WordPress Security


By: Drew Germyn

Categories: Guides

WordPress is a free and open-source tool and a content management system (CMS) based on PHP and MySQL. Features include a plugin architecture and a template system. WordPress was used by more than 23.3% of the top 10 million websites as of January 2015. WordPress is the most popular blogging system in use on the Web, at more than 60 million websites.

Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken.

This is a basic guide on how to secure your WordPress site to help keep it from getting hacked. However, nothing is infallible.

The basics:

  • Make sure the computers you use are free of spyware, malware, and virus infections.
  • Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.
  • Use long passwords for your WordPress login, preferably hard-to-guess ones that include numbers.
  • Keep your WordPress and plugins up-to-date.
  • If you have an SSL certificate, connect to your WordPress admin login using HTTPS.
  • When connecting to your server, use SFTP, which encrypts the connection.

Restrict access to your WordPress admin area

It is important to restrict the access to your WordPress admin area only to people that actually need access to it.

First, you need your own IP address, and then the IP addresses of any of your admin users.

Then add the following to the .htaccess file in your WordPress installation directory, replacing xx.xxx.xxx.xxx with your IP address.


RewriteEngine On
# Match requests for the login page or the bare /wp-admin path ...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ... and refuse them unless they come from an allowed address (dots escaped so they match literally).
# Repeat the REMOTE_ADDR line once for each additional admin IP address.
RewriteCond %{REMOTE_ADDR} !^xx\.xxx\.xxx\.xxx$
RewriteRule ^(.*)$ - [R=403,L]
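
As an added example that is not part of the original guide: a small Python model of how Apache evaluates the three conditions above ((login URI OR admin URI) AND remote address not on the allow-list), so you can check which requests the rule set blocks before deploying it. The IP addresses and request paths are constructed sample values.

```python
import re
from ipaddress import ip_address

# Constructed sample allow-list (documentation addresses); replace with your admins' IPs.
ALLOWED_IPS = ["203.0.113.10", "198.51.100.7"]

# The two REQUEST_URI conditions from the .htaccess snippet, joined with [OR].
# Note: %{REQUEST_URI} in mod_rewrite is the path only, without the query string.
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")


def remote_addr_allowed(remote_addr, allowed_ips=ALLOWED_IPS):
    """Mirror one 'RewriteCond %{REMOTE_ADDR} !^a\\.b\\.c\\.d$' line per allowed address.

    re.escape() does what the backslashes in .htaccess do: an unescaped '.'
    would match any character instead of a literal dot.
    """
    ip_address(remote_addr)  # raises ValueError on a malformed address
    return any(re.match(rf"^{re.escape(ip)}$", remote_addr) for ip in allowed_ips)


def is_blocked(request_uri, remote_addr, allowed_ips=ALLOWED_IPS):
    """Return True when the RewriteRule would answer 403.

    Apache ANDs consecutive RewriteConds unless [OR] is given, so the set reads:
    (login URI matched OR admin URI matched) AND remote address NOT allow-listed.
    """
    sensitive = bool(LOGIN_URI.match(request_uri) or ADMIN_URI.match(request_uri))
    return sensitive and not remote_addr_allowed(remote_addr, allowed_ips)


def coverage_report(allowed_ips=ALLOWED_IPS):
    """Evaluate constructed requests from an address that is not allow-listed.

    Shows what the rule set covers: wp-login.php and the bare /wp-admin path are
    blocked, while '/wp-admin/' (the trailing-slash form a directory request is
    redirected to) does not match '^(.*)?wp-admin$' and passes the rule unchanged.
    """
    outsider = "192.0.2.44"  # constructed, not on the allow-list
    paths = ["/wp-login.php", "/wp-admin", "/wp-admin/",
             "/wp-admin/index.php", "/index.php", "/2015/01/post/"]
    return {p: is_blocked(p, outsider, allowed_ips) for p in paths}


if __name__ == "__main__":
    for path, blocked in coverage_report().items():
        print(f"{'403' if blocked else 'pass':4} {path}")
    print("login from allowed IP blocked?", is_blocked("/wp-login.php", ALLOWED_IPS[0]))
```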


Don’t use the “admin” username

Many attackers will assume the administrator's username is “admin”. You can easily block a lot of brute-force attacks by simply giving the administrator account a different username. Softaculous allows you to choose a different username when installing WordPress. You can also change the administrator's username on already installed WordPress websites. However, a much easier method is to simply create another administrator account, log in with that account, and delete the old administrator account.

Consider two-factor authentication

Two-factor authentication will significantly improve the security of your website. The easiest way is to install the Clef plugin. Their documentation is quite descriptive and very easy to follow.

Localnode’s security features:

  • Web Application Firewall
  • Support for the latest PHP and MySQL versions
  • Intrusion detection system
  • Account Isolation

As mentioned before, nothing is infallible. But following this guidance will greatly increase your WordPress security.