This post is more than three years old so may contain incorrect information, or opinions I no longer hold.

How To Secure WordPress

11 Jul 2018 | ~6 minute read

WordPress is used absolutely everywhere; there are over 76 million WordPress sites across the Internet. This popularity makes WordPress a large target for attack, so knowing how to secure WordPress is extremely important.

This very site uses WordPress, so I thought I’d share some tips on how to secure WordPress to ensure you don’t end up being the unfortunate admin that owns one of the many compromised WordPress sites that are out there.

Use Obscure Credentials

I’ve spoken about why your password is probably crap before, as well as password managers, but I’m not just talking about passwords here. Setting an obscure username will also improve your security.

For example, this is my personal site and my name is obviously Kev. So logic would dictate that having a username such as admin, or kev, would be pretty simple to guess. Any threat actor worth their salt would guess usernames like kev, quirk, kevq, kevquirk, admin, administrator etc.

Having a random string as a username does increase security – it’s almost like turning your username into a second password. If you’re using a password manager (like Bitwarden), then it doesn’t matter if your username is kev or {G%TD}P_)+@QRG/T, as the username and password are auto-populated anyway.

Use 2 Factor Authentication

So you now have an obscure username and password. The next thing is to make your credentials even more secure by enabling 2 factor authentication (2FA).

If you don’t know, 2FA is an additional method of authentication whereby after entering your username and password, you will be prompted to enter a 6 digit code that changes every 30 seconds. These codes are usually generated by an app that you have on your mobile device.

The rationale being that the first factor of authentication is something you know – your username and password, and the second is something you have – your mobile device with a temporary code on it.

Adding 2FA to your WordPress site dramatically increases the security of your login credentials. So even if your username and password were admin and password123, an attacker would still need the 6 digit code from your phone to log in.

DO NOT use admin and password123 as your username and password!
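How a 6 digit code is derived from a shared secret and the clock, as an added example that is not code from this post or from the plugin. It assumes the plugin uses the standard TOTP algorithm (RFC 6238) with HMAC-SHA1, which the post does not state; the demo secret is the RFC's published test key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 test key, base32-encoded the way an
# authenticator app receives it from the QR code. Never use it for real.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, step=30, digits=6):
    """Return the code for the 30-second window that contains unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = max(int(unix_time), 0) // step       # number of elapsed windows
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, step=30, window=1):
    """Server-side check: accept the current window plus/minus `window`
    steps to tolerate clock drift, comparing in constant time."""
    return any(
        hmac.compare_digest(
            totp(secret_b32, unix_time + d * step, step).encode(),
            submitted.encode(),
        )
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted:", verify(DEMO_SECRET, code, now))
```

A code captured by someone else stops working once the server's acceptance window has passed, which is why it adds protection on top of a static password.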

To enable 2FA to secure WordPress, you will need to install a 2FA plugin. I would recommend this plugin. Once installed, go to the Two Factor Auth menu item in WordPress, scan the code with the 2FA app in your mobile device and you’re ready to go with 2FA on your WordPress site.

The next time you log on, you will be prompted for your 2 factor code after you have entered your username and password.

Restrict Access to Admin Pages

By now you should have an obscure username and password, as well as an ever rotating 2FA code that is required before someone can log in. But why not make it so only authorised people can even access the admin pages, never mind log in?

That’s what we’re going to do now. The entire admin interface is stored in the wp-admin folder within your WordPress directory. If you’re running Apache on your web server (most people are), you can add a file called .htaccess to the wp-admin folder to limit access to your admin pages to certain IP addresses only.

To do this, paste the following code into a text editor and save it as .htaccess (the leading dot is very important).

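order deny,allow
deny from all

# Home IP address (xxx.xxx.xxx.xxx is a placeholder, replace it with your own)
allow from xxx.xxx.xxx.xxx

# Office Wi-Fi
allow from xxx.xxx.xxx.xxx

# Server IP address
allow from xxx.xxx.xxx.xxx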

Next, edit the file as needed to include the public IP address of your server, as well as any other IP addresses you wish to be able to access wp-admin. In my config, I have my home IP, the wi-fi in my office, and of course the server itself.

You need your server IP in there so your server is able to communicate with the admin interface on your site. This is important when it comes to updating WordPress, among other things.

Once your .htaccess file is complete, upload it to the wp-admin folder within your WordPress directory. To test, try logging in to your site using your mobile 4G connection – you should get an error message saying access is forbidden.

Finally, you need to lock down the wp-login.php file in the same manner, so only authorised users can access the login page too. To do that, edit the .htaccess file that’s in the root folder of your WordPress site, and add the following above where it says # BEGIN WordPress:

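<files wp-login.php>
  order deny,allow
  deny from all

  # Home IP address (xxx.xxx.xxx.xxx is a placeholder, replace it with your own)
  allow from xxx.xxx.xxx.xxx

  # Office Wi-Fi
  allow from xxx.xxx.xxx.xxx

  # Server IP address
  allow from xxx.xxx.xxx.xxx
</files>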

Remember to update your IP addresses in the same way as you did previously.
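Before uploading, the rules can be evaluated offline to confirm which clients get in and that no allow line was left empty. This is an added example, not code from the post: the addresses are constructed from documentation-only ranges, and it handles only full addresses, CIDR ranges and the keyword all.

```python
import ipaddress

# Constructed sample using documentation-only address ranges (RFC 5737).
SAMPLE = """\
order deny,allow
deny from all
# Home IP address
allow from 203.0.113.10
# Office Wi-Fi
allow from 198.51.100.0/24
# Server IP address
allow from 192.0.2.5
"""


def parse_rules(text):
    """Return (order, deny_list, allow_list); raise ValueError on a bad line."""
    order, rules = None, {"deny": [], "allow": []}
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":      # comments and <files> wrappers
            continue
        words = line.lower().split()
        if words[0] == "order" and len(words) == 2:
            order = words[1]
        elif words[0] in rules and words[1:2] == ["from"]:
            if len(words) == 2:              # template uploaded without an IP
                raise ValueError(f"line {num}: '{line}' has no address")
            rules[words[0]] += ["all" if w == "all"
                                else ipaddress.ip_network(w, strict=False)
                                for w in words[2:]]
        else:
            raise ValueError(f"line {num}: unsupported directive '{line}'")
    return order, rules["deny"], rules["allow"]


def is_allowed(text, client_ip):
    """Evaluate the rules for one client the way the Order directive does."""
    order, deny, allow = parse_rules(text)
    ip = ipaddress.ip_address(client_ip)
    hit = lambda nets: any(n == "all" or ip in n for n in nets)
    if order == "deny,allow":    # default allow; an Allow match overrides Deny
        return not hit(deny) or hit(allow)
    if order == "allow,deny":    # default deny; a Deny match overrides Allow
        return hit(allow) and not hit(deny)
    raise ValueError("missing or unsupported Order directive")
```

On Apache 2.4 these directives are provided by mod_access_compat; the native equivalent of an allow line is Require ip.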

Update & Backup

We’re pretty secure at this point. Our credentials are good, and no unauthorised IP addresses can access our login/admin pages. However, there’s still more that we can do…

Updating and backing up may seem obvious, but so many people fail to do this most basic of tasks. Updates to WordPress often include patches to security vulnerabilities, so it is very important to ensure you’re always fully up to date.

I used to write for a fairly large technology blog; the first time I logged in to their admin interface, I was astonished to see that they were using a version of WordPress that was over 1 year out of date!

If that update icon is available in your WordPress admin interface, make sure you click it ASAP. It only takes a minute to update WordPress and it could potentially prevent you from being the next defaced site.


Let’s say all of the steps above somehow fail, and your website gets hacked; or maybe you just deleted something by mistake. It’s always a good idea to have backups.

Personally, I recommend UpdraftPlus, which allows you to take regular backups automatically. You can even upload them to remote sites, such as an FTP server, Dropbox, Amazon S3 and many more.

I’ve used UpdraftPlus for years, and have had to restore from it on numerous occasions. It’s often the first plugin I install on a fresh WordPress site.

If you do use UpdraftPlus, and get use out of it, think about upgrading to the pro version so you help the developers out. We wouldn’t want to see this awesome plugin disappear!

Remove Version Information

You may not know this, but by default WordPress displays version information within your page’s source code. This means that any potential threat actors would know what version of WordPress you’re running, and therefore which vulnerabilities may affect your site.

Let’s remove that crucial piece of information from all facets of your site. There are a number of ways to do this, but the easiest (and least technical) way of doing this is to install the Remove WordPress Version plugin.

Once installed and activated, it will automatically remove all version information from your website, so threat actors will no longer have the upper hand.
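To confirm the version really is gone, check saved page and feed source for it. This is an added example, not code from the post or the plugin: it looks in three places WordPress core emits its version by default (the generator meta tag, the feed generator element, and the ver= parameter on asset URLs), and the markup, example.com and version 4.9.7 are constructed sample values.

```python
import re

GENERATORS = {
    "meta generator tag": re.compile(
        r'''<meta\s+name=["']generator["']\s+content=["']WordPress ([\d.]+)''',
        re.I),
    "feed generator element": re.compile(
        r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>", re.I),
}
# Asset URLs ending in a ver= query parameter, e.g. style.css?ver=4.9.7
ASSET = re.compile(r'''(?:src|href)=["']([^"']*[?&]ver=([\d.]+))["']''', re.I)

# Constructed markup: page head plus one feed line, before and after cleanup.
BEFORE = """
<meta name="generator" content="WordPress 4.9.7" />
<link rel='stylesheet' href='https://example.com/wp-includes/css/dashicons.min.css?ver=4.9.7' />
<script src='https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
<generator>https://wordpress.org/?v=4.9.7</generator>
"""
AFTER = """
<link rel='stylesheet' href='https://example.com/wp-includes/css/dashicons.min.css' />
<script src='https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
"""


def find_version_leaks(markup, wp_version):
    """Return (source, detail) pairs for every place the core version shows.

    wp_version is the version you know you are running; asset URLs are only
    reported when their ver= value equals it, because bundled libraries
    such as jQuery carry their own unrelated version numbers.
    """
    leaks = []
    for source, rx in GENERATORS.items():
        leaks += [(source, found) for found in rx.findall(markup)]
    leaks += [("asset ver= parameter", url)
              for url, ver in ASSET.findall(markup) if ver == wp_version]
    return leaks


if __name__ == "__main__":
    for label, markup in (("before", BEFORE), ("after", AFTER)):
        print(label, find_version_leaks(markup, "4.9.7"))
```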


Now you know how to secure WordPress, go forth and stop those bad guys! If you have any additional tips on how to secure WordPress, please do share your thoughts in the comments below.
