
How to Secure WordPress Quickly and Easily

Written by Elise Alley on October 13, 2016

Last Updated on October 14, 2016

Knowing how to secure WordPress is one of the most important components of keeping your site safe and protected from hacks. In this post, we cover five quick and easy tips you can use today to secure your WordPress site.


How to Secure WordPress: 5 WordPress Security Tips

1. Delete your “admin” user.

The username “admin” is just a generic name created by WordPress. Because the “admin” username is so well known, it makes it easier for someone to break into your WordPress site.

To remove the admin user, follow these steps:

  1. Create a new user for yourself. It is important to come up with a unique username so that it is more difficult for someone to figure out. (When coming up with your new username, you might also consider how you want your name displayed on the frontend of your site. For instance, if your name is John and that’s how it will be displayed on your posts, using John as your username would not be the best idea.)
  2. Make sure you create a strong password for this user and set the role to admin.
  3. Once you’ve created your new user, log out of the admin user and log into your site with the new user. Then you will be able to go into your users and delete the original admin user.

2. Keep WordPress core and all your plugins and themes up to date.

Updates to WordPress and your themes and plugins often include security updates. Vulnerabilities are found and corrected as quickly as possible in new version releases. Keeping WordPress and your plugins and themes up to date will help prevent vulnerabilities on your site.

When you log in to your WordPress dashboard, you’ll see a notice in the admin bar at the top of the screen with the number of available updates for your site. In the example screenshot below, there are 9 available updates for plugins and themes on this WordPress site.

[Screenshot: WordPress admin bar showing the available updates]

If you manage multiple WordPress sites, use a tool like iThemes Sync for your WordPress maintenance tasks. Sync gives you one central dashboard to update WordPress and all your themes and plugins across all your sites.

3. Delete unused plugins and themes.

It’s also important to remove any plugins and themes from your site that you aren’t actively using. You should be doing WordPress housekeeping at regular intervals to remove any unused plugins and themes. Why? Unused plugins and themes still leave their code on your site, and any vulnerabilities in that code can be exploited by hackers.

When you delete an unused WordPress plugin, also make sure that it is completely removed, from both the site and your database. Some plugins leave information behind in your WordPress database.

4. Periodically update your WordPress salts and keys.

WordPress uses cookies (or information stored in your browser) to verify the identity of logged-in users and commenters.

WordPress also includes secret authentication security keys and salts in your wp-config.php file. A WordPress salt is a random string of data that is combined with the matching WordPress security key in the wp-config.php file when WordPress hashes values such as login cookies. Basically, these WordPress security keys are additional passwords for your site that are long, random and complicated, making them nearly impossible to break.

If you open your wp-config.php file, you’ll see the Authentication Unique Keys and Salts section with seven security keys.


A link is provided in the file which will generate unique salts and keys for your site.


Copy those unique keys and replace the samples in your wp-config.php file.
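
The replace step above can also be scripted. The following Python sketch is an added example, not code from the original post or from WordPress: it flags key and salt constants that still hold the sample value, writes fresh random values, and returns the old values so a record of them can be kept. The 64-character minimum and the constructed `SAMPLE` config are assumptions of the example.

```python
import re
import secrets

# The key/salt constants in wp-config.php, e.g. define('AUTH_KEY', '...');
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])((?:AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(?:KEY|SALT))\1"""
    r"""\s*,\s*(['"])(.*?)\3\s*\);"""
)
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php
MIN_LEN = 64  # assumed minimum length for this example
# Printable ASCII without quotes or backslash, so no escaping is needed in PHP.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")

# Constructed sample input, not a real configuration file.
SAMPLE = """<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define('LOGGED_IN_SALT', 'short-old-value');
"""

def new_secret(length=MIN_LEN):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def audit(config_text):
    """Names of constants still set to the sample value or shorter than MIN_LEN."""
    return [m.group(2) for m in DEFINE_RE.finditer(config_text)
            if m.group(4) == PLACEHOLDER or len(m.group(4)) < MIN_LEN]

def rotate(config_text):
    """Return (new_text, old_values) so the previous values can be recorded."""
    old = {}
    def repl(m):
        old[m.group(2)] = m.group(4)
        return "define('%s', '%s');" % (m.group(2), new_secret())
    return DEFINE_RE.sub(repl, config_text), old

if __name__ == "__main__":
    print("weak before:", audit(SAMPLE))
    rotated, previous = rotate(SAMPLE)
    print("weak after:", audit(rotated))
    print("rotated constants:", sorted(previous))
```

Changing these values invalidates existing login cookies, so every logged-in user has to sign in again afterwards.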

If you want to check out a bit more of the technical explanations of WordPress secret keys and salts, here are a few helpful resources:

  • The WordPress Codex – Security Keys
  • The WordPress Codex – Cookies
  • Wikipedia: HTTP cookie
  • PHP: Cookies
  • SSL and Cookies in WordPress 2.6

5. Ensure all users are using strong passwords.

Strong passwords are ones that are difficult for someone to guess and make it harder for brute force attacks to be successful.

When you create your password, be sure to keep these things in mind:

  • You want the passwords to include both alphabetic and numeric characters, not just one or the other.
  • You don’t want the password to be a word that could be found in the dictionary.
  • You want the password to be long; the shorter the password, the easier it is to figure out.
  • You don’t want to use any variation of your name, company name or website name.
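
An added example (not from the original post) that checks a candidate password against the four points above, including look-alike substitutions such as “J0hn” for “John”. The word list, the `personal_terms` parameter and the 12-character minimum are assumptions made for the example.

```python
import re

# Constructed sample word list; in practice load a real dictionary file.
DICTIONARY = {"password", "welcome", "dragon", "sunshine", "wordpress"}
# Undo common character substitutions (0 -> o, 1 -> i, 3 -> e, ...).
LEET = str.maketrans("013457@$!", "oieastasi")

def normalize(text):
    """Lowercase, undo common substitutions, and drop everything but letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def check_password(password, personal_terms, min_length=12):
    """Return the list of rules from the tip above that the password breaks.

    personal_terms: names to avoid (your name, company name, website name).
    min_length: assumed threshold; the article only says "long".
    """
    problems = []
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and digits")
    if len(password) < min_length:
        problems.append("too short")
    core = normalize(password)
    if core in DICTIONARY:
        problems.append("dictionary word")
    for term in personal_terms:
        needle = normalize(term)
        if len(needle) >= 3 and needle in core:
            problems.append("contains a variation of %r" % term)
    return problems

if __name__ == "__main__":
    for candidate in ("P4ssw0rd", "J0hnsBakery2016!", "vK9tq2LmXw7rBe"):
        print(candidate, "->", check_password(candidate, ["John", "Johns Bakery"]))
```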

Coming up with a complicated and strong password can be difficult on your own. However, there are many tools available to help you with this.

  • Strong Password Generator – Strong Password Generator creates strong passwords for you and allows you to determine the length of the password, whether or not to avoid punctuation used in programming and more.
  • LastPass – LastPass can not only generate strong passwords for you but can store them in their vault, saving you from having to save them somewhere where someone else can find them.
  • 1Password – 1Password, similar to LastPass, both generates strong passwords and stores them for you.

It is especially important for all admins on the site to have a strong password. If their account is hacked, the hacker gets complete access to your admin dashboard as well. However, it’s also important that all users on the site have a strong password.

Consider Using a WordPress Security Plugin to Secure Your WordPress Site

These steps are a quick and easy way to start securing your WordPress site, but we also recommend you use a WordPress security plugin, such as iThemes Security Pro, to help secure WordPress.

Many of the best ways to secure your WordPress site can be more easily addressed by using a WordPress security plugin than by doing it manually. With a plugin like iThemes Security Pro, you can quickly change your WordPress salts and keys, enforce WordPress password security, activate WordPress two-factor authentication and more.

The iThemes Security plugin also includes a WordPress security check to run an audit of your site’s security status.


Have More Questions on Securing Your WordPress Site?

If you have more questions on how to secure WordPress, leave a comment below or iThemes Community members can open a support ticket from the iThemes Help Desk.


Elise Alley

Elise likes to say she supports the support team here at iThemes. Her job is to make sure the support team has everything they need and to help them out any way she can. When not working, Elise spends time with her two dogs (Iggy Pup and Bowie) and her cat (Indie), her three nephews or her “little sister.” She has an English Literature degree and still spends a lot of her time reading, especially the classics. She also enjoys baking treats for the iThemes office!

Comments

  1. Mike Houghton says:
    October 13, 2016 at 11:22 am

    A word of warning about resetting salts. It’s obviously good advice with one _huge_ caveat: some applications use wp_hash() for their own purposes, storing hashed values to check against later or passing them on to third parties over an API.

    (Please note that the following information was correct recently but may be incorrect at the time of reading)

    One notable example is GravityForms, which seems to use wp_hash() for a PayPal transaction ID. When it gets this transaction ID back from PayPal (e.g. with subscriptions), it rehashes the key data and compares them.

    If you change your salt, these values will no longer match, and your notification hooks will stop firing.

    So keep this in mind when changing salts. And keep a record of all the prior salts you’ve used, just in case!
