Securing your website starts with using a secure username and password. Believe it or not, a lot of people still use easily guessable usernames and passwords, including their company name or something equally insecure. This sounds ridiculous, but surprisingly I see it time and time again.
It’s also a good idea to store your passwords securely. Most modern operating systems include a system for this, or you can use a password manager such as 1Password or LastPass.
This applies not only to WordPress but E V E R Y W H E R E you use a password.
Update your username and password
By default it’s not possible to change your username, but there’s a plugin for that, simply called Username Changer.
Install the plugin, change your username to something less obvious, then deactivate and delete the plugin.
You should then update your WordPress admin password to something impossible to guess. The latest versions of WordPress include a strong password generator for this.
WordPress security plugins
In the past few years a lot of great security plugins have been popping up, due to the large increase in WordPress hacking attempts.
Sucuri is great for scanning for bad code and hardening the parts that make up a WordPress installation.
Wordfence is great at detecting suspicious login attempts (basically anyone who isn’t you or someone you know) and blocking them so they cannot get into your website. It also checks that everything is up to date and monitors traffic.
Both plugins are free and have premium options for more advanced functionality.
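To show what the “suspicious login attempt” detection described above actually looks for, here is an added example (not code from the post, Sucuri or Wordfence) that scans constructed Apache-style access log lines for repeated failed wp-login.php POSTs from one IP inside a short time window. It assumes the usual WordPress behaviour of answering a failed login with 200 (the form is shown again) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines (not real traffic).  WordPress answers a
# failed wp-login.php POST with 200 (form re-rendered) and a successful one with 302.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:10:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:10:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.5 - - [10/Mar/2024:08:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.5 - - [10/Mar/2024:08:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.5 - - [10/Mar/2024:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def failed_logins(log_text):
    """Group the timestamps of failed wp-login.php POSTs by client IP."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] == "200":  # login form shown again: the attempt failed
            fails[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return dict(fails)

def flag_bruteforce(log_text, threshold=4, window_minutes=5):
    """Return {ip: most failures seen in any window} for IPs reaching the threshold."""
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, times in failed_logins(log_text).items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

The user who mistypes twice and then logs in is left alone, while the client hammering the form is flagged; widening the window to an hour also catches the slow, spread-out attempts.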
Once you have installed these plugins you will need to carry out a few quick steps to set them up.
Sucuri basic setup
You will see a notice “Plugin not fully activated yet. Please generate the free API key to enable audit logging, integrity checking, email alerts and other tools.”
- Click Generate API Key, select your email address and click Proceed
If you keep seeing the API message, you may need to contact support [at] sucuri.net to have them manually add your site.
- Go to Sucuri Security in the left menu
- Go to the Malware Scan tab and click Scan Website
- If everything is clean, go to the Hardening tab
- Scroll down and click the Harden button in each row with a red warning*
* Website Firewall Protection is a paid feature. You don’t absolutely need it, but it will add an extra layer of protection to your site.
- Go to your site and refresh to check everything is still working
I’m getting loads of emails!
After some time you might notice you receive a lot of emails alerting you of unsuccessful login attempts. To turn off this email notification go to Sucuri Security > Settings > Alerts [tab] and un-tick “Receive email alerts for failed login attempts (you may receive tons of emails)”.
You can also edit other email alerts from this page.
Wordfence basic setup
- Go to Wordfence in the left menu
- Click Start a Wordfence Scan
Since you updated WordPress and all plugins in the previous post, the scan should be clean.
- Scroll down to New Issues and check for anything requiring attention
- If everything has been done and the scan is good you will see a message “Congratulations! No security problems were detected by Wordfence.”
This is by no means a complete guide to setting up WordPress security, but with these steps in place you’ll be on track to avoiding a lot of potential headaches in the future.
Next Steps
After you’ve backed up your site, update your WordPress site and all plugins to the latest versions and check everything is working. Install the Sucuri and Wordfence plugins, run scans and carry out the basic setup steps above.
In the next post I’ll be running through a few ways you can increase the performance of your WordPress site quickly and easily.