Last Updated: October 2016
These tips are specific to self-hosted WordPress.org blogs.
Do not have a username called “admin”
“Admin” was the default WordPress username for years, so it’s the first thing every attack script tries. Every single failed login attempt for Nose Graze has used the username “admin” (which doesn’t exist for me). By simply using a different name, you force an attacker to guess the username as well as the password, which already puts you a step ahead of the dumb bots. Don’t treat the username as a secret, though: WordPress shows it in author archive links (the author slug is the login name by default), so this tip raises the bar rather than hiding the door. There’s more information on how to do this in the WordPress Codex. There are also plugins that can help you do it. See the security plugins section for an example.
Enforce strong passwords… everywhere
This is particularly important if you are a co-blogger or have a lot of guest bloggers with their own accounts on your blog. Every single account needs a strong password. There are plugins you can install that force your users to use a “strong password”. I’ll talk more about this later when I go over security plugins.
Ideally, all your passwords should follow the guidelines I outlined in my Passwords & Recovery Questions post, but at the very minimum, your administrative accounts need strong ones. A password should be at least 10 characters long and contain a mix of upper and lowercase letters, numbers, and symbols. Longer is better, and it must be unique to your blog: login bots are fed with password lists leaked from other sites, so a password reused from somewhere else is not really a secret any more.
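If you would rather enforce that rule yourself than rely on a plugin, the following must-use plugin does it. It is an added example, not code from Nose Graze or from any of the plugins mentioned in this post; it uses WordPress core’s `user_profile_update_errors` and `validate_password_reset` hooks, while the file name, the `ng_example_` function names and the exact thresholds are this example’s own choices.

```php
<?php
/*
 * Plugin Name: Minimum Password Policy (example)
 * Description: Rejects weak passwords on profile edits, "Users > Add New" and
 *              the password-reset form. Save it as
 *              wp-content/mu-plugins/password-policy.php (path is an assumption)
 *              so it loads without needing activation.
 */

// The post's rule: 10+ characters with upper, lower, number and symbol.
// The numbers and function names are this example's choices, not WordPress's.
function ng_example_password_problems( $password ) {
    $problems = array();
    if ( strlen( $password ) < 10 ) {
        $problems[] = 'at least 10 characters';
    }
    if ( ! preg_match( '/[a-z]/', $password ) ) {
        $problems[] = 'a lowercase letter';
    }
    if ( ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'an uppercase letter';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'a number';
    }
    if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) {
        $problems[] = 'a symbol';
    }
    return $problems;
}

// Attaches one error listing everything that is missing, so the user fixes
// the password in a single round trip instead of one complaint at a time.
function ng_example_add_password_error( WP_Error $errors, $password ) {
    $problems = ng_example_password_problems( $password );
    if ( $problems ) {
        $errors->add(
            'weak_password',
            '<strong>ERROR</strong>: The password must contain ' . implode( ', ', $problems ) . '.'
        );
    }
}

// Profile edit and "Users > Add New": edit_user() copies the "New Password"
// field into $user->user_pass only when one was typed, so empty means
// "password unchanged" and there is nothing to check.
function ng_example_check_profile_password( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        ng_example_add_password_error( $errors, $user->user_pass );
    }
}
add_action( 'user_profile_update_errors', 'ng_example_check_profile_password', 10, 3 );

// "Lost your password?" form: the chosen password arrives in $_POST['pass1'].
// The hook also fires when the form is first displayed, hence the isset().
function ng_example_check_reset_password( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
        ng_example_add_password_error( $errors, wp_unslash( $_POST['pass1'] ) );
    }
}
add_action( 'validate_password_reset', 'ng_example_check_reset_password', 10, 2 );
```

Because the error is attached to the `WP_Error` object WordPress already uses on those screens, the save is refused and the message appears in the usual red box; no template changes are needed. WordPress’s own strength meter is only a hint that users can click past, which is why a server-side check like this (or a plugin that does the same) is what actually enforces the policy.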
Delete any old or inactive accounts
Does your ex-co-blogger from 6 months ago still have an active account on your blog? If they’re no longer co-blogging with you, then there is no reason to keep that account active. Having unused accounts (especially unused admin accounts) is a security risk! Delete the account (WordPress lets you reassign their posts to another user when you do) or at least downgrade it to the Subscriber role. Every additional account you have is one more username for someone to brute force, and one more password you don’t control.
Back up your site!
There are many plugins and services to help you back up your site. One of my clients swears by VaultPress, but I’ve never tried it because it’s paid (the cheapest plan is $15 per month). Other people love Updraft Plus and BackUpBuddy. There are so many different options and ways you can save your backups, including: backup to a folder, backup to an FTP server, backup to Dropbox, backup by e-mail, etc. You can easily schedule backups so you don’t have to worry about remembering to do it yourself! Two things to check whichever tool you pick: keep at least one copy somewhere other than the web server itself (a backup folder on a hacked site is just more loot), and actually try restoring from a backup once so you know it works before you need it.
Install a brute force protection plugin
Honestly, you don’t need a massively “heavy” plugin for security. The main thing you need is something to protect against brute forcing. Brute forcing is when a bot/script/person sits at your login page trying different passwords (and usernames) over and over again, often thousands of times an hour. You need a plugin to say, “You’ve had enough guessing! CYA!”
The best and simplest plugin for this job is Login Lockdown.
But if you really want to use a bigger plugin like WordFence Security or iThemes Security, then those certainly won’t do any harm. The important thing is that you have SOMETHING blocking people who try to guess passwords over and over again.
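To make it concrete what those plugins do, here is a small must-use plugin that does the two things discussed above: it refuses the “admin” username outright and locks an address out of the login form after repeated failures. It is an added example, not the code of Login Lockdown, WordFence or iThemes Security; it uses only WordPress core hooks and functions (`authenticate`, `wp_login_failed`, `wp_login`, the transients API), while the file name, the `ng_example_` names and the thresholds are assumptions you should tune for your own site.

```php
<?php
/*
 * Plugin Name: Login Lockout (example)
 * Description: Refuses the "admin" username and locks an IP address out of the
 *              login form after repeated failures. Save it as
 *              wp-content/mu-plugins/login-lockout.php (path is an assumption).
 */

// Thresholds are this example's assumptions; tune them for your own site.
define( 'NG_EXAMPLE_MAX_FAILURES', 5 );
define( 'NG_EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function ng_example_client_ip() {
    // REMOTE_ADDR is the only address the web server sets itself. Headers such
    // as X-Forwarded-For are client-controlled unless a proxy you run overwrites
    // them, so trusting one would let an attacker reset their own counter.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ng_example_failure_key( $ip ) {
    return 'ng_example_login_failures_' . md5( $ip );
}

// Runs after WordPress's own username/password and cookie checks (priorities
// 20 and 30), so it can override a correct password from a locked-out address.
// An empty username is the blank form being displayed, not an attempt.
function ng_example_gate_login( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $failures = (int) get_transient( ng_example_failure_key( ng_example_client_ip() ) );
    if ( $failures >= NG_EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_failures',
            '<strong>ERROR</strong>: Too many failed logins from your address. Try again later.'
        );
    }
    if ( 'admin' === strtolower( $username ) ) {
        // Same wording WordPress uses for an unknown user, so the bot learns nothing.
        return new WP_Error( 'invalid_username', '<strong>ERROR</strong>: Invalid username.' );
    }
    return $user;
}
add_filter( 'authenticate', 'ng_example_gate_login', 40, 3 );

// WordPress fires this for real failures only (not for the empty form). It also
// fires for the two errors returned above, so a locked-out address that keeps
// hammering the form keeps its own lockout alive.
function ng_example_record_failure( $username ) {
    $key      = ng_example_failure_key( ng_example_client_ip() );
    $failures = (int) get_transient( $key ) + 1;
    // Each failure restarts the expiry, giving a sliding 15-minute window.
    set_transient( $key, $failures, NG_EXAMPLE_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'ng_example_record_failure' );

// A successful login through the form clears the counter for that address.
function ng_example_clear_failures( $user_login, $user ) {
    delete_transient( ng_example_failure_key( ng_example_client_ip() ) );
}
add_action( 'wp_login', 'ng_example_clear_failures', 10, 2 );
```

The counter lives in a transient, which WordPress stores in the options table, so this works on ordinary shared hosting with no extra setup. The `authenticate` filter also runs for logins made through `xmlrpc.php`, so those attempts count and get blocked as well. The limit is per address, which is the same trade-off the plugins make: a bot spread across many addresses gets `NG_EXAMPLE_MAX_FAILURES` guesses from each of them, and everyone behind one office NAT shares a single counter. That is why the stronger plugins add per-username limits and why the next section’s second layer is worth having too.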
Add some kind of second protection
What’s better than one password?
You can set up some kind of two-factor authentication, or at least a second barrier, for your login page. Examples include:
- Add an htpasswd box in front of wp-login.php (a second username and password). Strictly this is a second password rather than a second factor, but it still stops every bot that only knows how to talk to the WordPress login form.
- Google Authenticator (a code from your phone, which is a true second factor)
- Clef Two-Factor Authentication
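The htpasswd option needs no plugin at all on an Apache host; the rules go in the `.htaccess` file in your WordPress folder. The snippet below is an added example, not configuration from this post or from any plugin, and the paths in it are assumptions: put the password file somewhere outside the folder your site is served from.

```apache
# .htaccess in the WordPress root (path assumed): ask Apache for a separate
# username/password before it will even serve the WordPress login page.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Blog login"
    # Keep this file OUTSIDE the web root so it can never be downloaded.
    AuthUserFile /home/example/private/.htpasswd
    Require valid-user
</Files>

# Create the password file once from the shell (the -B flag stores the password
# with bcrypt; drop -c when adding further users to an existing file):
#   htpasswd -c -B /home/example/private/.htpasswd alice
```

Your browser will show a plain login box before the normal WordPress form, and bots that post straight to wp-login.php get a 401 without WordPress ever running. Note the block only covers that one file; `xmlrpc.php` also accepts a username and password, so keep a brute-force plugin active alongside this rather than instead of it.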
Always update WordPress
You should always update WordPress as soon as you can. It’s true that some themes or plugins may break with upgrades or become incompatible. But which do you care about more: how your blog looks, or your blog’s security? WordPress updates almost always include bug fixes and security fixes, and once a fix is public, attackers know exactly what to look for on blogs that haven’t applied it. That means if you don’t update WordPress, your blog is more vulnerable and easier to attack/hack. Since WordPress 3.7, minor and security releases install themselves automatically unless you or your host have turned that off, so leave that switched on and apply the major releases (and plugin and theme updates, which are patched for the same reasons) yourself promptly, with a fresh backup taken first.