WordPress is open source and free, which is one of the reasons for its popularity. Themes and plugins architecture of WordPress makes it suitable for beginners as well as professionals. But the security of WordPress site should be one of your major concerns as a blogger or webmaster. This article features 8+ Key WordPress Security Tips for Beginners.

WordPress is the most popular open source blogging platform available but it is a target of notorious hackers also. It is very important for all webmasters to keep their WordPress blog secure.

Being an open source blogging platform, It has many protective plugins, functions, and techniques available to save you. These tools can defend your site from various attacks, spam and other threats.

8+ Key WordPress Security Tips for Beginners to Secure WP Site

Following WordPress security tips are the most recommended practices by the pro bloggers to secure WP site

#1 Back-up your site Regularly

First WordPress Security tip on my list is back-up your site regularly. This is one of the important tasks but often overlooked due to various things. Even if you have taken all the appropriate security measures taking regular backups are very important.

WordPress Security Tips - UpdraftPlus

WordPress Security Tips – UpdraftPlus

I would recommend you to use UpdraftPlus WordPress Backup Plugin to take back-ups of your site. You can use this WordPress plugin to automate the backups of your WP site. The plugin allows you to save backup files outside of your server i.e. Google Drive. You can download this plugin from the WordPress repository for free.

#2 Keep your Themes and Plugins Updated

Make sure that you keep your WordPress theme(s), plugins and WordPress updated to the latest updates. These updates actually include security patches and fixes vulnerabilities. Most of the times notorious hackers gain access to an old version of WordPress websites very easily because of available security vulnerabilities.

Keep your Themes and Plugins Updated

Keep your Themes and Plugins Updated

#3 Remove the Un-used Plugins and Themes from WP

Always delete the un-used plugins & themes from your WordPress site which are no longer in use. There’s no sense of keeping them on your server, as it takes up space on server & increases the load.

#4 Change your Default Login Username

Initially, prior to WordPress version 3.0, WordPress used to assigns the administrative account, a username “admin” by default. That’s the reason why ‘admin’ was used as a username on many WordPress sites back then.

However, in the onward version, there is no restriction to use the default username ‘admin’. During the period, hackers launched a series of brute-force attacks at millions of WordPress powered websites, attempting to sign in by pairing the username “admin” with common passwords.

Change your Default Login Username

Change your Default Login Username

Now, let’s learn how to fix it. There are two popular ways you can choose to fix this:

  • Create New Account – The best and simple way to change default username is to add a new user and give admin access to the newly added user. Then you can delete old admin user. It will give you an option to associate all the existing posts to the new account.
  • Change username through PhpMyAdmin – Login to your cPanel and click on phpMyAdmin, then select the database where your WordPress site is hosted. And then navigate to the wp_users table. There you can see all the usernames on your site. You should replace the user_login entry under the account with any unique name.

#5 Hide Login Username

Unfortunately, in WordPress, it is very easy to see the username of WordPress user, all one need is to check the author archive page slug.

As by default, WordPress will show the account username there.

Ex: https://your-domain-name.com/author/user-name/ 

However, to hide your login username there is a simple solution. You can download WP Author Slug plugin to fix this issue. This plugin simply changes the username (author slug or login) with a sanitized version of the user’s Display Name.

#6 Use a Strong Password & Change it Regularly

According to a study, about 8% of the WordPress powered sites are hacked due to a weak password. Passwords consisting of names and correctly spelled words are extremely vulnerable to brute-force attacks, so it would be a wise idea to use a strong password.

A password should be strong and which can’t be guessed. For a strong password always use at least 8 characters containing upper-case, lower-case, Special character and Numbers.  Alternatively, you can use a password generator.

Nowadays, if you use Google Chrome or Safari for browsing, you might have noticed that, while creating an account on any site. Google or Safari automatically offers random passwords. These passwords are very strong to crack and you can save them in your browser for easy to use.

#7 Limit Login Attempts in WordPress

It’s possible to block a suspicious IP trying to hack your WordPress website by limiting the login attempts.

This can be possibly done with the help of plugins like Limit Login Attempts Reloaded WordPress plugin.

This plugin automatically blocks a suspicious IP after it exceeds the login limit, and allows admins to specify how long that suspicious IP address remains blocked.

#8 You should Hide your WordPress Version

You might be aware that the version number of WordPress is included in the metadata of the WordPress theme.

And the installed version of WordPress can be easily checked by viewing a page source header.

Notorious hackers can easily find the installed version of WordPress and exploit it. As the vulnerabilities of previous releases versions are known to everyone through channels.

To hide your WordPress version number, you need to add the following code to your ‘functions.php‘ file:

//Add the below code to Remove version of your WordPress
function wp_ver_remover() {
return '';
}
add_filter ( 'the_generator', 'wp_ver_remover' );

#9 Migrate your site from HTTP to HTTPS

Host and transfer your WordPress site through an encrypted channel will provide another layer of security.
Check with your hosting provider to see if you have an already available SSL certificate with your plan (free or paid).
Then add this line of code at the top of your “wp-config.php” file to force use https everywhere:

define(’FORCE_SSL_ADMIN’, true);

Otherwise, you can use the WordPress HTTPS (SSL) plugin, it allows SSL control of your site.

#10 Disable Server Directory Browsing

Server Directory browsing (if enabled) in your WordPress site is very dangerous. It is comparable to keeping your door always open and inviting the thief to see and steal your wealth inside the house.

A simple way to disable directory browsing in your site is to upload a blank index.html file in all directories and subdirectories except the root. However, modern hosting providers by default disable the server directory browsing.

Wrapping It Up

This is a comprehensive list of WordPress security tips, which should help you to secure your WP site. You can also have a look at the security measures taken by WordPress.org here.

Hope these Key WordPress Security Tips for Beginners would be helpful to secure WP Sites. Do let me know if you find any difficulty to implement these WordPress Security Tips on your site. I would be happy to help.