Basic WordPress Security Takes Just a Few Minutes
Most WordPress website owners realize security is a serious issue that must not be overlooked. If you’re not one of those owners, get on board. Malicious bots, spam emails and comments, brute-force password crackers, hackers — they’re all out to get you. Enhance your knowledge of basic WordPress security (and significantly reduce CPU usage, which is essential if you’re on shared hosting) with these six simple, easy-to-implement steps.
Step 1 – Have a Strong Username & Password
Don’t choose “admin” as your WordPress username. Automated attackers know that most WordPress usernames are “admin” so they’re already a step ahead of you. If you are currently using “admin” as your username, don’t worry — it’s easy to change. I’ve listed the steps below.
Go to Users –> Add New User
Fill out all the information, choosing a more complex username and a very complex password that includes lower-case letters, upper-case letters, numbers and symbols. The more complex your password, the better.
Let me repeat that. Make your password complex. Very complex! Don’t take chances with your website’s security by choosing a simple password. Your WordPress website will get hacked if you decide to use a lame-brain simple password. Don’t use nicknames, partner names, pet names . . . I think you get the idea. Don’t take chances.
Change the new user’s role to Administrator.
Now, if you’re a Jetpack user you’ll also need to connect the new user with Jetpack. Click on Jetpack in the left-hand navigation menu. Then click the button that says Link to WordPress.com.
Once this step is complete, you will be redirected to a WordPress.com screen. Since you’re already connected to Jetpack, this screen should simply ask you to complete the connection process. Click the button that says Approve and the process is complete.
At this point, you’re ready to delete the original user named “Admin.”
Go back to Users –> All Users then tick the checkbox next to Admin. In the Bulk Actions dropdown, select Delete and then click Apply.
On the next screen you will attribute all content to your new user unless you want to delete all the previous Admin’s content (since it’s probably you, you won’t want to do that).
When you’re sure you have it right, click Confirm Deletion.
You’ve now got a new user for your WordPress website that doesn’t use the username “admin.” Nice work. And you’ve also got a complex password that even a super-computer can never guess.
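The same Step 1 procedure done with WP-CLI instead of the dashboard, as an added example that is not part of the original post: it generates a password meeting the requirements described above, creates the new administrator, hands the old admin’s content to that user and deletes the “admin” account. It assumes WP-CLI is installed as `wp` and the script is run from the WordPress root; the username and e-mail in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: retire the "admin" account with WP-CLI (assumes `wp` is
# installed and the script runs from the WordPress root directory).

# Succeed only if the password meets the post's requirements: at least
# 16 characters with lower-case, upper-case, digits and symbols.
check_password_complexity() {
    pw=$1
    [ "${#pw}" -ge 16 ] || return 1
    printf '%s' "$pw" | grep -q '[a-z]' || return 1
    printf '%s' "$pw" | grep -q '[A-Z]' || return 1
    printf '%s' "$pw" | grep -q '[0-9]' || return 1
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || return 1
    return 0
}

# Draw a 24-character password from /dev/urandom; redraw until it passes.
generate_password() {
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*_+=-' </dev/urandom | head -c 24)
        if check_password_complexity "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# Create the new administrator, reassign every post owned by "admin" to it
# (what the "attribute all content" screen does), then delete "admin".
replace_admin_user() {
    new_login=$1
    new_email=$2
    case $new_login in
        admin|Admin|ADMIN) echo "pick a username other than admin" >&2; return 1 ;;
    esac
    new_pass=$(generate_password)
    wp user create "$new_login" "$new_email" --role=administrator \
        --user_pass="$new_pass" >/dev/null || return 1
    new_id=$(wp user get "$new_login" --field=ID) || return 1
    wp user delete admin --reassign="$new_id" --yes || return 1
    # Shown once; store it in your password manager.
    echo "Created $new_login (ID $new_id), removed admin. Password: $new_pass"
}

# Runs only when asked explicitly, e.g.:
#   ./retire-admin.sh --run editor_jane jane@example.com   (placeholder values)
if [ "${1:-}" = "--run" ]; then
    replace_admin_user "$2" "$3"
fi
```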
Congratulations. Basic WordPress Security step #1 is complete. You now have a new username and a complex password. What’s next?
Step 2 – Enable the Protect Module Within Jetpack
Sounds simple, right? That’s because it is.
I’ve already sung the praises of Jetpack, an amazing plugin from Automattic (the company behind WordPress). If you don’t know what Jetpack is or what it can do, read this post. Once you have Jetpack set up, return here.
I have to say some folks don’t like Jetpack. They say it’s too bloated, slows down your website, etc. I beg to differ. Jetpack brings the power of the WordPress.com cloud straight to your website. It may slow down your site slightly (1/10 of a second maybe?), but properly configured, Jetpack does nothing but enhance your website. And in some cases, your site might be faster after setting up the plugin. Get it.
So now that you have Jetpack, all you have to do for this step is enable the Protect module within Jetpack. Hover over Jetpack in the left-hand navigation pane and click on Settings.
Then click Security under the Jetpack subheadings in the middle of the page. Beneath that, turn on the Protect module by clicking the little slider. Enabling the Protect module prevents and blocks malicious login attempts. And it’s free. Do it.
Step 3 – Use Akismet to Reduce Spam
Using Akismet (which comes by default with all WordPress installations) is, in my opinion, necessary. If you’re not using it, you should be. To activate Akismet, either watch the following video starting at 4:45 or do the following:
- Click activate under Akismet on your Plugins page
- Click Activate Your Akismet Account (big button at the top)
- Click Get Your API Key
- Click Get an Akismet API Key
- If you already have a WordPress.com account, click I already have a WordPress.com account
- If you don’t have a WordPress.com account, fill in the pertinent information and you will have one!
- Click Sign Up
- Click Sign Up in the Personal box
- Move the slider on the right side of the screen all the way to the left (to zero dollars) unless you want to donate
- Click Continue
- Copy your API Key to your clipboard
- Return to your WordPress website and paste in the API key
Well done. Akismet is up and running, protecting your blog from email and comment spam. You’re one step closer to locking down your WordPress website and frustrating hackers and spammers.
Remember, if you want video instructions for setting up Akismet, the directions for setting up the plugin begin at the 4:45 mark in the video.
Step 4 – Install the WPBruiser Plugin (or something similar)
For step 4 of our Basic WordPress Security tutorial, we’re going to install a plugin to help Akismet stop the bad bots from bombarding us with comment spam. I’ve tried a variety of captcha plugins, which annoy the heck out of me (and users) so I searched for something different. WPBruiser is the best complement to Akismet that I’ve found and it works perfectly with Jetpack’s contact form.
Go to Plugins and click on Add New.
Do a search for WPBruiser then click on Install Now.
Finally, click Activate.
Once you’ve activated the plugin, feel free to check all the boxes in the Security section.
Also check all the boxes in the WordPress section.
Then check the box next to Jetpack Contact Form in the Contact Forms section. On my site, I left the rest of the options unchanged.
I’ve found that even with sites with severe spam problems, WPBruiser in combination with Akismet works wonders to virtually eliminate the spam.
If you think this plugin isn’t effective or if you’ve found an alternate spam plugin that has low impact on your site’s visitors, I’d love to hear about it.
One more note. I’ve wondered if Jetpack Protect and this plugin overlap in terms of functionality. I have a support request in to WordPress support as I write this and will update this article when I receive a response.
Step 5 – Keep Everything Up to Date
This might seem obvious, but you won’t believe the number of WordPress websites I’ve worked on that are far outdated or are using extremely outdated plugins or themes. This is a huge security risk. Keep your WordPress website updated at all times!
Now I’m going to use what my friend Tim always called The Principle of the Double Knock. He used it to refer to passages in the Bible. “Whenever Jesus says, ‘Verily, verily,’ you better pay attention!” he’d always tell me. “He says ‘verily’ twice to make sure you’re listening.”
So here it is again. Always keep everything updated on your WordPress website. If you want your WordPress website to get hacked, by all means, stop logging in and never update anything. Your site will be easy prey for the losers out there looking for ways to hurt you.
Step 6 – Back Up Everything Regularly
Backing up your WordPress data may seem like another obvious step, but again, many people do not do it. In case of an emergency, having a backup may be your only saving grace. You should use a well-regarded plugin (like UpdraftPlus Backup and Restoration) to be sure your site’s database and files are backed up. UpdraftPlus is nice because it includes tools to automate the process. Simply install and activate the plugin and follow the simple configuration steps.
When I set up UpdraftPlus, I like connecting it to Dropbox for easy storage of backups (storing backups on your server isn’t the best idea; in fact it’s a bad idea). I’ve included directions for setting up UpdraftPlus with Dropbox in the following video (start at the 15:45 mark in the video).
Basic WordPress Security Recap
Let’s recap these quick and easy WordPress security tips.
- set up a strong username and password
- enable the Protect module within Jetpack
- set up and activate Akismet
- install and set up WPBruiser
- update WordPress, all plugins and all themes regularly
- back up your WordPress website regularly
These changes will only take a few minutes to implement and could (will) save you significant trouble down the road. Keep in mind that this list is far from exhaustive; there are many other changes that can be made which will further secure your WordPress website and reduce CPU usage, like straight-up blocking persistent bots in your .htaccess file. If you have questions about how to do that, let me know and I’ll tell you how I do it.
If you found this tutorial on basic WordPress security useful, please share it! Give me a tweet. Give me a like on Facebook. Link to it.
Free Support for Your WordPress Blog
Remember, I provide free support for your WordPress blog. Priority goes to those who have purchased hosting via Inmotion Hosting, the web host I’m an affiliate for. Keep in mind that I only promote the web host that I use. Yes, I use Inmotion to host this website (and all my websites). I’ve been with them for a number of years and my favorite feature, by far, is their responsive, 24/7, knowledgeable, understandable technical support via phone or online chat.
Remember, if you haven’t watched my WordPress tutorials and you have questions, watch the videos first. If you still have questions, let me know and I’ll be happy to help you out. My hope is that with my tutorials you’ll learn WordPress well enough to be self-sufficient.
Keep in mind that I really love helping and connecting with others. So contact me! I look forward to hearing from you.