How to Secure Your WordPress Site in 5 Simple Steps

WordPress security is a hot topic around the blogosphere right now. The recent botnet attacks on a huge number of WordPress sites have some people scrambling to recover their precious data and others acting quickly to put preventative security measures in place.

Then there are those who thought ahead and took action before it was needed. The chances are that they experienced no issues whatsoever because they made themselves a hard target.

The fact is this: while there is no such thing as a 100% secure site, you can make the likelihood of being hacked far smaller by dedicating a small amount of time to it, enough to make your site more secure than 99% of the others out there (as Matt Mullenweg claims). With that in mind, in this post I am going to take you through a simple five-step process that will turn your site from a soft target into a real tough cookie.

Step 1: Update Everything

Outdated code on your site is a potential security risk that hackers can use to weasel their way into your site’s backend. The reason is simple: once a vulnerability in WordPress, a theme or a plugin is fixed, the release notes and the patch itself tell attackers exactly what to look for, and they scan automatically for sites that have not yet applied it. That’s why keeping everything up to date is so important.

And when I say everything, I mean everything:

  • The WordPress Core
  • Themes
  • Plugins

Deactivated themes and plugins should also be kept up to date, or better still deleted. Deactivating something does not remove its files from the server, so any vulnerable file that a browser can request directly is still exploitable; its mere presence on your site makes it a potential security risk.

A lot of people get this far and then stop, but there is one further step you should take: seriously consider removing any themes and plugins on your site that have not been updated recently, because code nobody maintains will never receive a fix when a vulnerability is found in it. You can easily monitor when plugins were last updated with Plugin Last Updated, which adds the Last Updated date to your plugins list on the back end (something that should arguably be displayed by default).

Generally speaking, I would say that any plugin not updated within the last twelve months should be considered for deletion.
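As an added example (not code from the original post or from the Plugin Last Updated plugin), here is a small script that applies both halves of this step, the update check and the twelve-month rule, to a list of installed plugins. It assumes only that the WordPress.org plugin-info API reports a `version` and a `last_updated` field in the form shown; the installed-plugin list, the API responses and the pinned "now" below are constructed stand-ins, so it runs offline.

```python
"""Flag installed WordPress plugins that are out of date or abandoned.

Added example, not from the original post or the Plugin Last Updated plugin.
Assumption: the WordPress.org plugin-info API returns a `version` and a
`last_updated` field in the form used below; the installed list and the API
responses here are constructed stand-ins so the script runs offline.
"""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=365)  # the post's twelve-month rule

# Constructed: slug -> installed version, as read from the plugin headers
# under wp-content/plugins/.
INSTALLED = {
    "example-seo": "2.3.0",
    "example-gallery": "1.0.4",
    "example-widget": "0.9",
}

# Constructed stand-in for api.wordpress.org/plugins/info/1.0/<slug>.json;
# real responses carry many more fields, only these two are used.
API_RESPONSES = {
    "example-seo": {"version": "2.4.1", "last_updated": "2013-04-10 3:12pm GMT"},
    "example-gallery": {"version": "1.0.4", "last_updated": "2013-03-28 9:05am GMT"},
    "example-widget": {"version": "0.9", "last_updated": "2011-11-02 11:40pm GMT"},
}

# Pinned so the output is reproducible; use datetime.now(timezone.utc) for real.
NOW = datetime(2013, 5, 1, tzinfo=timezone.utc)


def parse_last_updated(value):
    """Parse the API's 'YYYY-MM-DD H:MMam GMT' timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def version_key(version):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(installed, responses, now=NOW, stale_after=STALE_AFTER):
    """Return {slug: [problems]} for every plugin that needs attention."""
    report = {}
    for slug, local_version in installed.items():
        info = responses.get(slug)
        problems = []
        if info is None:
            # Pulled from the directory (often for a security reason) or never listed.
            problems.append("not on wordpress.org: remove unless you can vouch for it")
        else:
            if version_key(info["version"]) > version_key(local_version):
                problems.append(f"outdated: {local_version} installed, {info['version']} available")
            age = now - parse_last_updated(info["last_updated"])
            if age > stale_after:
                problems.append(f"abandoned: last updated {age.days} days ago, consider deleting")
        if problems:
            report[slug] = problems
    return report


def audit_sample():
    """Run the audit over the constructed data above."""
    return audit(INSTALLED, API_RESPONSES)


if __name__ == "__main__":
    for slug, problems in audit_sample().items():
        print(slug)
        for problem in problems:
            print("  -", problem)
```

Run against the sample data it reports `example-seo` as outdated and `example-widget` as abandoned, and stays silent about `example-gallery`, which is current and recently maintained. A plugin that the API no longer knows about deserves the same scrutiny as an abandoned one, since plugins are sometimes pulled from the directory precisely because of an unfixed vulnerability.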

Step 2: Backup Everything Regularly

I know that it is an obvious suggestion but it would be remiss of me not to include backups. The simple fact is that few things (if anything) are more important to the safety of your site.

If your site is subject to a truly destructive hack (which is always possible), your last line of defense is a recent backup. This means that even if the worst should happen, you’ll still have something to fall back on. Two caveats a surprising number of people miss: keep the backup somewhere other than the web server itself, because an attacker who can wipe your site can wipe a backup sitting next to it, and remember that restoring a backup also restores whatever vulnerability let the attacker in, so fix that (see Step 1) before you put the site back online. If you don’t keep regular backups, then to be quite blunt, you’re screwed.

VaultPress

There is an enormous number of backup solutions out there, but my first suggestion would be to choose a hosting provider that includes automatic backups in their service. If you are the victim of a hacking attempt that damages your site, you should find that your provider is quick to restore it to its previous glory.

Beyond that the cream-of-the-crop options are VaultPress and BackupBuddy. They cost money, but my advice is to never skimp on your backup solution. Personally, I’m a VaultPress user (as is WPExplorer) — they offer a comprehensive backup solution as well as additional security features.

Step 3: Change the Default Profile

If you’re still using the default “admin” profile that came packaged with your WordPress installation, now is the time to change.

Why? Because step one for many brute force login attempts is to try the “admin” username and then run through an enormous number of passwords in an attempt to gain entry. Using a less predictable username takes you off the target list for those lazy attacks. Do not rely on it for more than that, though: WordPress usernames are not secret, since an attacker can usually discover them from author archive links (for example, /?author=1 redirects to the author’s archive, which carries the username) and other public pages, so a strong password (Step 4) and login protection (Step 5) are what actually keep a determined attacker out.

Switching profiles and everything that is potentially associated with it (transferring ownership of posts, etc.) can seem a pretty daunting task, but it’s an important step in securing your site and is a lot easier than it sounds: create a new user with the Administrator role, log in as that user, then delete the old “admin” user and, when WordPress asks what to do with its content, attribute all of it to the new account. Check out YouTube for tutorials if you want some extra guidance.

Step 4: Create a Truly Unique Password (and Change it Regularly)

Most people are savvy enough these days to know that their password shouldn’t be “password.” What they may not know is that brute force hacking attempts will try an astonishing number of password combinations in an attempt to access websites. If your password makes sense or is in any way predictable (e.g. is made up of recognizable words or number patterns) then your site is at risk.

In reality, there are three golden rules for best practice password generation:

  1. It must be truly random and unique
  2. It must be used only once (i.e. not across multiple sites)
  3. It must be changed periodically (e.g. once per month) and immediately if you suspect it has leaked (note that more recent guidance, such as NIST SP 800-63B, puts far less weight on routine rotation than on rules 1 and 2, so don’t let a rotation schedule tempt you into a weaker, easier-to-remember password)

If you follow these three rules then your site will be a whole lot more secure. In terms of generating truly random passwords, I recommend that you sign up for a free account with LastPass and use that service to (a) generate and (b) store all your passwords.
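For the generation side, here is an added example (not from the post and not LastPass’s code) of how to satisfy the “truly random” part of rule 1 yourself with nothing but Python’s standard library, together with the two checks a practitioner would want: how many bits of entropy a given length actually buys you, and a cheap test for the “recognizable words or number patterns” failures described above. The alphabet, the 12-character floor and the short wordlist are this example’s own choices.

```python
"""Generate a random WordPress password and measure its strength.

Added example, not from the original post and not LastPass's code. Standard
library only; the alphabet, the 12-character floor and the wordlist below are
this example's own choices.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed, deliberately tiny wordlist; a real check would use a proper
# dictionary plus a breached-password list.
COMMON_WORDS = ("password", "admin", "wordpress", "letmein", "qwerty", "welcome")


def generate_password(length=24, alphabet=ALPHABET):
    """Draw every character from the OS CSPRNG via `secrets` (never `random`)."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random password; 24 chars of 94 is ~157 bits."""
    return length * math.log2(alphabet_size)


def is_predictable(password, wordlist=COMMON_WORDS):
    """True if the password 'makes sense' in the ways the post warns about:
    it contains a dictionary word, or a run of four or more repeated or
    sequential characters ('aaaa', 'abcd', '4321')."""
    lowered = password.lower()
    if any(word in lowered for word in wordlist):
        return True
    for i in range(len(password) - 3):
        codes = [ord(c) for c in password[i:i + 4]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.0f} bits)")
    for candidate in ("Password1234", "Tr0ub4dor&3", pw):
        print(f"{candidate!r}: predictable={is_predictable(candidate)}")
```

The point of `entropy_bits` is to make the trade-off visible: a 24-character draw from 94 symbols is about 157 bits, far beyond what any online brute force can reach, whereas an 8-character password of lowercase letters is under 38 bits. The `is_predictable` check exists only to catch human-chosen passwords; anything `generate_password` returns will pass it for all practical purposes, which is the whole argument for letting a generator choose.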

Step 5: Install Plugin Protection

There are a huge number of plugins out there that claim to boost the security of your site. The sheer choice can be overwhelming, but I’m going to cut through the chaff and recommend what I consider to be the simplest and most effective plugin for you to utilize.

Wordfence.

That plugin is Wordfence: a popular and highly-rated free plugin. It includes a wide variety of security features, including (but not limited to):

  • A firewall
  • Malicious IP protection
  • Backdoor scans
  • Malware scans
  • Enhanced login security

Although Wordfence follows a freemium model, with a paid version that adds more options, the plugin itself and the basic service cost you nothing. Installing it on your site is a no brainer.
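To show what “enhanced login security” has to catch, here is an added example (not part of the post and not Wordfence’s code) of the detection logic behind it, run over constructed web-server access log lines; it also illustrates the brute force attempts described in Step 3. It relies on one WordPress behaviour: a failed POST to wp-login.php re-renders the login form with HTTP 200, while a successful one answers with a 302 redirect. POSTs to xmlrpc.php are counted regardless of status, because that endpoint answers 200 either way. The IPs come from documentation ranges, and the threshold and window are this example’s own.

```python
"""Spot brute-force logins against WordPress in web-server access logs.

Added example, not from the original post and not Wordfence's code. Assumes
the Apache/nginx 'combined' log format and one WordPress behaviour: a failed
POST to wp-login.php re-renders the form with 200, a successful one answers
302. The log lines, threshold and window below are constructed/chosen here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
THRESHOLD = 5                 # failures from one IP inside WINDOW -> alert
WINDOW = timedelta(minutes=5)

# Constructed sample (documentation IP ranges): one bot guessing passwords and
# finally getting in, one legitimate user who typos once, one xmlrpc.php bot.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:13:55:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2994 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:13:55:23 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:13:55:34 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:13:56:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
203.0.113.7 - - [10/Apr/2013:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:13:56:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
192.0.2.9 - - [10/Apr/2013:13:56:16 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
203.0.113.7 - - [10/Apr/2013:13:56:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:13:56:24 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
203.0.113.7 - - [10/Apr/2013:13:56:29 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:13:56:32 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
""".splitlines()


def parse(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return a list of (ip, message) alerts in log order."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path not in ("/wp-login.php", "/xmlrpc.php"):
            continue
        attempts = recent[ip]
        while attempts and ts - attempts[0] > window:
            attempts.popleft()        # slide the window forward
        if path == "/wp-login.php" and status == 302:
            # A success is only news if it came after a run of failures:
            # that is the signature of a guessed password, not a typo.
            if len(attempts) >= threshold:
                alerts.append((ip, f"login succeeded after {len(attempts)} failures"))
            attempts.clear()
            continue
        # 200 on wp-login.php is a failure; xmlrpc.php answers 200 either way,
        # so every POST there counts (bots use it to try many passwords per
        # request via system.multicall).
        attempts.append(ts)
        if len(attempts) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append((ip, f"{len(attempts)} failed login POSTs within {window}"))
    return alerts


def detect_sample():
    """Run the detector over the constructed log above."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, message in detect_sample():
        print(f"{ip:15} {message}")
```

On the sample it raises three alerts: the first bot is flagged at its fifth failure, then again when its sixth guess is followed by a 302, which is the alert worth waking up for, and the xmlrpc.php bot is flagged at its fifth POST. The legitimate user who mistyped once and then logged in produces nothing. A plugin such as Wordfence does the same bookkeeping inside PHP and blocks the IP instead of merely reporting it; the value of running it over raw logs as well is that it catches traffic that hit the server before the plugin was installed.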

Conclusion

In reality I am just scratching the surface here. Although putting the above security measures in place will elevate the hardiness of your site above the vast majority of others, there is always more that you can do and always a chance that you could still get hacked anyway.

I’ve covered simple security solutions in this post. If you’ve implemented them all and are still hungry for more, I would advise that you start by checking out the official WordPress security page over at the WordPress.org Codex.

Now it’s your turn — I’d love to know what simple recommendations you have for increasing the security of WordPress sites. It could be simple tips and tricks, plugin suggestions or even a recommended premium service like the aforementioned VaultPress. Fire away in the comments section!

Post Author: Tom Ewer

Tom Ewer is a professional blogger, longtime WordPress enthusiast and the founder of WordCandy.

Disclosure: This page contains external affiliate links that may result in us receiving a commission if you choose to purchase said product. The opinions on this page are our own. We do not receive payment for positive reviews.
Got something to say? Join the discussion.
  1. bucurblog says:
    Security is very important to a website / blog and deserves all the attention of this article. Thanks for the advice.
  2. Security on our Wordpress sites is of utmost importance to us. We find Wordfence invaluable, but the other security plugins we ALWAYS use are: Bulletproof Security (with added .htaccess code), Bad Behavior, and Wordpress File Monitor Plus. TAC and AntiVirus are useful when first installing a theme too if you have downloaded it from somewhere other than the Wordpress Repository. Cheers... Nice article, and very useful to those that are new to Wordpress. Change that 'admin' username NOW!
  3. Hi Tom, Solid tips to improve the security of WordPress sites. I use the limit login attempts plugin and a firewall to minimize the risks. Wordfence is a good option that compiles those options inside. There are also BulletProof Security and Better WP Security. What is your experience of Wordfence compared to BulletProof and Better Security? I've read mixed results, e.g. with Better Security, which is a good complete plugin, but at the same time sometimes it "touches" several things that require expertise to fix later. Cheers, Gera
    • Tom Ewer says:
      Hi Gera, To be honest I wouldn't say I know enough about security to say that one plugin is better than the other, but I use Wordfence. Cheers, Tom
  4. Hi there, Really nice article. One thing though: In "Step 3: Change the Default Profile" you refer to a video... where's the link? cheers! PedroDK
    • Tom Ewer says:
      Hm...it seems to have disappeared! I'll try and get it back up.
  5. Paulo Nunes says:
    Use Cloudflare, which is a highly recommended security service and is within my hosting plan; I do not pay anything extra to use it. Worth it.
    • AJ Clarke | WPExplorer says:
      Yes, CloudFlare is nice. We used to use it before switching to WPEngine.
  6. samediamba says:
    I was recently hacked, and as you say, I was "screwed up". I resorted to BackWPup, and it works soooo... well for me.
  7. A recent hacking on my church website got me researching on the issue of recovering the website. Thanks for the helpful website and comments!
  8. Michael John says:
    Nice post Tom. Having been a WP user for a very long time, I do know the importance of security and stuff. I have personally experienced a couple of my sites getting hacked. So the first thing that one needs to do is to secure their site. I was not aware of the Wordfence plugin and it works like a charm. Thanks for the share bro
  9. Jade Dade says:
    Hello Great help here. I am a website owner. I had installed an SSL Certificate that I allowed to expire as I didn't require it. Now, when I access my website WordPress Admin area, how can I be sure it is actually my admin area and not some phishing front? I ask this as I had a jpeg set up to appear on my login page but it doesn't appear anymore. Any tips and tricks? Thanks.
    • AJ Clarke says:
      You should be able to tell pretty easily if you view your page source. If it's been hacked, most likely it would be showing an iFrame in your source code rather than actual HTML from your site. You could always go to Updates and do a re-install of WordPress if you are concerned; it will re-install all the core WordPress files, so if any were hacked they will be replaced with clean ones. But basically, if the admin was hijacked I don't believe you would even be able to make any edits such as adding posts, menu items, changing settings, etc. Also, if you have any concerns about the site's security, the first thing you should do is change the password. Use the lost password function or reset it via the database. If you manually reset the password and can still log into your site, most likely everything is fine. And if you have any concerns about the integrity of the site, changing the password is a good place to start.
