Security starts before you create your wordpress website. You need to start hardening your online presence before you install the Wordpress product
You need to know a little bit about how wordpress works before you install it.
Installing Wordpress from your gotFusion Hosting Control Panel:
- During the install set-up process, never create a database with a table name of wp_. Select something unique that you will remember but DO NOT accept the suggested default.
- If you do or inherit an existing WP domain and move it to your hosting account with us, use the Acunetix WP Security plug-in from within the WP admin to change the table name within MySQL and WordPress.
- Never use Admin as the primary WP account username! Do not use the web site name as the primary WP account username. DON’T give away the key to the front door and expect the bad guys to stay out. For the highest security make your username as strong as your password. A user name of cP7F_te3uQmG-6#f will never be guessed. Use password vault software and store your usernames and passwords for future use. NEVER use a username or password on more than one location. Make a unique username/password for each of your needs, each email account, FTP account, control panel, and wordpress administration.
- Password strength has to be intense - a minimum of 19-20 characters, upper and lower letters, numbers, and special characters… etc. etc. – USE Keepass!!!! USE STRONG passwords!!!!! Keepass password vault is a free download from your gotFusion hosting account. My “rule of thumb” is, if you can remember your password it is NOT secure.
- Always maintain Wordpress core updates. During the control panel install you will find a check-box for "automatic updates" make sure this is checked when you install Wordpress from your hosting control panel. I've taken over client sites that had three year old core WP files! If you install WP from your gotFusion hosting control panel there is an option to automatically install all WP core updates. USE THIS!! The other security plug-ins I recommend will check and tell you when any plug-in or theme has an update available.
- Don't make it easy for the bad guys to deface your content. If your account is compromised, I have no option other than to suspend your account (take it off line) should it becomes a Spam relay or malicious software install site. I cannot un-hack an account/domain but I can restore from backup using a non compromised backup but you need to find the hack/compromise during the 7 day's backups are kept. After 7 days there is no server side backups kept and you will need to start all over again, losing all of your content.
After you have finished installing:
- Avoid using free themes. They have vulnerabilities, are NOT maintained or updated when a security breach is identified, and are not worth the risk!! Themes are inexpensive. Fine one with an online user support forum and one that is updated regularly
- Remove all unused plug-ins and themes. Uninstall THEN use an FTP program to erase them from the server!!!!! Leave no trace for the bad guys to find and exploit them.
Recommended Security Plug-ins
I only trust the following plug-ins for security along with the basic safety settings and procedures outlined above.
- Acunetix WP Security
- BulletProof Security
- Wordfence Security -
These security plug-ins are installed from your WordPress Admin page. Go to your domain's administration, log in, and in the Plug-In section search for and install each of these. They cover different security controls so each and all are necessary to keep the bad guys out of your web site.
In these plug-ins I set a number of stringent controls including log in blocks on invalid usernames - I set a defined list and add the domain name AND admin as defined invalid log in options. I set log in attempts at a block the IP addresses of the log in failure after 2 failed log in attempts (you may want to hold off on this until you have successfully logged in several times so that you do not block yourself.
Go to the Plug-In vendor's web site. Read the documentation. Subscribe to their news letters and FOLLOW their security advice.
At the end of the day no security plan is going to be fool proof but I think the steps above make it a lot harder for the plethora of automated bots from getting in.
For additional tips on hardening wordpress web sites visit and read the information on this URL:
Have fun and be safe out there
If you have any questions or problems, please do not hesitate to contact me through your web hosting help desk interface
Did you find this tutorial useful?
Do you want to keep this resource online?
Make a donation to keep gotFusion alive
This page was written by and is maintained by turtle