Prepare For A Rainy Day With Backups

Securing Your Internet Activity

Securing Your Personal Computer

Securing Your Online Accounts

Avoid Phishing & Social Engineering Schemes

Securing Your WordPress Installation

Disclosure: If you purchase something after clicking links in the post, we may receive a commission. This helps us keep the free content and great resources flowing. Thank you for the support!
Thanks Nick for this informative article. I’ve been learning more and more about security since the “brute force attack outbreak” several months back. I’ve implemented a lot of the things here when it comes to WordPress, but I could definitely improve some things when it comes to securing my network and resetting my passwords on a regular basis. So thanks for the tips!
My recommendation for a backup solution is BackupBuddy by iThemes. It regularly backs up your site and sends the backup to an offsite server, and it also does malware scans. It’s also useful for moving a WordPress site, so you can quickly set up a test site to try new plugins, etc.
The last thing I’d like to say is I also highly recommend the “Limit Login Attempts” plugin that you mentioned. Not only does it help prevent the brute force attacks from successfully logging in to your site, but it also limits the number of times they can attempt (hence the name). Correct me if I’m wrong, but I’ve been told that brute force login attempts put a big strain on your server, and locking the bots out after a few attempts will prevent that from happening.
Thanks for the recommendation – I linked to BackupBuddy in the post and have heard good things. Brute force attacks can certainly strain a server, just like any other burst in traffic can. Using a firewall can help ban the IP addresses that the attacker is using before they put too much load on the CPU. A simple software firewall like CSF is easy to implement.
You could always use something like fail2ban and iptables to do a similar job.
Very good article Nick!!! Very useful tips for website security. Thanks for sharing.
Regarding #4 and removing the default “admin” account. I did that to all my blogs, and I also installed this plugin.
“Limit Login Attempts”
This is cool, because it will block too many failed attempts. So far all it’s finding is folks trying “admin”, but it will pick up the odd attempt at something else. Probably not foolproof, because it works by cookies, but I figure it can’t hurt to use it.
Better than nothing 🙂 Maybe there is a solution out there that bans by IP instead of cookies. I’m surprised that Limit Login Attempts doesn’t do this, but I haven’t looked into it.
Fail2ban works well
Very useful information. Thanks a lot.
“Folllwing”? Where did attention to detail go?
Sorry…
great article, but major typo in the heading.. “Folllwing These Simple WordPress Security Tips Could Help Save Your Website”
Thanks Jamie, looks like I hit that publish button a little too quickly 😉
One more typo: Be Weary of Phishing Attempts. Yes, I am weary of phishing attempts, but I think you meant to say Be Wary.
Great article with good, solid recommendations. Thanks for taking the time to put it together.
Thanks Glen.
Right-on Nick! Thanks for the helpful tips. This is a post worth bookmarking 🙂
Not a surprise that WP Better Security is on your list.
I’m using it … and … it simply works!
(It is amazing to see the logs … and how many times people are trying to log in … with the “admin” role … amazing …)
Cheers
Eric
There are tons of bots out there scouring the internet for a lucky break 🙂 (in other words, a weak password).
Update, backup, ensure redundancy, make it harder for the bad guys. You make very good points. I’m often amazed at how often people take none of these steps.
Here are some password tips, too: http://goatcloud.com/2013/03/01/password-protection/
and some tips in case your email is hacked: http://goatcloud.com/2013/06/17/what-to-do-if-your-email-account-is-hacked/
in case they’re of use to fellow ETers.
Thanks for the resources Cliff, I am sure they are appreciated by the community 🙂
Great Article.
Has anyone tried 2 part authentication by using something like Google Authenticator on your WordPress site?
http://wordpress.org/plugins/google-authenticator/
Yep, I use Google Authenticator on several sites. I’ve noticed Dreamhost offers it too for logins to your account dashboard.
I just learned about Clef and am trying that on a few sites too. It seems easier for an end user to use, but its Single Sign On (SSO) nature makes it, for me, a little “too convenient” to use with admin accounts on multiple sites. I just might be overly cautious.
I also played with LaunchKey (sorry, too lazy to find the URL) and it holds promise but I found their 1.0 version too buggy. I haven’t tried the latest release yet.
Hey Glen
Unfortunately GoDaddy doesn’t offer two part authentication in the UK yet (however available for USA).
http://support.godaddy.com/help/article/7502/enabling-twostep-authentication
DreamHost does offer it via the Google app: http://wiki.dreamhost.com/Enabling_Multifactor_Authentication
Thanks Nick … I appreciate the informative blog articles you have been delivering lately. All these small efforts create such a better ET community. 😛
Thanks Chris, we always try hard to provide value to our customers, even if that value isn’t in the form of a new theme!
Very good article Nick. Thanks for sharing.
Wow!!! Just wow, this is really helpful. Thanks so much.
Excellent article, Nick.
I’d like to add a suggestion that stops most brute force login attempts and also keeps your server from being overloaded by those attempts:
Password protect wp-login.php.
There are good instructions here: http://codex.wordpress.org/Brute_Force_Attacks
That technique makes for a two-step login process but, assuming you use different usernames and passwords, it makes it a lot harder to hack your site and also prevents the PHP and MySQL queries that are a burden on the server from taking place until you’ve authenticated using HTTP basic auth first (which is a light load).
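The approach described in the comment above, written out as an added configuration example (it is not code from the post, the commenter, or the Codex page): an `.htaccess` fragment for Apache 2.4 that wraps only `wp-login.php` in HTTP basic auth, so the web server answers unauthenticated requests with a 401 before PHP or MySQL is ever invoked. The password file path `/home/example/.htpasswd` and the user name `loginuser` are placeholders; the file should live outside the web root.

```apache
# Added example, not from the original post. Assumes Apache 2.4 with
# mod_auth_basic and mod_authn_file enabled, and an .htpasswd file created
# outside the web root with bcrypt hashes, e.g.:
#   htpasswd -B -c /home/example/.htpasswd loginuser
# (path and user name are placeholders)

# Apache's default 401 page is returned on failed basic auth, so the 401
# is not routed back through WordPress (which would trigger a second
# wp-login.php request and the associated PHP/MySQL work).
ErrorDocument 401 default

# Never serve .htaccess / .htpasswd files themselves.
<Files ~ "^\.ht">
    Require all denied
</Files>

# Only the login script is protected; the rest of the site stays public.
# The basic-auth credentials should differ from the WordPress user's.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted login"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>
```

Because the check happens in Apache's authentication phase, a bot that fails basic auth never reaches WordPress at all, which is the server-load benefit the comment describes; every genuine login then goes through two prompts, the browser's basic-auth dialog and the normal WordPress form.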
Handy set of tips. Thanks for sharing it.
Thanks very much
Thanks for your tips. I was DDoSed, and I use IOSEC HTTP Anti Flood Security. Share with all your friends.
Thanks for the great article Nick! We also use Wordfence on virtually all of our sites to help ensure we are covered. We like the notification feature when something is happening on one of our sites that we have set up alerts for. It also helps keep us current on plugin updates, etc.
Good security tips. They will help us secure our WordPress installations.
A great addition to limit login attempts is Stealth Login Page. This masks the wp-login/admin URL so only you know it. This way bots/software will be redirected when they visit site/wp-admin. It’s not foolproof, but it will save you from a lot of login attempts (before they occur).
Thanks for the tip Mark.
Thanks for this amazing article on WordPress security. You have also shared some WordPress plugins for security, but I am afraid they might put a heavy load on the CPU or make the website slow. Also, please write about how to speed up your WordPress site or blog.
I wouldn’t expect the recommended plugins to put excessive load on the CPU.
Thanks for this, Nick. I’m running a series of church websites built on WordPress and we had a 10,000 login attempts per site attack. In discussion with the server provider, I’ve installed the Rename wp-login.php plugin, which allows me to rename the wp-admin file. Job done!
Thanks for the suggestion Lawrence.
Hey Nick,
First of all, thanks for sharing the article. Creating backups from time to time is the most important thing, and plugins like Captcha can also help secure our WordPress login.
Thanks for sharing that. Really informative and helpful article. 🙂
I wish i saw this when it was published! I just got hacked! Had to pay bluehost to remove all the malware and now i have to reinstall ET on my sites!
Thank you for this article and the helpful comments. I am having some serious issues with 2 of my WordPress sites with Elegant Themes being hacked recently. Both have had viagra and cialis ad text inserted, and I am having a hard time cleaning them and keeping them clean.
Thank you for sharing these helpful tips on WordPress security. Those WordPress site owners are surely delighted that information such as this is available for them. Cheers!
Thanks for posting. This is one of the best articles I have found on this topic. I love that you come at it from all the different angles. Definitely sharing a link on my blog!
I really like your blog.. very nice colors & theme. Did you make this website yourself or did you hire someone to do it for you? Please respond, as I’m looking to construct my own blog and would like to find out where you got this from. Appreciate it.
I found a better VPN solution https://www.waselpro.com/en/. It’s much simpler.
Great stuff Nick 🙂
Regarding security, has anybody else any experience of BulletProof Security? It seems to have been pretty robust for us. Using that in combination with Limit Login Attempts has certainly kept the wide boys out so far.
Has anybody else in this stream used Ryan Shaw’s WP Backup Plus? It was a really promising plugin at first, but I’ve had a hideous time with it and his support team over the last 6 months or more!
Cheers again,
Ray
What a great list of tips – there were several I was not aware of, and I will implement them right away – thanks again for a great summary!
Great tips. Thanks
Very nice really.
Thanks sir.
Regards
Hi, love the article. I used Better WP Security. But after the update to iThemes Security it broke all of my websites. All themes and plugins (I use Divi) were gone. What do you think of iThemes Security?
I don’t know what i did wrong.
Best security with IP and country blocking, limits login attempts and monitors 24/7 … http://www.wordfence.com/ They have free and paid versions. Wouldn’t host WP sites without Wordfence!
Great tips.
Thank you for sharing.
Works as advertised, I just had to manually remove the contents of the “Identities” and “Address Book” folders. Nothing major; most important is that the DLLs and EXEs are out.
One step closer to a more secure environment. I also blocked all sites for IE and am using Firefox and Thunderbird exclusively now.
Thanks a lot !
Nice tips. It is a good idea if you can put your entire website under the https:// protocol. After the new Google updates a lot of people were talking about SSL and HTTPS certificates; if you use them on your website you can get better rankings.
The downside is that if you use the https:// protocol your website may load slower than before.
In addition to these tips, I would recommend the “Anti-Malware and Brute-Force Security by ELI” plugin.
It’s free, and it easily cleans and rescues your site if it’s infected somehow.
Great article Nick, thanks for the points, I’ll be working through these to make sure I have everything as secure as possible. I currently use Wordfence, and I think it’s a fantastic plugin. It offers a number of options including a limit on login attempts. I’ve already found a number of attempts at accessing my site, but feel pretty secure with Wordfence. Just wanted to share. 🙂
I am new member to Elegant Themes but have been signed up to receive your posts for a quite a while. I am glad I joined because not only do you create excellent themes but you also go the extra mile by creating really useful posts like this!
BTW I use myRepono (http://www.myrepono.com) to back up my clients’ sites. It is fairly easy to install on each site, cost effective and, most importantly, if you ever have an issue with a site you can restore it to a previous version with a single click. Also I think it is good to have a backup with a third party.
I would also second XtraMark’s suggestion of Wordfence; we use this and have found it excellent. We also have a reseller subscription with Stop The Hacker that provides us with account monitoring for malware injections etc.
I have also found it useful to secure your WordPress installation through your MySQL database, changing the default table names and such.
Great information, Nick!
For non-expert bloggers and coders, I suggest installing a WordPress plugin to make things easier.
I found the “Wordfence Security” plugin to be a free solution to secure blogs and make them faster.
Tested and happy with it!
Thanks for the share.
I am reading a lot about changing the WP table names prefix to help in security. Is this of value? Does it affect the install of your themes at all?
Thanks!