
WordPress Security. Not the internet’s most glamorous topic, but if you use WordPress for your website, it is a super important one. The trouble is that most of the information out there on WordPress security repeats the same basic tips:

1) Don’t use “admin” as your user name
2) Get a security plugin
3) Use strong passwords

And they are right to. These tips are great, they are the basis of securing your WordPress website, and everyone should follow them {if you haven’t implemented all of these tips, you can check out my blog post on Easy WordPress Security}. But just in case that doesn’t quench your thirst for WordPress security, here are three more WordPress security tips that you might not have seen before.

WordPress Security Tip #1
Have TWO accounts with administrative privileges

At first this might seem counterintuitive. Having multiple accounts + passwords to track for your website can seem daunting, and doesn’t a second admin account give the bad guys another way into your website? It does add one more login you have to protect, but hear me out.

I learned this the hard way, when one of my sites was the victim of a brute force password guessing attack. It went something like this:

Bot tries to guess password several times.
Security plugin says “hey, you don’t know the password. I’m locking you out for 15 minutes.”
Security plugin sends me an email saying “hey, I locked this user out.”

Awesome. My security plugin was doing exactly what I had asked it to. The problem was that the bot had my username. This meant that not only was the bot from Siberia locked out, I was locked out too.

I couldn’t log in to fix the problem, block the bot’s IP, or edit my site in any way. And when you consider that a brute force attack can last anywhere from 10 minutes to several days, that isn’t a situation you want to be in. A lockout that is keyed to the username rather than to the attacker’s IP address can be turned against you: anyone who knows your login name can keep you locked out for as long as they care to keep guessing.

The solution is to have a backup admin account for your website. I recommend a completely unguessable username and a super long random password {I cover how to choose usernames and set strong passwords in my Easy WordPress Security post}. Never publish anything under the backup account, so its username never shows up on your site, and keep its credentials in a password manager. Next time a bot gets your primary login locked out, you have a spare. {And if your security plugin lets you choose, locking out the attacking IP address instead of the targeted username avoids the problem in the first place.}
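Here is the same idea done from the command line, as an added example that is not part of the original post: a small bash script that uses WP-CLI {the `wp` command, which is assumed to be installed on your host} to create the backup administrator with a random 16-character username and a 32-character random password. The e-mail address is a placeholder. It also sets a nickname and display name so the login name never appears in a byline, and a random author slug so the account’s archive URL does not reveal it either.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Creates a backup
# administrator with WP-CLI ("wp" must be installed; run from the WordPress
# root or add --path=/path/to/wordpress). The e-mail address is a placeholder.

# Random lowercase alphanumeric string; reads a bounded chunk of /dev/urandom
# so the pipeline never hits SIGPIPE. Used for the username and author slug.
random_lower() {
  local len="${1:-16}"
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | head -c "$len"
}

# Random password from a 64-symbol alphabet: 32 characters is 192 bits,
# far beyond what any online guessing attack can reach.
random_password() {
  local len="${1:-32}"
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9_.' | head -c "$len"
}

# Create the account and print the credentials exactly once, so they can go
# straight into a password manager. Refuses to run without WP-CLI.
create_backup_admin() {
  local email="$1"
  local user pass slug
  user="$(random_lower 16)"
  pass="$(random_password 32)"
  slug="$(random_lower 12)"
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 1; }
  # --nickname/--display_name keep the login out of bylines; --user_nicename
  # keeps it out of the author archive URL (/author/<slug>/).
  wp user create "$user" "$email" \
    --role=administrator \
    --user_pass="$pass" \
    --nickname="Site Admin" \
    --display_name="Site Admin" \
    --user_nicename="$slug" >/dev/null || return 1
  printf 'backup admin created\nusername: %s\npassword: %s\n' "$user" "$pass"
}

# Usage (uncomment on a real site):
# create_backup_admin 'you@example.com'
```

Run it once, paste the two printed values into your password manager, and then never log in with that account unless the primary one is locked out.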

WordPress Security Tip #2
Set Nicknames for user accounts

Think back to the situation I described in the last tip. The bots trying to guess my password already had my username, but how? There are a lot of ways to scrape this data, and since I am not a hacker, I don’t know them all, but I do know that one way is by getting the username from blog posts.

So let’s say your website is brand new. You just created it, installed WordPress and, smart cookie that you are, you used a strong username + password combo. But if you were to go to that standard WordPress blog post that comes with each site {you know, that “Hello World” post}, you would probably see your username right there in the byline. Why? Because a new account’s nickname and public display name both default to the username.

Because that is the default, and so is that Hello World post, usernames are easy to scrape from websites. And a bot that already has your username only has the password left to guess, which is exactly the job brute force tools are built for.

The solution is to jump into the profile settings under “Users” in your WordPress dashboard, change the nickname from your username to an actual nickname, and then pick that nickname in the “Display name publicly as” dropdown {changing the nickname alone does not change what your site shows; the dropdown does}. I would recommend setting nicknames for everyone who has an account on your website, though users with administrative privileges are the priority. One caveat: the byline is not the only place the username leaks. By default the author archive URL {/author/your-username/, which WordPress redirects to from /?author=1} and the REST API’s user listing {/wp-json/wp/v2/users, for authors with published posts} use a slug that also defaults to the username, so check those two as well.
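To see whether those two other places still reveal a login name, here is an added example {not code from the original post}: a bash script that checks a site’s /?author=1 redirect and its REST user listing, and fixes a profile with WP-CLI. The site URL, the login names and the JSON sample are all made up for the example; curl and the `wp` command are assumed to be available on the machine you run it from.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Checks where a WordPress
# site exposes login names (author archive redirect, REST users endpoint)
# and fixes the profile fields with WP-CLI. Assumes curl and "wp" exist;
# site URL, logins and the sample JSON are placeholders/constructed data.

# The author slug is the last path segment of the redirect target:
#   https://example.com/author/alice/  ->  alice
author_slug_from_url() {
  local url="${1%/}"           # drop a trailing slash
  printf '%s' "${url##*/}"
}

# Pull every "slug" value out of a /wp-json/wp/v2/users response.
# grep/cut instead of jq so it works on a bare shared-hosting shell.
rest_user_slugs() {
  printf '%s' "$1" | grep -o '"slug":"[^"]*"' | cut -d'"' -f4
}

# True when a public slug is identical to a login name.
slug_leaks_login() {
  [ "$1" = "$2" ]
}

# Given a users JSON document and one or more login names, print the slugs
# that give a login away. Works offline on the constructed sample below.
leaking_slugs() {
  local json="$1"; shift
  local s l
  rest_user_slugs "$json" | while read -r s; do
    for l in "$@"; do
      if slug_leaks_login "$s" "$l"; then printf '%s\n' "$s"; fi
    done
  done
}

# Constructed sample response (not from a real site): the first user still
# has the default slug, the second has already been fixed.
SAMPLE_USERS='[{"id":1,"name":"Alice B.","slug":"alice"},{"id":2,"name":"Site Admin","slug":"x7k2p9q4"}]'

# Live check against a real site: follow /?author=1 and list REST slugs.
audit_site() {
  local site="${1%/}"; shift
  local redirect users
  redirect="$(curl -s -o /dev/null -w '%{redirect_url}' "$site/?author=1")"
  if [ -n "$redirect" ]; then
    echo "author archive slug: $(author_slug_from_url "$redirect")"
  fi
  users="$(curl -s "$site/wp-json/wp/v2/users")"
  leaking_slugs "$users" "$@" | sed 's/^/REST users endpoint reveals login: /'
}

# Fix one account: public name in bylines, random author slug. Note that a
# new slug changes the account's /author/<slug>/ URL, so old links to it break.
fix_user() {
  local login="$1" public_name="$2" slug
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 1; }
  slug="$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | head -c 12)"
  wp user update "$login" --nickname="$public_name" \
     --display_name="$public_name" --user_nicename="$slug"
}

# Usage (uncomment on a real site):
# audit_site 'https://example.com' alice
# fix_user alice 'Alice B.'
```

Run the audit with every login name on the site; any slug it prints is one a brute force bot can collect without guessing.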

WordPress Security Tip #3
Know your FTP access

This is my final tip that I feel isn’t talked about enough. Regardless of how awesome your username is, how strong your password is, and how perfectly you have configured your security plugin, there is always a chance that something will go wrong and lock you out of the wordpress backend.

It has happened to me more than once.

And what do you do then? One of the best ways to recover from WordPress problems is to access your website via FTP.

What is FTP? It stands for File Transfer Protocol {you can read more about it on wiki}, and it means accessing your server {the space you rent from your host} directly. You are bypassing the WordPress interface entirely and seeing the files on your server just as if you were looking at files on your computer.

This can be super daunting, but it is really important to have it in place. Even if you aren’t comfortable accessing and altering your website via FTP, having those credentials means you can hire someone to help you. FTP comes in handy when you get the WordPress White Screen of Death {renaming the plugins folder over FTP is the classic way out of that one}, when you have a file that is too large to upload through the WordPress interface, or when you need to restore your website from a backup.

Every host should give you FTP access, and you should already have credentials. Most hosts now also offer SFTP {FTP over SSH}, and you should use it whenever it is available: plain FTP sends your username, password and files across the internet unencrypted, while SFTP encrypts all of it. Keep these credentials in a safe place {a password manager, not a sticky note or an old email} and hopefully you never need them.

And there you have it, 3 more WordPress security tips. Learned in the trenches by yours truly.
Peace + Bandwidth,

