Securing a WordPress website
Since WordPress is one of the most common website platforms in use today, it has also attracted a lot of unwanted attention from hackers. However, there are a few steps that can dramatically improve the security of a WordPress website. Please note that, depending on your level of knowledge, some of the following steps should be performed by your website developer.
Use a strong password
A strong password is the first line of defence against attackers. Never use a simple or easy-to-guess password. Passwords should be 8 characters or more and contain both letters and digits.
Change the default admin user name
The majority of hackers and bots (programs designed to find a website's administration section and then attempt to log in repeatedly until they hit the correct username and password) try to log in with the username “admin”, because that is the default administration username. The website developer can change the username in the database; a simpler way is to create a new user with administration rights and then delete the default administration account. Make sure the new user account works before deleting the old administration account, otherwise you could lock yourself out.
Install IP-based login protection
There is a WordPress plugin called “iThemes Security” which records the IP address of each failed login attempt and then blocks that IP address for a period of time. This function protects your website from brute-force login attempts.
We strongly recommend that all websites using WordPress install this plugin. To read more and find out how to install it, please visit: https://wordpress.org/plugins/better-wp-security/
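To show what the plugin's "record failed logins, then block the IP" behaviour amounts to, here is an added Python model written for this guide (it is not iThemes Security's own code). It replays a few constructed access-log lines through a sliding-window throttle; the thresholds and the sample log are assumptions, not the plugin's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAX_FAILURES, WINDOW, LOCKOUT = 5, 300, 900   # illustrative: attempts, window seconds, lockout seconds

# Login POST in combined access-log format; WordPress answers a failed login with 200, a successful one with 302.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3})')

SAMPLE_LOG = ['203.0.113.9 - - [10/Mar/2024:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4123' % s
              for s in range(6)]  # constructed sample traffic, not a real log
SAMPLE_LOG.append('198.51.100.4 - - [10/Mar/2024:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0')

class LoginThrottle:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> epoch second the lockout ends

    def is_blocked(self, ip, now):
        if self.blocked_until.get(ip, 0) > now:
            return True
        self.blocked_until.pop(ip, None)     # no lockout, or it has expired
        return False

    def attempt(self, ip, now, success):
        """Handle one login request; return True if it must be refused."""
        if self.is_blocked(ip, now):
            return True
        if success:
            self.failures.pop(ip, None)      # a correct login clears the counter
            return False
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > WINDOW:           # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:           # too many recent failures: lock the IP out
            self.blocked_until[ip] = now + LOCKOUT
            del self.failures[ip]
        return False

def process_log(lines):
    t, denied = LoginThrottle(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, stamp, status = m.groups()
            now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
            denied += t.attempt(ip, now, success=(status == "302"))  # True counts as one refusal
    return {"denied": denied, "blocked": sorted(t.blocked_until)}
```

In the sample, the fifth failure from 203.0.113.9 triggers the lockout, the sixth request is refused, and the successful login from 198.51.100.4 is untouched.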
Enforce SSL
All websites today should be using HTTPS, which requires an SSL certificate. A free SSL certificate is included with all Nexus Digital website hosting accounts and can be installed from the Nexus control panel with one click. To force the whole website (public and admin sections) to use SSL, please install the iThemes Security plugin, which has a function to enforce SSL across the site.
Turn comments off
User comments can flood a website with spam or be used to inject dangerous code into it, so if your users don’t need the comments function we highly recommend you turn it off.
The comment settings can be found in the admin section under "Settings" then "Discussion", and also on the individual pages.
Turn auto email reply off
Many contact forms ask the visitor for their email address and send an automatic reply to that address. This can be abused by spammers to send out mass emails from your website. Please turn the auto email reply off.
Keep WordPress Updated
WordPress releases security updates regularly to keep your website up to date and to stop known vulnerabilities from being exploited. We recommend you ask your website developer to install the updates.