WordPress Security

3 simple steps for improving WordPress security

If you’re building a new WordPress website or simply managing one that already exists, there are certain measures you should take to improve your website’s security. WordPress is the most popular CMS on the market; nearly half of all websites on the internet are built with WordPress. As such, people are very familiar with the default login structure and how to reach the admin login for most sites.

Below are three simple steps you can take to upgrade your security and reduce the risk of being hacked.

Lengthen passwords and change every 3 months

This one is pretty self-explanatory, but to be brief: people can run scripts that automatically generate passwords and try them against your login page at a very fast pace. Lengthening your password to at least 13 characters and changing your passwords every 3 months is a basic security measure that will greatly reduce your risk of being hacked.

Install the ‘Limit Login Attempts Reloaded’ Plugin

This plugin adds some JavaScript to your site that stops a person from continually trying to log in. You can change the settings from the plugin menu, but by default a person will be locked out of the admin page for 30 minutes after 3 failed login attempts. If they continue to fail to log in, the lockout time increases. I’ve found this plugin incredibly useful for two reasons: it adds security, and it also lets you know how many failed login attempts you are receiving per day.

You could also add this functionality manually to the functions.php file. Do a quick search for ‘Limit WordPress Login Attempts Without Plugin’ on Google and you will find many different articles on how to do this. If you’re curious, the plugin that I mentioned has over 2 million installations and a 4.9 rating.
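The following is an added example of what the functions.php approach looks like; it is illustrative code written for this page, not the Limit Login Attempts Reloaded plugin’s own code. It uses the thresholds described above (3 failed attempts, a 30 minute lockout that grows on repeated failures) and also enforces the 13 character minimum from step one whenever a password is set or reset. All `pp_`-prefixed function and constant names are assumptions; the hooks (`wp_login_failed`, `authenticate`, `wp_login`, `user_profile_update_errors`, `validate_password_reset`) and the transient functions are standard WordPress APIs.

```php
<?php
// Added example for a theme's functions.php: per-address login throttling and a
// minimum password length. Not the plugin's code; pp_* names are assumptions.
define( 'PP_MAX_ATTEMPTS', 3 );                       // failures before a lockout
define( 'PP_LOCKOUT_SECONDS', 30 * MINUTE_IN_SECONDS ); // first lockout length
define( 'PP_MIN_PASSWORD_LENGTH', 13 );

// Transient key for the client address. REMOTE_ADDR is what Apache saw; this
// assumes no reverse proxy or CDN sits in front of the server.
function pp_lockout_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'pp_login_' . md5( $ip );
}

function pp_lockout_state() {
    $state = get_transient( pp_lockout_key() );
    return is_array( $state ) ? $state : array( 'failures' => 0, 'lockouts' => 0, 'locked_until' => 0 );
}

// Count a failed login; on the third failure start a lockout whose length
// doubles with every further lockout (capped at one day).
function pp_record_failed_login( $username ) {
    $state = pp_lockout_state();
    if ( $state['locked_until'] > time() ) {
        return; // attempts made during a lockout never reached the password check
    }
    $state['failures']++;
    if ( $state['failures'] >= PP_MAX_ATTEMPTS ) {
        $state['lockouts']++;
        $state['failures']     = 0;
        $lockout               = PP_LOCKOUT_SECONDS * ( 2 ** ( $state['lockouts'] - 1 ) );
        $state['locked_until'] = time() + min( $lockout, DAY_IN_SECONDS );
    }
    // Keep the record for a day so the escalation outlives the lockout itself.
    set_transient( pp_lockout_key(), $state, DAY_IN_SECONDS );
}
add_action( 'wp_login_failed', 'pp_record_failed_login' );

// Refuse authentication while a lockout is active. Priority 30 runs after
// WordPress' own username/password check at priority 20.
function pp_block_locked_out( $user, $username, $password ) {
    $state = pp_lockout_state();
    if ( $state['locked_until'] > time() ) {
        $minutes = (int) ceil( ( $state['locked_until'] - time() ) / MINUTE_IN_SECONDS );
        return new WP_Error( 'pp_locked_out', sprintf( 'Too many failed logins. Try again in %d minutes.', $minutes ) );
    }
    return $user;
}
add_filter( 'authenticate', 'pp_block_locked_out', 30, 3 );

// A successful login clears the counter for that address.
function pp_clear_failed_logins( $user_login, $user ) {
    delete_transient( pp_lockout_key() );
}
add_action( 'wp_login', 'pp_clear_failed_logins', 10, 2 );

// Step one from the post: reject passwords shorter than 13 characters.
function pp_check_password_length( $errors, $password ) {
    if ( is_string( $password ) && strlen( $password ) < PP_MIN_PASSWORD_LENGTH ) {
        $errors->add( 'pp_short_password', sprintf( 'Passwords must be at least %d characters long.', PP_MIN_PASSWORD_LENGTH ) );
    }
}
// Profile edits in wp-admin: the new password arrives as $user->user_pass.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( isset( $user->user_pass ) ) {
        pp_check_password_length( $errors, $user->user_pass );
    }
}, 10, 3 );
// Password reset form: the new password is posted as pass1 (absent on the initial GET).
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) ) {
        pp_check_password_length( $errors, $_POST['pass1'] );
    }
}, 10, 2 );
```

Because the state lives in a transient keyed by address, it is per site and survives page loads without a new database table; the trade-off is that everyone behind one shared address shares one lockout counter, which is also how the plugin’s default behaviour works.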

Add an htaccess file directive

This is the final and perhaps most crucial step in adding some security to your website. You can add a directive to your Apache htaccess file that will restrict access to the wp-admin page. You’ll need SSH access to your server, and you’ll need to locate the htaccess file.

If you’re on Lightsail, this file is located here:

/opt/bitnami/apache/conf/vhosts/htaccess/wordpress-htaccess

The directive to add at the bottom of the htaccess file is this:

<Files wp-login.php>
Order Deny,Allow
Deny from all
# allowed address; put your own public IP here
Allow from 67.161.187.216
</Files>

For every additional IP address, simply add another ‘Allow from …’ line. I suggest leaving a comment above each IP address for future reference.

Restart your server and you’re good to go.
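As an added example (not the post’s own configuration), here is the same lockdown written out for several addresses with a comment above each one, as suggested above, followed by the equivalent in Apache 2.4’s native syntax. The addresses are RFC 5737 documentation placeholders; replace them with your own. The Order/Deny/Allow form used in the post is the Apache 2.2 syntax, which Apache 2.4 only accepts when mod_access_compat is loaded, so use whichever one block matches your server rather than both. Restricting wp-login.php is what locks down the admin area, because unauthenticated requests to wp-admin are redirected to wp-login.php.

```apache
# Added example, not from the post. Addresses are RFC 5737 placeholders.
# Apache 2.2 syntax (needs mod_access_compat on Apache 2.4):
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    # Office connection, static address
    Allow from 192.0.2.10
    # Home connection, static address
    Allow from 198.51.100.25
    # Whole VPN range; CIDR notation is accepted
    Allow from 203.0.113.0/24
</Files>

# Native Apache 2.4 syntax for the same rule. Every address not listed is
# refused with 403, so no separate "deny" line is needed.
<Files wp-login.php>
    # Office, home, VPN range (same placeholders as above)
    Require ip 192.0.2.10 198.51.100.25 203.0.113.0/24
</Files>
```

Before restarting, check the syntax with `apachectl -t` (on the Lightsail image that is expected to be `/opt/bitnami/apache/bin/apachectl -t`, an assumption based on the path given above), since a typo in this file can take the whole site down. Then confirm from an address that is not on the list that wp-login.php returns 403 while the rest of the site still loads. The usual failure mode is your own home connection changing its address and locking you out of the login page; SSH access is what lets you edit the file and recover.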

Having trouble? Shoot us a message. We’re here to help: https://picnic.productions/contact-us/
