WordPress Security


Michiel Heijmans

Michiel is a partner at Yoast and our COO. Internet veteran. His main goal with most of his articles is to kick-start your site optimization. So much to do!

If you’re working with or using WordPress, then you should always think about your site’s security. WordPress isn’t inherently less secure than other platforms, but its huge install base and the sheer number of plugins, themes and third-party add-ons make it a common target for automated attacks. Don’t worry though: there are some basic steps you can take to keep your site safe, even if you’re not very tech-savvy!



1. Don’t use ‘admin’ as a username

A large share of WordPress ‘hacks’ and attacks aren’t sophisticated at all: they are bots that try to brute-force their way into your admin area by guessing passwords on the login page. That’s easier for them if they don’t also have to guess your username, and ‘admin’ is the first one every bot tries. One caveat: WordPress usernames are often discoverable anyway (for example through author archive URLs or the REST API), so picking an unusual username trims the low-effort attacks but is no substitute for the strong password and two-factor authentication covered below.

If you’re working with an older site that already has an ‘admin’ user, it’s time to create a new administrator account with a different username, log in as that account, and delete the old ‘admin’ user. When you delete a user, WordPress asks whether to attribute that user’s content to another account, so no posts or pages are lost.

2. Use a complex password

A better password is much harder to guess or to brute-force. An easy tip to remember is CLU: Complex. Long. Unique.

But long, unique passwords are hard to remember, right? That’s where password managers like 1Password and LastPass come in: each has a built-in generator. You set the required length, it generates a random password, you save it alongside the login URL, and you move on with your day. A length of 20 characters is a good baseline, and including less usual characters like # or * adds to the mix. Of the three letters in CLU, length and randomness do most of the work: every extra random character multiplies the number of guesses an attacker needs. Unique matters because attackers routinely try passwords leaked from other sites against WordPress logins; a password reused from a breached service is as good as no password at all.

3. Add two-factor authentication

Even if you’re not using ‘admin’ and have a strong, randomly generated password, a password on its own can still be stolen: phished, captured by malware, or leaked from another service where it was reused. Don’t worry though, two-factor authentication can help protect your site.

The principle is that, rather than just entering your login details, you also confirm that you’re you by entering a one-time code from another device you own (usually through an app on your phone). The code changes every 30 seconds and is computed from a secret that never leaves your phone and your site, so an attacker who knows only your password is still locked out.

Two popular plugins for handling two-factor authentication in WordPress are Google Authenticator and the Rublon plugin (which takes a slightly different approach). Just make sure that you don’t lose your backup codes, or you might find yourself



This article was written by Michiel Heijmans and originally published on SEO blog • Yoast.

Disclosure: Some of the links in this post are "affiliate links." This means if you click on the link and purchase the product, We may receive an affiliate commission.
