Last Updated on February 23, 2023 by Nick Roach 62 Comments
Thanks for posting. This is one of the best articles I have found on this topic. I love that you come at it from all the different angles. Definitely sharing a link on my blog!
Creating backups from time to time is the most important thing, and plugins like Captcha can also help to secure our WordPress login.
Thank you for this article and the helpful comments. I am having some serious issues with 2 of my wordpress sites with elegant themes being hacked recently. Both have inserted viagra and cialis ad text and I am having a hard time cleaning and keeping clean.
I wish I had seen this when it was published! I just got hacked! I had to pay Bluehost to remove all the malware and now I have to reinstall ET on my sites!
First of all, thanks for sharing the article. Creating backups from time to time is the most important thing, and plugins like Captcha can also help to secure our WordPress login.
Thanks for sharing that. Really informative and helpful article. 🙂
Thanks for this, Nick. I’m running a series of church websites built on WordPress and we had a 10,000 login attempts per site attack. In discussion with the server provider, I’ve installed the Rename wp-login.php plugin, which allows me to rename the wp-admin file. Job done!
Thanks for this amazing article on WordPress security. You have shared some WordPress plugins for security too, but I am afraid they might put a heavy load on the CPU or make the website slow? Please also write about how to speed up your WordPress site or blog.
A great addition to limit login attempts is Stealth Login Page. This will mask the wp-login/admin URL so that only you know it. This way bots/software will be redirected when they visit site/wp-admin. It’s not foolproof, but it will save you from a lot of login attempts (before they occur).
Good security tips. They will help us to secure our WordPress installations.
Thanks for the great article Nick! We also use Wordfence on virtually all of our sites to help ensure we are covered. We like the notification feature when something is happening on one of our sites that we have set up alerts for. It also helps keep us current on plugin updates, etc.
Thanks for your tips. I was DDoSed, and I use IOSEC HTTP Anti Flood Security. Share it with all your friends.
Thanks very much
Handy set of tips. Thanks for sharing it.
Excellent article, Nick.
I’d like to add a suggestion for stopping most brute force login attempts that also keeps your server from being overloaded by those attempts:
Password protect wp-login.php.
There are good instructions here: http://codex.wordpress.org/Brute_Force_Attacks
That technique will make for a two-step login process, but, assuming you use different usernames and passwords, it makes it a lot harder to hack your site and also prevents the PHP and MySQL queries that are a burden on the server from taking place until you’ve authenticated using HTTP basic auth first (which is a light load).
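The two-step login the comment describes, as an added example that is not from the post or from the Codex page it links: an Apache .htaccess fragment that puts HTTP basic auth in front of wp-login.php, so PHP and MySQL are not touched until the browser has authenticated. The .htpasswd path and the user name are assumptions.

```apache
# Added example: HTTP basic auth in front of wp-login.php (Apache 2.2 and 2.4 syntax).
# Put this in the WordPress root .htaccess. The .htpasswd location is an
# assumption; keep it outside the web root and create it with:
#   htpasswd -c /var/www/example/.htpasswd loginuser
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted login"
    AuthUserFile /var/www/example/.htpasswd
    Require valid-user
</Files>

# Without this, WordPress's own rewrite rule would route the 401 page through
# index.php (a PHP request on every rejected attempt) and can produce a 404 loop.
ErrorDocument 401 default
```

Note that this rule covers only wp-login.php; xmlrpc.php is a separate authentication path and needs its own rule if you want it covered too.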
Wow!!! Just wow, this is really helpful. Thanks so much.
Very good article, Nick. Thanks for sharing.
Thanks Nick … I appreciate the informative blog articles you have been delivering lately. All these small efforts create such a better ET community. 😛
Has anyone tried 2 part authentication by using something like Google Authenticator on your WordPress site?
Yep, I use Google Authenticator on several sites. I’ve noticed Dreamhost offers it too for logins to your account dashboard.
I just learned about Clef and am trying that on a few sites too. It seems easier for an end user to use, but its Single Sign On (SSO) nature makes it a little “too convenient” for me to use with admin accounts on multiple sites. I just might be overly cautious.
I also played with LaunchKey (sorry, too lazy to find the URL) and it holds promise but I found their 1.0 version too buggy. I haven’t tried the latest release yet.
Unfortunately GoDaddy doesn’t offer two part authentication in the UK yet (however it is available in the USA).
DreamHost does offer it via the Google app: http://wiki.dreamhost.com/Enabling_Multifactor_Authentication
Update, backup, ensure redundancy, make it harder for the bad guys. You make very good points. I’m often amazed at how often people take none of these steps.
Here are some password tips, too: http://goatcloud.com/2013/03/01/password-protection/
and some tips in case your email is hacked: http://goatcloud.com/2013/06/17/what-to-do-if-your-email-account-is-hacked/
in case they’re of use to fellow ETers.
Not a surprise that WP Better Security is on your list.
I’m using it .. and .. it simply works !
(It is amazing to see the Logs .. and how many times people are trying to login .. with the “admin” role .. amazing ..)
Right-on Nick! Thanks for the helpful tips. This is a post worth bookmarking 🙂
great article, but major typo in the heading.. “Folllwing These Simple WordPress Security Tips Could Help Save Your Website”
One more typo: Be Weary of Phishing Attempts. Yes, I am weary of phishing attempts, but I think you meant to say Be Wary.
Great article with good, solid recommendations. Thanks for taking the time to put it together.
“Folllwing”? Where did attention to detail go?
Very useful information. Thanks a lot.
Regarding #4 and removing the default “admin” account. I did that to all my blogs, and I also installed this plugin.
“Limit Login Attempts”
This is cool, because it will block too many failed attempts. So far all it’s finding is folks trying “admin”, but it will pick up the odd attempt at something else. Probably not foolproof, because it works by cookies, but I figure it can’t hurt to use it.
Fail2ban works well
Very good article, Nick!!! Very useful tips for website security. Thanks for sharing.
Thanks Nick for this informative article. I’ve been learning more and more about security since the “brute force attack outbreak” several months back. I’ve implemented a lot of the things here when it comes to WordPress, but I could definitely improve some things when it comes to securing my network and resetting my passwords on a regular basis. So thanks for the tips!
My recommendation for a backup solution is BackupBuddy by iThemes. It regularly backs up your site and sends the backup to an offsite server, and then it also does malware scans. It’s also useful for moving a WordPress site to quickly set up a test site to test new plugins, etc.
The last thing I’d like to say is I also highly recommend the “Limit Login Attempts” plugin that you mentioned. Not only does it help prevent the brute force attacks from successfully logging in to your site, but it also limits the amount of times they can attempt (hence the name). Correct me if I’m wrong, but I’ve been told that brute force login attempts put a big strain on your server, and locking the bots out after a few attempts will prevent that from happening.
You could always use something like fail2ban and iptables to do a similar job.
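The lockout logic behind both the “Limit Login Attempts” comment and the fail2ban/iptables reply, as an added example that is not code from the post, the plugin or fail2ban: it reads Apache access-log lines and picks out the addresses fail2ban would hand to iptables under its maxretry/findtime settings. It assumes the usual WordPress behaviour that a failed login re-renders the form (200) while a successful one redirects (302); the log lines are constructed for the example.

```python
"""Added example: the decision fail2ban makes before it asks iptables to drop
an address, applied to Apache access-log lines. Not code from the post or from
fail2ban. Heuristic: a POST to wp-login.php that returns 200 is a failed login,
because WordPress redirects (302) on success and re-renders the form (200) on
failure. The log lines are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache common/combined log timestamp

def failed_logins(lines):
    """Yield (ip, timestamp) for every apparent failed wp-login.php POST."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip it, don't crash the scan
        path = m["path"].split("?")[0]  # ignore query strings such as ?action=...
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def addresses_to_ban(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """IPs with at least `maxretry` failures inside a sliding `findtime` window,
    the same meaning those two settings have in a fail2ban jail."""
    recent = defaultdict(deque)
    banned = set()
    for ip, ts in failed_logins(lines):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

# Constructed sample: one bot hammering the form, one real user, one stray failure.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Feb/2023:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" '
    '200 3412 "-" "python-requests/2.28"' % s for s in range(0, 50, 10)
] + [
    '198.51.100.4 - - [23/Feb/2023:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Feb/2023:10:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [23/Feb/2023:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.88"',
]

if __name__ == "__main__":
    print(sorted(addresses_to_ban(SAMPLE_LOG)))  # ['203.0.113.7']
```

Because the access log never sees the WordPress verdict, this is a heuristic; a plugin that writes each authentication failure to syslog gives fail2ban a cleaner signal than status codes.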
I am reading a lot about changing the WP table names prefix to help in security. Is this of value? Does it affect the install of your themes at all?
Great information, Nick!
For non-expert bloggers and coders, I suggest installing a WordPress plugin, to make things easier.
I found the “Wordfence Security” plugin to be a free solution to secure blogs and make them faster.
Tested and happy with it!
Thanks for the share.
I have also found it useful to secure your WordPress installation through your MySQL, changing the default table names and such.
I am a new member of Elegant Themes but have been signed up to receive your posts for quite a while. I am glad I joined because not only do you create excellent themes but you also go the extra mile by creating really useful posts like this!
BTW I use myRepono (http://www.myrepono.com) to back up my clients’ sites. It is fairly easy to install on each site, cost effective and, most importantly, if you do ever have an issue with a site you can restore it to a previous version with a single click. Also I think it is good to have a backup with a third party.
I would also second XtraMark’s suggestion of WordFence, we use this and have found it excellent. We also have a reseller subscription with Stop The Hacker that provides us with account monitoring for malware injections etc
Great article Nick, thanks for the points, I’ll be working through these to make sure I have everything as secure as possible. I currently use Wordfence, and I think it’s a fantastic plugin. It offers a number of options including a limit on login attempts. I’ve already found a number of attempts at accessing my site, but feel pretty secure with Wordfence. Just wanted to share. 🙂
In addition to these tips, I would recommend the “Anti-Malware and Brute-Force Security by ELI” plugin.
It’s free, and it easily cleans and rescues your site if it’s infected somehow.
Nice tips. It is a good idea if you can put your entire website under the https:// protocol. After the new Google updates a lot of people were talking about SSL and HTTPS certificates; if you use them on your website you can get better rankings.
The downside is that if you use the https:// protocol your website may load slower than before.
Works as advertised; I just had to manually remove the content of the folders with “Identities” and “Address Book”. Nothing major; most important is that the DLLs and EXEs are out.
One step closer to a more secure environment. I also blocked all sites for IE and am using exclusively Firefox and Thunderbird now.
Thanks a lot!
Thank you for sharing.
Best security with IP and country blocking, limits login attempts and monitors 24/7 … http://www.wordfence.com/ They have free and paid versions. Wouldn’t host WP sites without Wordfence!
Hi, love the article. I used Better WP Security. But after the update to iThemes Security it broke all of my websites. All themes and plugins (I use Divi) were gone. What do you think of iThemes Security?
I don’t know what I did wrong.
Very nice really.
Great tips. Thanks
What a great list of tips – there was several I was not aware of, and will implement right away – thanks again for a great summary!
Regarding security, has anybody else any experience of BulletProof Security? It seems to have been pretty robust for us. Using that in combination with Limit Login Attempts has certainly kept the wide boys out so far.
Has anybody else in this stream used Ryan Shaw’s WP Backup Plus? It was a really promising plugin at first but I’ve had a hideous time with it and his support team over the last 6 months or more!
Great stuff Nick 🙂
I found a better VPN solution https://www.waselpro.com/en/. It’s much simpler.
I really like your blog… very nice colors & theme.
Did you make this website yourself or did you hire someone to do it for you?
Please respond, as I’m looking to construct my own blog and would like to find out where you got this from. Appreciate it.
Thank you for sharing these helpful tips on WordPress security. Those WordPress site owners are surely delighted that information such as this is available for them. Cheers!