How To Secure Your WordPress Site

There have been a lot of attacks recently on WordPress sites. There have been several articles discussing this, including this one in Website Magazine. It is critical that you learn how to secure your WordPress site.

Typically, hackers set up programs, or bots, that repeatedly try different ways to break into your site.  They can then install malware or completely mess up all your work.  You don’t want this to happen!



Here are just 4 things that you really need to do to protect your WordPress site:

1. Install the Limit Login Attempts plugin

I know this saved my site more than once!  I get emails periodically from this plugin stating that several unsuccessful login attempts came from some specified IP address.  The plugin then blocked that IP address from any more attempts for 24 hours.  You can control the settings of this plugin and how quickly it will block someone.  You can get it from
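How a lockout policy like the one described above plays out over a series of login attempts, as an added example (this is not the plugin's own code and is not from the original post). The 24-hour block matches the post; the threshold of 4 failures, the 20-minute counting window, the event format, the usernames and the IP addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username tried, success)
EVENTS = [
    ("2013-04-15 08:00:01", "203.0.113.7", "admin", False),
    ("2013-04-15 08:00:03", "203.0.113.7", "admin", False),
    ("2013-04-15 08:00:05", "203.0.113.7", "administrator", False),
    ("2013-04-15 08:00:09", "198.51.100.20", "siteowner", False),  # owner typo
    ("2013-04-15 08:00:12", "203.0.113.7", "admin", False),  # 4th failure
    ("2013-04-15 08:00:30", "198.51.100.20", "siteowner", True),
    ("2013-04-15 09:30:00", "203.0.113.7", "admin", False),  # still locked out
    ("2013-04-16 08:00:13", "203.0.113.7", "admin", False),  # block has expired
]


def apply_lockout_policy(events, max_failures=4,
                         window=timedelta(minutes=20),
                         lockout=timedelta(hours=24)):
    """Replay login events in time order.

    Returns (lockouts, rejected): lockouts lists (ip, time, usernames tried);
    rejected lists attempts refused because the IP was already locked out.
    """
    failures = defaultdict(list)   # ip -> [(time, username)] still in window
    locked_until = {}              # ip -> time the block ends
    lockouts, rejected = [], []
    for ts_text, ip, user, ok in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if ts < locked_until.get(ip, datetime.min):
            rejected.append((ts_text, ip, user))  # refused before any password check
            continue
        if ok:
            failures.pop(ip, None)                # a successful login resets the count
            continue
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        recent.append((ts, user))
        failures[ip] = recent
        if len(recent) >= max_failures:
            locked_until[ip] = ts + lockout
            lockouts.append((ip, ts_text, sorted({u for _, u in recent})))
            del failures[ip]
    return lockouts, rejected


if __name__ == "__main__":
    locked, refused = apply_lockout_policy(EVENTS)
    for ip, when, names in locked:
        print(f"{when}: locked out {ip} after failed logins as {names}")
    print(f"{len(refused)} attempt(s) refused while locked out")
```

The site owner's single typo never triggers a block, while the address guessing at "admin" is shut out after its fourth failure and stays out until the 24 hours have passed.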

2. Do Not Use admin as an administrator of your site!

This is always the first username hackers will try to log in with! If you are using that username, here are the steps to change it:

  1. Create a new user with the same role as the “admin” user. This is typically the Administrator role. You may have to use a different email address when creating this user as each user must have a unique email address.
  2. Log out.
  3. Log in as the new user.
  4. Delete the “admin” user.
  5. When asked what to do with the posts and links owned by the “admin” user, select the “Attribute all posts and links to” option, choose the new user from the drop down list, and click “Confirm Deletion”.
  6. Once the user is removed, you can change the new user’s email address if a different one was used to create it.

3. Use a Strong Password.

It is important to use passwords that are not easily guessed. So, try to use words that are not in the dictionary (I know, that one is hard!). Also use special characters, a mixture of lower and upper case letters, and intermix numbers in there too.

Most importantly, make sure to change any administrator passwords immediately. Be sure those passwords meet the security requirements set forth by WordPress: they should include upper and lowercase letters, be at least eight characters long, and include special characters.

4. Backup Your Site!

You need to keep backups of your site to protect yourself in case it does get hacked. By using a good backup system, you can restore your site to a known good state without losing too much of your work. There are free backup plugins and paid ones. A free one I have used is WP DB Backup. I have now started using Backup Buddy, which is a paid plugin created by iThemes. I really like this one. There is even a “cloud” option you can use to store your backups – they call it a “stash”.

5. Keep WordPress and all your plugins up to date.

Make sure you keep your site up-to-date.  Having old versions of plugins or WordPress installed can create security “holes” for hackers to break in.  Log into your WordPress dashboard often and check for updates.

These are just 4 basic steps on how to secure your WordPress site. But they are critical in protecting your work and your business.


  1. Excellent tips Carol.
    Those are all very important steps to take.

    I haven’t used backup buddy before, so I was interested in your experience.
    I have started using the plugin login lockdown, which locks down the login after so many failed attempts.

    Great post,
    martin

  2. Great tips Carol. I already have a backup but will check out the login thing as I haven’t done that yet. Will check on the admin part as well. I don’t log in as Admin so don’t think I am affected.
    Linda O’Rourke

  3. Great tips- I use Wordfence and a strong password… Wordfence takes care of the login attempts thing within its framework. It does so much more than that. I also keep my site backed up!
    MelAnn

  4. Good advice. We got word last week that hacker activity had ramped up and were advised to install the Limit Login Attempt plugin – I’d already covered all the other steps you’ve outlined here, so I figured I might as well add that to the collection. Would you believe, less than a day later my site was hit – multiple times! Thank heaven the Limit Login Attempt plugin kept the bad guys out and prevented damage – I only knew about the attack because of the message(s) on the screen telling me the site was locked down when I tried to sign in. Whew!
    marquita herald

    • Backup Buddy is a premium plugin that does automatic backups on your website. These are good to have in case your site gets hacked or breaks for any reason. You can restore a backup and be back up and running quickly.

      Wordfence is a free security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups.

      Does that help?

  5. Brilliant Carol,
    I should have read this earlier - we got seriously hacked yesterday. My site on Genesis was okay; my other sites are a mess. I am taking action on your points now. I have had problems with Backup Buddy??? Conflicts and slowing my site down.
    Suzie Cheel

    • Hmmm… I haven’t noticed any issues with Backup Buddy? Maybe it’s just certain plugins? I would contact support – I am sure they can help! 🙂

      Hope you get all your sites back up and running!
