WordPress Sites – Security and Essential Plugins

It took us a long time to embrace open source platforms, but once we did we accepted that they were going to be the way forward. With the mass availability of themes at very little cost, it takes a lot to shy away from them and revert to basic HTML mark-up for a general day-to-day website.

WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. WordPress is both free and priceless at the same time.

More simply, WordPress is what you use when you want to work with your blogging software, not fight it.

As it is open source software it is regularly updated and is free, which of course is great news, but with that comes the associated problem that attackers have easy access to the source code, and WordPress sites are attacked on a regular basis.

In this blog post we will discuss the steps that we consider an absolute minimum when installing and configuring your WordPress site, so as to protect your website as much as possible from the hacking attempts that it will inevitably receive.

Similar advice applies (although it is not covered in this post) to all other self-hosted software: shopping cart systems, survey systems, etc.

Database Prefix
The WordPress database is the brain of your entire site: every single piece of information is stored in there, which makes it a hacker’s favourite target. Spammers and hackers run automated SQL injection scripts, and by retaining the default database prefix ‘wp_’ you make it easier for them to plan a mass attack.

Therefore, when setting up the database, make sure that you do not use the standard database prefix of “wp_”.
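The prefix lives on one line of wp-config.php (`$table_prefix = 'wp_';`). The following Python is an added example, not code from the post or from WordPress: it audits a wp-config.php for the default prefix, generates a random one that stays within the character set the WordPress installer accepts (letters, digits and underscores), and rewrites the line. The wp-config contents are constructed for the demonstration. Keep in mind that a non-default prefix only raises the cost of blind, mass-produced attacks; it does not fix an injectable query, so it is a layer on top of patched, well-written code, not a substitute for it.

```python
"""Audit and change the WordPress table prefix in wp-config.php.

Added example, not from the original post or from WordPress. It assumes the
standard form of the line ``$table_prefix = 'wp_';``; the wp-config text
below is constructed for demonstration only.
"""
import re
import secrets
import string
from typing import Optional

# The WordPress installer only accepts prefixes made of letters, digits and
# underscores, so both the matcher and the generator stay inside that set.
PREFIX_RE = re.compile(
    r"""^[ \t]*\$table_prefix\s*=\s*(['"])([A-Za-z0-9_]*)\1[ \t]*;""", re.MULTILINE
)
DEFAULT_PREFIX = "wp_"

# Constructed sample of a freshly written wp-config.php (not a real file).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
"""


def current_prefix(config_text: str) -> Optional[str]:
    """Return the table prefix declared in a wp-config.php, or None if absent."""
    m = PREFIX_RE.search(config_text)
    return m.group(2) if m else None


def uses_default_prefix(config_text: str) -> bool:
    """True when the config still carries the default 'wp_' prefix."""
    return current_prefix(config_text) == DEFAULT_PREFIX


def generate_prefix(length: int = 6) -> str:
    """Generate a random, WordPress-valid prefix such as 'k3q9zf_'.

    The first character is a letter so table names never start with a digit;
    the trailing underscore keeps the resulting table names readable.
    """
    alphabet = string.ascii_lowercase + string.digits
    body = secrets.choice(string.ascii_lowercase) + "".join(
        secrets.choice(alphabet) for _ in range(length - 1)
    )
    return body + "_"


def set_prefix(config_text: str, new_prefix: str) -> str:
    """Return the config text with the $table_prefix line replaced.

    On an existing site this line is not enough on its own: the tables and
    the prefixed option/usermeta keys must be renamed as well, so change the
    prefix before installation or with a tool that renames both.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", new_prefix):
        raise ValueError("prefix may only contain letters, digits and underscores")
    if current_prefix(config_text) is None:
        raise ValueError("no $table_prefix line found")
    return PREFIX_RE.sub(f"$table_prefix = '{new_prefix}';", config_text, count=1)


if __name__ == "__main__":
    if uses_default_prefix(SAMPLE_WP_CONFIG):
        print("default prefix found; rewriting")
        print(set_prefix(SAMPLE_WP_CONFIG, generate_prefix()))
```

Run it against a real wp-config.php by reading the file into `config_text`; `uses_default_prefix` is the quick check to add to a post-install review.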

Administrator Username
The standard username for the Administrator, with all the powers to change anything on your site, is “admin”; never ever use this username or allow it to be registered as a user!

At the point of installation/set-up, use an administrator username that is random and not easy for anyone to guess. Only ever use this admin account for installation, set-up and subsequent configuration of your WordPress site; never use it to make posts or write pages.

Once your site is set up and configured, set up another user account with the role of Editor (somebody who can publish and manage posts, including the posts of other users) or Author (somebody who can publish and manage only their own posts). We would suggest the role of Editor for the site owner/administrator and Author for other people you wish to have full access to make posts on your WordPress site; an Author cannot write or edit pages, whilst an Editor can. You can read more about WordPress roles here: http://codex.wordpress.org/Roles_and_Capabilities

When setting up the users, always set the public Display Name to something other than the login username.

Whilst we are talking about Usernames, it may be an idea for you to have a read through our article on Usernames and Passwords.

Plugins
There are many thousands of different plugins available to do just about anything you can think of with a WordPress site, the majority of which are free to download and use. Those that charge for their plugin usually offer a ‘light’ version that does the basics free of charge; thereafter you can purchase the enhanced version if you can see added value for the purchase cost.

Several plugin authors may ask you for a voluntary contribution to use the plugin. In our opinion, if you see a benefit from using the plugin, and expect free updates and compatibility with the latest versions of WordPress going forward, it is only right that you make an appropriate donation. If no one did, the plugin author would eventually get fed up of updating it and you would need to replace it relatively quickly.

Below are a few plugins that we consider almost an absolute necessity to assist you with the day-to-day management of your WordPress site and its security. By default, all WordPress installations that we work with have as a minimum the following:

Wordfence Security

Wordfence is a leading security solution for WordPress. It provides a complete anti-virus and firewall package for your WordPress website, including two-factor authentication, a firewall incorporating machine learning, and tools to help recover from a hack.

Wordfence Security is available free. Simply sign into your WordPress website, go to Plugins > Add New and search for ‘wordfence’.

The premium version includes enterprise WordPress security features like two-factor authentication and country blocking; however, see below for two-factor authentication via the Google Authenticator plugin.

Google Authenticator

The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.

If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail/Dropbox/LastPass/Amazon etc.

The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.

If you need to maintain your blog using an Android/iPhone app, or any other software using the XML-RPC interface, you can enable the App password feature in this plugin, but please note that enabling the App password feature will make your blog less secure.

Google Authenticator is available free. Simply sign into your WordPress website, go to Plugins > Add New and search for ‘Google Authenticator’ by Henrik Schack.

Google Authenticator – Per User Prompt

The Google Authenticator plugin is a great way to add two-factor authentication to your site, but it does have one major drawback: it asks every user for the authentication token, regardless of whether they have 2FA enabled or not. This can be confusing for users, which prevents some administrators from using the plugin on multi-user sites.

This plugin modifies the way that Google Authenticator behaves so that only users who have it enabled are prompted for the token. If a user doesn’t have it enabled, then they’ll proceed directly to the Administration Panels; if they do have it enabled then they’ll be prompted to enter their 2FA code.

Google Authenticator – Per User Prompt is available free. Simply sign into your WordPress website, go to Plugins > Add New and search for ‘Google Authenticator – Per User Prompt’ by Ian Dunn.
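The two plugin sections above rely on two things a site owner rarely sees: what the Google Authenticator app actually computes from the shared secret (the RFC 6238 time-based one-time password), and the server-side rule the Per User Prompt plugin adds (only prompt a user who has a secret enrolled). The Python below is an added example, not code from either plugin or from WordPress; the user records, the Base32 secret and the timestamps are constructed for the demonstration. It also goes slightly beyond the text by accepting one 30-second step of clock drift either side, which is what real verifiers do.

```python
"""Time-based one-time passwords (RFC 6238) plus a per-user prompt rule.

Added example, not code from the Google Authenticator plugin, the Per User
Prompt plugin or WordPress. USERS is a constructed stand-in for user meta.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current window and `window` steps either side.

    hmac.compare_digest keeps the comparison constant-time so a mismatch does not
    leak which digit was wrong.
    """
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def decode_app_secret(base32_secret: str) -> bytes:
    """The Google Authenticator app stores the shared secret as Base32 (padding optional)."""
    cleaned = base32_secret.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# Constructed user table: only 'site-admin' has enrolled in two-factor auth.
USERS: Dict[str, Dict[str, Optional[str]]] = {
    "site-admin": {"role": "administrator", "totp_secret": "JBSWY3DPEHPK3PXP"},
    "editor-jane": {"role": "editor", "totp_secret": None},
}


def second_factor_required(username: str) -> bool:
    """The per-user prompt rule: ask for a token only if this user has a secret enrolled."""
    user = USERS.get(username)
    return bool(user and user["totp_secret"])


def login(username: str, password_ok: bool, code: Optional[str],
          unix_time: Optional[int] = None) -> bool:
    """Second stage of login. The password check is assumed done; decide on the token."""
    if not password_ok:
        return False
    if not second_factor_required(username):
        return True          # no prompt: the behaviour the Per User Prompt plugin adds
    if code is None:
        return False         # enrolled user, but no token supplied
    secret = decode_app_secret(USERS[username]["totp_secret"])
    now = int(time.time()) if unix_time is None else unix_time
    return verify_totp(secret, code, now)


if __name__ == "__main__":
    secret = decode_app_secret(USERS["site-admin"]["totp_secret"])
    print("current code for site-admin:", totp(secret, int(time.time())))
    print("editor-jane needs a token:", second_factor_required("editor-jane"))
```

The `hotp` and `totp` functions reproduce the RFC 4226/6238 test vectors (secret `12345678901234567890`, counter 1 and time 59 both give `287082`), so the same code can be used to check that a server and the app agree before rolling 2FA out to every account.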

Backup Programs

When it comes to software installations we can say no more than: backup, backup and backup. One day you will thank yourself for making the effort, and in this day and age offsite backup for many server software installations can be done for free!

BackWPup Free

The backup plugin BackWPup Free can be used to save your complete installation, including /wp-content/, and push it to an external backup service such as Dropbox, S3, FTP and many more (see the list below). With a single backup .zip file you are able to easily restore an installation.

• Database Backup (needs mysqli)
• WordPress XML Export
• Generate a file with installed plugins
• Optimize Database
• Check and repair Database
• File backup
• Backups in zip, tar, tar.gz, tar.bz2 format (needs gz, bz2, ZipArchive)
• Store backup to directory
• Store backup to FTP server (needs ftp)
• Store backup to Dropbox (needs curl)
• Store backup to S3 services (needs curl)
• Store backup to Microsoft Azure (Blob) (needs PHP 5.3.2, curl)
• Store backup to RackSpaceCloud (needs PHP 5.3.2, curl)
• Store backup to SugarSync (needs curl)
• PRO: Store backup to Amazon Glacier (needs PHP 5.3.3, curl)
• PRO: Store backup to Google Drive (needs PHP 5.3.3, curl)
• Send logs and backups by email
• Multi-site support only as network admin
• Pro version and support available – BackWPup Pro

BackWPup Free is available free. Simply sign into your WordPress website, go to Plugins > Add New and search for ‘BackWPup Free’ by Inpsyde GmbH.


Once you have installed BackWPup Free you will need somewhere to save your backed-up files. Use a Dropbox account: you can sign up for free at http://www.dropbox.com and get 2GB of storage absolutely free, which should be sufficient for several daily backups of your WordPress site.
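A backup you have never restored is only a hope. The Python below is an added example, not code from BackWPup or from the original post: it builds a small constructed stand-in for a wp-content tree, zips it the way a file backup does, then restores the archive into a separate directory and compares a SHA-256 digest of every file against the original. The same check run against a plugin's .zip (after downloading it from Dropbox or S3) tells you the offsite copy is actually usable; the `tamper` option shows the check failing when the site has drifted from what was backed up.

```python
"""Zip a (constructed) wp-content tree, restore it elsewhere, and verify.

Added example, not from the BackWPup plugin or the original post. Everything
is written under a temporary directory, so it runs offline without WordPress.
"""
import hashlib
import tempfile
import zipfile
from pathlib import Path
from typing import Dict

# Constructed stand-in for a site's wp-content directory (paths and bytes invented).
SAMPLE_TREE = {
    "themes/mytheme/style.css": b"/* Theme Name: mytheme */\n",
    "plugins/wordfence/wordfence.php": b"<?php // plugin bootstrap\n",
    "uploads/2019/01/logo.png": b"PNG placeholder bytes\n",
}


def build_sample_site(root: Path) -> Path:
    """Write SAMPLE_TREE under root/wp-content and return that directory."""
    content = root / "wp-content"
    for rel, data in SAMPLE_TREE.items():
        path = content / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return content


def sha256_tree(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def backup_to_zip(source: Path, archive: Path) -> int:
    """Zip the whole tree with relative member names; return the number of files written."""
    count = 0
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                zf.write(path, arcname=path.relative_to(source).as_posix())
                count += 1
    return count


def restore_and_verify(archive: Path, expected: Dict[str, str], dest: Path) -> bool:
    """CRC-check the archive, refuse unsafe member names, extract, and compare digests."""
    with zipfile.ZipFile(archive) as zf:
        # Refuse members that would escape dest (absolute paths or '..' components).
        for name in zf.namelist():
            if Path(name).is_absolute() or ".." in Path(name).parts:
                return False
        if zf.testzip() is not None:   # returns the first corrupt member, None when clean
            return False
        zf.extractall(dest)
    return sha256_tree(dest) == expected


def run_backup_drill(tamper: bool = False) -> bool:
    """Full cycle in one temp dir: build site, back up, restore elsewhere, compare.

    With tamper=True a theme file is changed after the backup, so the restored
    copy no longer matches the live tree and the drill reports False.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        content = build_sample_site(root / "site")
        archive = root / "backup.zip"
        if backup_to_zip(content, archive) != len(SAMPLE_TREE):
            return False
        if tamper:
            (content / "themes/mytheme/style.css").write_bytes(b"/* edited after backup */\n")
        return restore_and_verify(archive, sha256_tree(content), root / "restore")


if __name__ == "__main__":
    print("restore matches live site:", run_backup_drill())
    print("restore matches after an edit:", run_backup_drill(tamper=True))
```

To use it on a real archive, call `restore_and_verify` with the plugin's .zip, a `sha256_tree` of the live /wp-content/ taken at the same time as the backup, and an empty scratch directory; a database dump inside the archive is checked the same way, since it is just another member file.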

Advanced Automatic Updates

Advanced Automatic Updates adds extra options to WordPress’ built-in Automatic Updates feature. On top of security updates, it also supports installing major releases, plugins, themes, or even regular SVN checkouts!

Advanced Automatic Updates is available free. Simply sign into your WordPress website, go to Plugins > Add New and search for ‘Advanced Automatic Updates’ by pento.

And Finally, a Small Plug…

If you have a WordPress site that you need assistance with, need hosting or need a new site then give us a shout! We would be delighted to assist you.