
WordPress Security 101 – Securing Your WordPress Installation

WordPress Security 101

By one widely quoted estimate, roughly 37,000 websites are breached every day. WordPress runs a majority of the websites that use a content management system (BuiltWith puts its share at no less than 53% of CMS-based sites), so a large share of those breaches land on WordPress blogs. Don’t leave anything to chance: your blog is only as secure as the practices you actually follow.

(Figure: CMS usage share across websites. Source: BuiltWith)

We’re launching a five-part series of articles on WordPress security in the cloud, to walk through security practices that are doable whether you are a beginner or a seasoned WP blogger.

Without further ado, here are the first steps toward a solid foundation for your WordPress security.

Securing Your WordPress Installation

#1. Change Your admin Username

Security journalist Brian Krebs recently reported that an Equifax Argentina website used by its employees to manage consumer credit-report disputes accepted admin/admin as its username and password. That, ladies and gentlemen, is how you should NOT manage security.

So, the first thing to do when setting up a WordPress installation is to get rid of the default admin username. WordPress does not let you rename an existing account from the dashboard (the profile screen states that usernames cannot be changed), so the procedure is to create a replacement administrator and delete the original:

  1. Go to your admin Dashboard → Users → All Users; the list shows your current account as admin.
  2. Click Add New → fill in a username that is hard to guess, an e-mail address not used by another account, and a strong password → set the Role to Administrator → click Add New User.
  3. Log out, then log back in as the new user (WordPress will not let you delete the account you are currently using).
  4. Go to Users → All Users, hover over the old admin user and click Delete. On the confirmation screen choose “Attribute all content to” and select the new user; otherwise every post and page written by admin is deleted along with the account.

Tip: don’t display the new username publicly. Open the new user’s profile, set a Nickname, and choose it under “Display name publicly as”; bylines and comments then show the nickname instead of the login. Be aware that this only hides the login from casual readers: the author archive URL (/author/<slug>/, which /?author=<id> redirects to) and the REST API’s users endpoint still expose the account’s slug, which WordPress derives from the username unless it is changed. The real protection is a strong password plus two-factor authentication, not the hidden name.
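
As an added example (my code, not the article’s and not part of any plugin named here), the same replacement can be scripted for a site you manage from the command line. Run it with WP-CLI so that WordPress is loaded: wp eval-file replace-admin.php. The new login, e-mail address, slug and display name are placeholders.

```php
<?php
/**
 * replace-admin.php: added example, not code from the original article.
 * Run as   wp eval-file replace-admin.php   so WordPress and WP-CLI are loaded.
 * The login, e-mail address, slug and display name below are placeholders.
 */

// wp_delete_user() is defined in an admin-only include; load it explicitly.
require_once ABSPATH . 'wp-admin/includes/user.php';

$old = get_user_by( 'login', 'admin' );
if ( ! $old ) {
    WP_CLI::error( 'No user with login "admin" exists; nothing to do.' );
}

$new_login = 'site-owner-7f3a';                 // placeholder: pick something unguessable
$password  = wp_generate_password( 32, true, true );

$new_id = wp_insert_user( array(
    'user_login'    => $new_login,
    'user_pass'     => $password,
    'user_email'    => 'owner@example.com',     // placeholder; must be unique per user
    'role'          => 'administrator',
    // The public author slug defaults to the login and shows up in
    // /author/<slug>/ URLs and in the REST API users endpoint, so give it a
    // value that reveals nothing about the login.
    'user_nicename' => 'editorial-team',
    'nickname'      => 'Editorial Team',
    'display_name'  => 'Editorial Team',
) );
if ( is_wp_error( $new_id ) ) {
    // Typical cause: the login or the e-mail address is already in use.
    WP_CLI::error( $new_id->get_error_message() );
}

// Delete the old account and reassign its posts and pages to the new one.
// Without the second argument WordPress deletes the content with the user.
wp_delete_user( $old->ID, $new_id );

WP_CLI::success( sprintf(
    'Created administrator %s (ID %d) and removed "admin" (ID %d).',
    $new_login, $new_id, $old->ID
) );
WP_CLI::log( 'One-time password (change it after the first login): ' . $password );
```

Afterwards, confirm the result from outside: /?author=1 should no longer resolve to an author page, and the new account’s archive should appear only as /author/editorial-team/ with the display name in bylines.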

#2. Enable Two-Factor Authentication

Don’t underestimate the persistence hackers apply to hijacking WordPress blogs: password guessing against wp-login.php is constant background noise. Adding two-factor authentication is as important as replacing the admin username, so by all means do it.

The easiest way to enable two-factor authentication in WordPress is the miniOrange Google Authenticator plugin (despite the name it works with any TOTP authenticator app). Alternatively, you can use Sucuri, which is a more comprehensive protection service for WordPress blogs. Whichever you choose, make sure it covers every login path and not just the wp-login.php form: XML-RPC (see #7) authenticates with a username and password alone, so a plugin that only guards the form leaves that door open.

#3. Install CAPTCHA

A CAPTCHA slows down the bots that hammer your login, registration and comment forms. It raises the cost of automated password guessing and spam registrations; it does not stop traffic from reaching your server, so it is not a substitute for rate limiting or a firewall.

The CAPTCHA WordPress plugin is one of the easiest ways to add a captcha to the registration, login, comment, contact and other forms. It offers granular controls: you can whitelist users and IP addresses, and choose the type of challenge.

#4. Install Spam Protection for Comments

Spam comments aren’t just annoying; they bog down your site with junk and carry malicious links. So, by all means, protect your blog from them. The Akismet plugin does that, free of charge for personal blogs (commercial sites need a paid plan).

#5. Hide Your WordPress Version Number

Always update your WordPress installation as soon as a new version is released; that is the control that actually matters. Hiding the version number from public display is a small extra: it stops the laziest scanners from matching your site to the exploits known for that version, but it fixes nothing, and the version still leaks elsewhere (readme.html in the web root, the ?ver= query string on core scripts and styles) unless you handle those too.

To hide the version number from public display you’ll need a backup of your blog first: a typo in functions.php takes the whole site down with a blank page, and the backup is how you recover. Once you have a current backup:

  1. Go to Appearance → Editor → Theme Functions (functions.php) → type the following:


  2. Click Update File.

This filter stops WordPress from printing its version number in the page head and feeds for everyone to see. Note that edits to a theme’s functions.php are overwritten when the theme updates; put the snippet in a child theme or in a must-use plugin (a file under wp-content/mu-plugins/) if you want it to last.
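
As an added example (my code, written for this edit and not the article’s own snippet), here is the version-hiding filter packaged as a must-use plugin, extended to strip the ?ver= query string that core appends to its own assets. The file name and the hwv_ function prefix are my choices.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example)
 *
 * Added example, not code from the original article. Save it as
 * wp-content/mu-plugins/hide-wp-version.php: must-use plugins load on every
 * request without activation and are not touched by theme updates, which is
 * what happens to snippets placed in a theme's functions.php.
 */

// 'the_generator' feeds both the <meta name="generator"> tag in the HTML head
// and the <generator> element in the RSS/Atom feeds, so one filter covers
// both. '__return_empty_string' is a core helper that simply returns ''.
add_filter( 'the_generator', '__return_empty_string' );

// Core appends ?ver=<WordPress version> to the URLs of scripts and styles
// that are enqueued without an explicit version. Remove that argument only
// when it equals the core version, so themes and plugins keep their own
// cache-busting versions untouched.
function hwv_strip_core_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        wp_parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'script_loader_src', 'hwv_strip_core_version', 15 );
add_filter( 'style_loader_src', 'hwv_strip_core_version', 15 );

// Nothing here touches readme.html in the web root, which still states the
// version: delete that file or deny it at the web server.
```

After saving it, fetch the home page source and the feed from outside and check that no generator tag or ?ver= argument carrying the core version remains; that confirms the filter is loading before moving on.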

#6. Turn Off WordPress API

The WordPress REST API (served under /wp-json/) is useful for developers who build custom applications on top of their blogs, and since WordPress 5.0 the block editor itself runs on it. It also widens the attack surface for anonymous visitors: without logging in, anyone can list accounts through /wp-json/wp/v2/users, which hands a password-guessing tool the user slugs and display names to try, and the API has had flaws of its own (the unauthenticated content-injection bug fixed in WordPress 4.7.2). What it does not do is bypass WordPress authentication or multi-factor authentication: authenticated REST requests use the same logged-in session as the dashboard.

So, unless you actively deploy custom applications against your blog, restrict the API to logged-in users rather than switching it off entirely (a full disable breaks the block editor and any plugin that uses the API). The Disable REST API plugin does this by default: unauthenticated requests are refused, while logged-in users keep access.

#7. Turn Off XML-RPC

By default WordPress ships with XML-RPC enabled (xmlrpc.php), which lets desktop and mobile clients publish to your blog remotely. The bad news is that it is also an attack vector: every call carries a username and password, so it is a brute-force channel that skips any two-factor check bound only to the login form; the system.multicall method lets a single HTTP request test hundreds of passwords; and pingback.ping can be abused to make your server send requests to targets an attacker chooses. If you do not publish remotely, disable it. Note that the Jetpack plugin and the WordPress mobile apps rely on XML-RPC, so disabling it breaks them.

The easiest way to do so without touching code is the Disable XML-RPC plugin. A rule in the web server that denies requests to xmlrpc.php is stronger still, because the request never reaches PHP.
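
Added example covering both #6 and #7 (my code, not the article’s and not taken from the plugins named above): a must-use plugin that limits the REST API to logged-in users and neutralises XML-RPC. The file name, the rah_ function names and the error text are my choices.

```php
<?php
/**
 * Plugin Name: Remote API hardening (added example)
 *
 * Added example, not code from the original article or from the plugins it
 * names. Save as wp-content/mu-plugins/remote-api-hardening.php.
 */

// --- #6 REST API: logged-in users only ------------------------------------
// 'rest_authentication_errors' runs before any REST route is dispatched.
// Returning a WP_Error makes the server answer with that status and skip the
// route entirely; returning the value unchanged lets the request through.
function rah_require_rest_login( $result ) {
    // true or a WP_Error means another callback already ruled; keep its verdict.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    // Cookie sessions (dashboard, block editor) are established before this
    // point, so logged-in tooling keeps working while an anonymous request to
    // /wp-json/wp/v2/users gets a 401 instead of the account list.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'rah_require_rest_login', 99 );

// --- #7 XML-RPC: refuse logins, drop pingbacks, stop advertising ----------
// Disables every XML-RPC method that takes a username and password: the
// channel that lets system.multicall test many passwords per HTTP request and
// that a login-form-only 2FA plugin never sees.
add_filter( 'xmlrpc_enabled', '__return_false' );

// pingback.ping needs no credentials, so it survives the filter above; it is
// the method abused to make the site fetch attacker-chosen URLs.
function rah_drop_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'rah_drop_pingback_methods' );

// Stop announcing the endpoint: the X-Pingback response header and the RSD
// <link> in the HTML head both point scanners straight at xmlrpc.php.
function rah_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'rah_remove_pingback_header' );
remove_action( 'wp_head', 'rsd_link' );
```

Check it from outside once saved: an anonymous GET of /wp-json/wp/v2/users should now return HTTP 401, and an XML-RPC call such as wp.getUsersBlogs should fail with the core message “XML-RPC services are disabled on this site.” Some contact-form and e-commerce plugins submit anonymous requests through the REST API; test them, and if one breaks, exempt its route namespace inside rah_require_rest_login rather than removing the rule. Denying xmlrpc.php in the web server remains the stronger control, since a request blocked there never starts PHP.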

Bonus Tip: How to Choose Secure PlugIns


The WordPress repository is a treasure trove of free and inexpensive plugins and themes that let you build impressive websites without deep technical skills. However, plugins are written by people, and people make mistakes: in one survey of hacked site owners, 55.9% attributed the breach to a plugin vulnerability.

Plugins submitted to the WordPress.org directory are reviewed before they are first listed, but later updates are not individually reviewed, so always apply common sense when installing new ones. Here are three tips that should help you choose robust and secure plugins:

  1. Always read user reviews: install plugins with positive feedback and a high rating. Be wary of plugins published very recently, since their vulnerabilities may not have been found yet, and steer clear of plugins that appear barely used or out of date (check the “Last updated” and “Tested up to” fields on the plugin page).
  2. Read the accompanying documentation – polished and thorough documentation is a sign of a mindful, detail-oriented and conscientious developer.
  3. Research the developer – developers with a positive track record of releasing popular plug-ins are more likely to produce a solid and secure product than newcomers.

In the next WordPress security 101 roundup, we’ll discuss the following topics:

  • Good password hygiene
  • Protecting your password from unauthorized reset
  • Locking out multiple sign-on attempts
  • Restricting user permissions
  • Enforcing the use of strong passwords by your users
  • Logging out idle users

Since there’s never any one step to securing the entirety of your WordPress blog, we’ll be covering the essential topics step-by-step. Hope you find these tips helpful!

Stay tuned for more security tips from the WordPress guru Alex Grant.


Established in 2009, CloudTweaks is recognized as one of the leading authorities in cloud connected technology information, resources and thought leadership services.
