Locking Down Your WordPress Site – Security 101

Locking Down your WordPress Site – Protecting yourself from hackers, bots, and scammers

With recent, high-profile security issues like Heartbleed and the long-time-coming Internet Explorer Day One Bug, security should be at the forefront of any web developer’s mind. How do I keep my site secure? How do I stop hacking attempts? HOW DO I PROTECT MY INTERWEBS?!

The long story short – you can’t protect against every vulnerability out there. Eventually, you will have a security issue. Eventually, you’ll have to deal with bots. Eventually, you’ll have to educate your staff in best practices. That doesn’t mean you should give up, though! Some very basic techniques in security will go a long way to lessening the blow, to the point where a hacking attempt would mean a ten-second annoyance instead of a week-long panic.

Where do vulnerabilities come from?

WordPress is one of the biggest site frameworks out there, and despite what some old-style developers would tell you it alone is extremely secure. With frequent updates and a dedicated community, anyone who has access to the internet can develop their own site, but therein lies the complication… With so many open source developers, hobbyist webmasters, and plugin-based code, there are a million and a half ways your site can be compromised. Let’s go over this very site you see now and talk about the levels of software we’re dealing with.

  1. The webhost’s servers
  2. Your WordPress installation
  3. Your Theme
  4. Your Plugins (take one risk point per plugin, too!)

That’s a lot that could go wrong, so let’s lock them down one-by-one.

Your Webhost

This is the first level of code – typically, you won’t ever have to play with your server-side code or worry about security. If you have any concerns you should contact your host directly – they often have a long list of security measures they take I’m sure they’d be willing to share.

Your WordPress installation

A little higher in risk, WordPress on its own is usually very well guarded. Be sure you keep it up-to-date and follow The Golden Rule of Security (below) and you should be in the clear.

Your WordPress Theme

Now we’re getting somewhere – your WordPress Theme is an extremely variable piece of code. Good theme developers keep their themes as flexible and lightweight as possible, reducing the amount of external code to a minimum. Some general tips when it comes to finding a theme you can trust:

  • Avoid purchasing a one-shot theme from an aggregate site. While ThemeForest has a great selection and absolutely has its place, anyone can post code there and it doesn’t go through any sort of verification.
  • Check the Theme Developer’s reputation before buying. Do they have a site of their own? Do they offer regular updates? Do they have a development blog? How many people have bought the theme beforehand? Do they offer good support? All of these are extremely important questions to ask – if you don’t want to spend the time researching, then you can find some great themes from WooThemes – they’ve got some great themes, great developers, and great support.
  • Keep your theme updated. For the love of god, do it. It’s annoying, sure, but this is a huge, HUGE component.


Probably the most troublesome component of any WordPress install, there’s a lot that can go wrong with plugins. Aside from irregular updates, they can contain poor code or long-term vulnerabilities. Here’s some general guidelines for picking Plugins regarding to security:

  • Only use reputable plugins. Are there two plugins that do the same thing, but one with way more users? Go with that one. It’s easy for someone to clone an existing plugin and insert some malicious code, so play it safe.
  • Do you really need this plugin? The fewer the better.
  • Do I know what this plugin actually does? Read.the.f*cking.manual.

OK, Great! Now what do I do?

On every site I use, I install a security plugin. I’ve got nothing but good things to say about the recently rebranded iThemes Security, install it, read it, set it up. It will secure you against a ton of issues you could come across, and it’s relatively easy to get going. Be sure you follow a setup guide – if you don’t know what something is, then don’t use it.

The Golden Rule of Web Security

Here it is – the real key to keeping your site secure, and the main motivation of this blog post. Day-to-day, I could log into up to a few dozen WordPress installs for sites all around the world, and the common issue keeps making me want to put my head through the wall.


That’s right. Your password. Make it original, make it memorable, make it anything but abc1234. Across the internet, here are some of the most common passwords – if you use any of these, then change them now.

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123
  6. 123456789
  7. 111111
  8. 1234567
  9. iloveyou
  10. adobe123
  11. 123123
  12. admin
  13. 1234567890
  14. letmein
  15. photoshop
  16. 1234
  17. monkey
  18. shadow
  19. sunshine
  20. 12345
  21. password1
  22. princess
  23. azerty
  24. trustno1
  25. 000000

I shouldn’t have to add if your password is the same as your URL or your username, it’s going to spell trouble. I came across an ecommerce site (you know, the ones with your credit cards) that was running off of “admin | admin”… It was a sad day.


Check out Security Part 2, where I go in depth on how to set up your site for maximum protection!

4 thoughts on “Locking Down Your WordPress Site – Security 101”

  1. Why aren’t you suggesting to remove the admin username account and replace with something less typical? I thought that was the Golden Rule of WordPress nowadays.

  2. Good point, Logan! Since that’s a little more advanced, I’ve actually got that planned for a second part where I’d look at specific settings and tricks – this was more of an introduction to all the components ­čÖé I’ll definitely be sure to include it!

  3. Excellent article, thank you. I’ve been seeing recurring attempts of both login and “attempts to access a file that does not exist” coming from the same ip address. I found your article as I was searching for any security measures I may have missed. I do have a question, I have iThemes Security, Acunetix WP Security and Limit Login Attempts all installed. Is this overkill and defeating the purpose, kind of like running 2 AV shields on Windows? Thanks again, I’m definitely looking forward to the next part.

  4. Hi Gene!

    I think it’s probably fine to just run one of those plugins – I like iThemes (a post coming tomorrow actually goes over all the fun iThemes settings!) so I run that as the security plugin for most sites. Running multiple shouldn’t cause a problem if they tend to do things the same way, but if one plugin was to try to take control of something the other monitored, then it could interpret that as an issue and all hell would break loose.

    Some users like some extra security, which is always OK! The free Exploit Scanner plugin acts a lot like an antivirus scan on your computer, but take what it says with a grain of salt. Almost everything you do is stored somewhere in your WordPress database, so it has a lot of room to freak out over nothing.

    Although they have a free version, the premium version of Sucuri is hands down the best security plugin on the market. I insist my larger clients use it, and I’ve never been less than amazed at their product.

    I hope this helps, thanks for reading!


Leave a Comment