Is your WordPress blog safe from malicious people?

Would you like to make your WordPress blog more secure?

Most often, people don’t think about security measures until it’s too late. But there are some simple steps you can take to keep your blog safe.

Why Secure Your WordPress Blog?

A blog that has been hacked can suffer from loss of content, stolen data and expensive downtime. Maintaining the security of your blog helps you protect your reputation and provide your visitors with the best service possible.

Because WordPress is such a popular platform for blogging, it’s a regular target for hacking attacks launched by people who find and exploit weaknesses and vulnerabilities in websites.

Here are 5 simple security measures that you should implement on your business blog today to protect it from hacking attacks.

#1: Delete the “Admin” Username

Hackers look for blogs that use the default WordPress admin username because it’s half of the information they need to gain entry to your blog. When you use “Admin” as your username, you save the hacker a lot of time. All they’d need to do next is to figure out your password. Once that happens, they can enter your blog and do whatever they want.

The first step in making your blog secure is to create a new user profile for yourself and delete the default admin username. This makes it more difficult for someone to hack into your business blog.

To create a new username profile, open the WordPress admin navigation, go into Users and click on Add New.

Create a new user profile and change the role to administrator.

Fill in your details and make sure to give yourself the role of an administrator so you have the ability to make any necessary changes on your blog. After your new username is created, log out of your WordPress dashboard and log back in with your new user details.

Go back into Users and delete the default admin user. At this stage, WordPress gives you the option to transfer the posts authored by the admin user to your new user profile; choose that and you won’t lose any of your content or data.

#2: Use a Strong User Password

No matter how much awareness is raised around the danger of using a simple password, many people continue to use simple passwords that are easy for them to remember. Unfortunately, this also makes those passwords easier to crack.

It’s important that you use a strong and secure password. It should be a minimum of eight characters long with uppercase and lowercase letters, numbers and special characters.

To change your WordPress password to a stronger character string, go into Users and choose Your Profile. At the bottom of that page, fill in the New Password fields.

WordPress interface for adding a new password.

Make this a requirement for every member of your blogging team as each login password presents a potential gateway for hackers to try to enter.

#3: Update to the Latest WordPress Version

In response to security vulnerabilities, the WordPress software, themes and plugins are regularly updated with the latest patches and fixes.

When a WordPress update is available, you’ll see a prominent notification across the top of your dashboard.

You’ll see a yellow notification banner across the top of your WordPress dashboard when there’s a new update available for you to install.

Updating is a simple 1-click process in your dashboard so you won’t need to leave your browser or do any manual uploading via FTP.

#4: Back Up Your Blog Database

Backing up your database is an important part of keeping your blog secure.

WordPress makes the backup process simple with both free and paid options. WP-DB-Backup, a free option, is one of the most downloaded WordPress backup plugins and is a simple solution for beginners.

To install WP-DB-Backup, go into Plugins and choose Add New. Type “WP-DB-Backup” in the search box. Click Install Now and then click OK.

It’s easy to find and install a plugin to back up your blog. Under Plugins, click Add New and search for WP-DB-Backup or another backup plugin.

From the Plugins screen, Activate the plugin.

After the plugin has been activated, you’ll have a new addition to your navigation in Tools named Backup. From Backup, you can either back up your database immediately or you can set the backup to occur on a regular schedule. The backup files can be saved to your server, downloaded to your hard drive or sent via email.

WP-DB-Backup gives you the option to save to server, download or email.

You’ll appreciate knowing you always have an up-to-date backup of your blog in the event something does happen.

#5: Limit Login Attempts With a Plugin

The Limit Login Attempts plugin is especially useful in helping to repel brute-force hacker attacks by blocking access to the login page after a series of incorrect login attempts has been made. As administrator, you decide how many login attempts to allow before the plugin launches the block.

Install this plugin by going into Plugins and choosing Add New, just as you did to find the WP-DB-Backup mentioned above.

This time, search for “Limit Login Attempts,” click Install and then OK. Activate the plugin from the Plugins screen and you will have a new Limit Login Attempts option in your Settings.

To set the number of allowable login attempts and other limits, click on Limit Login Attempts, fill in the options and click on Change Options to save your work.

Limit Login Attempts plugin settings in your WordPress dashboard.

Bonus Tip: Here’s one last tip to help keep your blog safe. Remember to research any plugins you are interested in, because plugins are one route attackers use to try to attack your blog. So only install plugins from reputable sources and check the reviews on

Keep your business blog safe.

These are five things you can quickly put in place to help make your business blog more secure. They will go a long way in protecting your blog from the majority of hacking attempts and give your blog more security than many of the other blogs published today.

What do you think? How often do you think about the security of your blog? What other precautions do you recommend to keep a blog safe? Write your comments and questions in the box below.

  • Nice post! Thank God I did all of them 🙂

  • Marko, really great tips! Thank you for sharing these. Backing up your database is huge, and I don’t think a lot of people really think about this. When everything is online, it’s easy to assume that you’ll be able to somehow recover it if something happens, but that’s clearly not always the case. Happy 4th of July!

  • FreddieFulton

    I like the idea of limiting the plugin attempts. That is one I haven’t done and will. Good read

  • Thanks for the Limit Login Attempts plugin. I hadn’t heard of it and it is a great thing to have.

  • I’m glad you did 🙂

  • Definitely! Happy 4th of July!

  • Glad you liked the tips, the plugin helps!

  • Sure it is. You’re welcome.

  • Insuziswords

    Thanks so much Mark! I never gave this a thought before, but will follow your suggestions now!


    Really great post, just started following your blog/site. Glad I did.

  • Tom Hodgson

    A developer called bit51 also do a great plugin which covers all of this in one plugin. It’s called better wp security and I think it works very well. Just be wary of some of the tweaks though as they aren’t compatible with all themes. The bulk of the functionality works very well though.

  • AmandahBlackwell

    Great tips!

    Don’t forget to update plugins. And… Try not to use too many because they could slow down your blog.

  • I would also recommend that people hide the version of WordPress that they are running. I’m not suggesting that this take the place of keeping your version of WordPress up-to-date, but knowing what version your website is using is very helpful info for hackers.

  • I’m happy to hear that!

  • Glad you did!

  • Interesting, thanks for sharing!

  • good advice Amandah!

  • Good tip Kevin!

  • Paul

    Really enjoyed the post and the tips. Checked out your site and really enjoyed a lot of your articles. Look forward to seeing more of your stuff. Thanks and Happy Fourth of July

  • Great tip Kevin!

  • Thanks very much Paul, happy 4th of July to you too!

  • Thanks Marko for sharing these great steps to ensure that all of our WP Blogs are secure.

  • Hi Marko, great post! Just a question, it’s strange you don’t say anything about adding a CAPTCHA Code to prevent the access on all the forms like the Contact Form. I thought sometimes it’s an Open Door for hackers, isn’t it?

  • Laura Mann Weed

    Fantastic tips!!! An extremely clear and well-written tutorial!! Thanks.

  • Wordfence Security is a free enterprise class security plugin that
    includes a firewall, anti-virus scanning, malicious URL scanning and
    live traffic including crawlers. Wordfence is the only WordPress
    security plugin that can verify and repair your core, theme and plugin
    files, even if you don’t have backups.

  • Perfect information thanks so much guess what I am going to do now. Head over to my blog and secure it. It would be a disaster to lose your blog considering all the work and effort you put into it. Cheers Kim

  • Oh and happy 4th of July 🙂

  • nancyseeger

    Good tips, heading over to your blog to add to my Feedly! Would add having a good webhost that is proactive with security good addition to having your back. I was pleased to see the webhost I recommend to my clients during the initial Botnet attacks, limited login attempt failures to 10. Certainly helps eliminate another potential point of failure.

  • Britta Wein

    wp security is a great plugin I started using a while ago and I am super happy with it. Mark, could you check it out and let us know what you think?

  • Britta Wein

    How can you hide it ?

  • Britta Wein

    Sounds awesome!

  • Miguel Martinez

    One of my blogs got hacked yesterday, I was so dumb to keep the admin user… had no backup, the stupidest thing is that I took these 5 steps for the other blog I have, that one is working fine and secure, don’t know why I didn’t do it for the other… 🙁

  • If you’re a developer, you can remove it by adding a function to your functions.php file in your (child) theme’s directory. If you’re not a developer, you can use a plugin like Better WP Security to do it for you.

  • Had a quick look and definitely looks worth having!

  • I like it because it emails me when plugins and themes need updates. Just set the options after you first install it. There is also subscription-based options, but the free version does most of what people need. 🙂

  • Seems like a good plugin!

  • You’re welcome!

  • Thanks Francesc! I haven’t come across any issues like that through the Contact Form plugin.

  • Glad you liked it Laura!

  • Seems like an interesting plugin to test out!

  • Sounds good Kim!

  • Happy 4th of July to you too 🙂

  • Thanks Nancy. Definitely a good tip as well!

  • 🙁 sorry to hear that Miguel.

  • Great post Marko, thank you! Can you advise on how best to handle the backups? I wouldn’t want them on my MacBook and would use up my storage limit quickly if I sent to my hosting account servers. Any tips?

  • Thank you for the tips! I just looked into WP-DB-Backup and got this message:

    “This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.”

    Do you have any recommendations for something more current?

  • Great tips Marko.

    Sean & Nancy have some awesome tips as well – having a great webhost and using the WordFence plugin are a couple of solid layers of added security in addition to your 5 steps.

    Thanks for the post.

  • Wait, doesn’t WordPress (readily) hide the version number from outside (prying) eyes already?

  • I wondered for a while why the article didn’t include other ways to secure one’s WordPress blog. Then, I realized it’s especially written for beginners.

    You ought to write something like “5 more steps to ensure your WordPress blog is secure” as your next one. 🙂

  • Stacey Mathis

    My WordPress blog was hijacked about a year ago, so I know this feeling. It’s horrifying. This is a much-needed post.

  • Elias

    Great tips. Let me just add 2 more important tips, 1st start by changing your wordpress database prefix, don’t use WP and 2nd, config your .htaccess file to prevent DOS attack.

  • Thanks for answering Marko, it’s good news that you never had this problem via Contacts Forms, I’m going to implement your 5 Steps recommendations on my blogs so maybe it doesn’t happen to me again 😉

  • Chandrashekar Reddy

    It’s cool. I think everyone is using admin as a user name. Thanks for the information.

  • Rogier Borst

    6) Install WordPress in a subdirectory with a funny, long name ( ie ‘ilovethesmellofnapalm’ ), move index.php from that folder to the root and change the line ‘require(‘./wp-blog-header.php’);’ to ‘require(‘./ilovethesmellofnapalm/wp-blog-header.php’);’. This way hackers might not even find the login page.

    Oh, and I forgot: in settings -> general set ‘WordPress Address (URL)’ to your long path and ‘Site Address (URL)’ to your domain (without the funny dir).
    You’ll log in at, but your visitors will go to

  • Some other tips I would suggest are:

    1. Change your password regularly.
    2. Secure your admin page with SSL.

  • Yvette

    Thanks for your great tips. Do you also know how to reduce the amount of spam comments in WP? I get about 100 a day and it’s a hassle to review and delete them. Also, it seems like I regularly go to our website and something is not functioning correctly (due to a non-working plug-in). Is this typical? Or is this because the plug-in may need an update?

  • Yvette

    Yikes, by mistake I changed all of the files from ADMIN to my user name and I didn’t hit the right button and I think I may have deleted all of our files! Is there any way to get back?

  • LeiLani

    Hello Marko, nice post with easy to follow advice. Kudos. One question though – any thoughts for additional security measures for a multi-site setup?

  • i hope so too 🙂

  • I get them sent to my email account, it’s a good option to me.

  • Thanks Marlene. I would recommend to have a look around WordPress plugin section, there’s quite a few there. Test them to see what works best for you.

  • Thanks for the nice words Steve!

  • Yeah, this was written as simple tips that beginners can do – good idea for a follow up!

  • Sorry to hear that Stacey, hope you got it all back up!

  • Thanks for the advice Elias!

  • You’re welcome!

  • Nice one Rogier! 🙂

  • Definitely good tips Rowell!

  • Do you use Akismet or other spam plugin? That usually works for me.

  • I Am Rosa

    Although I haven’t tried it myself yet, several others above have recommended Better WP Security.

  • Thanks Lei. For multisite make sure that everyone understands that security is vital so they keep their login details safe and don’t make you vulnerable to any risks.

  • 🙁 Did you have a backup? If not your host might be able to help with a backup.

  • Thank you! This is new territory for me, so appreciate the specific recommendation.

  • Eddie

    Nice and useful. I would also recommend Wordfence plugin. Easy to install, easy to maintain. Since installation I have not had a single problem with hackers (knock;knock on the wood)

  • Bad Behavior is another plugin that can protect WP and other PHP platforms (e.g. MediaWiki). It also has a good integration with reverse proxies like CloudFlare, which is another method to protect your website.

  • Hi, just curious about recommending this WP-DB Backup plugin with this warning:
    This plugin hasn’t been updated in over 2 years.
    It may no longer be maintained or supported and may have compatibility
    issues when used with more recent versions of WordPress.

  • I would also add that you should not install your WordPress in a top level folder & instead “hide” it in a child level folder. I also purchased a back up service from my web host that backs up all my files & databases on a monthly, weekly and daily basis allowing me to do 1 click restores from my cpanel

  • I have my backups sent to my Amazon S3 account, with an email telling me that everything has backed up successfully (or not)! You could also use a Dropbox account.

  • Thanks for the reply Marko.

  • Thank Jane, I like the Dropbox idea. I can set up a dedicated folder and just keep the most recent backup which will not require much storage space.

  • Gaurav Dhankhar

    Nice article but don’t you think that using too many plugins would slow down our website loading speed?

  • No. If you visit a WordPress site and view source, you’ll see a meta tag that clearly states what version of WordPress the website is using. An up-to-date version will say:

  • These are 5 great actionable tips. I especially love the suggestion to delete the Admin account. I never looked at it like giving away 1/2 of the security. Thanks for these.

  • Laura The Spruiker

    What a great post. Such sensible advice.

  • Liz

    I’m new to the world of blogging and, being a writer, anything remotely techie scares me stupid. So thanks for the idiot-proof step-by-step instructions!

  • lauren

    Thank you for this!

  • This was really helpful, thanks for the tips! I totally agree on #1 & #2, it’s amazing how many people forget about the basics of pw security.

    Sometimes the hardest part of updating is the worry that it may break something. I recommend people create a mirror dev version of their site so they can test before taking the plunge on a major upgrade.

  • A big one for me is to get a good web host. They will do automatic backups of your database and your files. If your theme gets hacked some hosts will even find the malware and fix it for you free of charge.

  • sanjay Singh

    Really great post, just started following your blog, it is very helpful, thanks for sharing

  • Aadil Lakhi

    Excellent article.

    Regarding point #1 – Deleting the Admin username. This is excellent advice but users should take note when deleting the admin user, WordPress asks if existing blog posts should be attributed to another user. So, if you select an Admin user (now called Messi or whatever), this username is publicly visible when clicking on the author of an article.

  • Thank you for info about secure WordPress blog!!

  • lali

    Great tips. Your sidebar social media bar has the Pinterest icon overlapping over Flattr for me in Chrome.

  • Thanks for the helpful post. After reading your post I realize that our WordPress blogs are in huge danger. I like the idea of limiting the plugin attempts. That is one I haven’t done and will. Making a strong password and the other key points described is best to cover our website from hackers.

  • Thanks for this but would you know which is the best plugin to assist me in auto post sharing?

    I publish content regularly onto my site and then have to manually share it to all my other social media sites like Facebook, Twitter, Google+, LinkedIn, Pinterest, StumbleUpon, Blogger, Tumblr, Digg, Reddit, to name a few.

    It would save me a great deal of time if there was a plugin that would do all the sharing for me automatically once I post content.

    Your advice will be greatly appreciated.

  • I wasn’t sure about JetPack comments since I’ve had some problems–mostly with emptying jetpack feedbacks–I literally got hit with 20000 feedbacks spams in one day. To clear them, you have to send to trash, then delete. Moving anymore than 50 at a time would crash my site.