The Ultimate Guide to WordPress Security Part 2 of 3

by Cerys O’Brien

This is the second of a three-part series on WordPress security we started yesterday.


Advanced WordPress Security Practices

The above suggestions are steps that any website owner should be able to follow. Even if you get confused along the way, the process will be simple and WordPress is designed to help create a secure website.

These next steps, however, require a bit more software knowledge. If you do not feel comfortable making these changes on your own, then you might benefit from hiring a professional to adapt these for you, or you could stick to the basic protection.

Either way, we would advise everyone to look through these advanced security practices and implement as many as they can.

Change The Default “Admin” Username

When WordPress first began, the username for your website would be “Admin”. In fact, If you were to make a quick build website today, your username might still be “Admin”.

However, as a heavily used log-in credential, keeping the default username means that hackers already have one answer to your security questions.

Look at your website and search for your username. WordPress doesn’t allow you to simply change these details, instead, you can either install a username changer plugin or create a whole new admin and delete the old one.

Customize Your Login Page URL

One way in which hackers try to attack is through the login page. There they can request your wp-admin folder. This folder contains the coding functions required to make sure your website runs properly. A hacker accessing this information can quickly stop your website from running.

To stop this type of attack, all you need to do is customize your login page’s URL. Your login URL defaults to /wp-admin or /wp-login.php. To change this go into the official plugins directory, and pick a plugin which suits your needs. For example, you could pick Custom Login Page Customizer. Once activated, you will be asked what your preferred login page URL is and hey-presto your page is more unique and therefore more secure.

Password Protect WP-Admin And Login

You can add another layer of protection to your login page by adding a server-side. If the hacker gets past the first layer of protection, they then have to deal with this second layer too. For most bots, that’s enough to register a waste of time, and they move on to the next victim.

As we said before, a hacker can request your wp-admin folder through a login page, but changing your URL to something more unique can prevent this from happening. If that doesn’t work and the bot can pull through your folders (which contain functions to run your website properly), then you need to stop them from opening the folder.

To do this, simply edit the wp-admin folder found in the current directory, and click “password protect”. Use a unique password, as we mentioned before, and you’ll have a second protection system in place.

Limit Login Attempts

Most hackers come in the form of bots. They can try hundreds of combinations to attempt to find your passwords and login. They can attempt this on your customers or even on your admin profile. To stop this “brute force” method, you should limit how many login attempts a person can make.

By default, WordPress doesn’t have a limit to how many login attempts you can make. To fix this security risk, you can install a plugin that limits the number by either their recommendation or your desired settings. For example, you could use WP Limit Login Attempts.

Add Two Factor Authentication

To secure the login page even further, you can add in a two-factor authentication process. There isn’t a strict rule on what the two factors have to be, but they are commonly the username and password in the first step and a second device confirmation in the second step. This forces the hacker to have at least one physical connection to a known device and warns the user of a possible attack.

As with everything on WordPress, all you need to install this verification process is to use the relevant plugin. For this service, you can choose a Two Factor Authentication version. There are many to choose from each with its own setup plan.

Automatically Log Out Idle Users

It isn’t uncommon for people to walk away from their desk or computer screen while logged into a website. Although this might seem confident to let the website stay logged in during this time, it actually creates a massive security risk.

With the system unlocked and unprotected, anyone can walk by and use the service or take your details without the user’s permission.

To reduce this security risk install an Inactive Logout plugin. You can give the user a reminder to be active before the logout commences. This will encourage them to click through a page and “wake up” the website, just in case they are simply taking their time looking through a page. If there is no change, then the website will automatically log the user out when they reach the time limit.

Limit User Permissions

Ideally, you should limit the user’s permissions as soon as you launch your website. This is so they don’t gain access to the “behind the curtain” operations, such as moderating comments, creating pages, or editing posts.

Although you want the users to write comments on your pages, they shouldn’t have any other ability to edit your content. To do this, you can make every new user a subscriber. Subscribers can only read content and view the webpage.

To do this, go to settings, and then general. You can see the term “New User Default Role”, there you change the dropdown to “Subscriber”.

You can then change the user role from “Users” to “All Users”, so previous customers will be turned into a subscriber too.

Add Security Questions To WordPress Login

This next tip is another one for the login page. To make the first login step harder for hackers and bots to get past, you should include at least one security question.

You can do this by installing a security question-based plugin such as WP Security Question. When you activate it, the plugin will ask for your security question and your answer. This step is an easy one, but it can dramatically decrease your chances of being hacked.

The security questions should be unique, leading to a wide possibility of answers. For example, you do not want the answer to be similar to your password or your username. You also don’t want the answer to be found online through social media. If you said “What Was Your First Pet Called” and your Instagram is filled with pictures of your first pet, a hacker can easily find the answer.

Disable File Editing

One reason why so many people love WordPress is because of its endless possibilities for customization. The in-built code editor is just one of many avenues you can go down to create your own space.

When it comes to security, this feature can be a problem. Hackers can use this area to change themes or plugins. If you have no desire to edit your website or use the code editor, then we suggest turning it off.

If you aren’t using the feature then it is simply a doorway into your mechanics, and so should be removed. To turn this file editor off, either install a plugin that specializes in this area or add the below code to the wp-config.php:

// Disallow file edit

define( ‘DISALLOW_FILE_EDIT’, true );

Disable PHP File Execution

A PHP file is a website filled with code, Hypertext Preprocessor code to be exact. It has all the details the website needs to function properly including the date, time, online forms, and database information.

Unless you are writing the code yourself, you do not need to access the PHP file. If you do not need to access it, then you should disable anyone from being able to access it. That way you know the files are safe despite never opening them.

To disable the files you can either install a plugin that can do it for you, or you should add the below code to a text editor:

<Files *.php>

deny from all


Save this code as “.htaccess” inside your wp-content folder.

Be sure to return tomorrow to read the rest of this series.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.