How to secure your WordPress blog

Let’s be honest: When was the last time you thought about the security of your WordPress blog? Between dealing with the day-to-day issues of publishing your blog posts—like sizing your images correctly and making sure your affiliate links are nofollow—it’s not surprising if it’s the last thing you’re worried about.

But that’s the thing. Security isn’t a concern, until suddenly, it is—the day your site gets hacked. But, don’t panic! Though site security sounds scary and technical, there are plenty of simple things you can do to secure your site, most of which can be completed in one evening. In today’s post, we’re going over six simple things you can do to secure your WordPress blog.

1. Run updates regularly.

We get it — that little update button never seems to go away. And you aren’t entirely sure each update won’t mess up your site! However, keeping your WordPress install, plugins, and theme up-to-date is extremely important. Updates often contain security fixes, sometimes to improve the overall security of your site, other times in direct response to a vulnerability that has been found.

It’s always possible that an update can have unintended effects on your site, altering the display in some way. That’s why we recommend paying attention to the updates you run, to narrow down the source of the issue. Ultimately, a minor cosmetic issue is much easier to deal with than your site being hacked!

2. Delete plugins and themes no longer in use.

We know we mention this a lot, but we hope that you will take it to heart and be ruthless with the delete button. Unused plugins and themes are a potential security vulnerability for your blog: their code stays on your server even when deactivated, and they may not receive update notifications while deactivated.

If you’re keeping something installed because you think you might use it again, give it a week, then delete it. Most plugins and themes retain their settings in your database, so if you decide to use them again months later, your settings will likely be intact upon reinstall. Even if they aren’t, it probably won’t take too long to set up again, and you may not want the same settings anyway. It’s just not worth the risk.

3. Update your login.

Like any other login you have, one of the easiest ways to keep it secure is to update your password often. Go to Users, click on your username, then scroll down to the Account Management section and click on the Generate Password button. It will automatically generate a strong password for you. While you’re there, click the button below to log out anywhere else that you’re logged in, to ensure that no one can access your admin area if you’ve logged in from a public computer. You can use a service like LastPass to manage your passwords, so you don’t have to remember a long and complicated password.

Additionally, if your username is “admin,” it’s time to create a new username! This was once the common default set by auto-installers, still in use by some, and it’s the first username hackers will try to get into your site. Create a new user for yourself under Users > Add New, and make sure you set the Role to Administrator. (And while you’re at it, don’t use an easy-to-guess username, like your blog name or your first name, either!) You won’t be able to use your current email address, but you can switch it later. Log in under your new username, then go to Users, delete the “admin” username, and assign all of its content to your new username. Then, you can edit your new profile and update your email address.

4. Protect your login form.

One of the most common ways hackers try to gain access to WordPress sites is through brute force attacks. It’s the most basic way to try to break in—they just try username and password combinations over and over again, until one works. Updating your login is the first step to preventing a successful brute force attack—these attacks usually work when a site owner hasn’t changed the “admin” username and has used a very basic password.

The second step is protecting your login form. Someone trying to log in to your site with several unsuccessful attempts in a row is likely launching a brute force attack. Installing the Limit Login Attempts Reloaded plugin prevents hackers from making unlimited attempts. Once they reach a certain number of failed attempts, set by you in the plugin settings, they are blocked from making further attempts for a specified time limit. This makes it much harder to automate the process and increases the time it takes to guess the correct login combination.
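To show what that lockout looks like under the hood, here is an added example (not code from this post or from the Limit Login Attempts Reloaded plugin): a minimal WordPress plugin that counts failed logins per client address and refuses further password logins once a limit is reached. The limits (5 failures within 15 minutes, 20-minute lockout) and the `ell_` names are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Description: Illustrative lockout after repeated failed logins (added example).
 */

// Assumed policy: 5 failures within 15 minutes lock that client address out for 20 minutes.
const ELL_MAX_FAILURES = 5;
const ELL_WINDOW       = 15 * MINUTE_IN_SECONDS;
const ELL_LOCKOUT      = 20 * MINUTE_IN_SECONDS;

// Transient keys are derived from the client address, so counters are per address, not per user.
function ell_key($prefix) {
    return $prefix . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

// Count each failed login; the counter expires by itself once the window has passed.
add_action('wp_login_failed', function ($username) {
    $failures = (int) get_transient(ell_key('ell_fail_')) + 1;
    set_transient(ell_key('ell_fail_'), $failures, ELL_WINDOW);

    if ($failures >= ELL_MAX_FAILURES) {
        set_transient(ell_key('ell_lock_'), time() + ELL_LOCKOUT, ELL_LOCKOUT);
        delete_transient(ell_key('ell_fail_'));
        error_log(sprintf('Login lockout for %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $failures, $username));
    }
});

// Reject password logins from a locked-out address. Priority 30 runs after WordPress's own
// username/password checks (priority 20), so the lockout error replaces whatever they decided.
// Cookie-based authentication passes an empty username and is left alone.
add_filter('authenticate', function ($user, $username) {
    $until = get_transient(ell_key('ell_lock_'));
    if ($username !== '' && $until) {
        $minutes = max(1, (int) ceil(($until - time()) / 60));
        return new WP_Error('ell_locked',
            sprintf('Too many failed login attempts. Please try again in %d minutes.', $minutes));
    }
    return $user;
}, 30, 2);

// A successful login clears the failure counter for that address.
add_action('wp_login', function () {
    delete_transient(ell_key('ell_fail_'));
});
```

Dropping this file into `wp-content/mu-plugins/` activates it automatically; the error message deliberately does not reveal whether the username exists.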

Another plugin you can install is the WPS Hide Login plugin, which allows you to change the URL of your login page. The login page is an easy target for hackers because it’s the same across WordPress sites (it’s that /wp-admin piece after your site URL). The WPS Hide Login plugin allows you to change that last part to anything you wish that isn’t obvious to would-be hackers. Before installing this plugin, make sure this functionality isn’t already included in the security plugin you use (which we’ll cover in the next step!).

5. Install a security plugin.

Security plugins offer a suite of features to help protect and monitor your site against potential threats. Perhaps the most important feature is firewall protection — each security company maintains a database of known threats and automatically blocks them from accessing your site. They can also boost protection against brute force attacks and scan your site for potential issues. We recommend WordFence, Sucuri, and iThemes Security. Each offers the same basic functionality, with its own unique additional features, and in some cases, additional support and cleanup. Where they really differ is in pricing structure — Sucuri offers malware removal, but it’s also the most expensive. Each offers a free version of its plugin, so you can test before you buy — and for many bloggers, the free version will be sufficient.

6. Upgrade your hosting.

As with your site speed, your site security is largely dependent on the quality of your web host and the server they have your site on. Basic shared hosting is notoriously vulnerable to security issues. If you’re currently on a basic shared hosting plan, don’t panic — but do make these security updates a priority. Set up a plugin like UpdraftPlus or BackWPup to back up your site automatically to Dropbox or Google Drive, so that if your site is hacked, you have clean files to restore it from. And when it’s in your budget, upgrade to managed WordPress hosting like Flywheel or WPEngine, which have built-in security measures to protect your site.
Is there anything else you want to know about keeping your blog secure? Let us know in the comments!
