Websites By Liz

Web Design for Small Businesses

WordPress Security

You may not be aware of how often hackers attempt to access your WordPress website. I get notifications several times a week that one of my clients’ websites is under a brute force attack. These aren’t the big-time attacks that happen to high-traffic sites like Target. They usually last under 500 attempts, so as long as you have some basic security measures in place, they’re likely to move on to another site that’s easier to hack.


You might think it’s no big deal for a hacker to know your username as long as they don’t have your password. But if they know your username, they’re already halfway to having your full login credentials. Your username should never be “admin”, nor should it be your first name or any other word that’s easy to guess. When I set up sites I usually use admin *in* the username but include other letters that would be difficult to guess.

Also, your username shouldn’t be visible. When you’re logged in to your admin section, go to Users > Your Profile and make sure the line “Display name publicly as” is something different than your username. Your company name or your first name are usually appropriate.


Of course, ALWAYS make sure your password is long and difficult to guess. It should include symbols, numbers and letters, lowercase and capital. I usually use a long, 20-digit or more random password. Here are just a few password attempts that my security plugin once recorded over the course of just a few minutes: passwd, 555, top, low-cost123, 12345678, 888, ASDZXC, theman, 666999, zxczxc, internet, adminpass, buster, 232323, coffee, PASS, dog, !QWERTY, 123abc, asdfg, qweqweqwe, as well as lots of common first names and, surprisingly, many swear words… you get the idea. Never use a person’s name, even if it’s followed by a number. Never use any real words, even scrambled using numbers and symbols, such as @ = a, 5 = s or 3 = e. And don’t use keyboard patterns like “qwerty” or “zxcv”.
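The rules above can be turned into an automatic check. The sketch below is an added example, not part of the original post or of any plugin it mentions: it undoes the symbol swaps before looking for words, so a password like "C0ff33!2024" is still recognised as "coffee". The word list, the extra substitutions beyond @, 5 and 3, and the four-key pattern length are assumptions made for illustration.

```python
import re

# Substitutions named in the post (@ = a, 5 = s, 3 = e); the rest are assumed extras.
LEET = str.maketrans({"@": "a", "5": "s", "3": "e", "0": "o", "1": "l", "$": "s", "!": "i"})
# Constructed sample wordlist (some guesses quoted in the post, plus a name).
# A real check would load a full dictionary and a breached-password list.
WORDS = {"passwd", "password", "internet", "coffee", "buster", "dog", "admin", "pass", "john"}
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 20  # the post recommends 20 or more
CLASSES = {"lowercase": r"[a-z]", "capital": r"[A-Z]", "number": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}


def has_keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEY_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def words_in(pw):
    """Sample words found in pw, before or after undoing leetspeak substitutions."""
    forms = (pw.lower(), pw.lower().translate(LEET))
    return sorted(w for w in WORDS if any(w in f for f in forms))


def check_password(pw):
    """Return a list of rule violations; an empty list means every rule passed."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for name, pattern in CLASSES.items():
        if not re.search(pattern, pw):
            problems.append("no " + name)
    if has_keyboard_run(pw):
        problems.append("keyboard pattern")
    for w in words_in(pw):
        problems.append("contains word: " + w)
    return problems


if __name__ == "__main__":
    for sample in ("C0ff33!2024", "!QWERTY", "vT9#kRw2&mZq7^bXn4*Lh"):  # constructed inputs
        print(sample, "->", check_password(sample) or "ok")
```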

Other Users

Make sure every user that has access above “subscriber” follows these rules, and unless your website requires it, uncheck the box next to “anyone can register” in General Settings.


WordPress is made up of the WordPress core files, a database, theme files (the design of the site) and plugins. Keep WordPress, your theme and all plugins up to date. Hackers find and exploit security holes in the above components of your site, so you need to keep them up to date. Sometimes your theme or a plugin might have had some customization done to it, so always check with your web designer first!


One plugin that can be installed quickly with little to no setup is Limit Login Attempts. This plugin has put a stop to brute force attacks on many of my clients’ sites. So much so that whenever I get a notification, I go and install that plugin on the site right away.

One of my newest favorite plugins is called Sucuri. With a little bit of a learning curve it walks you through the process of “hardening” your site. It also records all login attempts and changes to the site (when you publish a blog post or edit a page, etc.) and will notify you via email if you want it to. Plus post-hack tools, just in case. Sucuri also has a paid proxy service that’s optional if you want a little extra security.

As always, it’s a good idea to back up your site regularly. A plugin called BackUpWordPress will allow you to run automatic backups on a schedule you set up or you can run them manually… Just in case anybody does get in and ruins your site. It happens.

Final Notes

Earlier this year I offered a security review to my clients. For those who accepted, the above have already been covered. If you’re interested in help or more information, drop me a quick note.
