7 Ways to Protect your WordPress site this Christmas

With the holiday season quickly approaching, many of us will be trying to watch what we eat so that we don’t need to tighten our belts come the New Year. In this article, I want to talk about how we can ‘tighten the belts’ of our WordPress sites in terms of security so that we don’t have any nasty surprises on December the 25th.

Below are seven steps that you may want to consider. Some items are more technical than others and ideally, you will have some access to technical support who can assist you with these (if you don’t have access to such support, then why not look at our pay as you go WordPress support service?).

If you are not confident with any steps below, please don’t attempt them until you are satisfied that you have adequate technical support in place.


If you aren’t familiar with hosting and servers, then ideally your WordPress website will be hosted on WordPress specialist hosting environments such as FlyWheel, Pagely, or WPengine. Because such hosting is specifically WordPress only, and as their network & infrastructure are tuned to the specific needs of WordPress, you’ll more than likely automatically be in a more secure environment just by using them.

However, migrating hosting is not a trivial project, so I’m not going to include that in this list. If you need help with hosting migration in the New Year, please speak to us.

1) Remove Admin account

By default, WordPress comes with an Administrator-level user called Admin. You want to create your own Administrator-level account (called whatever you like) and then delete this default Admin account.

Why? Because every WordPress installation gets this Admin account by default, so hackers will guess that account name first. Why make life easy for them?

Next, take a long hard look at all the other WordPress Administrator-level accounts set up on your website. Chances are, there are a few dead or dormant ones there associated with, say, people who have left your company or third-party companies you no longer work with. Such dead accounts should be deleted. By getting rid of dormant accounts, you are reducing the number of doorways that hackers can find into your website. Again, let’s not make it easy for them.

Note: sometimes your hosting company has their own Administrator account to your website; this should be kept. If in doubt, speak to your hosting company because, funnily enough, hackers know how to create accounts that look legitimate!
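The account review above can be scripted if your technical support has WP-CLI on the server. The following is an added example, not part of the original article: it compares the Administrator list against the logins you expect to exist, and the sample logins, e-mail addresses and allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit WordPress Administrator accounts against an allowlist.
# On a live site the input comes from WP-CLI:
#   wp user list --role=administrator --fields=user_login,user_email --format=csv

# audit_admins "login1 login2 ...": reads that CSV (header + rows) on stdin.
# The allowlist is an assumption: the logins you have confirmed should exist,
# including any account your hosting company has told you is theirs.
audit_admins() {
    awk -F',' -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1
        }
        NR == 1  { next }                 # skip the CSV header row
        $1 == "" { next }                 # skip blank lines
        {
            login = tolower($1)
            if (login == "admin")     print "DEFAULT-NAME " $1 " " $2
            else if (!(login in ok))  print "UNEXPECTED " $1 " " $2
            else                      print "OK " $1 " " $2
        }'
}

# Constructed sample data, not taken from a real site.
sample_admins() {
    cat <<'EOF'
user_login,user_email
admin,webmaster@example.com
site-owner,owner@example.com
old-agency,dev@former-agency.example
hosting-support,support@host.example
EOF
}

# Report for the sample: one default-name account, one unexpected account.
sample_admins | audit_admins "site-owner hosting-support"
```

Anything reported as DEFAULT-NAME or UNEXPECTED is a candidate for deletion once you have confirmed who owns it; `wp user delete <login> --reassign=<user-id>` removes the account and hands its posts to another user.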

2) Change Passwords

Now you have whittled the Administrator accounts down to just those who do need access to your site, I would encourage all of them to change their passwords; you can ask them to reset their passwords themselves or you can do this for them via the WordPress backend.

3) Plugin Housekeeping

Whilst you are in the spring (winter?!) cleaning mood, you might want to consider removing any plugins that your website does not need. The less code that runs on your website, the fewer opportunities for hackers to get in.

Next you want to look at updating any plugins where possible. You have to be careful here though; plugins are executable program code, sitting on your website and interacting with other executable code & plugins. Any update can potentially cause a problem. In fairness, reputable plugin vendors won’t release updates without testing them thoroughly first, but still, the risk remains. That being said, the risk of being hacked is probably greater – so keeping your plugins up to date is critical.

Modern WordPress allows you to enable auto-updates; in general, that should be your preferred route.

WordPress plugins – Enable Auto-updates
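The same housekeeping can be checked from the command line with WP-CLI. The following is an added example, not part of the original article: it turns the plugin list into a to-do list of unused plugins, pending updates and plugins with auto-updates switched off. The plugin names are constructed, and the field values are the ones recent WP-CLI versions print.

```shell
#!/bin/sh
# Added example: plugin housekeeping report.
# On a live site the input comes from WP-CLI:
#   wp plugin list --fields=name,status,update,auto_update --format=csv

# plugin_report: reads that CSV (header + rows) on stdin and prints one
# line per action item. Must-use plugins and drop-ins are ignored because
# they are not managed through the normal plugin update screen.
plugin_report() {
    awk -F',' '
        NR == 1 { next }                          # skip the CSV header row
        $2 == "inactive" { print "UNUSED " $1; next }
        $2 != "active" && $2 != "active-network" { next }
        $3 == "available" { print "UPDATE " $1 }
        $4 != "on"        { print "AUTO-UPDATE-OFF " $1 }
    '
}

# Constructed sample data, not taken from a real site.
sample_plugins() {
    cat <<'EOF'
name,status,update,auto_update
example-forms,active,available,off
example-seo,active,none,on
example-slider,inactive,none,off
example-cache,active,none,off
example-loader,must-use,none,off
EOF
}

# Follow-up commands for each kind of finding:
#   UNUSED           wp plugin delete <name>
#   UPDATE           wp plugin update <name>
#   AUTO-UPDATE-OFF  wp plugin auto-updates enable <name>
sample_plugins | plugin_report
```

Given the risk that any update can cause a problem, run the update commands on a staging copy or straight after a backup.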

4) Security Plugins

Ideally, you also want to install a security plugin such as iThemes Security Pro, or Sucuri, or WordFence (your website host may also have some recommendations here).

Such a plugin can help with many aspects of tightening up the security of your website. In truth, such plugins typically need additional configuration, and perhaps prior consideration of which options you wish to use, and which are right for your organisation (some we’ll touch on below).

5) Multi-Factor Authentication

Ok, scary-sounding title I know – but this is fantastic when it comes to securing your site.

Multi-factor authentication is where you need more than just a username and password to log in to your WordPress site. You also need a unique code which is sent to a device under your control (e.g. via email, or perhaps an app on your phone). This approach pretty much stops hackers from making a brute force attack by repeatedly guessing usernames and passwords (as they do not have access to your authentication device).

Whilst not necessarily for the faint-hearted, there are a few ways to achieve multi-factor authentication. The iThemes Security Pro Plugin discussed above has this feature built-in, as does Sucuri. You can also look at Duo or Traitware.

6) Locking down WP-ADMIN

iThemes Security Pro also allows you to implement security rules such as:

  • Restrict access to the website admin area to certain times of day (e.g. office hours only)
  • Restrict access to the website admin to a fixed set of IP addresses (e.g. office, home etc).

Both of these approaches can greatly reduce the opportunity for hackers to wander along and try to gain entry to your website.

7) Web Application Firewall

If you imagine that all the traffic coming to your website travels through a pipe – technology can scan all of that traffic and automatically block things that look harmful (like someone trying to hack your website). In the context of WordPress, such an approach is typically called a ‘Web Application Firewall’ (or WAF for short).

One solution here is to use CloudFlare and its Web Application Firewall (WAF). CloudFlare charges $20 a month for their Pro account (which includes the WAF). Yes, you’ll need to move your DNS records to CloudFlare (who need to act as nameservers for your domain); but that is not as scary as it sounds – again, we can help if needed.

Note: if you have gone the Sucuri route in terms of WordPress security plugin, they too have a similar WAF service.

The End

Hopefully, some of those tips are useful to you with securing your website. Don’t panic if you don’t get a chance to do some/all of them – the key is that you are aware of these points and that you’ll put the appropriate ones in place for your website at the earliest opportunity.

If you have any comments, questions, or suggestions, then why not jump onto our Facebook Group and share your thoughts with like-minded WordPress website users. We also stream Facebook Live events to this group on all manner of WordPress and website related topics – see our upcoming events.

That just leaves me to wish you a Merry Christmas and a Happy New Year!

All the best for 2021.

Joel Hughes & all the team at Glass Mountains (whose superb technical knowledge is always of great use in articles such as these!).

