Basic WordPress Security – What I Do For My Sites

Basic WordPress Security Takes Just a Few Minutes

Most WordPress website owners realize security is an issue that must be dealt with. If you’re not one of those owners, get on board. Malicious bots, spam emails and comments, brute-force password crackers, hackers — they’re all out to get you. Stop the majority of them (and significantly reduce CPU usage, which is essential if you’re on shared hosting) with these simple, easy-to-implement steps.

Step 1 – Have a Strong Username & Password

Don’t choose “admin” as your WordPress username. Automated attackers know that most WordPress usernames are “admin” so they’re already a step ahead of you. If you are currently using “admin” as your username, don’t worry — it’s easy to change. I’ve listed the steps below. If the steps are unclear to you, watch my short, concise video on basic WordPress security.

  • Go to Users –> Add New User
  • Fill out all the information, choosing a more complex username
  • Log out of WordPress (because you’re logged in as “admin”)
  • Log back in with the new user information
  • Go back to Users –> All Users
  • Hover over the user you want to delete
  • Click “delete”
  • On the next screen attribute all content to your new user
  • Finally click “confirm deletion”

You’ve now got a new user for your WordPress website that doesn’t use the username “admin.” Nice work.

Now, make sure your password is complex. To change your WordPress password, do the following:

  • Go to Users –> All Users
  • Click on the username that you’d like to edit
  • Scroll down to the New Password field
  • Type in your new password (twice)
  • Don’t use dictionary words
  • Don’t use partner names or pet names
  • Use lowercase and uppercase letters, numbers, and characters
  • The more random it is, the better
  • Click Update Profile when you’re finished.

Congratulations. Basic WordPress Security step #1 is complete. You now have a complex username and password.  What’s next?

Step 2 – Change Your Login URL

While this might seem complicated, it’s not. It’s even easier than changing your username and password. And it’s important because all the attackers know that your login page is We’re going to change that.

  • Go to Plugins
  • Click Add New
  • Do a search for Rename wp-login.php
  • Click Install Now
  • Activate the plugin
  • Go to Settings –> Permalinks
  • Under Rename wp-login.php type in the login url you’d like to use
  • Remember it!
  • Click Save Changes

Nice. You’ve now changed your default login url. Well done. Your site is already much more secure than it was a few minutes ago.  Moving on to step three in Basic WordPress Security . . .

Step 3 – Limit Login Attempts

Limiting the number of login attempts will discourage brute-force attackers. A simple plugin to use (although it has not been updated for a while) is called Limit Login Attempts.

  • Go to Plugins
  • Click on Add New
  • Do a search for Limit Login Attempts
  • Install and activate the plugin
  • Go to Settings –> Limit Login Attempts
  • Leave the default settings “as is” but feel free to change the “Lockout” settings

If you’d like a plugin that’s actively being developed that has a very high user rating, you can also try NinjaFirewall (WP edition). I have not tried it. It works differently than the above plugin and is more complex, but it would be an excellent addition to your security suite. If anyone tries it out, I’d love to hear about it in the comments.
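To see whether your site is actually being hit by repeated login attempts, you can count failed logins per IP address in your web server's access log. The script below is an added example, not part of the original tutorial or of any plugin mentioned here; it assumes a log in Combined Log Format, and the threshold of 4 failures in 20 minutes and the `login_path` parameter (set it to your renamed login URL from Step 2) are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def failed_login_bursts(lines, login_path="/wp-login.php",
                        max_failures=4, window=timedelta(minutes=20)):
    """Map each IP to the time it first exceeded max_failures in window.

    A POST to the login path answered with 200 counts as a failed attempt
    (WordPress re-renders the form); a successful login redirects with 302.
    Lines are assumed to be in chronological order, as in an access log.
    """
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # skip lines that are not in the format
        path = m["path"].split("?", 1)[0]
        if (m["method"], path, m["status"]) != ("POST", login_path, "200"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:    # forget failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.setdefault(m["ip"], ts)
    return flagged

def sample_line(ip, hhmmss, method, status):
    return (f'{ip} - - [10/Mar/2024:{hhmmss} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample log using documentation IP ranges, not real traffic.
SAMPLE_LOG = (
    [sample_line("203.0.113.7", f"03:00:0{i}", "POST", 200) for i in range(5)]
    + [sample_line("198.51.100.20", "09:15:00", "POST", 200),   # one typo
       sample_line("198.51.100.20", "09:15:30", "POST", 302),   # then success
       sample_line("192.0.2.5", "09:20:00", "GET", 200)]        # page view only
)

if __name__ == "__main__":
    for ip, when in failed_login_bursts(SAMPLE_LOG).items():
        print(f"{ip} exceeded the failure limit at {when.isoformat()}")
```

On a real site, pass the lines of your access log file instead of `SAMPLE_LOG`; the addresses it reports are the ones a login-limiting plugin would be locking out.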

We’ve talked a bit about how to discourage attackers. Now how about reducing that spam?

Step 4 – Use Akismet to Reduce Spam

Using Akismet (which comes by default with all WordPress installations) is, in my opinion, necessary. If you’re not using it, you should be. To activate Akismet, do the following:

  • Click activate under Akismet on your Plugins page
  • Click Activate Your Akismet Account (big button at the top)
  • Click Get Your API Key
  • Click Get an Akismet API Key
  • If you already have a account, click “I already have a account”
  • If you don’t have a account, fill in the pertinent information and you will have one!
  • Click Sign Up
  • Click Sign Up in the Personal box
  • Move the slider on the right side of the screen all the way to the left (to zero dollars) unless you want to donate
  • Click Continue
  • Copy your API Key to your clipboard
  • Return to your WordPress website and paste in the API key

Well done. Akismet is up and running, protecting your blog from email and comment spam. You’re one step closer to locking down your WordPress website and frustrating hackers and spammers.

Step 5 – Use a Captcha (or similar) Plugin for Comments

For step 5 of our Basic WordPress Security tutorial, we’re going to install a plugin to stop the bad bots from bombarding us with comment spam. I’ve tried a variety of captcha plugins, which annoy the heck out of me (and users) so I searched for something different. My favorite comment spam plugin is called Slider Captcha. It’s probably not the most effective comment spam plugin, but I like it because it doesn’t inconvenience my users too much.

  • Go to Plugins
  • Click on Add New
  • Do a search for Slider Captcha
  • Install and activate the plugin
  • Go to Settings –> Slider Captcha
  • Adjust your settings then at the bottom, swipe! to save your settings
  • Be sure to test out the plugin on your site

If you think this plugin isn’t effective or if you’ve found an alternate comment spam plugin that has low impact on your site’s visitors, I’d love to hear about it.

Step 6 – Keep Everything Up to Date

This might seem obvious, but you won’t believe the number of WordPress websites I’ve worked on that are far outdated or are using extremely outdated plugins. This is a huge security risk. Keep your WordPress website updated at all times!

Step 7 – Back Up Everything Regularly

Backing up your WordPress data may seem like another obvious step, but again, many people do not do it. In case of an emergency, having a backup may be your only saving grace. You should use a well-regarded plugin (like UpdraftPlus Backup and Restoration) to be sure your site’s database and files are backed up. UpdraftPlus is nice because it includes tools to automate the process. Simply install and activate the plugin and follow the simple configuration steps.

Basic WordPress Security Recap

Let’s recap these quick and easy WordPress security tips.

  • Change your site’s login url
  • Change your site’s username from “admin” and create a strong, complex password
  • Limit login attempts to confound brute force attackers
  • Activate Akismet
  • Install a comment spam plugin to assist Akismet
  • Update WordPress and all plugins regularly
  • Back up your WordPress website regularly

These changes will only take a few minutes to implement and could save you from significant trouble down the road. Keep in mind that this list is far from exhaustive; there are many other changes that can be made which will further secure your WordPress website and reduce CPU usage, like straight-up blocking persistent bots in your .htaccess file. If you have questions about how to do that, let me know and I’ll tell you how I do it.

If you found this tutorial useful, please share it! Give me a tweet. Give me a like on Facebook. Link to it.

Free Support for Your WordPress Blog

Remember, I provide free support for your WordPress blog. Priority goes to those who have purchased hosting via Inmotion Hosting, the web host I’m an affiliate for. Keep in mind that I only promote the web host that I use. Yes, I use Inmotion to host this website (and all my websites).  I’ve been with them for a number of years and my favorite feature, by far, is their responsive, 24/7, knowledgeable, understandable technical support via phone or online chat.

Remember, if you haven’t watched my WordPress tutorials and you have questions, watch the videos first. If you still have questions, let me know and I’ll be happy to help you out. My hope is that with my tutorials you’ll learn WordPress well enough to be self-sufficient.

Keep in mind that I really love helping and connecting with others. So contact me!  I look forward to hearing from you.


  1. Thanks again Eric, Followed your step by step guide and already looking forward to going back to bed and sleeping easy. 😉

      No problem Sir! I actually made this video and article based on the questions in your email to me. Glad you found it useful.


  2. Hi Eric, thanks for the tip, immediately changed my login page. Just wondering, what’s the downside to using something like wordfence for security?

    I’m also using inmotion btw, but did not find your website when I was looking to compare between hosting services. Glad I made the right choice. I am trying to start a blog on roughly ‘how to start a blog’ like yours but in my own native language, Malay, because there is basically no one teaching us how to build a website, for free that is. Everyone wants to get paid and I am trying to start this blog out of frustration after paying RM2.5K (About USD600) for my company website that gets no support and have to wait for the webmaster to change anything. And a wordpress class costs a minimum from RM600 to RM3.6 (USD133 to USD800) in Malaysia. Sorry for my ramblings.

