5 Steps to Ensure Your WordPress Blog Is Secure

social media how toIs your WordPress blog safe from malicious people?

Would you like to make your WordPress blog more secure?

Most often, people don’t think about security measures until it’s too late. But there are some simple steps you can take to keep your blog safe.

Why Secure Your WordPress Blog?

A blog that has been hacked can suffer from loss of content, stolen data and expensive downtime. Maintaining the security of your blog helps you protect your reputation and provide your visitors with the best service possible.

Because WordPress is such a popular platform for blogging, it’s a regular target for hacking attacks launched by people who find and exploit weaknesses and vulnerabilities in websites.

Here are 5 simple security measures that you should implement on your business blog today to protect it from hacking attacks.

#1: Delete the “Admin” Username

Hackers look for blogs that use the default WordPress admin username because it’s half of the information they need to gain entry to your blog. When you use “Admin” as your username, you save the hacker a lot of time. All they’d need to do next is to figure out your password. Once that happens, they can enter your blog and do whatever they want.

The first step in making your blog secure is to create a new user profile for yourself and delete the default admin username. This makes it more difficult for someone to hack into your business blog.

To create a new username profile, open the WordPress admin navigation, go into Users and click on Add New.

role of administrator

Create a new user profile and change the role to administrator.

Fill in your details and make sure to give yourself the role of an administrator so you have the ability to make any necessary changes on your blog. After your new username is created, log out of your WordPress dashboard and log back in with your new user details.

Go back into Users and delete the default admin user. At this stage, WordPress gives you the option to transfer the posts authored by the admin user to your new user profile; choose that and you won’t lose any of your content or data.

#2: Use a Strong User Password

No matter how much awareness is raised around the danger of using a simple password, many people continue to use simple passwords that are easy for them to remember. Unfortunately, this also makes those passwords easier to crack.

It’s important that you use a strong and secure password. It should be a minimum of eight characters long with uppercase and lowercase letters, numbers and special characters.

To change your WordPress password to a stronger character string, go into Users and choose Your Profile. At the bottom of that page, fill in the New Password fields.

adding new password

WordPress interface for adding a new password.

Make this a requirement for every member of your blogging team as each login password presents a potential gateway for hackers to try to enter.

#3: Update to the Latest WordPress Version

In response to security vulnerabilities, the WordPress software, themes and plugins are regularly updated with the latest patches and fixes.

When a WordPress update is available, you’ll see a prominent notification across the top of your dashboard.

new update available

You’ll see a yellow notification banner across the top of your WordPress dashboard when there’s a new update available for you to install.

Updating is a simple 1-click process in your dashboard so you won’t need to leave your browser or do any manual uploading via FTP.

#4: Back Up Your Blog Database

Backing up your database is an important part of keeping your blog secure.

WordPress makes the backup process simple with both free and paid options. WP-DB-Backup, a free option, is one of the most downloaded WordPress backup plugins and is a simple solution for beginners.

To install WP-DB-Backup, go into Plugins and choose Add New. Type “WP-DB-Backup” in the search box. Click Install Now and then click OK.

new plugin

It’s easy to find and install a plugin to back up your blog. Under Plugins, click Add New and search for WP-DB-Backup or another backup plugin.

From the Plugins screen, Activate the plugin.

After the plugin has been activated, you’ll have a new addition to your navigation in Tools named Backup. From Backup, you can either back up your database immediately or you can set the backup to occur on a regular schedule. The backup files can be downloaded to your hard drive or sent to your server via email.

backup options

WP-DB-Backup gives you the option to save to server, download or email.

You’ll appreciate knowing you always have an up-to-date backup of your blog in the event something does happen.

#5: Limit Login Attempts With a Plugin

The Limit Login Attempts plugin is especially useful in helping to repel brute-force hacker attacks by blocking access to the login page after a series of incorrect login attempts have been made. As administrator, you decide how many login attempts to allow before the plugin launches the block.

Install this plugin by going into Plugins and choosing Add New, just as you did to find the WP-DB-Backup mentioned above.

This time, search for “Limit Login Attempts,” click Install and then OK. Activate the plugin from the Plugins screen and you will have a new Limit Login Attempts option in your Settings.

To set the number of allowable login attempts and other limits, click on Limit Login Attempts, fill in the options and click on Change Options to save your work.

login attempts plugin

Limit Login Attempts plugin settings in your WordPress dashboard.

Bonus Tip: Here’s one last tip to help keep your blog safe. Remember to research any plugins you are interested in. This is one tactic used by others to try to attack your blog. So only install plugins from reputable sources and check the reviews on WordPress.org.

Keep your business blog safe.

These are five things you can quickly put in place to help make your business blog more secure. They will go a long way in protecting your blog from the majority of hacking attempts and give your blog more security than many of the other blogs published today.

What do you think? How often do you think about the security of your blog? What other precautions do you recommend to keep a blog safe? Write your comments and questions in the box below.

Tags: , , , , , , , , , , ,

About the Author, Marko Saric

Marko Saric is a bloger at HowToMakeMyBlog.com, a site that teaches you everything you need to know on starting a blog and making it a success. Other posts by »

More Info
  • http://www.intervistedisuccesso.com/ Leonardo Plebani

    NIce post! Thanks God I did all of them :)

  • http://www.EntrepreneurOnFire.com/ John Lee Dumas

    Marko, really great tips! Thank you for sharing these. Backing up your database is huge, and I don’t think a lot of people really think about this. When everything is online, it’s easy to assume that you’ll be able to somehow recover it if something happens, but that’s clearly not always the case. Happy 4th of July!

  • FreddieFulton

    I like the idea of limiting the plugin attempts. That is one I haven’t done and will. Good read

  • http://www.AchieveTheGreenBeretWay.com/welcome Michael Martel

    Thanks for the Limit Login Attempts plugin. I hadn’t heard of it and it is a great thing to have.

  • http://www.howtomakemyblog.com/ Marko Saric

    I’m glad you did :)

  • http://www.howtomakemyblog.com/ Marko Saric

    Sure it is. You’re welcome.

  • http://www.howtomakemyblog.com/ Marko Saric

    Glad you liked the tips, the plugin helps!

  • http://www.howtomakemyblog.com/ Marko Saric

    Definitely! Happy 4th of July!

  • StartaBlogg.com

    Really great post, just started follow your blog/site. Glad I did.

  • Insuziswords

    Thanks so much Mark! I never gave this a thought before, but will follow your suggestions now!

  • Tom Hodgson

    A developer called bit51 also do a great plugin which covers all of this in one plugin. It’s called better wp security and I think it works very well. Just be weary of some of the tweaks though as they aren’t compatible with all themes. The bulk of the functionality works very well though.

  • http://monkeyhill.ca/ Kevin Fukawa

    I would also recommend that people hide the version of WordPress that they are running. I’m not suggesting that this take the place of keeping your version of WordPress up-to-date, but knowing what version your website is using is very helpful info for hackers.

  • AmandahBlackwell

    Great tips!

    Don’t forget to update plugins. And… Try not to use too many because they could slow down your blog.

  • http://www.howtomakemyblog.com/ Marko Saric

    good advice Amandah!

  • http://www.howtomakemyblog.com/ Marko Saric

    Interesting, thanks for sharing!

  • http://www.howtomakemyblog.com/ Marko Saric

    Glad you did!

  • http://www.howtomakemyblog.com/ Marko Saric

    I’m happy to hear that!

  • http://www.howtomakemyblog.com/ Marko Saric

    Good tip Kevin!

  • Paul

    Really enjoyed the post and the tips. Checked out your site and really enjoyed a lot of your articles. Look forward to seeing more of your stuff. Thanks and Happy forth of July

  • http://www.howtomakemyblog.com/ Marko Saric

    Thanks very much Paul, happy 4th of July to you too!

  • http://tyronneratcliff.com/ Tyronne Ratcliff

    Great tip Kevin!

  • AmandahBlackwell


  • http://indispensablemarketing.com/ Patrick McFadden

    Thanks Maro for sharing these great steps to ensure that all of our WP Blogs are secure.

  • http://www.francesccasadella.com/ Francesc Casadellà

    Hi Marko, great post! Just a question, it’s strange you don’t say anything about adding a CAPTCHA Code to prevent the access on all the forms like the Contact Form. I thought sometimes it’s an Open Door for hackers, isn’t it?

  • Laura Mann Weed

    Fantastic tips!!! An extremely clear and well-written tutorial!! Thanks.

  • http://www.salyris.com/ Sean Cook

    Wordfence Security is a free enterprise class security plugin that
    includes a firewall, anti-virus scanning, malicious URL scanning and
    live traffic including crawlers. Wordfence is the only WordPress
    security plugin that can verify and repair your core, theme and plugin
    files, even if you don’t have backups.

  • http://www.thewebmasteryacademy.com/ Kim Matheson

    Perfect information thanks so much guess what I am going to do now. Head over to my blog and secure it. It would be a disaster to lose your blog considering all the work and effort you put into it. Cheers Kim

  • http://www.thewebmasteryacademy.com/ Kim Matheson

    Oh and happy 4th of July :)

  • nancyseeger

    Good tips, heading over to your blog to add to my Feedly! Would add having a good webhost that is proactive with security good addition to having your back. I was pleased to see the webhost I recommend to my clients during the initial Botnet attacks, limited login attempt failures to 10. Certainly helps eliminate another potential point of failure.

  • Britta Wein

    wp security is a great plugin I started using a while ago and I am super happy with it. Mark, could you check it out and let us know what you think?

  • Britta Wein

    How can you hide it ?

  • Britta Wein

    Sounds awesome!

  • Miguel Martinez

    One of my blogs got hacked yesterday, I was so dumb to keep the admin user… had no backup, the stupidest thing is that I took these 5 steps for the other blog I have, that one is working fine an secure, dont know why I didnt do it for the other… :(

  • http://monkeyhill.ca/ Kevin Fukawa

    If you’re a developer, you can remove it by adding a funcion to your functions.php file in your (child) theme’s directory. If you’re not a developer, you can use a plugin like Better WP Security to do it for you.

  • http://www.howtomakemyblog.com/ Marko Saric

    You’re welcome!

  • http://www.howtomakemyblog.com/ Marko Saric

    Seems like a good plugin!

  • http://www.salyris.com/ Sean Cook

    I like it because it emails me when plugins and themes need updates. Just set the options after you first install it. There is also subscription-based options, but the free version does most of what people need. :)

  • http://www.howtomakemyblog.com/ Marko Saric

    Had a quick look and definitely looks worth having!

  • http://www.howtomakemyblog.com/ Marko Saric

    Thanks Francesc! I haven’t come across any issues like that through the Contact Form plugin.

  • http://www.howtomakemyblog.com/ Marko Saric

    Happy 4th of July to you too :)

  • http://www.howtomakemyblog.com/ Marko Saric

    Sounds good Kim!

  • http://www.howtomakemyblog.com/ Marko Saric

    Seems like an interesting plugin to test out!

  • http://www.howtomakemyblog.com/ Marko Saric

    Glad you liked it Laura!

  • http://www.howtomakemyblog.com/ Marko Saric

    :( sorry to hear that Miguel.

  • http://www.howtomakemyblog.com/ Marko Saric

    Thanks Nancy. Definitely a good tip as well!

  • http://www.handmadetalk.com/ Mark Evans

    Great post Marko, thank you! Can you advise on how best to handle the backups? I wouldn’t want them on my MacBook and would use up my storage limit quickly if I sent to my hosting account servers. Any tips?

  • http://plrvideohq.com/ Steve Dougherty

    Great tips Marko.

    Sean & Nancy have some awesome tips as well – having a great webhost and using the WordFence plugin are a couple of solid layers of added security in addition to your 5 steps.

    Thanks for the post.

  • http://www.moflow.ca/ Marlene Oliveira

    Thank you for the tips! I just looked into WP-DB-Backup and got this message:

    “This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.”

    Do you have any recommendations for something more current?

  • http://davezan.com/ DaveZ

    Wait, doesn’t WordPress (readily) hide the version number from outside (prying) eyes already?

  • http://davezan.com/ DaveZ

    I wondered for a while why the article didn’t include other ways to secure one’s WordPress blog. Then, I realized it’s especially written for beginners.

    You ought to write something like “5 more steps to ensure your WordPress blog is secure” as your next one. :)

  • Stacey Mathis

    My WordPress blog was hijacked about a year ago, so I know this feeling. It’s horrifying. This is a much-needed post.

  • Elias

    Great tips. Let me just add 2 more important tips, 1st start by changing your wordpress database prefix, don’t use WP and 2nd, config your .htaccess file to prevent DOS attack.

  • http://www.francesccasadella.com/ Francesc Casadellà

    Thanks for answering Marko, it’s good news that you never had this problem via Contacts Forms, i’m going to implement your 5 Steps recomendations on my blogs so may be it doesn’t happen to me again ;)

  • Chandrashekar Reddy

    it’s cool. i think every one using admin as a user name. Thanks for the information.

  • Rogier Borst

    6) Install WordPress in a subdirectory with a funny, long name ( ie ‘ilovethesmellofnapalm’ ), move index.php from that folder to the root and change the line ‘require(‘./wp-blog-header.php’);’ to ‘require(‘./ilovethesmellofnapalm/wp-blog-header.php’);’. This way hackers might not even find the login page.

    Oh, and I forgot: in settings -> general set ‘WordPress Address (URL)’ to your long path and ‘Site Address (URL)’ to your domain (without the funny dir).
    You’ll log in at my.domain.com/ilovethesmellofnapalm, but your visitors will go to my.domain.com

  • http://rowell.dionicio.net/ Rowell Dionicio

    Some other tips I would suggest are:

    1. Change your password regularly.
    2. Secure your admin page with SSL.

  • Yvette

    Thanks for your great tips. Do you also know how to reduce the amount of spam comments in WP? I get about 100 a day and it’s a hassle to review and delete them. Also, it seems like I regularly go to our website and something is not functioning correctly (due to a non-working plug-in). Is this typical? Or is this because the plug-in may need an update?

  • Yvette

    Yikes, by mistake I changed all of the files from ADMIN to my user name and I didn’t hit the right button and I think I may have deleted all of our files! Is there any way to get back?

  • LeiLani

    Hello Marko, nice post with easy to follow advice. Kudos. One question though – any thoughts for additional security measures for a multi-site setup?

  • http://www.howtomakemyblog.com/ Marko Saric

    i hope so too :)

  • http://www.howtomakemyblog.com/ Marko Saric

    I get them sent to my email account, it’s a good option to me.

  • http://www.howtomakemyblog.com/ Marko Saric

    Thanks Marlene. I would recommend to have a look around WordPress plugin section, there’s quiet a few there. Test them to see what works best for you.

  • http://www.howtomakemyblog.com/ Marko Saric

    Yeah, this was written as simple tips that beginners can do – good idea for a follow up!

  • http://www.howtomakemyblog.com/ Marko Saric

    Thanks for the nice words Steve!

  • http://www.howtomakemyblog.com/ Marko Saric

    Thanks for the advice Elias!

  • http://www.howtomakemyblog.com/ Marko Saric

    Sorry to hear that Stacey, hope you got it all back up!

  • http://www.howtomakemyblog.com/ Marko Saric

    Definitely good tips Rowell!

  • http://www.howtomakemyblog.com/ Marko Saric

    Nice one Rogier! :)

  • http://www.howtomakemyblog.com/ Marko Saric

    You’re welcome!

  • http://www.howtomakemyblog.com/ Marko Saric

    Do you use Akismet or other spam plugin? That usually works for me.

  • I Am Rosa

    Although I haven’t tried it myself yet, several others above have recommended Better WP Security.

  • http://www.howtomakemyblog.com/ Marko Saric

    Thanks Lei. For multisite make sure that everyone understands that security is vital so they keep their login details safe and don’t make you vulnerable to any risks.

  • http://www.howtomakemyblog.com/ Marko Saric

    :( Did you have a backup? If not your host might be able to help with a backup.

  • http://www.moflow.ca/ Marlene Oliveira

    Thank you! This is new territory for me, so appreciate the specific recommendation.

  • Eddie

    Nice and useful. I would also recommend Wordfence plugin. Easy to install, easy to maintain. Since installation I have not had a single problem with hackers (knock;knock on the wood)

  • http://www.topicalsearch.com/ Yaniv Kimelfeld

    Bad Behavior is another plugin that can protect WP and other PHP platforms (e.g. MediaWiki). It also has a good integration with reverse proxies like CloudFlare, which is another method to protect your website.

  • http://blainejeffery.com/ Blaine Jeffery

    Hi, just curious about recommending this WP-DB Backup plugin with this warning:
    This plugin hasn’t been updated in over 2 years.
    It may no longer be maintained or supported and may have compatibility
    issues when used with more recent versions of WordPress.

  • http://www.fitnesscheerleader.com/ Janice – Fitness Cheerleader

    I would also add that you should not install your WordPress in a top level folder & instead “hide” it in a child level folder. I also purchased a back up service from my web host that backs up all my files & databases on a monthly, weekly and daily basis allowing me to do 1 click restores from my cpanel

  • http://www.outoftheboxwebsites.com.au/ Jane Hinchey

    I have my backups sent to my Amazon S3 account, with an email telling me that everything has backed up successfully (or not)! You could also use a Dropbox account.

  • http://www.handmadetalk.com/ Mark Evans

    Thanks for the reply Marko.

  • http://www.handmadetalk.com/ Mark Evans

    Thank Jane, I like the Dropbox idea. I can set up a dedicated folder and just keep the most recent backup which will not require much storage space.

  • Gaurav Dhankhar

    Nice article but don’t you think that using too much plugins would slow down our website loading speed?

  • http://monkeyhill.ca/ Kevin Fukawa

    No. If you visit a WordPress site and view source, you’ll see a meta tag that clearly states what version of WordPress the website is using. An up-to-date version will say:

  • http://trackallmystuff.com/Welcome-From-Disqus/ Rich Miller

    These are 5 great actionable tips. I especially love the suggestion to delete the Admin account. I never looked at it like giving away 1/2 of the security. Thanks for these.

  • Laura The Spruiker

    What a great post. Such sensible advice.

  • Liz

    I’m new to the world of blogging and, being a writer, anything remotely techie scares me stupid. So thanks for the idiot-proof step-by-step instructions!

  • Pingback: iBiz Maintenance Tip: 5 Steps to Ensure Your WordPress Blog Is Secure()

  • lauren

    Thank you for this!

  • http://jeffmurnan.com/ Jeff Murnan

    This was really helpful, thanks for the tips! I totally agree on #1 & #2, it’s amazing how many people forget about the basics of pw security.

    Sometimes the hardest part of updating is the worry that it make break something. I recommend people create a mirror dev version of their site so they can test before taking the plunge on a major upgrade.

  • http://www.paulund.co.uk/ Paul

    A big one for me is to get a good web host. They will do automatic backups of your database and your files. If you theme gets hacked some hosts will even find the malware and fix it for you free of charge.

  • sanjay Singh

    Really great post, just started follow your blog is very helpful thanks for sharing

  • Aadil Lakhi

    Excellent article.

    Regarding point #1 – Deleting the Admin username. This is excellent advice but users should take note when deleting the admin user, WordPress asks if existing blog posts should be attributed to another user. So, if you select an Admin user (now called Messi or whatever), this username is publicly visible when clicking on the author of an article.

  • http://cosmetics--discount.blogspot.com/2013/08/get-good-nights-sleep-once-and-for-all.html Pavel Novák

    Thank you for info about secure WordPress blog!!

  • lali

    great tips. your sidebar social media bar has pinterest icon overlapping over flattr for me in chrome.j

Check out the Social Media Examiner Show!
Join our Social Media Marketing Networking Club
Check out the Social Media Marketing Podcast!