You probably heard about last month’s ransomware attack on the NHS. And there was another attack across Europe this week.

I don’t know about you, but this stuff scares the crap out of me.

(Can’t the intelligence services figure out who these people are and send the SAS to visit them? It’s what they deserve.)

Anyway… that got me thinking and I realised that, compared to most website owners, I know a lot about site security. (Much of this was learned the hard way.)

So, to help you protect your sites, here are some tips for WordPress security:

#1: Don’t use Admin

When I set up a new WP site, I create a new user with admin privileges. Then I delete the user called “Admin.”

That alone makes things far more difficult for attackers, because instead of only having to work out the password for “Admin,” they have to work out both your username AND your password.

Just doing this will foil most attacks.

#2: Use Wordfence

Wordfence is a free plugin. (There is a paid version, but I use the free one and it does a great job.)
It’s the most widely used WP security plugin and will prevent most attacks. You can read about it here:


#3: Install Login Lockdown

This is another free plugin. It blocks IP addresses that have had multiple failed login attempts. You set the rule as “X failed login attempts in Y minutes = block that IP address for Z hours.”

For example, my sites put the limit at 3 failures in 5 minutes = block the IP for 6 hours.

That’s enough to put the kibosh on most brute-force login attempts.

BTW, there is some overlap between this and Wordfence, but I like having both as extra security.
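To make the “X failures in Y minutes = block for Z hours” rule concrete, here is an added example (my own code, not the Login Lockdown plugin’s) that models it as a sliding window of failed attempts per IP and runs it over a few constructed login events. The IP addresses, timestamps and the choice to clear the failure counter after a successful login are all assumptions made for the demonstration; the defaults match the 3 / 5 / 6 settings above.

```python
"""Sliding-window login lockout: X failures within Y minutes blocks the IP for Z hours."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login events (timestamp, client IP, outcome).
# These are made-up lines for the demo, not real server logs.
SAMPLE_EVENTS = [
    ("2017-06-28 10:00:05", "203.0.113.7", "fail"),
    ("2017-06-28 10:00:09", "203.0.113.7", "fail"),
    ("2017-06-28 10:00:12", "203.0.113.7", "fail"),     # 3rd failure inside 5 min -> lockout
    ("2017-06-28 10:00:15", "203.0.113.7", "success"),  # a correct guess arrives too late
    ("2017-06-28 10:30:00", "198.51.100.4", "fail"),
    ("2017-06-28 10:40:00", "198.51.100.4", "fail"),
    ("2017-06-28 10:50:00", "198.51.100.4", "fail"),    # 3 failures, but spread over 20 min
    ("2017-06-28 10:51:00", "198.51.100.4", "success"),
    ("2017-06-28 16:00:20", "203.0.113.7", "success"),  # 6 h after the lockout -> allowed again
]


class LoginLockdown:
    """Simplified model of an IP lockout policy (assumption: not the plugin's own logic)."""

    def __init__(self, max_failures=3, window_minutes=5, block_hours=6):
        self.max_failures = max_failures
        self.window = timedelta(minutes=window_minutes)
        self.block_for = timedelta(hours=block_hours)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> datetime when the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.blocked_until[ip]  # block has expired, forget it
        return False

    def attempt(self, ip, when, outcome):
        """Decide one login attempt: 'blocked', 'allowed', 'rejected' or 'lockout'."""
        if self.is_blocked(ip, when):
            return "blocked"            # dropped before the password is even checked
        if outcome == "success":
            self.failures[ip].clear()   # assumption: a good login resets the counter
            return "allowed"
        recent = self.failures[ip]
        while recent and when - recent[0] > self.window:
            recent.popleft()            # drop failures older than the window
        recent.append(when)
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = when + self.block_for
            recent.clear()
            return "lockout"            # this failure triggered the block
        return "rejected"               # wrong password, not yet locked out


def simulate(events, policy=None):
    """Run the policy over (timestamp, ip, outcome) tuples and return the decisions."""
    policy = policy or LoginLockdown()
    decisions = []
    for stamp, ip, outcome in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        decisions.append(policy.attempt(ip, when, outcome))
    return decisions


if __name__ == "__main__":
    for (stamp, ip, outcome), decision in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"{stamp}  {ip:<13} {outcome:<8} -> {decision}")
```

The second IP in the sample shows why the window matters: three failures spread over twenty minutes never trip a 5-minute window, but would trip a 30-minute one, so a slow, patient guesser needs a wider window (or a lower threshold) to be caught.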

#4: Back up your website

Either use a webhost that does regular backups, or do your own backups. That way, if the worst does happen and your site is hacked, you can quickly get it up and running again.
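Here is an added example of the do-it-yourself route (my own code, not from any host or plugin): it archives a site directory, records a SHA-256 checksum beside the archive, reads every file back out of the archive to prove it can be restored, and prunes old copies. The directory layout, file contents and the seven-copy retention are constructed for the demo; on a real site you would point it at your WordPress root and add a database dump alongside.

```python
"""Back up a site directory, checksum the archive, verify it restores, and prune old copies."""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _digest(stream):
    """SHA-256 of a binary stream, read in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def tree_digests(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            with open(p, "rb") as f:
                out[p.relative_to(root).as_posix()] = _digest(f)
    return out


def make_backup(site_dir, backup_dir, stamp=None):
    """Archive site_dir to backup_dir/site-<stamp>.tar.gz and write a .sha256 sidecar."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    with open(archive, "rb") as f:
        digest = _digest(f)
    Path(str(archive) + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return archive


def verify_backup(archive):
    """Check the sidecar checksum, then read every file out of the archive.

    Nothing is written to disk; the function returns the relative path -> sha256
    map it reconstructed, so it can be compared with tree_digests() of the source.
    """
    archive = Path(archive)
    recorded = Path(str(archive) + ".sha256").read_text().split()[0]
    with open(archive, "rb") as f:
        if _digest(f) != recorded:
            raise ValueError("checksum mismatch: archive is corrupt or has been altered")
    restored = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                rel = member.name.split("/", 1)[1]  # strip the leading "site/"
                restored[rel] = _digest(tar.extractfile(member))
    return restored


def prune_backups(backup_dir, keep=7):
    """Delete the oldest archives (and sidecars) beyond the newest `keep`; return their names."""
    archives = sorted(Path(backup_dir).glob("site-*.tar.gz"))
    removed = []
    for old in archives[: max(len(archives) - keep, 0)]:
        Path(str(old) + ".sha256").unlink()
        old.unlink()
        removed.append(old.name)
    return removed


def run_demo():
    """Build a constructed site, take eight daily backups, verify, tamper, prune."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed placeholder config\n")
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
        backups = Path(tmp) / "backups"
        for day in range(1, 9):  # eight "daily" backups with constructed timestamps
            latest = make_backup(site, backups, stamp=f"201706{day:02d}-020000")
        restore_matches = verify_backup(latest) == tree_digests(site)
        oldest = sorted(backups.glob("site-*.tar.gz"))[0]
        with open(oldest, "r+b") as f:  # flip one byte to simulate a corrupted copy
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        try:
            verify_backup(oldest)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        pruned = prune_backups(backups, keep=7)
        return {"restore_matches": restore_matches, "files": 2,
                "tamper_detected": tamper_detected, "pruned": len(pruned),
                "remaining": len(list(backups.glob("site-*.tar.gz")))}


if __name__ == "__main__":
    print(run_demo())
```

The verification step is the part most people skip: a backup that was never read back is only a hope, and the checksum sidecar lets you spot a copy that was corrupted or altered after it was taken. Keep at least one copy somewhere the web server cannot write to, or a hack that wipes the site can wipe its backups too.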

Hope these 4 tips were useful, and help you win the war against these scumbag hackers.

All the best,

Steve Gibson