WordPress Security Explanation and Information

By Bonnie Koenig

 Security is both one of the most important topics online and one of the most boring. Why it’s boring is obvious. Let’s look at why it’s important.  

Hackers love programs that are used by millions. They love hacking Internet Explorer. They love hacking WordPress. In both cases, they maximize the chances that their random targets will be using the program they’ve hacked.   

How can you keep your WordPress installation safe?

  • Keep Your WordPress installation up to date
  • Don’t use the username  “Admin”
  • Use strong passwords
  • Don’t install using Fantastico or Quick Install
  • Make sure your Host has good security for WordPress
  • Don’t use filenames that start with wp- in your installation.

The first four will get you 95% of the way there. In fact, arguably depending upon your host, it may get _MG_6785e1 you to 98%, which means changing filenames or moving your wp-config file (another security measure) are probably not worth the effort.

In the old days when you had to manually update WordPress it was harder to keep your installation up to date. Now you can just do a one click update and you’re done. Spend the time on that click. It’s worth it.

Admin was the default username for a number of years. Many quick installations still use it. This means a hacker can guess this user name and suddenly they only have to figure out a password, making the site easier to break into.  

Keep your passwords strong. Use at least 10 characters and use at least one number and one other key like a semi-colon in your password string. Every new character possibility increases the difficulty of cracking the password exponentially.  

Don’t use Fantastico. It’s wonderful for that one click install. However, your password is the same for the database and user. Also the database name is always the same. This means a hacker has a lot of information right away. Take the time to install it yourself.  You can name your database anything you want.  Create a unique user name and strong password for the user. You just increased your WordPress security by a hundred fold.

Quick Install has other presets, one of which is the username  “Admin”.  

Make sure you have a host that understands WordPress. Many hosting companies host WordPress but don’t work well with it. Check out Web Hosting Talk for examples of good hosts and check threads that talk about hosts that know WordPress.

If you’ve been hacked you may feel a bit insecure. Plugins like WordPress Security Scan will double check your security and Secure WordPress will make sure your site remains secure. Consider using them.  Even in a ‘safe’ neighborhood it doesn’t hurt to have an extra deadbolt.

As I said, security is boring.You did some work. Go snuggle your pet!

Bonnie Koenig is a web consultant and WordPress web designer. Bonnie loves to educate people about what to look for when designing a website.  In her spare time, she designs marketing materials for acupuncturists.  She and her cat, Cheysuli, have been blogging together since 2006 at http://www.chey.mysiamese.com


Similar Posts


  1. And if you have used a one click install it’s easy to change your data base name which I am happy to write an article on if there is interest–or maybe I’ll have Ichiro do it at Mousebreath?!

  2. Those are good practices for worpdress security. I will point out that “using a strong” password should be an imperative. That password must be mixed cases, alongside numbers and a relative word that no one can guess.

Comments are closed.