Don’t make it easy for attackers

WordPress is a great tool. So great that it powers about 1 out of every 4 sites on the internet by some estimates. With fame comes risk.


Wordpress is attacked more than other CMSes because of its popularity (kind of like Microsoft Windows being the target of so many viruses and malware for so long because there were so many targets). You don’t have to make it easy for the attackers.

If you’re running your site on WordPress, take a few precautions to make it harder for the bad guys to get in:

  • Don’t use admin as the administrative username — it is the most tried name for brute force logins
  • Set file and folder permissions conservatively — no one from the internet needs to be able to read wp-config.php and most of your files don’t need to be executable
  • Use .htaccess to further protect critical files and folders — lock down the wp-admin folder and wp-config.php, for example
  • Minimize plugins, only use reputable plugins and keep them up to date
  • Use reputable themes and keep them up to date
  • Keep WordPress up to date
  • Use a security plugin — we’re fond of Wordfence but at the very least, use something that limits login attempts!
  • Consider locking out countries that don’t have a reason to use your site — this isn’t right for every site but if you exist solely to serve your local community, IP address ranges from foreign countries really have no need to be able to try to login (hint: some security plugins make this fairly easy to do)
  • Use a trustworthy hosting provider — the absolute lowest price isn’t always a great deal
  • Backup often and test restore the backups to a staging server or local instance to make sure the data is usable — when the unthinkable happens, recovery is a lot easier with a good backup on hand

In future posts we’ll detail how to accomplish some of these protections. Some are also covered in our free eBook, “WordPress for Conservation & Land Trusts“.