WordPress Security Tips and Tricks


WordPress is a popular way to develop websites. Its free price is attractive. It’s well supported. And it’s very flexible.

But the ever-present nature of WordPress means that it also attracts less desirable elements who seem to delight in destroying the work of others.

Which means that in much the same way as you wouldn’t think of running Windows without up to date anti-virus software, you need to keep your WordPress installation as secure as possible.

1. Don’t use admin as your username

Most WordPress auto-install routines pre-fill “admin” as your user name.

And, of course, most hackers know that.

Which means it is the first – and often the only – user name that the hacking programs use when they try to breach your installation.

If you’ve already used “admin” then you need to log in to WordPress, add a new administrative user with a good password, log out of WordPress then log back in with the new user name and delete the admin one.

It doesn’t take long but is well worth doing.

2. Update as soon as you get notified

Recent installations of WordPress will automatically update the main program if you haven’t done so soon after an update gets released.

This is good as it helps keep the core files – the ones that are most likely to be attacked by hackers – current and at their most secure.

But all the plugins you’ve added to improve your website’s functionality need keeping up to date as well.

Occasionally you’ll get notified – this happened recently with the JetPack plugin – but most of the time it’s up to you to log into your website and apply the updates as they become available.

The same advice applies to themes – these can be exploited by hackers if they’re not kept up to date.
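Plugins and themes can be opted into the same background updater that already keeps core current. The following must-use plugin is an added example, not code from the post; it uses WordPress’s own `auto_update_plugin` and `auto_update_theme` filters, and the one plugin it keeps on manual updates (`example-commerce/example-commerce.php`) is a constructed placeholder.

```php
<?php
/**
 * Plugin Name: Auto-update plugins and themes (added example)
 * Description: Opts every installed plugin and theme into WordPress's
 *              background updater, so they get the same treatment the post
 *              says core already receives. Save as
 *              wp-content/mu-plugins/auto-update-all.php; mu-plugins need no activation.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Core: allow major as well as minor background releases. Equivalent to
// define( 'WP_AUTO_UPDATE_CORE', true ); in wp-config.php.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Themes: update automatically as soon as a release is available.
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Plugins: update automatically, except for a short list that you prefer to
 * update by hand after testing. $item is the update object WordPress passes
 * to the filter; $item->plugin is the plugin's file path relative to wp-content/plugins.
 */
function aup_auto_update_plugin( $update, $item ) {
    $manual = [ 'example-commerce/example-commerce.php' ]; // constructed placeholder slug
    if ( isset( $item->plugin ) && in_array( $item->plugin, $manual, true ) ) {
        return false; // leave this one for a manual update
    }
    return true;
}
add_filter( 'auto_update_plugin', 'aup_auto_update_plugin', 10, 2 );
```

Background updates still run from WP-Cron, so a site with very little traffic (or with `DISABLE_WP_CRON` set) only applies them when cron is triggered; checking the Dashboard &rsaquo; Updates screen now and then remains worthwhile.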

3. Limit login attempts

This is a free plugin that does exactly what it claims in its title.

It’s a good way of protecting against what are known as “brute force” attacks whereby a hacking program will try as many passwords as possible until it finds one that works.

Or, more likely, it will run the top 100 most common passwords before deciding your site isn’t worth the effort of hacking.

Limit Login Attempts keeps a note of failed login attempts and blocks access from that particular computer for a pre-set amount of time.

For one of my sites, it’s blocked access 4,445 times since I last cleared out the log files and another one has blocked 5,061 attempts.

So it’s a common problem and an easy fix. Just don’t set up email notifications of blocked access if you’re of a nervous disposition.
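To make the mechanism concrete, here is a small must-use plugin that does the same job in miniature: it counts failed logins per client IP address and refuses further attempts for a fixed lockout period. It is an added example, not the Limit Login Attempts plugin’s code; the threshold (5 failures) and the window and lockout lengths (15 and 20 minutes) are assumptions, and it stores its counters in WordPress transients.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example)
 * Description: Counts failed logins per client IP and blocks further attempts
 *              for a fixed lockout period, the behaviour the post describes
 *              for Limit Login Attempts. Save as wp-content/mu-plugins/login-throttle.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const SLT_MAX_FAILURES    = 5;                      // failures allowed per window (assumed)
const SLT_WINDOW_SECONDS  = 15 * MINUTE_IN_SECONDS; // window in which failures are counted (assumed)
const SLT_LOCKOUT_SECONDS = 20 * MINUTE_IN_SECONDS; // how long a blocked IP stays blocked (assumed)

/**
 * Transient key for the calling IP. REMOTE_ADDR is only the real client when
 * the site is not behind a proxy or CDN; adjust the source address if yours is.
 */
function slt_key( string $prefix ): string {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return $prefix . md5( $ip );
}

/** True while the caller's IP is locked out. */
function slt_is_locked(): bool {
    return get_transient( slt_key( 'slt_lock_' ) ) !== false;
}

/** Record one failed login and start a lockout when the threshold is reached. */
function slt_record_failure( $username ): void {
    if ( slt_is_locked() ) {
        return; // attempts made during a lockout are already refused below
    }
    $count_key = slt_key( 'slt_fail_' );
    $count     = (int) get_transient( $count_key ) + 1;
    set_transient( $count_key, $count, SLT_WINDOW_SECONDS );

    if ( $count >= SLT_MAX_FAILURES ) {
        set_transient( slt_key( 'slt_lock_' ), time() + SLT_LOCKOUT_SECONDS, SLT_LOCKOUT_SECONDS );
        delete_transient( $count_key );
        // Goes to the PHP error log, the quiet alternative to the email notifications the post mentions.
        error_log( sprintf( 'slt: locked out %s after %d failed logins (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count, (string) $username ) );
    }
}
add_action( 'wp_login_failed', 'slt_record_failure' );

/**
 * Refuse authentication while the IP is locked out. Priority 100 runs after
 * WordPress's own username/password checks (priority 20), so the lockout
 * overrides even a correct password; the returned WP_Error also makes core
 * fire wp_login_failed, which is harmless because of the guard above.
 */
function slt_check_lockout( $user, $username, $password ) {
    $until = get_transient( slt_key( 'slt_lock_' ) );
    if ( $until !== false ) {
        $minutes = max( 1, (int) ceil( ( (int) $until - time() ) / MINUTE_IN_SECONDS ) );
        return new WP_Error( 'slt_locked_out',
            sprintf( 'Too many failed logins. Try again in about %d minute(s).', $minutes ) );
    }
    return $user;
}
add_filter( 'authenticate', 'slt_check_lockout', 100, 3 );

/** A successful login clears the failure counter for that IP. */
function slt_clear_on_success( $user_login, $user ): void {
    delete_transient( slt_key( 'slt_fail_' ) );
}
add_action( 'wp_login', 'slt_clear_on_success', 10, 2 );
```

Two caveats a site owner should know about any per-IP blocker, this one included: everyone behind the same office or mobile-network address shares one counter, so a colleague’s typos can lock you out too, and without a persistent object cache the transients live in the options table, so a very noisy attacker generates database writes for each block. The real plugin adds whitelists and longer escalating lockouts on top of this basic logic.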

4. Use a decent password

It’s easy to fall into the trap of using the same password for everything.

Probably one that’s easy for you to memorise and not especially strong.

When I first started on the web, 4 character passwords were considered secure and there weren’t any checks as to whether or not they contained a mix of letters and numbers or any punctuation characters.

Now, 6 or 8 characters is the minimum for most sites, and at the very least a password should mix letters (lower and upper case) and numbers, preferably with punctuation marks as well.

There are random password generators on the web – I tend to use these and tick the boxes to include everything. I also set the password length to 12 characters – this is likely to future proof my passwords for a good number of years.
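A generator only helps the users who choose to use one, so the policy the section describes (a minimum length plus lower case, upper case, digits and punctuation) is best enforced on the site itself. The must-use plugin below is an added example, not code from the post; it rejects non-compliant passwords on the profile and new-user screens and on the lost-password reset form, using WordPress’s `user_profile_update_errors` and `validate_password_reset` hooks. The 12-character minimum is taken from the length the post recommends.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (added example)
 * Description: Rejects weak passwords when a user is created, a profile
 *              password is changed, or a password is reset from the
 *              "lost password" form. Save as wp-content/mu-plugins/password-policy.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const MPP_MIN_LENGTH = 12; // the length the post recommends for generated passwords

/**
 * Return a list of things $password is missing; an empty array means it passes.
 * The four character classes are the ones the post asks for.
 */
function mpp_password_problems( string $password ): array {
    $problems = [];
    if ( strlen( $password ) < MPP_MIN_LENGTH ) {
        $problems[] = sprintf( 'at least %d characters', MPP_MIN_LENGTH );
    }
    if ( ! preg_match( '/[a-z]/', $password ) ) {
        $problems[] = 'a lower-case letter';
    }
    if ( ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'an upper-case letter';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'a digit';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'a punctuation character';
    }
    return $problems;
}

/** Add one combined error to the WP_Error object WordPress hands to the hooks. */
function mpp_validate( WP_Error $errors, string $password ): void {
    $problems = mpp_password_problems( $password );
    if ( $problems ) {
        $errors->add( 'mpp_weak_password',
            'Password must contain ' . implode( ', ', $problems ) . '.' );
    }
}

/** Profile edit and "Add New User": the new password is posted as pass1 (empty when unchanged). */
function mpp_check_profile( $errors, $update, $user ) {
    if ( isset( $_POST['pass1'] ) && $_POST['pass1'] !== '' ) {
        mpp_validate( $errors, (string) wp_unslash( $_POST['pass1'] ) );
    }
}
add_action( 'user_profile_update_errors', 'mpp_check_profile', 10, 3 );

/** Password reset form (wp-login.php?action=rp), same field name. */
function mpp_check_reset( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && $_POST['pass1'] !== '' ) {
        mpp_validate( $errors, (string) wp_unslash( $_POST['pass1'] ) );
    }
}
add_action( 'validate_password_reset', 'mpp_check_reset', 10, 2 );
```

Because both hooks run before WordPress saves anything, a rejected password never reaches the database, and the same `mpp_password_problems()` function can be reused to give feedback in a custom registration form.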

If you’d like more help keeping your WordPress site secure, click here.
