How To Secure WordPress. Again

I’ve been using WordPress to power this site for many years now, and I’m not the only one doing that: According to the WordPress Wikipedia article, the Content Management System (CMS) was used by more than 23.3% of the top 10 million websites as of January 2015. That number makes it a prime target for hackers and script kiddies around the world.

WordPress’ security record isn’t exactly great. There are many reasons for that, among them WordPress’ support for extensions like plugins and themes. Many of these plugins and themes are slapped together by developers who have no clue about the importance of securing their code against known vulnerabilities. This has often resulted in many popular extensions being wide open gates into the inner workings of WordPress, making it very easy for bad guys to ruin everyone’s day. WordPress itself also hasn’t been a stranger to having major security vulnerabilities. That it’s written in PHP hasn’t exactly helped, and security wasn’t really something the core developers put much effort into until recent years. But the latter is, thankfully, getting better. The WordPress core is now updating itself automatically, and this feature will be enabled for plugins as well soon.

But even though security has become a focus, both for the core WordPress team and at least some plugin and theme developers, you should still make a bit of an effort to enable additional layers of security to your WordPress site. Most of the work is done, rather ironically, with the help of plugins.

Use strong passwords

One of the easiest things you can do is to use strong passwords. Many attacks against WordPress are simply scripts trying to guess a username and password combination. Because people are really lousy at creating passwords, these attacks are surprisingly effective. So instead of using weak, easy-to-guess passwords, you should use strong ones. But what is a strong password anyway? We are often told that a strong password is a combinations of letters and numbers that are impossible to remember. That is not necessarily the case. The strength of a password isn’t directly related to its complexity, but rather its length.

Instead of trying to explain it here, I’ll let the eminent Randall Munroe of XKCD fame explain it with the comic “Password Strength”:

XKCD by Randall Munroe: Password Strength

Enable two factor authentication

No matter how strong your password is, it’s possible to guess it given enough time and computer power. Since computers are getting more and more powerful every day, the time needed to guess your password also decreases every day. That’s the reason why you need to enable two factor authentication (2FA) on your WordPress login page.

I’ve been rambling on about 2FA at length before, so I’m not going to do that again now. I’ll just repeat that 2FA will save your bacon the day someone manages to guess your password and that there are plenty of plugins that let you add 2FA support on your WordPress site in minutes.

Just do it.

Install a security plugin

There are many WordPress plugin whose sole purpose is to increase the security of your WordPress installation. Among the more popular ones are Wordfence Security, iThemes Security, and BulletProof Security.

They all come with a wide range of features, like automated malware scanning, real-time blocking of known attackers, and even two factor authentication. Personally, I’m using the free version of Wordfence, and I’m particularly pleased with two of its features: E-mail notifications whenever a new version of a plugin I’m using is available, and the login security options it provides. Among other things, Wordfence allows me to automatically block IP addresses that try to log in with common usernames like admin and administrator.

Which security plugin is right for you is hard to tell. A search for “security” in the WordPress plugins repository will show you what’s currently available.

Block unwanted users

Even though Wordfence blocks IP addresses that try to log in with common and unregistered usernames, I’ve decided to take user blocking a step further. I’m the only one logging in to my site, and I’m always logging in from one particular country. So why should IP addresses that are located outside of that country even be allowed to try to log in?

This can be achieved with the premium version of Wordfence, but there are also free alternatives available. I’m using the excellent IP Geo Block plugin, which is even more powerful than Wordfence when it comes to blocking options. Based on a users IP address, it will figure out what country the user is located in and either block or allow the user to see the WordPress login form based on a white- or blacklist of countries.

Pretty nifty, and very effective. Lately, I’ve been spammed with login requests from countries like Russia, Ukraine and Belarus - very common sources of brute force attacks. Their login attempts have failed, but it was still annoying to know that they tried. With the IP Geo Block plugin installed, these users (or rather computers that are running automated scripts) are not even allowed to access the login form.

Final thoughts

No matter how much effort you put into securing your WordPress site, you have no guarantee that you’ll manage to keep everyone out. But when you make it harder for people to get in, chances are they’ll move on to another WordPress site and try to break in to that one instead. There are, after all, a lot of them to choose from. Also, most WordPress attacks are automated attacks looking to exploit known vulnerabilities. If you run a tight ship, secure what you can, and keep WordPress and all of your plugins and themes up-to-date, these automated attacks will most likely bounce off.

That said, you should still plan for disaster. Back up often, and restore your backups regularly to check if they can be restored as expected. You never know when you’ll need them.


This post has no feedback yet.

Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.


It looks like you're using Google's Chrome browser, which records everything you do on the internet. Personally identifiable and sensitive information about you is then sold to the highest bidder, making you a part of surveillance capitalism.

The Contra Chrome comic explains why this is bad, and why you should use another browser.