WordPress Website Security Basics: Are You Just Cannon Fodder?

WordPress Security Basics

Having installed WordPress and started creating some content, one of the first things you will need to consider is making sure you are protected from unwanted visitors.

Of course, you want visitors to your site who are going to read and comment on your content. But you don’t want the type of visitor who tries to sneak in through the back door and cause damage!

WordPress is the most popular blogging platform, and unfortunately that popularity is exactly what makes it attractive to attackers. An attacker wants as many targets as possible for the least effort, and a single weakness that works against WordPress works against millions of sites at once.

It’s very similar to the PC industry: Windows is the most common desktop operating system, so malware authors target Windows far more than the Apple Mac.

Some people conclude that WordPress must be full of security holes and that’s why hackers focus on it. That is not really true.

WordPress core as a standalone piece of software is quite robust and is maintained by a dedicated security team. Most real-world compromises come from what gets added on top: poorly coded or abandoned plugins and themes, installations that are never updated, and weak or reused administrator passwords.

What if you don’t protect your website?

If you do nothing, you’re just leaving yourself wide open to an attack.

You are essentially cannon fodder!

Here are some types of attack you could get:

  • Redirection – Visitors to your site could be silently redirected to a malicious or very unpleasant site
  • Defacement – Your home page could be replaced with a “Hacked by XXX” message, complete with a ghostly video playing
  • Deindexed – Google could temporarily remove your site from its index (or flag it as harmful), costing you thousands of visitors per month
  • Spam – An account on your server could have an email spam script injected into it, so that mass spam emails appear to come from you
  • Brute force attacks – I’ve had loads of attempts to gain administrator access to my sites from bots trying random usernames and passwords
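
Here is what a brute force run like the last item looks like in the raw web server log, as an added example that is not part of the original post. It assumes Apache or nginx writing the standard “combined” log format, the log lines are constructed for the example (documentation-range IP addresses, not real attackers), and the threshold of five failures is an arbitrary choice. It goes slightly beyond the post by also counting xmlrpc.php, which bots use for password guessing when they want to avoid the login page.

```sh
#!/bin/sh
# Added example (not from the original post): spotting a login brute-force run
# in a web server access log with nothing but awk. Assumes the Apache/nginx
# "combined" log format. The log lines below are constructed for the example;
# the addresses are documentation ranges, not real attackers.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:05:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:05:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:05:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:05:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:05:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:05:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:11:30:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.200 - - [10/Mar/2024:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.200 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# Read combined-format log lines on stdin and print "count ip" for every client
# with more than $1 failed login attempts, busiest first.
# A failed wp-login.php POST comes back as 200 (WordPress re-renders the form);
# a successful one is a 302 redirect to wp-admin, so the status code separates
# guesses from real logins. xmlrpc.php answers 200 either way, so every POST
# there counts; a normal visitor never POSTs to it.
# Fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
login_bruteforcers() {
    awk -v limit="$1" '
        $6 == "\"POST" && $9 == "200" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            fails[$1]++
        }
        END { for (ip in fails) if (fails[ip] > limit) print fails[ip], ip }
    ' | sort -rn
}

# Usage on the constructed sample: prints "7 203.0.113.7" then "6 192.0.2.44".
printf '%s\n' "$SAMPLE_LOG" | login_bruteforcers 5
```

On a real server you would feed it the live log (for example `tail -n 5000 /var/log/apache2/access.log | login_bruteforcers 20`) and hand the resulting addresses to the firewall or fail2ban. The security plugins discussed later do the same counting for you inside WordPress, with the added advantage that they can lock an address out before it reaches the login code.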

So, how do you protect your website?

It’s not possible to eliminate the risk of your website being attacked – you can only reduce it. Here are five ‘best practice’ steps you should follow as standard:

5-step protection plan

1. Change the default username

When you install WordPress, many installers (and older versions of WordPress itself) pre-fill the administrator username as ‘admin’, and one-click installers from hosting companies often keep it. Do not, under any circumstances, leave it as ‘admin’. Note that WordPress will not let you edit an existing username from the profile screen: create a new administrator account with a different login, sign in as that account, then delete ‘admin’ and reassign its posts to the new user. Don’t rely on an obscure username as your main defence, though. WordPress exposes user slugs, which default to the login name, through author archive URLs and the REST API, so a determined bot can usually discover it; the change mainly defeats the lazy bots that only ever try ‘admin’. The password is what actually has to hold.

Bots will hammer the login page trying ‘admin’ against lists of common passwords, hoping to brute-force their way into your WordPress dashboard. Don’t believe me? Look at this example:

(screenshot: brute force alerts)
(screenshot: brute force attempts against the ‘admin’ username)

More on the tool that delivers these notifications later on…

2. Use strong passwords

It’s absolutely essential that you do not use something obvious like ‘password’, your site name, or a password you already use elsewhere. Use a long random mix of upper and lower case letters, numbers and symbols in the style of ‘r4oYv8rR&$y’ (longer is better; length beats cleverness), and make it unique to this site. And since that example is now published, don’t use it.

I use a free password management tool called LastPass. These tools not only store all your passwords, but they have password generators too. No excuses – go and do it now!

3. Keep your software updated

It’s important to keep your software updated to the latest version. This includes WordPress core, your theme, your plugins, and the computer you administer the site from. Vendors release patches to close security holes as well as to fix product defects, and once a patch is public, attackers compare it with the previous version to work out what it fixed and then go looking for sites that haven’t applied it. WordPress installs minor and security releases automatically by default; major releases, themes and plugins usually need you to click the button.

Note: Go and check your WordPress Dashboard now and see if you have any outstanding updates pending.

4. Install a WordPress security plugin

You need to install a WordPress security plugin. If you navigate to WordPress.org/plugins and search for security, you’ll see a list of the available plugins. Here’s a small snapshot:

(screenshot: security plugins listed on WordPress.org)

I’ll share my experience of WordPress Security Plugins in a moment…

Caution: Before installing any of these security plugins, make sure you have a backup of both your site files and your database. The plugins make significant changes to configuration files, especially .htaccess, and a bad rule there can lock you (and everyone else) out of the site, so a backup is always your first step.

5. Protect your computer

It’s all very well securing your WordPress site with a security plugin, but you need to ensure that your own computer is fully protected too. If your computer gets infected with password-stealing malware, the attacker simply logs in with your credentials and the steps above count for little. There are countless anti-virus and anti-malware programs available, so make sure you have one installed, updated and running, and keep the operating system and browser patched as well.
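
Steps 1 to 3 of the plan can be scripted on the server with WP-CLI (https://wp-cli.org/). The following is an added example, not code from the original post or from any of the plugins it reviews. It assumes WP-CLI is installed as `wp` and that the script is run from the WordPress root; the new login name and email address passed on the command line are placeholders you choose.

```sh
#!/bin/sh
# Added example (not from the original post): steps 1-3 of the plan via WP-CLI.
# Assumes `wp` is on PATH and the script runs from the WordPress root. Run as
#   sh harden.sh --apply <new-admin-login> <new-admin-email>
# to make changes; without --apply it only defines the helpers and prints a sample password.
set -e

# Step 2: a random password of $1 (default 24) characters drawn from /dev/urandom.
generate_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*_=+-' </dev/urandom | head -c "${1:-24}"
}

# Step 1: refuse the login names every bot tries first. Returns 0 if the name
# is acceptable, 1 if it must be changed. (Obscurity is a bonus, not the defence:
# WordPress exposes user slugs through author archives and the REST API.)
username_is_safe() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        admin|administrator|root|test) return 1 ;;
        *) return 0 ;;
    esac
}

# Steps 1 and 3 against the live site. WordPress does not allow renaming a user,
# so a replacement administrator is created, then 'admin' is deleted and its
# content is reassigned to the new account.
harden_site() {
    new_user="$1"
    new_email="$2"
    username_is_safe "$new_user" || { echo "pick a login that is not '$new_user'" >&2; return 1; }

    wp db export "pre-hardening-$(date +%Y%m%d).sql"     # backup before touching anything

    pw="$(generate_password 24)"
    wp user create "$new_user" "$new_email" --role=administrator --user_pass="$pw" >/dev/null
    new_id="$(wp user get "$new_user" --field=ID)"
    printf 'Created administrator %s (ID %s). Password (put it in your password manager now):\n%s\n' \
        "$new_user" "$new_id" "$pw"

    if wp user get admin --field=ID >/dev/null 2>&1; then
        wp user delete admin --reassign="$new_id" --yes
        echo "Deleted 'admin'; its posts now belong to $new_user"
    fi

    # Step 3: list what is outdated, update everything, then compare the core
    # files with the official checksums to catch stale or tampered files.
    wp plugin list --update=available --fields=name,version,update_version
    wp core update
    wp core update-db
    wp plugin update --all
    wp theme update --all
    wp core verify-checksums
}

if [ "${1:-}" = "--apply" ]; then
    harden_site "${2:?new admin login required}" "${3:?new admin email required}"
else
    printf 'Sample generated password: %s\n' "$(generate_password)"
fi
```

Log in with the new account in a second browser before deleting ‘admin’ if you prefer to do that step by hand; the script deletes it only after the replacement has been created and reassigns every post, so nothing is lost. Step 4 is a plugin install and step 5 lives on your own computer, so neither belongs in a server script.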

For more WordPress security tips, check out this guide by Colin Newcomer.

WordPress security plugin shootout

iThemes Security vs Wordfence Security

This is my experience of using these two WordPress Security Plugins:

  • Both offer free versions with an option to upgrade to a premium paid version with additional features and support
  • To start with you can safely take the free option
  • If your circumstances change in the future and you think you can benefit from the extra features then that is the time to upgrade

iThemes Security

The first security plugin I installed was iThemes Security (formerly Better WP Security).

However, I didn’t like it.

It installed quite easily as you would expect with a WordPress plugin. Once installed, the plugin ran a scan of my WordPress installation to check what vulnerabilities existed and produced a list by priority of what should be fixed.

If you look at the example screenshots on WordPress.org, they show a couple of items for each priority:

(screenshot: iThemes Security example)

In my experience there were about 10 items per priority. Now I consider myself fairly technical, but by no means a super techie. However this list was daunting. And when I read the description of the problem and the proposed fix I was even more concerned.

To be fair, you don’t have to action these lists of security items, but when someone or something says you have a potential problem I generally like to try and fix it.

There was a strong suggestion that some of these fixes could make my site too secure, so secure in fact, that I would be locked out. I didn’t feel comfortable at all. I was overwhelmed. Naturally I started researching further and trying to find some answers, but nothing was too clear.

If you prefer, you can opt for iThemes Security Pro. You’ll get more features and professional security experts to support you.

Wordfence Security

After a few days of going nowhere fast I decided that I would try another security plugin. I had a chat with a few people and opted for Wordfence Security.

The plugin installed smoothly and I was soon into configuring the options. My immediate reaction was that this was so much more manageable than iThemes – there was no overwhelm factor.

Of course there are options/settings you need to go through and check, but in most cases you can leave the default settings to start with and come back later to modify them. Notice also how there are help tips at each statement/action…

(screenshot: Wordfence scan instructions)

Once you’re set up, run a full scan to get your first report. You get:

A Scan Summary…

(screenshot: Wordfence scan summary)

A Detailed Activity report…

(screenshot: Wordfence detailed activity report)

And a list of Issues (or not)…

(screenshot: Wordfence scan issues)


I haven’t tried other security plugins, but I’ve heard good reports about Sucuri and Bulletproof.

To date, I have been very satisfied with Wordfence and see no reason to change. The plugin is both easy to manage and intuitive with the help tips.

Most importantly, it keeps the unwanted visitors away!


Here’s what you have learned today:

  • There is no room for complacency – follow the 5-step protection plan!
  • Wordfence offers a great, easy-to-use WordPress security plugin!

In this post we covered two of the most popular security plugins, but there are plenty of other solutions on the market. You may find our article on WordPress security plugins & tools useful. And it’s also worth noting that some content delivery networks offer security functionality such as a web-application firewall, which can be helpful.

Disclosure: This post contains affiliate links. This means we may make a small commission if you make a purchase. This doesn’t cost you any more but it does help us to continue publishing helpful content – thank you for your support!
