Simple WordPress Security for Beginners – no coding required!

Placing a few extra locks on your site is common sense – you don’t want all that hard work destroyed by some random attack. But it can also seem a little daunting when you first start out with a website, especially if the advice from your Google search tells you to start altering php code.

So here are some simple steps to run through that don’t require any coding, and will very quickly increase the security of your site.

NBthis is by no means an exhaustive guide, just some basic tips for beginners.


admin badgeBy default, the WordPress username on all new installs is admin. Many users don’t bother to change this, and that’s the biggest mistake you can make; an attacker will assume the username is still admin, and if you haven’t changed it they have one half of the first lock already opened – they just need to figure out your password. The method for this is called ‘Brute Force’, whereby a script will enter admin as the username and then a list of passwords is tried against that username to break into your site. It’s not the most sophisticated form of attack, but it’s effective. Don’t make things easy – change the username, and while you’re at it change the nickname too.

Changing the Username

  1. From your WordPress dashboard menu, go to Users > Add New
  2. Complete the form with your new user information, and make sure you change the Role in the dropdown box at the bottom from Subscriber to Administrator
  3. Log out of WordPress, then log back in as the new user you just created
  4. From your WordPress dashboard menu, go to Users
  5. Move your mouse over the old admin user and click delete
  6. BEFORE you confirm deletion, select the new Administrator name in the dropdown box where it says ‘Attribute all posts to’ – this will transfer authorship of the existing posts to your new Administrator account. If you don’t do this, ALL your existing posts will be deleted along with the old admin account!
  7. Click the ‘Confirm Deletion’ button.

Your new administrator account is now active and you’ve taken a huge step to improving the security of your site!

Changing the Nickname

It’s good practice to use a nickname for your administrator account, as this is what will be displayed publicly against any posts you make. After going to the trouble of changing the username for the administrator account, you don’t really want to tell everyone what it is!

  1. From your WordPress dashboard menu, go to Users
  2. Select the Administrator account you use, and choose ‘Edit’
  3. In the nickname field, enter the name you’d like your posts to be attributed to
  4. In the dropdown box for ‘Display name publicly as’, select the nickname you just created
  5. Save your changes by clicking the ‘Update Profile’ button at the bottom of the page


top secretUnbelievably, there are plenty of people in the world that use ridiculously simple passwords. In fact, the top five most common passwords of 2014 were:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty

So what makes a good password? Ideally, a completely random string of uppercase and lowercase letters, numbers, and symbols. For example:

  • qyeV!t6LL
  • nh_nNZdKF
  • zfpFa£ZYP
  • yTg8-eFgP
  • k?uDLynqW

These are examples of five reasonably good passwords, suggested by a generator. But this presents another problem – passwords like that are not exactly easy to remember. You could keep a note of your passwords somewhere, but that leaves you open to compromise if someone obtains your super secret password list.

Fear not, there are solutions in the form of secure password managers – extensions for your browser that store your passwords securely. My favourite is LastPass, a free service with optional paid enhancements.

Security Plugins

There are loads of plugins to choose from. I personally like the simple approach offered by Wordfence Security, which doesn’t really require much in the way of setup. The plugin is free, offers a firewall and file scan, and even comes with a caching option to help speed up your site. There’s also optional paid enhancements.

Stay Updated

Keep your WordPress installation and plugins up to date. Whenever there is an update available, it will appear in your dashboard. Don’t ignore these – they address bug fixes and exploits, and it only takes a few moments to update them.