Have you ever thought about the security of your WordPress installation? Or rather has your installation ever been attacked or hacked?

Security is one of the most important concerns for any developer. In this article, I would like us to discuss ways of making your installation secure against attackers who might want to hijack your work and gain unauthorised access.

There are several factors to check in making your installation secure, ranging from the strength of your passwords to setting permissions correctly. There are also plugins available for securing an installation, but most of them come with limitations: some are very difficult to use and others cause a lot of traffic or conflict with other plugins. I am going to talk about some of the things that you can do to make sure that your installation of WordPress is secure.


One of the things that every WordPress developer knows is that WordPress installations use wp-login as the default login page and admin as the default username. These are some of the most common defaults that hackers can use to try to force access to your WordPress installation. With those two, the only value they might not have is the password, but they can write scripts that attempt to guess it, and if they gain access, the result could be terrible. Another default value that hackers know is the prefix of the database table names, which is wp_ by default. These three defaults are known to everyone, and even though we might not have evidence of them being used, why not make things harder for the hackers? These values can be changed during installation of WordPress, or in the settings of an installation that already exists.

During installation of WordPress, the default values are always suggested. You can see them on the screens that follow once you click on the ‘Let’s go’ button.

In the screen above, the default prefix value for tables is set as wp_. This is common with all WordPress installations. You will be doing yourself some good by changing this to any other prefix, avoiding the default value.

After that screen, you are taken to the screen below.

Here, we can see that the username has a default value of admin. It is advisable to change this to a different username. If you interact with your users, you might be afraid that they will still get to see the name you chose. In that case, you can choose a nickname in settings, and that is the name they will see. Try as much as possible to pick a username that cannot be identified with you, so avoid something like your own name. You will also be prompted to pick your password here. Make sure that the password you pick is very strong; you can see the password strength as you enter it.


If you did not change the default values during installation of WordPress, you can still change them. I would advise you to always change them during installation since it is quite easy and straightforward. The table prefix is one of the more sensitive things to change afterwards because it touches so much of the database. If you make undesirable changes to the database while doing this and have not backed it up, your site will no longer be accessible.
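As an added illustration (not code from the original article), the sketch below generates the SQL needed to move an existing single-site installation from one table prefix to another, including the option and user-meta keys that WordPress stores with the prefix in front. The function names and the sample prefix `k7x_` are made up for the example, and it assumes only the core tables exist; plugin tables have to be added to the list. Run the output only against a backed-up database.

```python
import re

# WordPress core tables of a single-site install, named without the prefix.
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "term_relationships", "term_taxonomy", "termmeta", "terms",
               "usermeta", "users"]
# Core user-meta keys that WordPress stores with the table prefix in front.
PREFIXED_USERMETA = ["capabilities", "user_level", "user-settings",
                     "user-settings-time", "dashboard_quick_press_last_post_id"]
# A table prefix may only contain letters, digits and underscores.
PREFIX_RE = re.compile(r"[A-Za-z0-9_]+")


def prefix_migration_sql(old, new, tables=CORE_TABLES):
    """Return the SQL statements that move an install from `old` to `new`."""
    for prefix in (old, new):
        if not PREFIX_RE.fullmatch(prefix):
            raise ValueError(f"invalid table prefix: {prefix!r}")
    if old == new:
        raise ValueError("new prefix is the same as the old one")
    # A single RENAME TABLE statement renames all tables atomically in MySQL.
    pairs = ", ".join(f"`{old}{t}` TO `{new}{t}`" for t in tables)
    stmts = [f"RENAME TABLE {pairs};"]
    # The role definitions live in an option whose name carries the prefix.
    stmts.append(f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
                 f"WHERE option_name = '{old}user_roles';")
    # Without these renames every user, administrators included, loses their role.
    for key in PREFIXED_USERMETA:
        stmts.append(f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
                     f"WHERE meta_key = '{old}{key}';")
    return stmts


def wp_config_line(new):
    """The line wp-config.php must contain once the tables are renamed."""
    if not PREFIX_RE.fullmatch(new):
        raise ValueError(f"invalid table prefix: {new!r}")
    return f"$table_prefix = '{new}';"


if __name__ == "__main__":
    # 'k7x_' is a constructed sample prefix.
    print("\n".join(prefix_migration_sql("wp_", "k7x_")))
    print(wp_config_line("k7x_"))
```
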


As I mentioned earlier, having admin as your username is not secure. If you have an installation with admin as the username, you do not have to worry, although there is no simple way of renaming it apart from creating another user. You then delete the admin account, of course only after creating the new account!

The first step to do this is logging in to your dashboard and clicking on users. You can add a new user by clicking on the Add New menu option. Here, set the username to something else, of course avoiding your real name which could be risky to use, or easy to guess.

After this, fill in the other required fields, which include the password, email, first and last names and website. You can leave the website and last name blank if you do not want them. Remember to use a very strong password, and set the role to administrator.

Now, you can log out of WordPress and log back in using the new username that you have just created. Going back to users on the dashboard, you can see now that you have two users, the new one and the one that you had. We need to delete the user with username admin. When you hover the cursor over it, you can see extra options such as edit and delete. Click on delete to remove it completely. See the image below.

To add a nickname to the new user, simply click on profile on the sidebar. This will bring up a form where you can add a nickname that will be visible to website users if you interact with them.


An attacker might get into a situation where they are trying to guess one password after another in order to gain access to your installation. This is a brute force attack. One of the best ways to avoid this is to make sure that you are not using common passwords.

There is a plugin called Bulletproof Security that is used to limit the number of times a user is allowed to guess a password, or to attempt a login. This plugin suspends a visitor for an hour if they enter the wrong password three consecutive times. You can use it by logging into your dashboard, then going to plugins and add new. Once installed, launch it from the sidebar and simply select the default options and save.
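To make the lockout rule concrete, here is an added sketch (not the plugin's code and not part of the original article) of the policy described above: three consecutive wrong passwords suspend a visitor for an hour, and a successful login resets the count. The class name, function names and sample events are constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3        # consecutive wrong passwords before suspension (per the article)
LOCKOUT_SECONDS = 3600  # suspension length of one hour (per the article)


@dataclass
class LoginThrottle:
    failures: dict = field(default_factory=dict)      # visitor -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # visitor -> unlock timestamp

    def is_locked(self, visitor, now):
        return now < self.locked_until.get(visitor, 0)

    def attempt(self, visitor, password_ok, now):
        """Process one login attempt; return 'locked', 'ok' or 'denied'."""
        if self.is_locked(visitor, now):
            return "locked"  # rejected before the password is even considered
        if password_ok:
            self.failures.pop(visitor, None)  # a success resets the streak
            return "ok"
        count = self.failures.get(visitor, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[visitor] = now + LOCKOUT_SECONDS
            self.failures.pop(visitor, None)
        else:
            self.failures[visitor] = count
        return "denied"


def replay(events):
    """Feed (time, visitor, password_ok) events through a fresh throttle."""
    throttle = LoginThrottle()
    return [throttle.attempt(visitor, ok, t) for t, visitor, ok in events]


# Constructed sample events: (unix time, visitor IP, password correct?)
SAMPLE = [
    (0, "203.0.113.7", False),
    (10, "203.0.113.7", False),
    (20, "203.0.113.7", False),   # third consecutive failure: suspended
    (30, "203.0.113.7", True),    # correct password, but the visitor is locked out
    (40, "198.51.100.4", False),
    (50, "198.51.100.4", True),   # success resets this visitor's streak
    (60, "198.51.100.4", False),
    (3620, "203.0.113.7", True),  # one hour after the suspension started
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", outcome)
```
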

The admin area location is another value that is targeted by hackers. To protect it, you can add a basic trap that redirects attackers in case they manage to get past the Bulletproof Security plugin. Stealth Login Page is a plugin that can be used for this purpose. After installing this plugin, launch it from the sidebar and enable it. Then add a pin, and a URL that attackers will be redirected to if they try to gain access to your login page. The image below shows what the plugin looks like when launched.

The pin is important. It will be added to your login page, and you will need it to be able to login to your dashboard.


The measures discussed above will no doubt help you secure your WordPress installation. There is no limit to the things you can do to make sure that your installation is safe. There are other things you can do such as limiting users with admin roles, using LastPass or Clef, avoiding the use of repetitive passwords among others.
