November 14, 2015

Don’t Get Hacked: 6 Easy Ways to Secure Your WordPress Site in Minutes

If you have a WordPress website, you need to secure it. After all, hackers gonna hack.

It’s easy to say that you need strong website security, but it’s tough to know how to implement it, especially if you’re a beginner. There is plenty of information out there about the myriad things you can do to secure your site, but much of it is very technical and can be difficult for a non-technical site owner to implement.

There are some basic things you can do, though, that aren’t hard to understand at all and will start you on your way to making your website as secure as possible.

#1. Choose a strong password

A weak password is the #1 target for hackers. One big reason why we make up simple passwords is because they are easy to remember. Of course, if they’re easy to remember, they are even easier to hack.

We recommend this tip to create an easy-to-remember but hard-to-crack password: make your password a collection of four random words. To make it even more secure, try adding 4-6 numbers in a natural place such as at the beginning or end. It turns out that using a random nonsense collection of words for a password is actually more secure (and a lot easier to remember) than a mixture of characters, numbers, lowercase letters, and capital letters. If you still find yourself struggling to remember your password, check out 1Password to keep track.

#2. Don’t use ‘admin’ as your username

When installing WordPress, the default username is usually set to ‘admin’. Hackers know this, so that’s where they will start. By using the ‘admin’ username, you’ve already given them half the information they need to crack your login credentials.

You can easily change your WordPress username by logging in and creating a new user with a different username. Make sure to give that new user administrator rights. Then, log out and log in with the new user’s login credentials. Once you’re logged in with the new username, delete the admin user.

Note: Make sure to set your new user’s display name to your first and last name rather than your actual username. Otherwise, hackers can figure out the username just by looking at the author byline of your blog posts.

#3. Keep your WordPress version and plugins up-to-date

WordPress is open source software, so the details of each version are available to the public. Over 75 million websites on the internet today use WordPress, which makes it a big target for hackers. Since these hackers can see the entire WordPress code and documentation, even the smallest potential security hole can be found and exploited. WordPress also has a huge community of users and developers, and because of this large community, security vulnerabilities are usually spotted quickly. Once they are identified, WordPress puts out a new version to fix them.

In short, the only way to keep your site as secure as possible is to keep your WordPress version up to date. This goes for themes and plugins too. Luckily, WordPress has made this pretty easy to do.

To update your WordPress version, do a quick backup of your site and then go to your Dashboard and make the necessary updates.

#4. Choose a host who really cares about security

One of the first things a hacker does is find out what host you’re using. Penetrating your host is what he is most interested in, since once he takes over the host, he has complete control over your site.

Check the security policies and measures that your host implements. Are you using a free host? Dump it. Hackers use free hosts to put malicious files on the site, and then when visitors download something, it can be detrimental to the entire network, to say nothing about what it’ll do to your visitor’s computer. Refer to our True Beginner’s Guide to WordPress Web Hosting post to help pick the right one.

#5. WordPress Salts (Security Keys)

WordPress uses 8 security keys, referred to as salts, as part of its configuration to help secure your site. These salts encrypt the data that is stored in the cookies of your browser, which helps WordPress identify your computer as one that is logged into your site under your user. If for some reason your cookies were ever obtained by a hacker, the encrypted cookie will make it almost impossible for that hacker to compromise your website. These salts are defined in the wp-config.php file of your WordPress installation. Often, these keys are left blank during installation. To make sure you have these salts specified, log in to your site via FTP or through your host’s file manager and open the wp-config.php file. You should see something like this…

define('AUTH_KEY', 'kBm7|A#7O5)Cl55QJJXEeRZo+gSWVb2E8Tw,SWyZzNpb7j|U;hu&>XC;`}YU_=J-');
define('SECURE_AUTH_KEY', '<y9G&diz8rHVN8<-r(|r]-J[b)GWIsxuhSxP?u:duq|uSzww:Y3ef?( 5+]T]jt{');
define('LOGGED_IN_KEY', ']L!zh/hgLpJpdEhF%s $`eC~JdEVF&_5oZ[)2V/0,N+0s,KA*63q[t:Z-L^4gSTD');
define('NONCE_KEY', 'cODpxIh %D h+lsLhmttg+_n4-JIJM*@O.!AWm,G N^Xh%4Cus!yQVJ{fF4)LW#m');
define('AUTH_SALT', 'N`~An|- z?f70+Do>U7>qsRO} S/y/$,:+fH#;SQovT5ks.ZI-seJPtHF!wj+y$*');
define('SECURE_AUTH_SALT', 'aS[JI$a8pfF|kKnYK<C<TJ|#cBs[|@-dw|PJ zfTK#dmIkdV7J^%H;r;)}[|CsTS');
define('LOGGED_IN_SALT', '?F7>4|]z|Fj!j[A^&&*z1|!x%jYx7CL]=c-Hr-k1ah;^&S>Mr#Jl');
define('NONCE_SALT', 'Ks]-0l$b!tX5OC~uDp+Dc_.2W/hXlE<&&|U{C2cyT*6?Oi36i@JZ.X=AWA#xI^# ');

…or you may see where they are not set and are empty/blank like this…

define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');
define('AUTH_SALT', '');
define('SECURE_AUTH_SALT', '');
define('LOGGED_IN_SALT', '');
define('NONCE_SALT', '');

If your keys are empty, you’ll need to generate new salts and add them to your file. You can easily generate these salts from Once you’ve added your salts, make sure to save your wp-config.php file and upload it back to the server if necessary.
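The check described above can also be done by script rather than by eye. The following is an added example, not code from the original article or from WordPress: the function names, the 64-character minimum, the character set and the sample config are assumptions made for the illustration, while the placeholder string is the one shipped in wp-config-sample.php.

```python
import re
import secrets
import string

# The eight constants listed above.
SALT_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # text shipped in wp-config-sample.php
MIN_LEN = 64  # assumed policy threshold for this example
# Assumption: no quotes or backslashes, so values drop into a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"

# Matches an active define('NAME', 'value'); line. Commented-out lines do not match.
DEFINE_RE = re.compile(r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""", re.M)

def audit_salts(config_text):
    """Return {constant: problem} for every salt WordPress cannot rely on."""
    found = {name: value for name, _, value in DEFINE_RE.findall(config_text)
             if name in SALT_NAMES}
    problems = {}
    for name in SALT_NAMES:
        value = found.get(name)
        if value is None:
            problems[name] = "missing"
        elif value == "":
            problems[name] = "empty"
        elif value == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(value) < MIN_LEN:
            problems[name] = "short"
        elif list(found.values()).count(value) > 1:
            problems[name] = "reused"
    return problems

def new_salt_block():
    """Build eight fresh define() lines from the operating system's CSPRNG."""
    def rand():
        return "".join(secrets.choice(ALPHABET) for _ in range(MIN_LEN))
    return "\n".join(f"define('{name}', '{rand()}');" for name in SALT_NAMES)

# Constructed sample, not a real site's file.
SAMPLE = """
define('AUTH_KEY', '');
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
// define('LOGGED_IN_KEY', 'commented out, so PHP never sees it');
define('NONCE_KEY', 'too-short');
"""

if __name__ == "__main__":
    for name, problem in audit_salts(SAMPLE).items():
        print(f"{name}: {problem}")
    print(new_salt_block())
```

Replacing the values invalidates existing login cookies, so every logged-in user will have to log in again after the new wp-config.php is uploaded.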

#6. Install a security plugin

There are many security plugins out there, so make sure to choose one that is getting updated regularly. Our favorite plugin to install is iThemes Security because it has a one-click configuration to enable default settings that will not conflict with other plugins or themes. Additionally, the plugin is very robust and has many options ranging from the basics to the highly technical. Other credible security plugins include Wordfence, Sucuri Security, and BruteProtect.


Bonus Tip #1: We recommend doing regular backups of your site. While this won’t prevent an attack, it will make recovering from one much easier. Regular backups will also come in handy if anything goes wrong when updating your plugins and themes.

Bonus Tip #2: Set up a Change Detection alert to be notified when changes to your site have been made. This doesn’t prevent an attack, but it will alert you the minute something on your site has been changed. This way, if you are a victim of a hacker, you can fix it right away.

Bonus Tip #3: We’ve highlighted some simple things you can do to secure your site, but there are some more technical things that can be done as well. Having a service like our Proactive Maintenance plans can help you keep your site updated without having to worry about anything. We take care of everything from the basic to the advanced, and if your site is ever compromised, we will de-hack it for free.

The Takeaway:

Your visitors need to be able to have faith in you. They need to be able to know that when they come to your site, any information they give you is safe. If you don’t have customers, then you should at least want security for the site itself. And for your peace of mind.

Don’t set yourself up to be the victim of someone else’s attack. Secure your site.