3 Tips to Make WordPress More Secure

When it comes to WordPress, it’s always been a bit of a security risk. By its very nature, WordPress is somewhat insecure due to the fact that its core is essentially PHP files (many of which are publicly accessible and only protected by server-side permissions) that connect to a database (that also accepts requests from these files)—not exactly the recipe for a secure system.

Oddly enough, WordPress is still quite secure for what it is. The WordPress.org team does a great job of putting out free updates and making it better with each iteration. On top of that, there are best practices, plugins, and other things that a person can do to make WordPress much more secure.

Now, this by no means is an exhaustive or comprehensive list, but here are three things you can do right away to make WordPress much more secure.

Restrict Access to Your WordPress Admin Panel with .Htaccess

If you’ve got an Apache server running cPanel, you have a .htaccess file in the public_html folder of your web server. In case you don’t know, .htaccess is the file that sets server access rules as well as redirect rules.

The nice thing about .htaccess is that it can be used to limit access to the back end of your WordPress site, both the /wp-admin/ area and the wp-login.php file. Here’s how to do it:

1) Add the following lines to the .htaccess file in your public_html folder:

#limit login file
<files wp-login.php>
order deny,allow
allow from [example IP here]
allow from [example IP #2 here]
deny from all
</files>

2) Then, create a .htaccess file inside your /wp-admin/ folder, and add the following lines:

# alt block IP method
<Limit GET POST PUT>
order deny,allow
allow from [example IP here]
allow from [example IP #2 here]
deny from all
</Limit>

# protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>

All you do for this step is replace the [example IP here] including the brackets with an IP address that you want to allow access to the website. For example, this could be your home, office, etc. With these two .htaccess files in place, your server won’t allow access to the back end of your WordPress site to anyone who isn’t accessing from a whitelisted IP address.
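
As an added example (not part of the original article), this Python script checks an .htaccess file written in the style above before you upload it: it flags any "allow from" line that still holds a placeholder or is not a valid address, reports which methods a <Limit> block covers, and tests whether a given client address would be let in. The function names and sample addresses are constructed for illustration, and it assumes you only use full IP addresses or CIDR ranges.

```python
import ipaddress
import re

# Constructed sample: the wp-admin rules above with one placeholder left in.
SAMPLE = """\
# alt block IP method
<Limit GET POST PUT>
order deny,allow
allow from 203.0.113.10
allow from [example IP #2 here]
deny from all
</Limit>
"""

def audit_htaccess(text):
    """Return (allowed_networks, findings) for order/allow/deny style rules.

    Checks the file as a whole rather than section by section.
    """
    networks, findings = [], []
    has_deny_all = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lower = line.lower()
        limit = re.match(r"<limit\s+([^>]*)>", lower)
        if limit:
            # Rules inside <Limit> apply only to the methods it names.
            methods = " ".join(limit.group(1).upper().split())
            findings.append(f"line {lineno}: <Limit> rules apply only to {methods}")
        elif lower == "deny from all":
            has_deny_all = True
        elif lower.startswith("allow from "):
            value = line[len("allow from "):].strip()
            try:
                networks.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                findings.append(f"line {lineno}: {value!r} is not an IP address or CIDR range")
    if not has_deny_all:
        findings.append("no 'deny from all' line: the allow lines restrict nothing")
    return networks, findings

def is_allowed(networks, client_ip):
    """True if client_ip falls inside any network taken from an allow line."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    nets, problems = audit_htaccess(SAMPLE)
    print("\n".join(problems))
    print("203.0.113.10 allowed:", is_allowed(nets, "203.0.113.10"))
```

Run it against both .htaccess files after every edit; an empty findings list plus a correct is_allowed result for your own address means the allowlist says what you intended.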

Can this be annoying if you occasionally need to access your site from somewhere other than your home or office IP? Sure, but how often is that really? Unless you’re doing a lot of posting from your mobile (which isn’t super common), then it’s definitely worth the convenience trade-off for the added level of security.

Install a WordPress Plugin That Limits Login Attempts

If you’ve gone ahead and locked down access to the site using the .htaccess file, it’s very unlikely that anyone would even be able to get to the login screen for WordPress. But, there’s always the possibility that you leave your computer unattended, or something else happens that causes you to leave your login screen up while you’re not around.

To cover these cases, it’s good to have a plugin that limits login attempts to the WordPress page. Our favorite plugin is Login Lockdown by Michael VanDeMar.

With this plugin (and other similar plugins that limit login attempts), you simply install it like any other WordPress plugin and then configure it to your liking, including the number of login attempts allowed before a block is enacted and various other options. These plugins aren’t good enough in our opinion by themselves though, so don’t forget about that—but the combination of the IP block and a plugin that limits login attempts is typically pretty secure.

Don’t Leave Your Username as “Admin”

This should be pretty obvious—most people know that picking a good username and password combination is key to having any type of secure system, but oftentimes in WordPress it seems people forget about this.

There are many software programs that use “admin” as the username by default, and this is not good. A lot of hackers and bad apples know this, so they’ll try to brute force their way into the WordPress installation with the default username and try various password combinations. And if you don’t have anything in place to limit login attempts or restrict access by IPs, then you might be in for an unfortunate surprise. So—always make sure to pick a good username/password combination, and never let the username be “admin.”
