To be, or not to be… secure, that is. Do you know whether your WordPress site is protected against unwanted attacks? If your answer is “Yeah, I think so?” or “I’m pretty sure I’m okay,” chances are you should take a few additional measures. We all need to sleep a little better at night, right?

Tip 1: Good Password Practices

This is advice you have been hearing for years. If you keep hearing it over and over again, chances are there is a good, solid reason behind the madness!

Never reuse your WordPress password for your bank account, your online bill pay, your email (the list goes on). If one of those sites is breached, attackers try the leaked password everywhere else. It’s like using the same 4-digit number for your phone code, your house alarm and your ATM PIN… and if you’re doing that, stop it right now!

You can easily generate strong passwords with the generator built into a password manager, which also stores them so you never have to remember (or reuse) them. Examples include:

  • LastPass

If you’re set on creating a password yourself, never use any permutation of your real name, username, company name or website name; those are the first things an attacker tries. Don’t use dictionary words, and don’t make it short: length matters more than anything else, so aim for at least 12 to 16 characters. Use a mixture of letters, numbers and symbols in a random pattern, as if a kitten had run across your keyboard and left a string of nonsense.
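The following is an added example, not code from the original post, showing how a generator like the ones in password managers actually works: it draws from the operating system’s cryptographic random number generator (Python’s `secrets`), refuses short passwords, measures how much guessing work a password of a given shape represents, and rejects passwords that contain a name, company or site name. The character set, minimum length and the names in the `forbidden` list are assumptions for illustration.

```python
import math
import secrets
import string

# Added example: generates and vets passwords; not code from the original post.
# Pool of characters to draw from: 52 letters + 10 digits + 13 symbols = 75.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
MIN_LENGTH = 12  # assumed floor; longer is better


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password from the OS cryptographic RNG via `secrets`.

    `random.choice` would be the wrong tool: it is seeded from a small state
    and is predictable, so someone who sees a few outputs can guess the rest.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"refusing to generate a password shorter than {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this shape: log2(size ** length).

    20 characters from a 75-symbol pool is about 125 bits, far beyond what
    can be brute-forced through a login form, or offline against a hash.
    """
    return length * math.log2(alphabet_size)


def is_weak(password: str, forbidden_terms: list[str]) -> bool:
    """Reject the classes of password the tip warns about: too short, or
    containing (in any case) the user's name, username, company or site name."""
    if len(password) < MIN_LENGTH:
        return True
    lowered = password.lower()
    return any(term and term.lower() in lowered for term in forbidden_terms)


if __name__ == "__main__":
    # Constructed names for a hypothetical site owner; not from the original post.
    forbidden = ["Alice", "alice", "Acme", "acme-widgets"]
    candidate = generate_password(20)
    print(candidate, round(entropy_bits(20, len(ALPHABET)), 1), "bits")
    print("weak:", is_weak(candidate, forbidden))
    print("weak:", is_weak("Acme2015!", forbidden))  # contains the company name
```

The entropy figure assumes every character was chosen uniformly at random, which is exactly why a generator beats a human: a password you invent has far less entropy than its length suggests, because people reuse patterns.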

Tip 2: Use Duo Two-Factor Authentication

Using Duo Two-Factor Authentication adds a second step to securing your WordPress login. Besides the password, it requires an additional proof of identity from a mobile phone or other device the user holds, so a stolen or guessed password alone is no longer enough to get in. There’s no extra hardware or installation required beyond the plugin, it’s relatively simple to use, and it’s free for up to 10 users. After you’ve reached the 10-user maximum, you can add users for $3 per user per month. If you don’t like one authentication method, or you have commitment issues, there are five others to choose from.



Tip 3: Limit Admin Access

Don’t give admin access to every Tom, Dick and Harry who wants in on the action. When you add WordPress users, you assign each one a role: subscriber, contributor, author, editor or administrator. Each role grants a different set of permissions (WordPress calls them capabilities), so some users can reach areas of the dashboard that others can’t: an author can publish only their own posts, an editor can manage everyone’s content, and only an administrator can install plugins, change settings or add users. Give each person the lowest role that lets them do their job, and keep the number of administrators to a minimum, because an administrator account is the one an attacker most wants to phish or brute-force.

Tip 4: Housekeeping?

Put together a routine maintenance schedule to go through and clean out the WordPress cobwebs: old backup files, abandoned themes and unused plugins. Deactivated plugins still sit on disk and their code can still be exploited, so delete them rather than just switching them off. Keep WordPress core and every plugin and theme you do use up to date, and only install updates from WordPress.org or the developer’s own site, never from a third-party download site, which may bundle a backdoor with the update. Monitor both your logs and your files. OSSEC, a free host-based intrusion detection system, will aid in the process and alert you of any changes.
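What “monitor your files” means in practice is a file integrity check like the one OSSEC’s syscheck performs: hash every file once to build a baseline, then rehash on a schedule and report anything that appeared, vanished or changed. The following is an added example (not OSSEC’s code and not from the original post). The directory layout, the skipped directories (uploads and cache, which change legitimately all the time) and the files in `demo()` are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Directories whose contents change legitimately all the time; hashing them
# would bury real alerts in noise. Paths are relative to the WordPress root.
# (Assumed defaults for this example.)
DEFAULT_SKIP = ("wp-content/uploads", "wp-content/cache")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so big files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path, skip_dirs=DEFAULT_SKIP) -> dict:
    """Map every file under `root` (minus skipped dirs) to its SHA-256."""
    result = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in skip_dirs):
            continue
        result[rel] = hash_file(path)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """What an integrity monitor reports: files added, removed or modified."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def save_baseline(snap: dict, path: Path) -> None:
    """Persist the baseline. Keep this copy off the web server: an intruder
    who owns the server can otherwise rewrite it to match their changes."""
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario, not real data: a tiny fake WordPress tree, a
    baseline, then changes an attacker or a careless admin might make."""
    with tempfile.TemporaryDirectory() as tmp:
        root, state = Path(tmp) / "site", Path(tmp) / "state"
        state.mkdir()
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
            "wp-includes/functions.php": "<?php // core file\n",
            "wp-content/plugins/old-plugin/old-plugin.php": "<?php // unused plugin\n",
            "wp-content/uploads/2015/01/photo.jpg": "JPEGDATA",
        }
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        save_baseline(snapshot(root), state / "baseline.json")

        # Three changes to detect, plus one in a skipped directory (no alert).
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n// injected line\n")
        (root / "wp-includes/wp-helper.php").write_text("<?php // not shipped by WordPress\n")
        shutil.rmtree(root / "wp-content/plugins/old-plugin")
        (root / "wp-content/uploads/2015/01/new.jpg").write_text("JPEGDATA")
        return diff_snapshots(load_baseline(state / "baseline.json"), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Re-baseline immediately after every legitimate update, otherwise the next run reports hundreds of changed core files and the one dropped-in backdoor is lost in the noise; that is the same discipline an OSSEC deployment needs.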

Tip 5: Web Application Firewalls

What is this and why do I need it? A Web Application Firewall (WAF) monitors, filters and blocks the HTTP traffic to and from a web application. It can be an appliance, a cloud service in front of your site, a web-server module or a plugin, and it applies a set of rules to each HTTP request and response. Those rules recognise attacks such as cross-site scripting and SQL injection, so by tuning them to your application many such attacks can be identified and blocked before they cause any real damage. Expect to spend some time tuning: rules that are too broad block legitimate visitors, and rules that are too narrow are bypassed with alternative encodings.

Two popular options for WAFs are Sucuri’s CloudProxy (a hosted service that sits in front of your site) and ModSecurity (an open-source module that runs inside your web server).
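To make the rule-matching idea concrete, here is an added example (not from the original post, and not ModSecurity’s or CloudProxy’s code) of the core of a WAF: a handful of constructed rules applied to the path, every query parameter and every POST form field, after undoing the percent-encoding (twice, to catch double-encoding) that attackers use to slip past naive matching. The rules, the decision logic and the sample requests are all assumptions for illustration; a real rule set such as ModSecurity’s Core Rule Set is hundreds of rules with scoring rather than a single hit-to-block decision.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed illustrative rules: a tiny fraction of what a real rule set ships.
RULES = [
    ("sqli-union", "SQL injection: UNION ... SELECT",
     re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    ("sqli-tautology", "SQL injection: quote followed by OR comparison",
     re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("xss-script-tag", "XSS: <script ...",
     re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", "XSS: inline on*= handler",
     re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("xss-js-uri", "XSS: javascript: URI",
     re.compile(r"javascript\s*:", re.I)),
]


def normalize(value: str) -> str:
    """Undo the encodings used to evade naive matching: percent-decode twice
    (double-encoding) and turn '+' into a space."""
    for _ in range(2):
        value = unquote_plus(value)
    return value


def inspect_request(method: str, target: str, body: str = "") -> list:
    """Apply every rule to the path, each query parameter and (for a POST
    with a form body) each body parameter. Returns (rule_id, location, value)."""
    path, _, query = target.partition("?")
    fields = [("path", path)]
    fields += [(f"query:{k}", v) for k, v in parse_qsl(query, keep_blank_values=True)]
    if method.upper() == "POST" and body:
        fields += [(f"body:{k}", v) for k, v in parse_qsl(body, keep_blank_values=True)]
    hits = []
    for location, raw in fields:
        value = normalize(raw)
        for rule_id, _description, pattern in RULES:
            if pattern.search(value):
                hits.append((rule_id, location, value))
    return hits


def decide(method: str, target: str, body: str = "") -> str:
    """'block' on any hit, else 'allow'. Deployments usually start in a
    detect-only mode and review the hits before turning blocking on."""
    return "block" if inspect_request(method, target, body) else "allow"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", "/?s=wordpress+security", ""),
        ("GET", "/?p=1%20UNION%20SELECT%20user_pass%20FROM%20wp_users", ""),
        ("GET", "/?p=1%2520UNION%2520SELECT%25201", ""),  # double-encoded
        ("POST", "/wp-comments-post.php", "comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        ("POST", "/wp-comments-post.php", "comment=I+love+%3Cb%3Ebold%3C%2Fb%3E+text"),
    ]
    for method, target, body in samples:
        print(decide(method, target, body), method, target, body,
              inspect_request(method, target, body))
```

Note the limits of pattern matching: `UNION/*x*/SELECT` is valid MySQL but slips past the `sqli-union` rule above, and the `sqli-tautology` rule will also fire on an innocent comment that happens to contain “don’t or can’t=”. That is why a WAF is a layer in front of properly written code (prepared statements, output escaping), not a substitute for it.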

Tip 6: Password-protect your admin directory with an .htaccess file.

An .htaccess file (short for Hypertext Access) is a configuration file read by Apache-based servers; it applies to the directory it sits in and every subdirectory below it (and yes, the filename starts with a period). The .htaccess file itself is plain text you write by hand; the username and password file it points to is created with htpasswd, which is usually shipped with every Linux package that installs Apache. On Windows you get it as part of XAMPP, a free bundle of Apache, MySQL, PHP and Perl that runs on Windows, OS X or Linux. A full step-by-step tutorial can be seen here.
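The configuration below is an added example, not from the original post. It assumes WordPress lives in /var/www/html, Apache 2.4 syntax, `AllowOverride AuthConfig` enabled for that directory, and a password file at /etc/apache2/.htpasswd-wpadmin created with `htpasswd -B -c /etc/apache2/.htpasswd-wpadmin staffuser` (`-B` stores a bcrypt hash, `-c` creates the file; drop `-c` when adding further users). The file is deliberately placed outside the web root so it can never be downloaded.

```apache
# /var/www/html/wp-admin/.htaccess   (example; paths are assumptions)
AuthType Basic
AuthName "WordPress admin - authorised staff only"
AuthUserFile /etc/apache2/.htpasswd-wpadmin
Require valid-user

# admin-ajax.php is called by the public front end of many themes and plugins;
# leaving it behind the prompt would break those features for ordinary visitors.
<Files admin-ajax.php>
    Require all granted
</Files>

# /var/www/html/.htaccess   (add to the existing WordPress rules in the site root)
# wp-login.php lives outside wp-admin/, so protecting the directory alone
# leaves the login form exposed; cover it too.
<Files wp-login.php>
    AuthType Basic
    AuthName "WordPress admin - authorised staff only"
    AuthUserFile /etc/apache2/.htpasswd-wpadmin
    Require valid-user
</Files>
```

This second password prompt happens before WordPress runs any PHP at all, so automated login guessers and scanners hitting wp-login.php never reach your application code. Serve the site over HTTPS, though: Basic authentication sends the username and password base64-encoded, not encrypted, on every request.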

