
As you are probably aware, Lime Canvas is a WordPress agency. Everything we do for our clients and partners in some way involves WordPress. We are also very actively involved in the local WordPress communities in Sydney and Dublin.

As a result I meet people all the time who have built or are building WordPress websites but don’t have as much experience with the CMS as we do. I hear about seemingly small mistakes that get made and then cost the person dearly in time, stress and anxiety.

So below you will find 5 WordPress security tips that you absolutely MUST implement if you have a WordPress website. Believe me when I say that if these tasks seem challenging now, ignoring them will result in a MUCH bigger challenge later on.

Prevention is better than cure as the expression goes.

1 – Do not have admin as your username

Some of the quick installers web hosts provide to set up WordPress will either use “admin” as an example of a username or will actually use it as the Administrator account’s username.

Like drugs – just say no. Every time you say yes to “admin” as your WordPress Administrator account username, somewhere else in the world, a hacker rubs his or her hands in glee and a baby kitten dies.

What your site username(s) are is something you need to check, and luckily it’s quick and easy.

Simply click on the menu item on the left labelled “Users”. This will display a page with all of your users. If you have an “admin” account then you need to set up another account as an Administrator with something else as the username, and then delete your “admin” account.

This is something you should go and do right now if you are uncertain, because by using admin as your username you are reducing a Brute Force Attacker’s workload exponentially. All they need to do is brute force your password.

These Brute Force Attacks on WordPress have been a real problem lately, and although the large scale botnet attacks on WordPress have reduced, these types of attacks are still happening regularly.

2 – Use a secure password

This is so basic, and yet almost without fail new clients that come on board with Lime Canvas have WordPress administrator accounts with passwords that are shockingly weak.

Hint: Your company, or your own, second name with a 1 (or 123) at the end is NOT a secure password.

A secure password is a string of 12 characters which are a mix of lowercase letters, capital letters, numbers and symbols.

I recommend using a password manager that generates (and securely stores) really robust passwords. This one is free and works great on all good browsers (and some of the crappy ones like Internet Exploder).

3 – Make sure you have WordPress backups

Yes, your web host does backups, but you shouldn’t rely on them. Particularly not when it’s so easy to set up your own backup system for free.

For large scale backups, or as a backup solution if you manage a lot of WordPress websites, I would recommend using Xcloner and Amazon S3.

If you just have one or two sites there is a very user-friendly plugin that you can use to back up your WP installation to Dropbox on a schedule. Keep multiple backups.

This will require a Dropbox account but those can be set up for free, so there really is no excuse for not having your own backups.

4 – Install a security plugin

There are a lot of different options available that offer an array of firewall features and functions. At an absolute minimum, whichever one you choose should limit login attempts.

Wordfence Security is probably the most well known and widely used, and would be my personal preference.

5 – Always keep your plugins and themes up to date

This is the first thing most web hosts will blame as the cause of a security breach should one happen to you (whether it is or not!). The updates pushed out by plugin developers regularly fix security holes, so it’s important that you keep your installations up to date at all times.

If you manage a good number of websites this can add up to a good chunk of work. Unless, of course, you are using something like this, which takes all the hassle out of managing your updates.

If you’ve read this post thinking that I’m being overly cautious or exaggerating, please understand that WordPress as a platform is very secure. However, we get a sizable volume of queries every week from people whose sites have been hacked and who are looking for us to provide a WordPress security solution.

Good luck and stay secure!

I’d love to hear from you if you’ve had any experiences with having your WordPress website breached and what your experience was with getting it fixed…