WordPress Community Insights You May Not Know About

Each year, seasoned WordPress developers, agency owners, WebPro experts and beginner users come together at WordCamps. From around the world, we connect, learn, and celebrate all things WordPress. WordCamps have grown from the one held by Matt Mullenweg in San Francisco in 2006 to hundreds all over the globe, each with its own flavour, speakers, sessions, and communities. It’s only natural that we want to get more WordPress Community Insights.

As we create many WordPress-related products, we’re proudly involved in the community that makes WordPress and make regular appearances at WordCamps. We support WordCamps both with sponsorship and by showing up with a booth, speakers, games, special offers, raffles, and interviews. In November 2019, we attended WordCamp US and joined the thousands of other WP enthusiasts and experts in celebrating and evolving the thriving WordPress ecosystem, hosting educational and engaging games and raffles with special prizes.

In exchange for the grand prize (that any techy would love), we took the opportunity to gather answers to a few burning questions for the WP community. We collated the responses from over one hundred respondents in the infographic you see below. Now we’re going to dive into these findings in a bit more detail and discuss a few patterns and trends we noticed.

Community Insights from WordCamp US 2019

WordPress is such a diverse and flexible platform that it’s used daily by a million different people in a million different ways. To be exact, there are over 75 million people using WordPress in over 50 different languages, powering over 172 million websites (around a third of the entire web). And those numbers are still growing.

So who are the WordPress Community?

From our survey of WordCamp attendees, we discovered that, as you would expect, most of them are developers — nearly half at 42%. The rest are a diverse bunch of bloggers, graphic designers, agency owners, marketers, SEOs, freelancers, security researchers, software developers. There are also prospective dev students or small business owners who are newbies to the WordPress world.

As you can see, there’s a real mix of people using WordPress for everything. From personal projects and their own career development to running businesses and supporting client projects. This is reflected in the reasons as to why people were attending WordCamp US.

Most of the respondents were at the event for both personal and professional reasons, with the biggest attraction overall being the opportunity to network, make connections, and simply have interesting conversations with like-minded people.

Of course, some people were there because they were running a session or because they simply wanted the free swag. But even so, they may have been meeting up with someone they met online or were otherwise benefiting from the strong WP community. Similarly, when we asked what they hope to take away from the weekend, respondents mostly mentioned making new friends, contacts and connections.

Other top takeaways included new knowledge/learning, feedback, contributing to the community and learning new solutions for current WP challenges. Many also want to improve accessibility of websites, or get a clearer idea of hosting options and new features out there. And, of course, grab some swag while they’re at it.

How The Community Uses WordPress

When you get a bunch of WP aficionados together in the same place, you can’t not ask them about their experiences with WordPress and the tools they’re currently using. Starting at the top with hosting options, over a third of people (39%) preferred Managed WordPress Hosting, with Cloud and Shared Hosting following at 17%.

In line with these results is what they voted as the most important factors when working with WordPress. Speed and performance took the crown with nearly two-thirds of the vote, while 45% were happy enough to have WordPress work well. However, 44% also wanted stability, and 36% were looking for a user-friendly design.

With over 50,000 plugins available, the WordPress plugins marketplace is booming. Many look to WordCamp for insights into plugins, to announce development of their latest ground-breaking product, to improve the efficiency of their sites, or simply to discover what’s out there.

Interestingly, SEO plugins like Yoast are the most-used WordPress tools, with 55% of respondents using them over others. Second were analytics tools with 37%, then security tools at 31%, with page builders, CSS and email marketing plugins bringing up the rear.

This shows a clear focus of WP users to quantify and boost their site performance in search engine results pages (SERPs) as much as possible.

Doing Our Bit For The WordPress Community

To finish off the survey, we asked the WordCamp US attendees a few more questions, including if they had any WP-related goals, and if so, what they were. The results revealed that WordCamps have a feel of being about socialising and educating people. However, they’re also pivotal for those serious about pushing their business goals forward.

Some of the respondents’ top WordPress-related goals were:

  • making their products known to the world
  • growing their WordPress client base
  • becoming web developers
  • blogging more consistently
  • building non-profit websites
  • building awesome sites in general
  • teaching more
  • increasing their traffic and scaling
  • getting all the clients and dominating the world

To help fellow members of the WordPress community to achieve these goals, we’ve built a variety of WordPress tools like the Plesk WordPress Toolkit. The WP Toolkit is a single interface for easily installing, configuring, and managing WordPress, jam-packed with features.

We asked the community if they thought the Plesk Toolkit would benefit their work. Nearly half of respondents chose “yes”, with just under a quarter choosing “I think so.” A few of the things that are holding people back included the price. Some were also not sure if it would integrate well. And a few would not go for it, simply because they don’t like change.

Looking Ahead to The Next WordCamp

Go for the speakers, the opportunities, the insights, the Lego prizes, swag – or all of the above. Attending a WordCamp is a great way to meet awesome people and stay in touch with everything WordPress.

There have been over 700 WordCamps in 70 cities around the world to date. We plan to attend more in 2020 to continue supporting the WP community and development of the incredible open source platform, starting with WordCamp Asia in February. To find a WordCamp near you, or even set up your own, visit WordCamp Central.

Will you be attending WordCamp Asia in February 2020? What content would you like to see us cover from the event?

Getting the Best WordPress Hosting Performance Today

Fast, performant, and close to home? It sounds like a line from an ad. But it’s not. It’s about what a hosting provider should offer a WordPress business. So let’s dive into the behind-the-stage attributes that will give you ultimate WordPress Hosting Performance.   

To have great WordPress performance, you should look for the following magic features: CDNs and your server location. A data center that’s geographically close to its users guarantees low latency, while a CDN ensures excellent response times to users worldwide. Let’s call them the salt and pepper of the WordPress hosting performance dish. Read on to discover the rest of the equally important ingredients.

The WordPress Community on WordPress Performance

We asked the WordPress Community for a top tip to boost WordPress Performance. Here’s what we got. 

Must-Have Hosting Performance Features

WordPress needs hosting. Which performance attributes would make a hosting provider the best match?

Server-level Caching and CDNs

Server-level caching is a great way to provide a significant performance boost to most websites with a lot of static content (images, CSS, HTML). While CDNs also perform caching, it’s good to have server-level caching by default.

Speaking of Content Delivery Networks, the providers who offer a CDN with the selected WordPress plan rank higher for attractiveness. Higher still on this list are the providers who offer a CDN that’s integrated into a control panel.

HTTP/2 and DNS

Also, the hosting provider or the CDN provider must enable HTTP/2, the latest major revision of the HTTP protocol. Moreover, to make a good impression and provide the best possible performance for the users, gzip compression should be part of the offering.

A performant hosting experience includes offering a fully-featured DNS service. The providers which offer restricted DNS or domain features (like adding a parked domain, add-on domain or subdomain) don’t make the best impression.

First Byte 300ms or Less

Can it make it in under 300 milliseconds? Then, it’s a keeper. For the end-users, it means their browser will receive the first byte of response within this time-frame. Apparently, 300 milliseconds or less is the golden number – according to numerous e-commerce studies.

Detailed WordPress Performance Benchmarks

“We want it all and we want it now”. These are the expectations we hear from customers browsing online platforms. This is why speed and performance play a major role in the success of any online business. Website performance is about retaining users, improving conversions, making customers happy – and ultimately, growing your business.

Studies say you have just 27 seconds to make a good first impression. When you have an e-commerce website, you have even fewer seconds at your disposal. Neil Patel, digital marketing guru, states that 40% of people abandon a website that takes more than 3 seconds to load. Moreover, Google penalizes slow and poorly performing websites from an SEO perspective and downgrades search engine rankings.

Therefore, other than the managed WordPress hosting plans, how a provider handles various levels of traffic in real-time is also very important.

What Makes the Difference?

  • Concurrency is the number of simultaneous users that are connected to your application, requesting content as quickly as possible. But not all at once.
  • Meanwhile, Requests Per Second (RPS) represents the number of requests the web server can respond to within 1 second. Sites with higher RPS will be able to handle more traffic.
  • As for the latency, it represents the response time observed for 95% of the requests sent during a time frame.

Why Geography Impacts Performance

How do you feel about long-distance connections? They may work, but with some struggle. This also applies to your WordPress hosting if you want to get the best WordPress Hosting Performance.

Your website may not perform at its best if the location of the data center that hosts it is not close to your audience. Picking a data center in the same city as your audience will provide much lower latency.

An ideal scenario would be to have two data center locations in the same region to deliver dynamic content at full speed, in particular content generated dynamically by PHP, which can’t be cached easily. And even if all your users are in the same area as your data center, you don’t want to lose points for high latency.

This is why using a CDN comes in handy: a Content Delivery Network helps you to deliver excellent response times to users worldwide.

Top WordPress Hosting Performers and Why

So, now you know what to look for in a WordPress hosting provider. But do such ideal hosting providers exist? Well, yes. According to the Cloud Spectator report, the best ones, in terms of performance features, are:

  • FlyWheel
  • Kinsta
  • Pantheon

All three of them are A-class hosting performers because they have in place: server-level caching, HTTP/2, gzip compression, premium DNS, First Byte at or under 300ms in at least 1 location, CDN available and CDN management.

WordPress Hosting Performance Features

FlyWheel and Kinsta are also top performers with regard to Global Reach. Pantheon got maximum points for Backup and Restore features, too. For Staging & Cloning, both Pantheon and Kinsta got gold medals. Kinsta received two more, for WordPress Support and for Onboarding.

Nevertheless, in the Developer Friendly, General Support and Security Features categories, other providers took the spotlight. However, none of the 17 providers included in the international benchmark study achieved top scores across all nine listed categories.

Important takeaway: as a WordPress owner you need to determine which feature sets are vital for your needs before selecting a WordPress Hosting provider.

How Plesk Impacts Your WordPress Performance

Lots of points to consider when choosing the best-performing WordPress hosting provider for you, right? Fortunately, there is another way to get the same perks, but without any headache. While using Plesk Hosting Platform for your virtual or dedicated server, you can also use the WordPress Toolkit extension on top of it.

Instant benefits? Everything becomes simpler regarding configuration, routine management or overall performance of all your WordPress projects. Remember that Google likes performant websites and ranks them higher in the search results.

Discover more ways to turbocharge your WordPress Performance here.

To keep it short and simple: a fast and well-optimized WordPress website will do the work. And happy visitors can become satisfied customers later on.

The Truth about Managed vs Unmanaged WordPress Hosting

Quick Quiz: What Type of WordPress Hosting do you need – Managed vs unmanaged hosting?

1. Are you more of a (a) do-it-yourself (DIY) type or (b) plug-and-play kind of person?
2. Do you usually (a) go with the flow or (b) need a backup plan?
3. When traveling, do you prefer (a) shared accommodation or (b) space for yourself?
4. Looking at your lifestyle, do you (a) go for the basic stuff or (b) comfort and security?

Unmanaged vs Managed WordPress Hosting Verdict

Well, based on the above criteria, Plesk can tell you which type of WordPress user you are – the managed vs unmanaged hosting type. If you mostly picked (a), then you are an unmanaged hosting type, whereas mostly (b) choices reveal your managed WordPress hosting preference.

Disclaimer: There is no right or wrong answer and you’re fine either way. However, having a full perspective can help you make the best business decisions later on. Keep reading for more info on your business needs, the core differences and benefits of the two different hosting types.

Managed Hosting: The Plug & Play Type

Your profile tells Plesk you are part of a managed hosting category for your WordPress. You trust and rely on someone else for your hosting solution, while you focus on your core business. Going deeper, you can choose from the following managed hosting types: a) Shared; b) Cloud; c) Virtual Private Hosting (VPS); d) Dedicated. 

Love Shared Hosting?

This hosting plan is typically the cheapest. Your site shares resources with other accounts on the same server. Shared hosting is a good option as long as website traffic and your end-user base don’t outgrow the server’s resources. The downside is that noisy/resource-hogging neighbors will affect your site as all websites have to share space on the same server.

Scale up to Cloud Hosting

Multiple physical servers work together and the network shares virtual resources. If you choose cloud hosting, it means you want flexibility, resilience, and redundancy. Also, you prefer a pay-as-you-go model. However, for cloud hosting, you need good planning abilities and the skills to manage this environment.

VPS Hosting Fan?

This means you prefer a virtual instance on a physical server with its own copy of an operating system (OS), plus your own resources such as CPU, RAM or any other data. You can always add more resources to your plate without the need to migrate your website.

Moreover, you get a similar level of flexibility and benefits as with a dedicated server, but with a shared cost of services. This means almost full freedom. Because you have access to everything and can install any software you want and need. No dependency on traffic or audience.

Your Own Dedicated Hosting

Are you playing in the league of big numbers of visitors? Then dedicated hosting is for you. You probably have an online store with lots of rich media that need to max out on RAM. It’s also the most secure option and provides the highest level of system control.

Therefore, you can keep noisy neighbors out of the picture. However, know that dedicated servers usually come with monthly pricing or some kind of long-term commitment. So you need to think carefully in advance regarding how many resources you’re going to need.

Unmanaged Hosting (DIY) – The Good and The Bad

Based on Plesk analysis, you love being in the ‘techy weeds’. As a DIY type, you prefer to build, configure, maintain and secure your server. While also ensuring that your website is up and performing well. As basic needs’ fulfillment is enough for you, a server with only an Operating System (OS) installed will do. You need to install and configure any additional software such as WordPress, Apache, PHP or MySQL.

Why Unmanaged Hosting Can Be Tricky

If this tips you over between managed vs unmanaged hosting, then you’re dedicated to the tricky craft of managing your website(s) and server. You love it and it costs you almost nothing. However, this may take too much time and keep you away from other more important stuff for your business and growth. Also, you may be saving money now, but in the long run, this may not be as beneficial. Consider this: your site has always been a bit slow to load, but imagine it in two years’ time. When your business and website traffic grow.

Backup plans take too much time and energy for you, but if the worst happens you may pay for it in other ways. For example, after a few days off you find your site compromised and filled with spam links to random websites. Or something goes wrong with your manual WordPress update and the website goes down. Constantly having to monitor your site and implement performance and security optimizations may drain you, possibly crippling your business eventually.

Plesk and WordPress Hosting –  Plug, Play and More

You’ll see many options in the WordPress managed hosting candy shop. So it’s hard to choose. But for the ones who prefer a turnkey solution for their websites, Plesk WordPress Edition with WordPress Toolkit is the right combination.

Watch and see how quick you can activate your WordPress hosting solution with Plesk.

Top Plesk WordPress Hosting Benefits

Especially when compared to shared or VPS providers, this WordPress hosting provides better maintenance and data integrity. According to market benchmarks, data hosting providers offering the ability to change the version of PHP used for WordPress score higher.

24/7 customer support 

Managed WordPress Hosting is intuitive and takes only a few clicks to install. But the house specialty, the sweet cherry on top of Plesk’s WordPress Hosting, is our customer support. From onboarding to finish, all clients get 24/7 attention from our side, including website support and tech support for non-developers.

Automated WordPress Security, Backups and Upgrades

Another advantage you’ll welcome with open arms is the free WordPress vulnerability scanner when you create a new site. Plesk’s WordPress Toolkit security scanner goes beyond the basics and implements the latest security recommendations and best practices from WP Codex and WP security experts.

Performance and Speed 

Get Plesk with your WordPress Hosting and you’ll have this included in WP-CLI. Thus helping clients import a database, create a new user, update themes and plugins in a flash using the WP-CLI. Speaking of plugins, for an enhanced customers’ WordPress experience, any caching plugin will significantly improve your WordPress performance.

WordPress Security Guide 2019

With so many websites relying on WordPress it’s no surprise that millions of website owners are out looking for the best ways to secure their WordPress sites. The widespread prevalence of WordPress also makes it a target for hackers, with tens of thousands of websites getting infected with malware, becoming the sources of phishing schemes and getting blacklisted by search engines. In this guide we cover everything you need to know about WordPress security, including a comprehensive list of do-it-yourself WordPress security tips for hands-on website owners. Read on to see how you can protect your website against even the most determined attacker.

Why WordPress security is so important

At its core WordPress is very secure: the CMS is audited by hundreds of expert coders who write security into WordPress. Nonetheless, WordPress can still be hacked, and often it is due to a lack of basic security practices.

WordPress sites that are hacked can be very damaging for the owner as it inevitably leads to a loss of reputation while also leading to financial loss. A hacker can rob a business of its confidential user data, can install software that leads to further damage down the road or even install malicious programs on your users’ PCs.

Google plays a strong role in policing websites. First, it can exclude potentially hacked websites from search results – and indeed it blacklists tens of thousands of sites every week. Google also warns users away from infected sites by displaying a warning in Chrome. The resulting warnings can lead to a huge drop in traffic for website owners.

The responsibility for securing a website lies, of course, with the website owner. It’s no different from business security at a physical place of business. Essentially, your website is your premises and you need to ensure that it is secured.

General WordPress security tips

At Plesk we appreciate that risk elimination is very difficult to achieve. If large and well-protected government and military websites can be hacked, it is clearly difficult for even the most capable security regimes to eliminate risk. That’s why we believe in risk reduction instead. These are the first, most actionable steps we suggest that you take.

Pick a host you can trust

Though much of your WordPress security regime is simply up to you, there is one element that you probably do not control: security on the server hosting side. In fact, it can be argued that picking a secure shared hosting provider is your very first step in getting WordPress security up to scratch.

With shared hosting you share the physical and software hosting environment with many other users. So, when one user’s website gets hacked it can spread across to yours. This is called cross-contamination and can mean that your site gets infected through no fault of your own.

Therefore, you need to select a host that you can really trust. One option is to use a managed WordPress hosting company which can offer a range of services that help you secure your WordPress site, including advanced security configurations and automatic backups and updates.

User permissions and passwords

A stolen password is like handing the keys to a hacker, which is why stolen passwords are so commonly involved in compromised WordPress websites. One way to “steal” a password is to guess it: if you use a weak password, a hacker can easily guess it and get access to your WordPress instance.

Instead, choose strong passwords for your WP logins as well as every other area of your hosting solution, including FTP and MySQL. This goes for your email addresses too, as a hacked email account can be used to reset passwords.

Also watch out for user permissions: don’t hand out your admin credentials to just anyone. Where your website is run by a larger team including contributors, you need to ensure you control access by limiting user privileges to the absolute minimum. Don’t give users full administrator access unless they really need it.

Always update WordPress

If your host doesn’t provide automatic WordPress updates you should make sure you execute these updates yourself, regularly. As open-source software the WP codebase is regularly updated, with minor changes to the code automatically installed. However major new releases of WordPress require user intervention for the update to install.

Updates also stretch across to the stacks of plugins and custom themes that so many websites make use of. Here, too, you must ensure that 3rd-party updates are tested and installed in a timely manner. Both WordPress core updates and 3rd-party updates are key to ensuring your WordPress website is impervious to hackers.

Getting a third party involved to boost WordPress security

We’ve outlined some of the basic elements of good WordPress security. Later in this WordPress security guide we will cover DIY steps, but one way to ensure your WordPress site is really secure is to make use of a third party security service.

In this section we will cover the WordPress security tips you can follow that don’t require an understanding of how WordPress works, and which you can implement just by pointing and clicking. For beginner users these steps are ideal as they are easy to implement yet effective. Let’s take a look.

Activate an automatic backup solution

Earlier in this article we highlighted how it is almost impossible to make a website 100% secure against hacker attacks. You can reduce the probability of a successful attack but not eliminate it. So, website owners must assume there is a chance of a successful attack. Effective backups are the most important defence against a successful attack as it allows you to restore your website should the worst happen.

Thankfully it’s not hard to get WordPress backups into place, and you have a choice of paid-for and free solutions. However, you must save your backups in a remote location – not in your main hosting account. Otherwise, if your hosting account is compromised, your backup is simultaneously compromised. Instead store your backups in cloud storage such as OneDrive, Dropbox or AWS.

Backup frequency is important. Depending on how often your site is updated, it should be at least once a day, but for many scenarios ongoing backups that mirror all site changes are the better option, especially where user registrations are involved. Some of your best no-coding backup solutions include VaultPress as well as Backup Buddy.

Install a third-party WordPress security plugin

Backups are your first step, but you should go further when setting out your WordPress security measures. Understanding what happens on your site is important, so you need a monitoring tool that can audit everything from failed access attempts and scanning efforts performed by malware to the integrity of WordPress core files.

One excellent tool is from a company called Sucuri. The Sucuri plugin is installed directly into your WP instance and is free to install and use. You start by generating a free (API) key which will activate logging as well as automatic integrity checks and various other core Sucuri features. We also recommend that you fully activate the WP “hardening” features offered by Sucuri – simply click “Harden” next to every option on the relevant Sucuri tab.

Sucuri’s hardening features essentially automatically lock down a number of areas that are often targeted by WP hackers. There is one hardening option that Sucuri uses that is not included in the free plug-in. It is effectively a firewall for websites, and we cover it in the next section.

In fact, we will also cover some of Sucuri’s hardening features in a later section where we show you how to manually harden your WordPress site, though note that these options are typically for the more technically savvy.

Overall Sucuri is really easy to set up because, once you’ve ticked all the “Harden” boxes, it’s job done, you don’t need to change much else. However we do suggest that you customise the email notifications that Sucuri sends as these can be bothersome.

To stop your inbox cluttering up too much with notifications you should edit the settings in Sucuri so you only get a message when there is a major change, for example when a new plugin is installed or when a new user registers.

Overall the Sucuri plugin is a top choice for automatic WordPress protection and we encourage you to browse through the different sections of the plugin including its malware monitoring, logs and the list of failed logins. However, you can take Sucuri to the next level if you are willing to pay for a subscription.

Get a firewall for your website

Also called a Web Application Firewall or WAF, a firewall for your website is one of the best ways to keep your website safe and secure. Why? Because a firewall protects your website from malicious traffic before this traffic even reaches your website.

Clearly, stopping intruders from reaching your site in the first instance is a top WordPress security priority, but Sucuri offers more. In the unlikely event that an intrusion succeeds, Sucuri can also do a cleanup and can help you remove your sites from blacklists. In fact, the company guarantees that it can do so. Sucuri will do the fix themselves.

It’s not cheap to get a hacked website fixed and it can take a long time, which makes hacks costly. Sucuri’s technicians charge over $200 per hour, but you get access to the full Sucuri service for just $199 in subscription fees. Note that you have other choices for web application firewalls; one example would be Cloudflare.

The DIY WordPress security guide

We’ve given a number of important pointers that should get your WordPress site to a point where it is reasonably safe from attack, but if you are more technically minded you can go further and do a few more things to help you get your WordPress site as safe as can be. Some of the following instructions require a bit of knowledge of coding, but other steps are simple to complete. Let’s take a look.

Stop PHP file execution where it’s not needed

Some WordPress directories are not intended to run code; they just store files, for example /wp-content/uploads/. Hackers can, for example, upload PHP code to these directories and then execute the malicious code. Stop hackers from doing so by blocking PHP code execution where WordPress doesn’t need it.

It’s simple to do so. Open a plain text editor such as Windows’ Notepad and paste this text:

# Refuse to serve any file whose name ends in .php from this directory
<Files *.php>
deny from all
</Files>

You then need to save the code to a file called .htaccess and upload it to the directory in which you want to block PHP code execution, such as /wp-content/uploads/. However, don’t add this code to just any WordPress directory, as it can stop your site from working.

Alternatively, simply use the Sucuri plugin to help you: blocking PHP file execution in unnecessary directories is one of the hardening options included in the plug-in.
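
One way to check that this hardening is actually in place on a server you manage. This is an added example, not code from the original article or from the Sucuri plugin; the function names are hypothetical, and the list of file extensions is an assumption that depends on how your server's PHP handler is configured.

```shell
#!/bin/sh
# Added example: audit an uploads directory for the hardening described above.
# Usage: sh audit_uploads.sh /path/to/wp-content/uploads

# List files whose extension a PHP handler may execute. The rule
# "<Files *.php>" only matches names ending in .php, so other extensions
# are worth reporting as well (assumed list; adjust to your handler config).
find_php_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null | sort
}

# Return 0 if DIR/.htaccess has an active <Files> or <FilesMatch> block that
# mentions php and contains a deny rule, in either the Apache 2.2 form
# ("deny from all") or the Apache 2.4 form ("Require all denied").
# Commented-out lines are ignored.
has_php_deny_rule() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || return 1
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*#/ { next }
        line ~ /^[ \t]*<files(match)?[ \t].*php/ { inblk = 1; next }
        line ~ /^[ \t]*<\/files(match)?>/ { inblk = 0; next }
        inblk && line ~ /deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$ht"
}

# Report both findings; return 1 if anything needs attention.
audit_uploads() {
    dir="$1"
    rc=0
    if has_php_deny_rule "$dir"; then
        echo "OK   .htaccess blocks PHP in $dir"
    else
        echo "WARN no active PHP deny rule in $dir/.htaccess"
        rc=1
    fi
    files=$(find_php_files "$dir")
    if [ -n "$files" ]; then
        echo "WARN PHP-executable files present in a storage directory:"
        echo "$files" | sed 's/^/     /'
        rc=1
    fi
    return $rc
}

# Run the audit only when a directory is given on the command line.
[ "$#" -eq 0 ] || audit_uploads "$1"
```

A non-zero exit status makes the script easy to run from cron or a deployment check.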

Change file editing permissions

WP comes with a code editor built-in which allows you to edit the files used by plugins and themes, but we recommend that this is turned off. This direct access can cause problems when used by a rogue actor. It’s easy to switch off the ability to edit plugin and theme files. Just add this code to your wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Of course, as we explained, Sucuri allows you to change this setting right in the Sucuri plugin’s control panel, ideal if you’re not keen on editing configuration files.

Don’t use “admin” for the administrator account

Older WordPress installations started out with “admin” as the username for the main administrator account, so many WordPress website owners still access their sites via the “admin” account. This matters because a lot of automated WordPress attacks rely on hitting “admin” with a guessed password to get into the WordPress instance.

Now, WordPress forces users to choose a different administrator username so that “admin” is no longer the default for a new installation. That said, some auto-installers that do a one-click install can still make use of “admin”. If you see that your administrator username is “admin”, you should really change it.

Unfortunately, you can’t simply rename an existing user, so if your administrator username is “admin” you’d need to change it some other way. You do have three options. First, you can create a new administrator account with a different name and delete the old one. The “Username Changer” plugin can also do it for you. Finally, you could edit the WordPress database directly via phpMyAdmin and make the change yourself.

Change the WordPress database name

A bit like the issue around standard administrator usernames, WordPress assigns a “wp” prefix to the WordPress database and all its tables. This hasn’t changed, and hackers can try to search for WordPress tables using this prefix. Changing it can trip up hackers, but you must be extremely careful when you make this change, as it can break your WordPress site. We recommend that you read our detailed instructions before you try to do it.

Set a password for the WordPress login and admin pages

Make life harder for hackers by setting up further password protection server-side that asks for login details before your server presents the WordPress wp-admin directory and the login page inside of it.

Each hosting solution will have a different way of making this change, but it can prevent hackers from running a DDoS attack or some other tricks that try to access the WordPress admin directory.

Stop directory browsing and indexing

Hackers can try to find out whether your site has a vulnerability by browsing the content of your site’s directories. Many hosting solutions leave directory browsing enabled by default, providing an opportunity for hackers.

It’s not just hackers you need to be worried about. Directory browsing lets anyone who is curious hunt through the files on your website to find images and other documents or to copy down your directory structure. We strongly suggest that you disable the ability to browse directories as there is rarely any purpose for doing so.

To stop directory indexing you need to edit the .htaccess file for the root directory on your website. You can do so using the file manager on your website’s control panel. You need to add this line to the .htaccess file:

Options -Indexes

Do that and you will stop unwanted users from exploring the file content of your website’s directories.

Disable XML remote procedure calls

XML remote procedure calls, or XML-RPC, can magnify the impact that a brute-force hacker attack has on your WordPress instance. It is a powerful protocol and though it is useful on the one hand (you can connect other websites and apps using XML-RPC) it does carry risks.

XML-RPC has been enabled by default since WordPress 3.5, but it can open the door to hackers. Instead of using 500 individual password attempts on your site, a hacker can simply use system.multicall, a function in XML-RPC, to try these login attempts. In fact, this function can try thousands of passwords with just twenty to fifty XML-RPC requests.

If you are not using XML-RPC the general recommendation is to disable it so that it does not open the door to hackers. You have three options: the most direct and least resource-heavy is doing so by using .htaccess. Alternatively, you can use the Sucuri WAF to do it for you.
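Because system.multicall packs many calls into one HTTP request, a limit that counts requests undercounts what is really being attempted. The added example below (not from the original guide or from any WAF product) counts the calls inside a single XML-RPC request body and applies a batch-size policy; `MAX_BODY`, `MAX_BATCH`, the function names and the placeholder method `demo.ping` in the constructed sample are assumptions.

```python
import xmlrpc.client

MAX_BODY = 1_000_000  # assumed cap: refuse to parse larger request bodies
MAX_BATCH = 5         # assumed policy: calls tolerated in a single request

def count_calls(body: bytes) -> dict:
    """Return {method name: count} for every call carried by one XML-RPC request."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large to inspect")
    # xmlrpc.client is not hardened against hostile XML; the size cap above is the
    # minimum precaution, and a hardened parser is preferable in production.
    params, method = xmlrpc.client.loads(body)
    if method != "system.multicall":
        return {method: 1}
    batch = params[0] if params and isinstance(params[0], list) else []
    counts = {}
    for call in batch:
        name = call.get("methodName") if isinstance(call, dict) else None
        name = name if isinstance(name, str) else "<malformed>"
        counts[name] = counts.get(name, 0) + 1
    return counts

def verdict(body: bytes) -> str:
    """Apply the batch-size policy to one request body."""
    try:
        total = sum(count_calls(body).values())
    except Exception:
        return "reject: not inspectable"
    if total > MAX_BATCH:
        return f"block: {total} calls in one request"
    return "allow"

def sample_batch(n: int) -> bytes:
    """Constructed request: n calls to the placeholder method demo.ping."""
    calls = [{"methodName": "demo.ping", "params": [i]} for i in range(n)]
    return xmlrpc.client.dumps((calls,), "system.multicall").encode()

if __name__ == "__main__":
    print(verdict(sample_batch(500)))
    print(verdict(xmlrpc.client.dumps((1,), "demo.ping").encode()))
```

A login limiter that sees the first sample as one request would count a single attempt where the server processes 500 calls, which is why disabling XML-RPC or inspecting the batch is the effective control.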

Put a cap on the number of chances to login

Hackers often use a technique called “brute force” to try and get into a website if they don’t know the password. They simply keep trying the username against a list of potential passwords. WordPress usually allows users to try to log in as many times as they like, but you can change this. First, a website application firewall can do this for you as it will automatically block brute force attempts.

Alternatively, download a plugin called Login LockDown and install it. We have more detailed instructions on how to install a WordPress plugin elsewhere; consult these if you need more help. You have to set up the plugin once you’ve installed it. Visit the Settings > Login LockDown page to do so.

Put a time limit on idle users

Hackers don’t always work from faraway corners of the world. When your administrator walks away from their PC while logged into WordPress, they can open your site to security risks. Just as a lot of important sites like financial services force a log out after a period of inactivity, you should also consider forcing a log out when a user is idle.

One way to do so is using the “Idle User logout” plugin. Once you’ve installed it, go to the Settings > Idle User Logout page and set up the plugin. Here you can set the time duration that you prefer. Make sure to uncheck the “Disable in wp admin” option for maximum security.

Mix up the WP login screen with a security question

Again, in an effort to trip up automated hacking attempts, you can make it more difficult to get past your WordPress login screen by setting up a separate security question which hackers won’t expect.

Thwart unauthorised access by installing a plugin. We recommend “WP Security Questions”, which is again easy to install as a plugin if you follow our simple instructions. To activate this plugin, go to Settings and then to the Security Questions page, where you can customise the security question.

Set Alternative WordPress Login URL

Everyone who knows anything about the WordPress CMS is aware that a WordPress site can be accessed via wp-login.php. That is great for ease of use, but far less acceptable when WordPress security is the concern.

There are numerous ways to change the default WordPress login URL; however, we suggest using the WPS Hide Login or Better WP Security plugins for this purpose.

What to do when every WordPress security effort fails

There are so many facets to protecting your website against WordPress hacking threats. It is not uncommon for even the most switched-on website owners to trip up when they set up protection for their sites, and that is why it is so important to have a dependable backup solution and reliable website security partners.

Should the worst happen you should consider letting a security expert do the clean-up as it can be difficult to get rid of everything a hacker installs. It is easy for intruders to leave what is called a “backdoor” which can enable future intrusion attempts. A company such as Sucuri can help fix your site for you. These security companies know what to do to ensure that a website is 100% safe after clean-up. That said, a backup of your site is important too because it makes the repair and clean-up process far easier.

An alternative approach is to use Plesk as a hosting platform for your VPS or dedicated server and enjoy the power of WordPress Toolkit, an ultimate WordPress management solution which will help not only to harden WordPress security, but also to run updates, manage themes, plugins and databases, edit global settings and lots more.