Advanced WordPress Security Tips: Secret Security Keys, Hidden Usernames & Logins, & Private Sites

Sometimes the best defense is a good offense. For the ultimate in WordPress security, it’s a great idea to resort to subterfuge to throw off hackers. After all, hackers don’t think twice about being sneaky to steal and harm your clients’ digital assets.

There are indeed steps WordPress users can follow that take advantage of the art of stealth. Let’s take a look at a few of them. You might not decide to use them – and in no way do they absolutely guarantee complete security – but even implementing one method could put your WordPress site a bit further out of the reach of hackers.

Create Secret Authentication Keys and Salt

A WordPress site recognizes the legitimate user who’s logged in as the admin by storing that person’s information in a cookie on his or her browser. Cookies identify you and your client.

To protect the information stored in cookies, WordPress uses authentication keys and salts to encrypt the information and decrease the chances of an account being hacked. No matter how strong, most all encryption can be cracked eventually. It’s thus wise to regularly update your clients’ WordPress authentication keys and salts and even make them “secret.” How can you make them secret? Essentially, WordPress allows users to kind of “hide” their authentication keys and salt by making them complicated. These additional passwords for your site are long and random – but not secret, per se. They just feel secret because they’re almost impossible to break.

To learn how to do this, see the “Security Keys” section of this WordPress support page for more information.

Hide Your Username for Increased WordPress Security

All a hacker needs to do to find most login pages, the gateway to a WordPress site, is to type in the URL of a site and follow it with /login.php — it’s that simple. But here’s where, many would argue, stealth can help with your clients’ WordPress security.

One thing that improves WordPress security is to change the access point to your clients’ websites to something else. Just simply change the login page URL to something other than “/login” — it could be complex or even simple, but should be different. There are two popular plugins that let you change the login.php: WPS Hide Login and Protect WP-Admin. Both offerings have many favorable reviews and were recently updated.

Block the Bots

There is another popular plugin that uses “stealth” to help protect the login function, but this one directly takes on the bots that mindlessly roam the web trying to hack usernames and passwords. Stealth Login Page creates a secret login authorization code, which is emailed to the correct user so legitimate access isn’t locked down.

Anyone – particularly a bot – that doesn’t enter the additional authorization code will be redirected to a customizable URL safely away from your clients’ WordPress sites.

Make Your WP Site Private

There’s nothing requiring you or your clients to put their WordPress sites on the web for all to see. Granted, if they have a business, hiding from the world doesn’t make sense, but if their WordPress sites offer something that can be shown at their discretion, making the site private is a sensible security step.

WordPress offers a quick tutorial on how to hide a site, and it shows how clients can invite visitors of only their choosing.

Keep in mind, this and the other stealth tips we shared don’t offer a foolproof security plan. You should still consider using two-step authentication, avoid downloading outdated plugins or themes, and overall use sound judgement to protect your clients’ WordPress sites. However, this little dose of secrecy certainly will help keep hackers guessing!

Want WordPress without the hassle? Check out WordPress Without Limits, a managed WordPress solution, with one-click staging, one-click backup restoration, automatic updates, automatic backups, and free SSL.