WordPress security in a few easy steps

1. Don’t use ‘admin’ as a username

Most WordPress ‘hacks’ and attacks don’t do anything more sophisticated than try to brute-force their way into your admin area by guessing your password. That’s much easier for them to do if they don’t also have to guess your admin username! Avoiding common words (like admin) for your usernames can make brute-force attacks much less effective.

If you’re working with an older site that already has an ‘admin’ user, it might be time to delete that account and transfer any content or access to a more secure username!

2. Use a complex password

Having a better password can make it much harder to guess or to brute-force. An easy tip to remember is CLU: Complex. Long. Unique.

But longer, unique passwords can be hard to remember, right? That’s where tools like 1Password and LastPass come into play, as they each have password generators. You type in the required length, and it generates a password for you. You save the link, save the password, and move on with your day. Depending on how secure you want the password to be, it’s sensible to set a long password (20 characters is good) and decide on things like the inclusion of less usual characters like # or *.

3. Add two-factor authentication

Even if you’re not using ‘admin’ and have a strong, randomly generated password, brute-force attacks can still be a problem. Don’t worry though, two-factor authentication can help protect your site.

The principle is that, rather than just entering your login details, you also need to confirm that you’re you by entering a one-time code from another device you own (usually through an app on your phone). That’s much harder for attackers to fake!

Two popular plugins for handling two-factor authentication in WordPress are the Google Authenticator and Rublon Plugin (which takes a slightly different approach). Just make sure that you don’t lose your backup codes, or you might find yourself locked out.

4. Employ the principle of least privilege

The WordPress.org team has put together a great article in the WordPress Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to the following step.

The concept of least privilege is simple. Only give permissions to:

  • those that need it,
  • when they need it and
  • only for the time they need it.

If someone requires temporary administrator access for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.

Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles, and you’ll greatly reduce your security risk.

5. Hide wp-config.php and .htaccess

Your wp-config.php and .htaccess files are critical to your WordPress security. They often contain your system credentials and expose information about your site’s structure and configuration. Ensuring that attackers can’t gain access to them is vital.

Hiding these files is relatively easy to do, but doing it wrong might make your site inaccessible. Make a backup and proceed with caution. Yoast SEO for WordPress makes this process somewhat easier for you. Just go to “Tools > File Editor” to edit your .htaccess.

For better WordPress security, you will need to add this to your .htaccess file to protect wp-config.php:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

That will prevent the file from being accessed. Similar code can be used for your .htaccess file itself:

<Files .htaccess>
order allow,deny
deny from all
</Files>
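One caveat: the `order`/`deny` directives above are Apache 2.2 syntax. Apache 2.4 uses `Require` instead, and on a 2.4 server without the compatibility module those lines cause a configuration error that takes the whole site down. The fragment below is an added example, not part of the original post; it protects both files in one block and picks the syntax that matches the running Apache version:

```apache
# Block direct HTTP requests to wp-config.php and to any .ht* file
# (.htaccess, .htpasswd). Apache 2.4 ships mod_authz_core and understands
# "Require"; Apache 2.2 needs the older "Order"/"Deny" pair. The IfModule
# guards ensure only the directives the server understands are loaded.
<FilesMatch "^(wp-config\.php|\.ht.*)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

After saving, request /wp-config.php and /.htaccess on your site in a browser: each should return 403 Forbidden while the rest of the site still loads normally.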
