Basic security for WordPress

When you first start out in this business of setting up and designing websites, everything seems to you to be perfectly functional, practical and unbreakable. But as you gain experience in the sector you realise that all that glitters is not gold:

  • Things don’t always work the way you want them to
  • Websites or parts of them sometimes break
  • An update can worsen a problem you already have

WordPress runs 60% of the websites that use a CMS as their main engine. WordPress is a powerful tool, there is no doubt about that.

However, the fact that WordPress is so well established in the digital world (and the mere fact that the vast majority of the world’s websites run on it) also makes it a tool that hackers frequently attack.

Although there are no computer systems, websites or any system that is infallible (just ask banks and large companies), WordPress is actually quite safe if we follow several rules that help to keep attacks under control.

Reasons why someone would want to attack our website

logo hacker

There are several reasons why someone would want to gain access to the dashboard or server on which a website is running, but there are three main reasons for attacks:

To get money

For example by changing the payment addresses or API’s that we use to monetise our website.

We may realise that something is not right when, after several days without receiving income, we find that the API, the user or the bank account of our monetisation system have been changed.

If you are an e-commerce that sells online and a security breach steals your customers’ credit card numbers, for example, you will lose credibility and users’ trust in your site. If the data leakage is large and/or very sensitive, you may even have legal problems.

To obtain data

Data from users’ sign-ups for example, of websites that monetise their newsletters and need the user to register (so people introduce names, personal data, language, email address…) are a very juicy morsel in the form of a database that is worth the effort.

To elliminate competition

Google penalises websites that do not work properly or that violate the content and quality guidelines set by the company.

You can play dirty against a competitor by fraudulently gaining access to that competitor’s website to abuse the site by adding spam links, creating low quality pages or deleting URL’s on a massive scale that will end up flooding the site with 404 errors with the strategy of making Google believe that it is a junk site.

If the mess is not fixed in time, Google will penalise the website, the website will drop in the SERPS, it will lose visibility and the attacking company will have one less competitor.

Protect your WordPress from attacks

Although WordPress does its best to prevent our website from being sent to the graveyard, we can also do our part to make things difficult for those who want to do so.

If you want to avoid any unpleasant surprises and troubles by seeing your WordPress hacked, get down to work with the following tasks that I mention below.

Choose a good password

A password is not secure because it is longer or has more or less characters, but because it is a combination of both.

cómo elegir una contraseña de wordpress segura

Given the data processing capacity of today’s computers (about 8 billion calculations per second) a password can only be considered secure against brute force attacks (down you will read about it) if it has more than 20 characters and includes lowercase letters, uppercase letters, numbers, special symbols and all of these are combined randomly.

In this post I explain how to design strong and secure passwords and how to manage a large number of unmemorable passwords without going crazy or having to write them down in an excel spreadsheet.

Exactly: Spending time generating good passwords and then pasting them into an excel sheet? Doesn’t sound like a good idea.

Keep the website updated

Updates are not mere whims designed to add more functionality to a theme or plugin. They also fix security holes that can compromise the stability of a website.

Having our WordPress, theme and plugins outdated means earning odds of having an unstable site that is more prone to attacks.

Change your WordPress login address

The default login address for every WordPress site in the world is websitename.com/wp-admin o /wp-login. So if you know that a website is a WordPress you can check if the administrators have changed that login address by adding /wp-admin or /wp-login to the initial URL*.

*You can check if a website works with WordPress in less than a minute by analysing its source code or pasting the URL in a tool like WhatCMS) 

By the way: as you can see the access address to my website is not /wp-admin but another one


By changing the default login address of our WordPress we directly avoid the so-called brute force attacks (randomly testing passwords), as we will see in the next section.

To change the WordPress login address quickly and easily I use a very light and effective plugin: WPS Hide Login.

To change the default login address using WPS Hide Login simply enter the URL you want to use as your login address and tell the plugin what you want to happen when someone wants to access the default login address.

If you forget the login address you set, you will have to deactivate the plugin through the server files and the default WordPress login address will be set again.

Avoid brute force attacks

Brute-force attacks are trial-and-error attacks: randomly trying out passwords until one of them is correct. If the password is weak, we are gaining points for attackers to gain access to our website.

If we have not changed the default access address of our WordPress, as we explained in the previous section, attackers should only point their bots to the access page of our WordPress and program them to test passwords randomly and uninterruptedly.

But there are ways to avoid that someone could be testing passwords without pause: anti-brute force systems.

Plugins to prevent brute force attacks

There are lightweight and effective plugins that block an ip address when it exceeds the number of access attempts you have specified.

Loginizer Brute Force
WPS Limit Login

I use either Loginizer or WPS Limit Login (same developers as WPS Hide Login).

Install one of these systems, program it correctly and you’re done.

Brute force attacks detected on a WordPress that has this system installed. PS: the site is not mine

As you can see in the image above, on average there are one or two login attempts using a random password every 10 minutes or so (and I’ve seen websites with much worse records than this one). The bots attack the default WordPress login URLs (and they also know which is the admin user, easy to get through the author id), which means that if we change that login URL we will avoid these attacks.

In my experience all the WordPress I’ve worked with (ALL of them) are attacked by brute force systems. In other words: whenever I’ve set up a system to log brute force attacks I’ve always ended up getting instant data.

So yes: your WordPress is probably also suffering from an automated system that is testing passwords at this very moment.

Implement a two-step authentication system (TFA)

If you want to go more pro and have a bomb-proof WordPress you can combine all of the above with a Two Factor Authentication (2FA) system.

A 2FA system is the same as what a bank does to confirm a bank transfer: it asks you for your card number and also asks you for the code that was just sent to you by SMS.

The summary of what NOT to do

To put it all in a nutshell, the ingredients for an insecure website are the following:

Use a lame password, or worse, use the same lame password for everything.

Not having our WordPress, themes and plugins properly updated to the latest version

Not changing the default login address of WordPress

Not having a brute force attack rejection system in place

Fixing a disaster

If our website has been hacked and we notice it early on, we must undo all the changes the attackers have made to the systems. However, that can be hard work and often impossible. That is why it is extremely important to work with competent hosting providers who can lend a hand when things go wrong.

I mainly work with Loading.es, for the simple reason that they offer an efficient and very fast customer support system, a user-friendly server management environment and a high-quality backup policy.

Loading.es offers two-click WordPress installation, free SSL and fast SSD hosting from 47€ plus VAT per year. Click on the banner for more information

The backups

Having daily backup copies is key to being able to undo a disaster in the form of a virus, malware or hacking of our website. If we know when the website was hacked, it will be enough to restore a backup of the files and databases to a date prior to the attack.

However, if we do nothing else, the website will probably be attacked in the same way again: we will have to work to implement the necessary security measures to prevent the website from being attacked again.

List of backups available: one every hour