How to Keep Your WordPress Blog Secure

by Don Campbell on January 25, 2011 · 24 comments

Last week one of my readers asked a very good question:

“Is there anything in particular you recommend to secure a WordPress website? In talking to a tech at my hosting provider, he recommended adding security plugin. Is that something you recommend? Should I worry about security?”

WordPress security can be a deep and technical topic. Just take a look at the explanation on WordPress.org – Hardening WordPress.

So I thought I would put together a short-list of the basics of WordPress security – the essentials that you need to know about to protect your website.

How Do WordPress Sites Get Hacked?

The most common attacks against a WordPress blog usually fall into two categories:

  1. Attacking specific vulnerabilities in older versions of WordPress or WordPress Plug-ins.
  2. Attempting to gain access to your blog by using “brute-force” password guessing.

Ok, so if that is the case, what can you do to protect your site against those types of attacks as much as possible?

How To Avoid Getting Hacked

Here are the most important basic things to do to secure your WordPress blog/website, no matter which theme you use:

1. Use a good hosting provider

Choose one who is familiar with and supports WordPress. I recommend BlueHost. I’ve noticed a huge variation across different hosting providers in how they handle WordPress installations and file-level permissions. BlueHost has always been reliable and secure for me.

2. Keep WordPress up-to-date

WordPress does a good job of identifying issues and updating their code quickly. They will notify you in the Admin Dashboard when new versions are released. Make sure you keep your installation up-to-date.

Screenshot: WordPress update notification in the dashboard

3. Be careful which plugins you install

Only use plugins from the WordPress Plugin directory that have a lot of good ratings and are supported by the author. And keep them up-to-date as well. You will get notifications in the WordPress dashboard when there are updates for the plugins you have installed. Keep your use of plugins to a minimum to simplify updates and reduce the chance of vulnerabilities.

Screenshot: WordPress plugin update notifications in the dashboard

5. Make sure you change the default Admin userid

Create a new one and delete the old one. When you delete the old one, make sure to “attribute all posts and pages” to your new id.

Screenshot: deleting the old admin user, making sure to attribute your posts to the new user id

6. Backup your WordPress database

Use a plugin like WP-DB-Backup to back up your WordPress database automatically. That way, if you do get hacked, you can restore your site. You can find more WordPress backup options here.

These steps are just the bare minimum – the essentials. If you want to dig into the technical details I’ve added some links to advanced resources below.

Advanced Precautions

There are plugins that help you lock down your WordPress installation and scan for issues. Here are a few:

  • Login Lockdown Plugin allows you to limit login attempts to your blog.
  • WP Security Scan scans your WordPress installation for common vulnerabilities and provides recommendations on how to fix them.
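Brute-force password guessing (attack category 2 above) is what a plugin like Login Lockdown defends against on the WordPress side; the same attempts are also visible to the host in the web server access log. The following Python script is an added example, not code from this post or from any plugin: it runs over a few constructed Apache-style log lines and flags any client IP that posts to wp-login.php repeatedly without being redirected. It assumes WordPress's usual behaviour of answering a failed login with a 200 (the form re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format (Apache/Nginx); only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from a real server): 198.51.100.7 hammers the
# login form and eventually gets in; 203.0.113.9 is a normal visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Jan/2011:10:00:01 -0800] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.9 - - [25/Jan/2011:10:00:02 -0800] "GET /wp-login.php HTTP/1.1" 200 2210
198.51.100.7 - - [25/Jan/2011:10:00:03 -0800] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.7 - - [25/Jan/2011:10:00:04 -0800] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.9 - - [25/Jan/2011:10:00:05 -0800] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [25/Jan/2011:10:00:06 -0800] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.7 - - [25/Jan/2011:10:00:07 -0800] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.7 - - [25/Jan/2011:10:00:08 -0800] "POST /wp-login.php HTTP/1.1" 302 0
"""

def parse_ts(raw):
    # Drop the zone offset: one server's log uses a single zone throughout.
    return datetime.strptime(raw.split(" ")[0], "%d/%b/%Y:%H:%M:%S")

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: time_of_alert} for every IP that produced at least
    `threshold` failed wp-login.php POSTs inside a sliding time window.
    Assumption: a POST to /wp-login.php answered with 200 is a failed login
    (form shown again), a 302 is a successful one (redirect to the admin)."""
    failures = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/wp-login.php":
            continue
        if m["status"] != "200":
            continue  # 302 means the login succeeded; not a failed attempt
        ts, ip = parse_ts(m["ts"]), m["ip"]
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget attempts that fell out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts  # first moment the threshold was crossed
    return alerts

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {when} - repeated failed logins, consider blocking")
```

In the sample the alert fires at 10:00:07, one second before the guessing succeeds, which is the point: a host-side or plugin-side lockout has to act on the failures, not wait for the success.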

You can also consider using WordPress security keys, as described in this post on WP Beginner.

This presentation also goes into some more advanced topics on WordPress Security – How to Protect WordPress.

Discuss!

What are you doing to keep your WordPress blog or website secure? Do you have any questions about it? Let’s discuss it in the comments below!

Article by Don Campbell

Don is an entrepreneur based in Silicon Valley. He founded Expand2Web and is the publisher of the Expand2Web Blog, and the GetFiveStars Customer Feedback and Reviews service.


Comments (24)

Nick Stamoulis February 2, 2011 at 9:47 am

WordPress is a great tool, but like anything can have vulnerabilities. Though blogging is a huge part of online marketing, some people are still hesitant to put their information on the web. Thanks for sharing these tips to help keep your blog secure.

Don Campbell February 4, 2011 at 10:59 am

My pleasure Nick. Nice to hear from you.

Ed Andriessen February 4, 2011 at 6:20 am

An ounce of prevention … is worth a pound of cure.

Thanks for the insight on this post. I have several clients that have been very sloppy with their maintenance and password security. Because of this, one of them was recently hacked and called me in a panic because their site was being re-directed.

Several hours and phone calls later, he was back in business (with a big lesson learned by the client).

Believe me, adding a few plug-ins and regular upkeep (the prevention part) to keep your site safe will save you many, many hours of frustration (the cure part) if you need to un-hack your site.

Thanks for the post, Don.

Scott February 4, 2011 at 6:24 am

I just learned about the security keys and have implemented them on my blog. I have noticed quite a bit more spam comments than normal.

What do you recommend for spam comments?

Thanks for the article Don. Always a pleasure.

Don Campbell February 4, 2011 at 10:59 am

Hi Scott,
I use either Akismet (which requires a WordPress API key) or the WP Captcha Free plugin which doesn’t require one. I also require moderation of comments before they go live. Both work pretty well for me.

Reggie February 4, 2011 at 8:15 am

Don,
Thanks for the article; very timely I must say.
I kept putting off adding some of the very security measures you mentioned in your post; much to my dismay (and considerable anguish) my site was recently hacked, literally costing me over a thousand dollars to recoup the lost time and money I could have been making.

Like Nick and Eric mentioned, WordPress is a great tool, but laziness and lack of proper security can cost dearly! I won’t be making that mistake again.

By the way, what chat service/plugin is in use on Expand2web’s site? I’m looking into online chat and would like to research this one.

Thanks.

Don Campbell February 4, 2011 at 11:02 am

Hi Reggie,
Wow that’s quite a story. I’m sorry your site was hacked and I’m glad you’ve got it sorted out now. The live chat plugin I’m using in the sidebar is just Google Talk’s chat. You can get it here.

Keith Davis February 4, 2011 at 9:14 am

Hi Don
WordPress security is something to take seriously.
When I first set up my site I started to hear about hacked sites so I stopped writing posts and set up a few security measures.

This post is a fantastic summary of what every WordPress user should be doing.

Nice one Don.

Jenn February 4, 2011 at 9:45 am

Hi Don,
I had already put all your regular suggestions to use and feel great to have them in place. However, I was just wondering yesterday if there were any other steps that I might want to consider, and what hits my inbox today? Your post with advanced strategies.
Thanks bunches,
Jenn

Lynnea Bylund Accounting Services February 4, 2011 at 10:48 am

A great primer, Don, for all of us struggling to bring our WordPress websites up to speed!

M. P. Martel February 4, 2011 at 10:09 pm

hey Don,
i’ve been wondering about this, even worrying, ’cause i’ve heard about security issues regarding WordPress, primarily because these blogs are high targets for hackers… so, thanks a lot for this informative article!

Keith Davis March 9, 2011 at 1:44 pm

Hi Don
Might pay to install the WordPress Firewall plugin by SEO Eggheads – don’t ask me what it does technically but it’s one of the plugins that John Hoff recommends in his WordPress security eBook.

Morgan Clickner March 23, 2011 at 6:06 am

Don – this is great info to have. We just started using WordPress for our business blog since Google changed its crawling methods.

Jean August 1, 2011 at 4:48 pm

Thanks for sharing this information.
I use some of them, but will add more. To make sure I can sleep at night. :)

Shah Sultan Rony October 4, 2011 at 9:35 am

Install the wp-security-scan plugin and perform a regular scan of your blog setting for any security loopholes. This plugin can also help you to change your database prefix from wp_ to a custom prefix.

aziz November 28, 2011 at 1:14 pm

Good post about WP security, really, I thank you more.

corporate diary January 9, 2012 at 12:37 am

A great primer, Don, for all of us struggling to bring our WordPress websites up to speed!

Gena Minch March 10, 2012 at 12:52 pm

Continue to keep up sharing informative blog. I really enjoyed reading this.

Roof Cleaning Directory September 10, 2012 at 9:40 am

Great article! As for the plugins, I suggest checking the entire site between adding plugins. Sometimes it’s hard to figure out which plugin caused the problems.

Andrew November 7, 2012 at 7:46 am

Great tips! Thanks, with WordPress security is always an issue.

Mike February 4, 2013 at 4:34 pm

This was an eye-opening read! I, not too long ago, bought a WP plugin and it was a trojan. It was outside of the WP library.

Ogglu December 27, 2012 at 3:03 pm

Great tips! Thanks Don. :)

Steve Brown May 10, 2013 at 12:38 am

Great Information about WP Website Security. I used to use some of them. I will try to use all of them from now.

Thanks for brilliant tips.:)

Madiha Durrani March 4, 2014 at 10:22 am

Really great post, just started follow your blog/site. Glad I did