Everyone knows this – including the hackers. If you are still using ‘admin’ as your username, change it. Unfortunately, it’s not possible just to change it. You must create a new user with administrator privileges. The more unique you make the username, the harder it will be for hackers to guess. Be sure to take our password advice above when creating this user. After creating the new user, log out and log back in using the new username and password. Then you will need to delete the original ‘admin’ user. If you have content created by this user, you will be asked which user should take over this content. Select the new username you just created.


Here are a few plugins we like to include as standard on sites we work on.

Force Strong Passwords
This plugin forces you and other users to use stronger passwords – not ‘password’ or ‘12345678’.

Limit Login Attempts
Though we previously suggested using this plugin, we no longer recommend using it. In fact, we recommend deactivating the plugin and deleting it from your site. It has not been updated in over two years. Some of the other plugins now recommended take up some, if not all. of the slack.

WP Google Authenticator
This enables two-factor authentication. You’ll need to have an authenticated device such as your smartphone or tablet with the Google Authenticator app installed and configured. Once installed and configured, your site will require a username, password, and a temporary unique code generated by Google Authenticator app to be entered for login.

Sucuri Security
This scanner plugin from security firm Sucuri helps monitor security issues with your website. For instance, it can email you if there are any unsuccessful login attemps. Sucuri offers additional services for a fee for malware removal and website firewall services.

This plugin (and accompanying free service) was recently acquired by Automattic which will help keep the WordPress ecosystem more secure.  BruteProtect detects, prevents, and protects against botnet attacks. These are the automated attacks that repeatedly attempt to guess the username and password to your site as well as exploit other weaknesses.  It blacklists IP addresses that are participating in such actions.

Now that’s not all there is to it, but if you get these down you’ll be well on your way to having a much more secure WordPress site.

Again, if you would like our assistance in implementing any of these suggestions, please do not hesitate to contact us at (888) 768-6168.