2018 WordPress Security Tips (Easy & Actionable)

In this day and age, WordPress security is a necessity, not an option.

Otherwise, your hard work on creating your website will be in vain.

[Image: WordPress security]

You can keep your website safe and sound with these easy and actionable WordPress security tips.


Use A Strong Password

This is the most basic tip of all.

Never use a password that can be guessed easily.

Always avoid sequences of numbers or letters such as 123 or ABC.

[Image: WordPress strong passwords]

If you find it hard to remember, then write it down and store it someplace safe.

The most convenient way is to store your password on your PC or smartphone.

However, that’s not recommended because someone may gain access to your password.

Especially over an unsecured connection, like public WiFi.
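The two rules above (no easily guessed passwords, no sequences like 123 or ABC) can be turned into a simple policy check. The following is an added example, not code from the original post or from WordPress itself; the blocklist of common passwords is a constructed stand-in for a real leaked-password list, and the 12-character minimum is an assumed policy value.

```python
import string

# Ordered alphabets whose runs we reject ("123", "abc"); descending runs
# ("321", "cba") are caught by also testing each chunk reversed.
ORDERED_ALPHABETS = (string.digits, string.ascii_lowercase)

# Constructed blocklist standing in for a real leaked-password list.
COMMON_PASSWORDS = {"password", "password1", "admin", "wordpress", "qwerty", "letmein"}


def has_sequential_run(password, run_length=3):
    """True if the password contains run_length characters in numeric or
    alphabetical order, ascending or descending (e.g. '123', 'abc', 'cba')."""
    lowered = password.lower()
    for alphabet in ORDERED_ALPHABETS:
        for i in range(len(alphabet) - run_length + 1):
            chunk = alphabet[i:i + run_length]
            if chunk in lowered or chunk[::-1] in lowered:
                return True
    return False


def has_repeated_run(password, run_length=3):
    """True if any single character repeats run_length times in a row ('aaa', '!!!')."""
    count = 1
    for prev, cur in zip(password, password[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run_length:
            return True
    return False


def password_problems(password, min_length=12):
    """Return a list of problem codes, in a fixed order; an empty list means
    the password passes every check here. Long passphrases pass on length
    alone, so no character-class mix is demanded."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    if has_sequential_run(password):
        problems.append("sequential_run")
    if has_repeated_run(password):
        problems.append("repeated_run")
    return problems


if __name__ == "__main__":
    for candidate in ("admin123", "Pa55word!!!!", "correct horse battery staple"):
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
```

The checks are deliberately independent so the report tells the user exactly which rule was broken rather than just rejecting the password.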


One Administrator

An administrator has the highest level of power over a WordPress website.

That role itself allows you to do almost anything with your website.

If you have too many administrators on your website, you’re just worsening your WordPress security.

Why so?

[Image: Administrator role]

Common sense, really.

The more users there are, the harder the environment is to control.

Different users have different password preferences and login locations and that’s beyond your control.

Indirectly, you’re just exposing your website to a higher risk of being hacked.

So, if you really need more than 1 administrator account, keep the number to a bare minimum.


Change Your Default Username

If you’re still using WordPress default username “admin”, that’s a big no-no.

You’re just making it easier for others to get into your website.

So, how do you change it?

Very simple.

All you need to do is to create a new user with administrator capabilities.

Dashboard > Users > Add New

[Image: Changing WordPress username]

Remember to set the role to Administrator.

Then, log out and log in using your new one.

Users > All Users

Then delete the “admin”.

You will not be able to delete the “admin” account until you have logged in with your new one.
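Both of the last two tips (one administrator, no default “admin” username) can be checked in one pass over the user list. The following is an added example, not code from the original post or from WordPress: it parses a constructed CSV in the shape of a WP-CLI `wp user list --fields=ID,user_login,roles --format=csv` export (the exact column layout is assumed) and reports the two findings the post describes.

```python
import csv
import io

# Constructed sample export; these are not real accounts.
SAMPLE_USER_CSV = """ID,user_login,roles
1,admin,administrator
2,jane,administrator
3,editor_bob,editor
4,guest_writer,contributor
"""

# "admin" is the default the post warns about; the others are assumed
# common defaults worth flagging as well.
DEFAULT_LOGINS = {"admin", "administrator", "root", "test"}


def parse_user_export(csv_text):
    """Turn the CSV export into a list of dicts with a set of roles per user."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        rows.append({"id": int(row["ID"]), "login": row["user_login"], "roles": roles})
    return rows


def audit_users(csv_text, max_admins=1):
    """Return a list of human-readable findings; empty means nothing to fix."""
    users = parse_user_export(csv_text)
    findings = []

    admins = [u["login"] for u in users if "administrator" in u["roles"]]
    if len(admins) > max_admins:
        findings.append(
            f"{len(admins)} administrator accounts: {', '.join(admins)} "
            f"(keep it to {max_admins})"
        )

    for u in users:
        if u["login"].lower() in DEFAULT_LOGINS:
            findings.append(
                f"default username '{u['login']}' (ID {u['id']}) is still in use; "
                "create a new administrator, log in with it, then delete this one"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USER_CSV) or ["no findings"]:
        print("-", finding)
```

Run the audit again after creating the replacement administrator and deleting “admin”; it should come back empty.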


Keep WordPress Up-To-Date

This is by far one of the easiest WordPress security tips that can be implemented.

All you need to do is to update WordPress to its latest version.

That’s it!

Dashboard > Updates

[Image: Updating WordPress]

WordPress constantly improves its security and fixes bugs regularly through its updates.

Many people are concerned about updating their WordPress website.

That’s understandable because the latest version may not work with older WordPress plugins.

You could possibly break the functionality of your website.

Minor WordPress updates are done automatically.

However, you’ll get a notification when a major update is available.

Therefore, always make a backup copy of your website first before you perform any major WordPress updates.

Better be safe than sorry.


Use Two-Factor Authentication

To beef up your WordPress security, you can implement two-factor authentication (2FA).

Even if someone is able to guess your username and password correctly, they will not be able to get into your website.

2FA adds another layer of security to your website.

What does it do?

[Image: Two-factor authentication]

It works similarly to the one-time passwords (OTPs) sent by banks.

When you want to make a transaction, an OTP will be sent to your mobile for confirmation.

Same goes for 2FA.

When you want to log into your website, a confirmation will be sent to you.

It can be in the form of:

  • SMS
  • E-mail link
  • App notification
  • QR code generator

Personally, I find Unloq very simple to use, with a clean and modern interface.


You can customize the look of the login page.

The best part of all, it’s free with all features included out of the box.

You pay only when you have more than 100 users.


Loginizer is another very popular 2FA in the WordPress directory.

It has 700,000+ active installations on WordPress with a 5-star rating.

Not only does it function as a 2FA, it also offers many other security functions.

However, the 2FA comes as an add-on feature by purchasing the premium version of the plugin.

If you’re just starting out and just want a simple 2FA, go with Unloq.
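To show what the “app notification” and “QR code generator” forms of 2FA do behind the scenes, here is an added example of time-based one-time passwords (TOTP, RFC 6238), the scheme authenticator apps use. It is not code from the original post, Unloq or Loginizer; the secret is the RFC 6238 reference value, and a real site would generate a random secret per user and show it to them as a QR code built from the `otpauth://` URI.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 6238 reference secret (ASCII "12345678901234567890"); constructed
# stand-in for the random per-user secret a real plugin would generate.
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """TOTP: the HOTP counter is the number of 30-second steps since epoch."""
    counter = max(int(unix_time) // step, 0)
    return hotp(secret, counter, digits)


def verify_totp(secret, submitted_code, unix_time=None, window=1):
    """Server-side check of a code typed in at login. Accepts the code for
    the current step plus `window` steps either side to absorb clock drift
    between phone and server; the comparison is constant-time."""
    if unix_time is None:
        unix_time = time.time()
    if not (submitted_code.isdigit() and len(submitted_code) == DIGITS):
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, int(unix_time) + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


def provisioning_uri(issuer, account, secret):
    """The otpauth:// URI that an authenticator app reads from the QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(RFC6238_SECRET, now))
    print(provisioning_uri("Example Blog", "jane", RFC6238_SECRET))
```

The drift window is the detail that matters operationally: too small and users with a slightly slow phone clock get locked out; too large and a stolen code stays usable for longer.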


WordPress Security Plugins

In order to beef up your WordPress security, it’s a must to get a security plugin.

Most regular users just don’t know where to begin.

These plugins will keep your website secure in most aspects.

Of course, not all security plugins are created equal.

You will have to pick one that suits your needs the best.


The most popular WordPress security plugin is Sucuri.

It allows you to scan for malware and also grants you the necessary security protection for your site.

The downside of the free plugin is that it does not come with a firewall.

You will have to pay for that service.


The other top-notch security plugin that I find really useful is SecuPress.

SecuPress is kind of the underdog here.

Unlike Sucuri, SecuPress allows you to set up a firewall to prevent attacks.

To further enhance its firewall properties, there is a premium plugin for it as well.

However, the free version of SecuPress does not come with a malware scanner.

You can eliminate the need for a malware scanner by keeping your site well protected.

If your site has been infected with malware, both Sucuri and SecuPress are able to remove it for you.

That being said, you will not be able to remove it with the free plugins.

[Image: Sucuri security fee]

You will have to use Sucuri’s premium service to have it removed.

[Image: SecuPress malware removal]

Or SecuPress’ malware removal service.

And from a Malaysian’s point of view, both services are very expensive!

Therefore, it should be your number 1 priority to keep your site well protected in the first place.


Use A Premium WordPress Theme

You should also focus on getting a reputable WordPress theme for your website.

Why so?

It’s amazing to know how many WordPress website hacks are related to themes.

According to an infographic by WP Template, 29% of the hacks are related to WordPress themes.

As you can see, that’s a lot!

[Image: WordPress hack statistics]

It’s very tempting to get a free theme without paying extra.

However, some themes may not have been updated for ages and you might be exposing your website to risks of being hacked.

I’m not saying that all premium themes are great.

But, in all honesty, they are better than free themes in general.

It’s safe as long as the creators keep updating their themes regularly.

Of course, you’ve got to read reviews of the theme you are getting first.

Read also: How to install WordPress themes


Secure Your Backend

You don’t really hear this often from websites that write on WordPress security tips.

However, from the pie chart above, a whopping 41% of WordPress hacks are related to your web hosting.

Absolutely shocking!

As a matter of fact, there are many ways a hacker can gain access to your WordPress files.

Of course, one of them is through WordPress itself.

However, the other way of getting to your files is through your web hosting provider.

If you can log into your web host’s website using a simple username and password, so can a hacker.

[Image: Using 2FA for cPanel]

Or are you using a web hosting control panel such as cPanel?

Someone can easily access your files if you did not place any security on them.

So what can you ask your web host to do?

  • Enable a firewall (such as ModSecurity) if available.
  • Check if 2FA is available.
  • Activate hotlink protection to prevent others from linking your files without permission.
  • Configure an SSL for your website (may incur charges).

What’s an SSL?

[Image: SSL for WordPress sites]

The green padlock sign indicates that your connection is secure.

That’s an SSL.

Your web hosting provider can set it up for you.


Backup Your Website

The last thing on your to-do list is to make a backup copy of your website.

You can back up your website in 2 ways:

  • Backup manually through your web hosting provider.
  • Use a WordPress backup plugin.

[Image: Website backup]

When all else fails, and you can’t figure out what’s wrong with your website, you can restore it to a previous state.

Of course, you may lose some of the recent updates.

And it depends on how frequently you back up your website.

To be honest, it’s best to back up your website using a WordPress plugin.

Why so?

That’s because:

  • You get to schedule your backups be it hourly, daily, weekly or monthly.
  • The data is stored on another server such as Google Drive, Dropbox, Amazon S3, etc.
  • If your server fails, your backup survives in another location.
  • Backup is just a few simple clicks away.
  • There’s no need to mess around with your server’s settings.


UpdraftPlus is a very popular backup plugin among WordPress users.

And with over 1,000,000 installs, there has to be a reason.

This plugin is very simple to use and it gets the job done, fast.

Apart from that, the basic functions are more than sufficient for normal websites.

And the best part, it’s free to use!

However, if you choose to back up manually through your web hosting provider, be sure to download a copy onto your PC.

At least, if your server goes down, the backup remains safe on your personal hard drive.
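A backup is only useful if the copy you download is complete and actually restores. The following is an added example, not code from the original post or from UpdraftPlus: it packs a constructed stand-in for a WordPress document root into a `.tar.gz`, records a SHA-256 manifest alongside it, verifies the archive before trusting it, and performs a restore into a scratch directory (the kind of check worth running before any major update). The directory layout and file contents are constructed placeholders.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_site(site_dir):
    """Constructed stand-in for a WordPress document root (not real site files)."""
    site_dir = Path(site_dir)
    (site_dir / "wp-content" / "uploads").mkdir(parents=True)
    (site_dir / "wp-config.php").write_text("<?php // constructed placeholder config\n")
    (site_dir / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8constructed-bytes")
    (site_dir / ".htaccess").write_text("# constructed placeholder\n")


def make_backup(site_dir, archive_path):
    """Archive every file under site_dir and return a manifest of per-file
    SHA-256 digests plus the digest of the finished archive itself."""
    site_dir = Path(site_dir)
    files = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(site_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(site_dir).as_posix()
                files[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    return {"archive_sha256": sha256_file(archive_path), "files": files}


def verify_backup(archive_path, manifest):
    """True only if the archive is byte-identical to what was recorded and
    every file inside it still matches the manifest (catches truncated
    downloads and silently corrupted copies)."""
    if sha256_file(archive_path) != manifest["archive_sha256"]:
        return False
    seen = {}
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    data = tar.extractfile(member).read()
                    seen[member.name] = hashlib.sha256(data).hexdigest()
    except (tarfile.TarError, OSError, EOFError):
        return False
    return seen == manifest["files"]


def restore_backup(archive_path, dest_dir):
    """Extract into dest_dir, refusing absolute paths, '..' components and
    links so a tampered archive cannot write outside the restore directory."""
    dest = Path(dest_dir).resolve()
    with tarfile.open(archive_path, "r:gz") as tar:
        members = [m for m in tar.getmembers()
                   if (m.isfile() or m.isdir())
                   and not m.name.startswith("/")
                   and ".." not in Path(m.name).parts]
        # Use the 'data' extraction filter where this Python version has it.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return dest


def demo():
    """Back up, verify, restore-test, then corrupt the archive and verify again.
    Returns (intact, restore_ok, corrupted_still_verifies)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "public_html")
        build_sample_site(site)
        archive = Path(tmp, "site-backup.tar.gz")
        manifest = make_backup(site, archive)
        intact = verify_backup(archive, manifest)
        restored = restore_backup(archive, Path(tmp, "restore-test"))
        restore_ok = all(sha256_file(restored / rel) == digest
                         for rel, digest in manifest["files"].items())
        with open(archive, "ab") as f:          # simulate a damaged download
            f.write(b"\x00garbage")
        corrupted = verify_backup(archive, manifest)
    return intact, restore_ok, corrupted


if __name__ == "__main__":
    print(demo())
```

Keep the manifest next to the downloaded archive (or in a separate location) so a damaged copy is detected before you rely on it during a restore.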


It’s Now Your Turn

It’s easy to implement these security tips without needing the knowledge to code or change any of your WordPress files.

Therefore, I hope you will find them useful.

So which one will you use first?

Are you going to start using a 2FA?

Or will you be changing your WordPress theme?

Or are you going to rely on a WordPress security plugin?
