If you are a medium sized organisation, internal department or college you may be using WordPress to deliver a learning solution. From blended learning programmes to knowledge bases it has an unrivalled level of flexibility which makes it suitable for much more than just a blog or company website.  With a great design, you can offer your learners an experience which transforms their expectations of elearning from stuffy ‘click-next’ compliance into engaging exploration of great content.  In fact, if you want to see just who trusts WordPress to be their shopfront take a look at the top 40+ WordPress sites and here for 10 WordPress plugins for eLearning. But I digress this is about securing your learning portal.

Unfortunately, the flexibility it provides can often be a double-edged sword. Reports by WordFence show that over 60% of website owners didn’t know their site had been compromised. According to Alexa, 71% of the top 1 Million sites were vulnerable.

So what can you do about it?

1. Use a free service by CloudFlare

CloudFlare is an optimisation and security cloak for your website. It really is impressive and provides a no brainer way to protect the front door of your website and at the same time improve the speed of your site.

The setup is reasonably straight forward and your developer or technically minded person should be able to set this up in a few minutes. Once in place all of your traffic to and from your site will be encrypted (you’ll see the https:// go green note the ‘s‘ indicating secure) appear in the address bar. If you log in to CloudFlare after a few days you can view reports of the malicious traffic prevented from reaching your site.

2. Install the iThemes security plugin

With 4.7 stars and over 3.2K installs iThemes provides an audit and advice on actions you can take to keep your site safe. It can be installed from your WordPress Admin | Plugins | Add New page. Once installed activate the plugin and follow the guided advice. If you have serious traffic coming to your site then I urge you to upgrade to the paid plan which provides a strong level of security.

3. Change the location of your login page from the default

How do sites get hacked?

A website gets hacked typically by a script which can run a set of routine instructions to find the ‘common’ issues with a site. This typically involves looking for the same entry points and documented vulnerabilities.

Your job is to not be common

By being common when your site is discovered the script can rely on standard conventions to try to exploit weaknesses. So a logical step is to provide less surface area for you to be attacked from by obscuring the login page.

With the iThemes plugin installed navigate to here:

WordPress Admin Hide Backend

WordPress Admin Hide Backend

You should next see the following screen. Change the Login Slug (such an eloquent name don’t you think) to something else. Remember to make a note of this. In the example, below I’ve chosen daffyduck.

Once you save the change you will now login to your site at the address you’ve chosen.

Hide wordpress backend

Hide wordpress backend

4. Make your password 3 x longer than you’d ever want it to be

We all hate remembering and storing passwords. Hopefully, in the near future, there will no longer be a need to have passwords. In the meantime, I’d like you to do the following:

  • Put a recurring reminder in your diary for 90 days to change the password.
  • Using a random password generator create an 18 character password (make sure it contains letters, numbers and mixed case).
  • Change your WordPress administrator password.
  • At the same time consider changing the admin username. Admin is the default and changing this make it harder for a script to guess.

An example password would look this:

  • 5&yJyTg3GaiVlfKEEe
  • RPnjRLmS7RPZRHgkd4
  • ssLFGJjdLHpdemcxVa

Unfortunately, this is impossible to remember. Before you consider writing this down consider using a password manager…

5. Store the password in a password safe like LastPass

A password manager is an application which stores your login details. It helps you by keeping each site you log in to have a separate password. This way the next time a site gets compromised and lots of passwords flood the dark web you can sleep easy knowing that you only have one site at risk which you can easily update.

There is some controversy about this but on the whole, I believe its much better than using the same password for everything.


This is a very short set of steps to get you started. In my experience of working with organisations which rely on tools like Moodle, WordPress and Drupal to provide a learning solution there is often an assumption that they are invisible because it’s only for internal staff or a small group of suppliers. However with our increasing use of the cloud, this often isn’t the case without a lot of effort. Just 10 minutes of your time can make a significant difference and start to give you a basic level of security.

If you enjoyed this short guide, please share to your network and don’t forget to follow us using the buttons below.

Until next week…
Paul Brown