Whether you run your website as a fun side project, as a commercial entity, or somewhere in between, keeping it secure should be one of your top priorities.
While there are plenty of plugins out there designed to improve the security of your WordPress website, if you are anything like me, then your website is probably already creaking under the weight of a growing library of add-ons and extensions.
So if you’d like to strengthen the security of your WordPress website without installing any additional WordPress plugins, then this article will give you some actionable tips which can help you do just that.
Ensure Plugins & Themes Are Up to Date
Let’s start off with the most basic of advice, but perhaps the most important: keeping the WordPress software, as well as any installed themes and plugins, up to date.
Each plugin and theme that is installed on your WordPress website is a potential route into the back end of your blog and its underlying code and database, for those with malicious intent. That’s not to say that all plugins and themes pose a security risk; it’s just that sometimes flaws do arise. When they do, developers seek to resolve these issues by releasing updates to their code.
Therefore by ensuring all the components of your website are up to date, you can greatly minimize the risk of your site being hacked through a vulnerability in a plugin or theme you are using, or even through the WordPress software itself.
By regularly logging into the admin area of your WordPress website, you can stay on top of available updates. Thanks to the handy icon that is displayed on the dashboard, you can quickly see if there are any updates available to you. WordPress now even includes the ability to update itself automatically, and leaving this feature turned on is a good idea for most users.
Strengthen Your Username and Password Combination
Another way hackers can gain access to your website is to guess your username and password combination. Whether they do this manually or by using software to enter as many combinations as possible, you can improve the security of your WordPress website by ensuring your chosen username and password aren’t easy to guess.
The first place to start is changing the username of the administrator account for your website. Many WordPress websites simply use ‘admin’ as the username for this powerful account that controls all aspects of your website. If your website is using this username, then you are giving hackers a head start on cracking this combo.
Therefore, changing the username for this account is a great idea. Unfortunately, you can’t simply rename the account through the user profile screen. So rather than making this change through the WordPress database, the simplest approach is to create a new administrator account with a more obscure username, log in to your WordPress dashboard with that account, and then delete the original admin user account.
There’s no need to worry about any content being lost when deleting a user account. Simply reassign it to the new user after hitting the delete button.
Using a secure password is the next step in this process. Using as many different character types as possible, such as numbers, letters, and special characters, is the key here. By using a strong password generator tool, you can come up with some pretty advanced combinations that will be difficult for anyone to crack. The only downside is that such secure passwords are hard to remember; to overcome this, you could consider using a password manager such as LastPass or 1Password.
Another piece of good practice is to regularly review and remove any inactive user accounts on your website.
Keep Your Username Private
Another step you can take is to hide your username from your visitors. The best way to do this is to change the ‘Display name publicly as’ field on your user profile to something other than your login username.
Now your readers will see this name, instead of your actual username alongside each post you’ve written on your blog.
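The two username checks described above (an administrator still called ‘admin’, and a public display name that matches the login) can be run across every administrator account at once. The script below is an added example, not part of the original article; it assumes WP-CLI (a command-line tool, not a plugin) is installed to export the user list, and the function names and sample rows are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. On a real site, feed audit_users with:
#   wp user list --role=administrator --fields=user_login,display_name --format=csv
# A flagged 'admin' account is then replaced as the article describes, e.g.
#   wp user delete admin --reassign=<new-user-id>

# Constructed sample standing in for the WP-CLI output above.
sample_users() {
  cat <<'EOF'
user_login,display_name
admin,Site Owner
jsmith,jsmith
k7-editor-rx,"Smith, Jane"
EOF
}

# Reads the CSV on stdin and prints one "login: finding" line per problem.
audit_users() {
  awk '
    NR == 1 { next }                       # skip the CSV header row
    {
      sep = index($0, ",")                 # assumption: logins contain no commas,
      login = substr($0, 1, sep - 1)       # so split on the first comma only
      display = substr($0, sep + 1)
      gsub(/^"|"$/, "", display)           # drop CSV quoting around the name
      if (tolower(login) == "admin")
        print login ": default administrator username"
      if (tolower(display) == tolower(login))
        print login ": display name reveals the login username"
    }
  '
}

# Demonstration run against the constructed sample.
sample_users | audit_users
```

An empty result means no administrator account uses the default name or shows its login as its public name.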
Change the WordPress Login Page URL
One of the main reasons hackers like to go after WordPress websites is the popularity of this software. As brute force hacking can be a numbers game, the more sites you can attack, the greater your chances of success will be.
By default, the login pages for all WordPress websites can be found at the same URL or address (http://yourdomain.com/wp-login.php). However, by changing the login page URL you can put one extra hurdle in front of any would-be threats to the security of your website. While this approach typically won’t overcome a sustained attack on your website, it may well be enough to put off individual visitors sniffing around your website.
While using a plugin can make the process of changing the URL of your WordPress login page relatively foolproof and straightforward, doing so manually shouldn’t be beyond most users. This post on the WordPress support forums provides some advice on obscuring the WordPress login pages without a plugin.
Choosing a Security Focused Web Host
Choosing a web host for your WordPress website that has a strong commitment to site security can take most of the responsibilities off of your hands, when it comes to keeping your website protected.
Not only can a good web host take care of keeping the WordPress software up to date, keeping away hackers and other security threats, but they can also support you in restoring your website should something go wrong.
While there is no single answer to the question of who is the best WordPress web host, by checking out our archive of reviews, you can find the best WordPress website host for your needs.
Hopefully you now have some actionable advice you can put into practice today in order to harden the security of your WordPress website.
The WordPress software isn’t inherently insecure, but its popularity has helped make it an attractive target for hackers. However, by following these steps and becoming more proactive about the security of your website, you can stay one step ahead of the hackers and make the effort of gaining access to your site more trouble than it’s worth.
If you have any tips, advice, or questions about improving the security of a WordPress website without relying on plugins, please share them below in the comments.