WordPress can often get a bad rep for security, however, the truth is that WordPress is actually, in itself, very secure and most security breaches are caused by human error and poor choice of plugins or themes. We will guide you through 5 very basic steps to harden your WordPress security without any expense.

1. Usernames & Passwords

The first step we take when working on any WordPress site is ensuring that the default username ‘Admin’ doesn’t exist. During most WordPress installs the first user added will have a username of ‘Admin’, this is well known and if you are still using the ‘Admin’ username hackers will be 1 step towards gaining access to your site as they will often attempt a brute force entry using the username ‘Admin’. If you still use the ‘Admin’ username then the best thing to do is create a new user then delete the admin user, during the deletion process you can assign all the content from the old user to the new user.

Passwords are also a huge weakness, WordPress now has a password generator and strength indicator. We recommend you use the password generator to ensure that your passwords are very strong. Having a strong password will make gaining access to your site forcefully much harder and most automated attacks will move on. While on the topic of passwords, make sure that your email password is equally as strong. If a hacker gains access to your email they could request a password reset for your site and gain access to almost any service you signed up for using your email. We suggest you use 2-factor as a minimum with your email.

2. Core & Plugin Updates

It’s extremely important that you update the WordPress core as updates are rolled out, most updates will contain fixes for previous vulnerabilities and outdated versions of the WordPress core and plugins can leave your site susceptible to attacks. It’s also important to only use plugins that are updated regularly and if you need to use a plugin that hasn’t been updated in a while have it reviewed and tested first.

We notice a lot of WordPress users don’t update certain plugins because their site developer told them not to. If this is the case we recommend you ask your developer to update the plugin for you or consult with a WordPress expert on how to update the plugin and ensure that the site retains full functionality.

3. Server & Database Access

Your WordPress install is only as secure as your server, database and/or your hosting control panel (should you have one). Ensure that your server is setup with basic security in place, prevent root login, restrict SSH, use a strong password for database access and change the default database table prefix. If your hosting control panel allows it use 2-factor authentication and an extremely strong password.

4. Use a Security Plugin

We recommend the Shield Security plugin as it provides very good security features that are easy to manage and doesn’t cost a penny, you can also use any other well-known security plugin. If you are unsure of the settings you can install and leave the default settings in place, be careful with certain settings as you may end up locking yourself out or slowing your site down if your server doesn’t have many resources. As a minimum, we recommend you use a security plugin that prevents brute force login attempts on login forms.

5. Only Use Reputable Plugins & Themes

When looking for a theme or plugin ensure that you pick one from a reputable source, never download ‘nulled’ copied of premium themes or plugins not only is it essentially stealing but most likely you will end up installing malware on your site. When looking for plugins and themes in the WordPress plugin directory pick one that has a good review rating and that is updated recently, check support forums for the theme or plugin to see if there are any known issues before installing.

Try to limit the number of plugins you are using, only use plugins that you absolutely need. How many plugins are too many? Check out this article to find out more.


I hope this guide is useful and helps you maintain a secure WordPress installation. Should you come across any issues please leave a comment below or contact WP Helper, we offer completely security hardening and hack recovery, all our maintenance and support plans provide advanced security monitoring and hardening.