In this post I’m going to give you options for how to secure WordPress to make your blog more robust and avoid hacking heartbreak.
The security of your WordPress blog is vitally important. It probably took you a good deal of effort to set up your blog and if you’ve been blogging for any length of time you’ll have personally invested a huge amount into it.
How would you cope if you lost everything because of a flaw in your approach to security?
Why You MUST Secure Your WordPress Blog
WordPress is a big deal. The commonly cited estimate is that somewhere around 35% of all websites in the world run WordPress as the tool that drives their website, ecommerce store or blog. A 35% share of the web makes it a huge target: a single vulnerability in WordPress core, or in a popular plugin, is worth exploiting across millions of sites at once, so hackers go looking for exactly that.
Worryingly, in my experience the majority of WordPress bloggers tend to forget about security through the excitement of getting started and it’s a subject that ends up slipping off the radar.
But don’t panic… actually, you should panic a little bit!
There are a whole bunch of things you can do to secure your WordPress blog and many of them don’t require you to be a technical wizard. I should mention, this post will come in two parts:
- Part 1: This post, focusing on relatively simple ways to secure WordPress without plugins. This is particularly suited to beginner bloggers.
- Part 2: A more advanced discussion of WordPress security best practices using plugins and coding that requires a little technical confidence.
Hopefully you’ll be able to implement both tutorials. But even if you only feel confident to take on the steps in this post, you’ll be in a far better place than you are right now.
Simple Solutions to Secure WordPress
1. Use Secure and Reliable WordPress Hosting
Which host do you use? Did you decide on a particular host because of their security protocols and level of service? Or did you make a decision based upon price?
Your WordPress blog will only ever be as secure as your web host, even if you’ve maxed out your security options for locking WordPress down. If the server itself gets hacked, there is very little you can do from inside WordPress to fix the problems that result.
- Does your host keep its software and hardware up to date?
- Do they use the best tools to monitor server activity?
- Do you see server downtime where your blog is unavailable?
- What about your data? Do they run backups?
- How about the efficiency and quality of their customer service for any issues you have?
All these features have to be a consideration if you want a secure environment for your WordPress blog.
For my money, you can do a lot worse than SiteGround, the host I use. If your current host doesn’t measure up and you need a secure host providing high service uptime, excellent server speed and 24×7 fast support, check out my SiteGround review and move your blog to a better place… they’ll even manage your WordPress migration for you!
2. Migrate to SSL and Encrypt Your Data
So I’ve put this into the post explaining less technical solutions to secure WordPress, but I’ll have to get a little technical to explain this one.
SSL stands for Secure Sockets Layer. Strictly speaking, what sites run today is its successor, TLS (Transport Layer Security), but the old name has stuck and hosts still call it SSL. It encrypts the data passing between your blog and a visitor’s web browser, so anyone sitting on the network in between (on public Wi-Fi, say) can neither read it nor tamper with it. That matters most for the sensitive bits: your own login to the WordPress dashboard, and anything your visitors type into a form.
At one time setting up SSL was a pretty fiddly and expensive business, and it still can be, to be honest. However most reputable hosting services now include a certificate for free (usually issued by Let’s Encrypt) and will help you through the process of setting it up. My recommended host SiteGround includes free SSL in all their packages. Once the certificate is installed, change the WordPress Address and Site Address under Settings > General to https:// and redirect the old http:// addresses, otherwise visitors and search engines will keep landing on the unencrypted version.
SSL is not only important for WordPress security though. When you’ve enabled SSL on your blog, visitors will see the padlock symbol in the address bar of their browser. The padlock means the connection is encrypted and the certificate matches your domain; it does not mean the site itself is free of malware, so it’s a visual clue that the connection is secure rather than a guarantee about the site. Browsers now push from the other direction too, labelling plain http:// pages as “Not secure”.
Google too is very clear on its stance: HTTPS has been a (minor) ranking signal since 2014, so there is a potential SEO benefit in running SSL on your domain.
3. WordPress User Accounts
For me this is not such a security issue because I only have one account on my WordPress blog right now.
However, for anyone with multiple user accounts, this poses a number of security risks… and the more users with login access, the more risk there is.
If several people have logins to your WordPress blog, the first thing you should do is make sure they don’t have Administrator privileges unless absolutely necessary. WordPress has a set of built-in roles for exactly this (Subscriber, Contributor, Author, Editor and Administrator): someone who only writes posts needs Author, someone who also publishes and edits other people’s work needs Editor, and only the person who installs plugins and changes settings needs Administrator. A well-intentioned but novice user with Administrator rights could do a heap of damage to WordPress without even realizing it.
Only provide your users with the level of access they require and don’t give anyone ANY access at all unless they need it.
4. Passwords to Access WordPress
When was the last time you changed your WordPress password? How about the passwords of anyone with access to your blog?
Probably not that often I’m guessing.
Making passwords unique to your blog, long and hard to guess is what actually secures access to your WordPress accounts; changing them matters most when one may have leaked, for instance because it was reused on another site that suffered a breach, or because someone with a login has left. Regularly changing your password, and the passwords of other users, is still worthwhile, but uniqueness comes first (NIST’s current password guidance no longer recommends forced periodic changes, precisely because people respond by picking weaker passwords). A password shared with any other site is only as safe as that site. Many people resist changing passwords because, to be honest, it’s a bit of a pain. Passwords can be hard to remember, so swapping them out regularly can be confusing.
However there are a couple of things you can do to make changing passwords easier:
- Choose memorable passphrases of four or more unrelated words. For example, Shopping-dragons-stop-traffic is 29 characters long and mixes three character sets (uppercase, lowercase and symbols), but its real strength comes from the number of possible word combinations, not the character sets. Pick the words at random rather than from a favourite song or your own life, and don’t use this particular example now that it’s in print.
- If you struggle to remember passwords, use a password manager to save them securely. I recommend RoboForm password manager, which you can find out more about on my Blogging Resources page.
For more about password best practices check out this article by BeyondTrust.
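As an added example (not from the original post), here is a small shell script that does the one part of this people get wrong: picking the words at random instead of choosing ones that feel right. It assumes a word list with one word per line; the EFF long word list is a good choice, and the file name eff_large_wordlist.txt used below is an assumption, not something the post supplies. The script reads its randomness from /dev/urandom and throws away the small biased tail of values so that every word in the list is equally likely.

```shell
#!/bin/sh
# Added example: generate a passphrase of N words chosen uniformly at random
# from a word list (one word per line). Not part of the original post.
set -eu

# Print a uniformly distributed integer in the range [0, n).
random_index() {
    n="$1"
    # Read 4 bytes (0..2^32-1) from the kernel CSPRNG. A plain "r % n" would
    # favour small indexes, so values in the uneven tail are thrown away.
    limit=$(( (4294967296 / n) * n ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % n ))
            return 0
        fi
    done
}

# Build a hyphen-separated passphrase of $2 words (default 4) from word list $1.
generate_passphrase() {
    list="$1"
    count="${2:-4}"
    total=$(wc -l < "$list" | tr -d ' ')
    if [ "$total" -eq 0 ]; then
        echo "empty word list: $list" >&2
        return 1
    fi
    phrase=""
    i=0
    while [ "$i" -lt "$count" ]; do
        idx=$(random_index "$total")
        # sed line numbers start at 1, random_index starts at 0.
        word=$(sed -n "$((idx + 1))p" "$list")
        phrase="${phrase:+$phrase-}$word"
        i=$((i + 1))
    done
    echo "$phrase"
}

# Usage: sh passphrase.sh eff_large_wordlist.txt 4
# (the word list file name is an assumption; any one-word-per-line file works)
if [ "$#" -ge 1 ]; then
    generate_passphrase "$1" "${2:-4}"
fi
```

Four words from a 7,776-word list gives roughly 52 bits of entropy (7776^4, about 3.7 × 10^15 possibilities), which is far out of reach of online guessing against a login page and respectable even against offline cracking of a leaked password hash; add a fifth word if you want more margin. Keep the output in your password manager rather than anywhere you’d be tempted to copy it from.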
5. Make Sure You’re Not Called Admin
Things have changed in recent times, but back in the day the default name for the WordPress admin account was… “admin”.
Since WordPress 3.0 the installer asks you to choose the username for the first account. But if your blog was set up before that, or you simply typed “admin” when asked, you should change it.
When hackers probe blogs for weak logins, typically by firing lists of common passwords at the login page, they need a username and a password. Since it’s been common knowledge for some time that lots of people use “admin”, half of the hacking challenge is solved before they start if that’s your login.
Changing your username to something less predictable takes that head start away. Treat it as a head start and nothing more, though: WordPress makes usernames fairly easy to discover (an author archive page, for instance, shows the author’s login name in its address by default), so a strong, unique password is still what actually protects the account. WordPress also won’t let you edit a username from the dashboard once the account exists, so you can’t just change it with a simple amendment to your profile.
If your current username is “admin” and you want to change it, you’ll need to:
- Create a new account in WordPress with a name that’s not so easy to predict.
- Assign the Administrator role to it, then log out and log back in as the new account to confirm it works before you touch the old one.
- Delete the account called “admin” afterwards. When WordPress asks what to do with that user’s content, choose “Attribute all content to” and pick your new account; the other option deletes every post and page the old account wrote.
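As an added example (not the post’s own instructions), the same steps can be scripted with WP-CLI, the command-line tool many hosts ship alongside WordPress. It assumes the wp command is installed and that you run the script from the WordPress root; the script name replace-admin.sh and the example login and e-mail address are assumptions.

```shell
#!/bin/sh
# Added example: replace the predictable "admin" account with a new administrator
# using WP-CLI. Not part of the original post; assumes the "wp" command is installed
# and that the script is run from the WordPress root.
set -eu

# replace_admin_user NEW_LOGIN NEW_EMAIL [OLD_LOGIN]
# Creates NEW_LOGIN as an administrator, moves OLD_LOGIN's content to it and
# deletes OLD_LOGIN (default "admin"). Prints the new user's ID.
replace_admin_user() {
    new_user="$1"
    new_email="$2"
    old_user="${3:-admin}"

    # Refuse the names every brute-force wordlist tries first.
    case "$new_user" in
        admin|administrator|root|test|user|"$old_user")
            echo "refusing predictable username: $new_user" >&2
            return 1 ;;
    esac

    if ! wp user get "$old_user" --field=ID >/dev/null 2>&1; then
        echo "no account named '$old_user'; nothing to do" >&2
        return 1
    fi

    # Create the replacement first so the site is never left without an administrator.
    # --porcelain prints only the new ID; the random password WP-CLI generates is
    # replaced in the next step.
    new_id=$(wp user create "$new_user" "$new_email" --role=administrator --porcelain)

    # Ask for the password at a prompt instead of taking it on the command line,
    # where it would end up in shell history and the server's process list.
    wp user update "$new_id" --prompt=user_pass

    # --reassign hands the old account's posts and pages to the new one; without it
    # WordPress deletes that content along with the user. This is the scripted
    # equivalent of "Attribute all content to" in the dashboard.
    wp user delete "$old_user" --reassign="$new_id" --yes

    echo "$new_id"
}

# Usage: sh replace-admin.sh newlogin you@example.com
if [ "$#" -ge 2 ]; then
    replace_admin_user "$@"
fi
```

If you’d rather check the new account by hand before the old one disappears, run only the create and update steps, log in as the new user in a browser, and then run the delete command yourself.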
6. Update WordPress, Themes and Plugins
Have you ever been nagged to update things by WordPress when you’ve logged in to your admin dashboard?
WordPress nags you for very good reason. It’s a fairly secure system, but it’s open source, so its code is available for anyone to read, and people with bad intentions read it looking for security vulnerabilities. More to the point, when the WordPress team fixes a security bug the fix is public too: anyone can compare the old code with the new, work out exactly what was wrong and go after sites that haven’t updated yet. That is why updating WordPress promptly is so important.
WordPress updates often contain code changes that close vulnerabilities people have found. If you’re running an old version, you likely have code that contains such vulnerabilities, and the older your version of WordPress, the more publicly known holes it’s likely to have. WordPress installs minor security releases automatically by default; leave that switched on.
The same is true for themes and plugins. Even premium WordPress themes and plugins you’ve paid for can have security holes that need to be plugged, and in practice plugins are where most WordPress break-ins start. Updating your theme and plugins is the sensible thing to do to protect you against any security vulnerabilities you might have, and delete any theme or plugin you no longer use: a deactivated plugin’s files are still sitting on the server where an attacker can reach them. Updating not only makes your WordPress blog more secure, it will also deliver any enhancements that have been added.
N.B. Before you update WordPress, your theme or your plugins, make sure you take backups of your WordPress pages, posts and media as well as your databases.
7. Don’t Use Cracked Themes… Ever!
Premium WordPress themes are desirable because:
- They’re coded well.
- They adhere to WordPress best practice.
- They often include support long after you’ve purchased them.
- They usually look pretty stunning.
Of course they can also be expensive. Don’t let your desire for a beautiful theme lead you to a free cracked version.
Cracked (or “nulled”) themes are illegal and pose a severe risk to the security of your WordPress blog. Since someone has already modified the code to strip out the licence check, you have no way of knowing what else they inserted: backdoors, hidden spam links and malware are common in nulled themes, and you could end up with a totally broken blog, a blog quietly working for someone else, or be locked out of it completely.
8. Make Regular Backups
While this isn’t something that will stop an attack on its own, it’s what lets you recover if you suffer one.
I previously mentioned creating backups before you update WordPress, themes and plugins. However, making backups should be a regular activity regardless of security, in case anything ever fouls up. Two things make a backup worth having: keep a copy somewhere other than the server it came from (a backup sitting next to the site is lost along with the site), and try restoring it now and again, because a backup you’ve never restored is a hope rather than a plan.
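As an added example (not from the original post), here is a shell script that takes the two halves of a WordPress backup, the database and the wp-content directory, the way you would run it from the hosting account’s shell or a cron job. It assumes mysqldump and tar are available and that it can read wp-config.php for the database details; the script name and the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: back up a WordPress site (database dump plus wp-content, which holds
# themes, plugins and uploads). Not part of the original post. Assumes mysqldump and
# tar are installed and the script can read wp-config.php.
set -eu

# Print the value of define('NAME', 'value') from wp-config.php: wp_config_value ROOT NAME
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "$1/wp-config.php" | head -n 1
}

# backup_wordpress WP_ROOT DEST_DIR: writes db-<stamp>.sql and wp-content-<stamp>.tar
# into DEST_DIR and prints the timestamp used in the file names.
backup_wordpress() {
    wp_root="$1"
    dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest"

    db_name=$(wp_config_value "$wp_root" DB_NAME)
    db_user=$(wp_config_value "$wp_root" DB_USER)
    db_pass=$(wp_config_value "$wp_root" DB_PASSWORD)
    db_host=$(wp_config_value "$wp_root" DB_HOST)
    if [ -z "$db_name" ]; then
        echo "could not read DB_NAME from $wp_root/wp-config.php" >&2
        return 1
    fi

    # Hand the credentials to mysqldump through a private options file. Putting
    # --password=... on the command line shows it to every other user on the server
    # in the process list, which on shared hosting is exactly the wrong audience.
    cnf=$(mktemp)
    chmod 600 "$cnf"
    printf '[client]\nuser="%s"\npassword="%s"\nhost="%s"\n' \
        "$db_user" "$db_pass" "${db_host%%:*}" > "$cnf"
    # --single-transaction takes a consistent snapshot of InnoDB tables without locking the site.
    mysqldump --defaults-extra-file="$cnf" --single-transaction "$db_name" \
        > "$dest/db-$stamp.sql"
    rm -f "$cnf"

    tar -cf "$dest/wp-content-$stamp.tar" -C "$wp_root" wp-content

    # The dump contains password hashes and the uploads may contain private files:
    # keep the backups readable by this account only.
    chmod 600 "$dest/db-$stamp.sql" "$dest/wp-content-$stamp.tar"
    echo "$stamp"
}

# Usage: sh wp-backup.sh /path/to/wordpress /path/to/backups   (paths are assumptions)
if [ "$#" -eq 2 ]; then
    backup_wordpress "$1" "$2"
fi
```

The database dump holds every post and user account (including password hashes) and wp-content holds your themes, plugins and uploads; WordPress core itself isn’t included because it can always be downloaded again. Copy the resulting files off the server (rsync to another machine, or your host’s own backup service), compress or encrypt them if they’re large or sensitive, and restore them into a test site once in a while to be sure they actually work.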
I’ve discussed 8 ways to secure WordPress that anyone from beginners to experts can put into practice. Let’s run through them again as a summary list:
- Use secure and reliable WordPress hosting: I recommend SiteGround.
- Migrate to SSL to encrypt your data: SiteGround does this for me.
- Manage WordPress user accounts. Restrict access only to those who need it and assign appropriate permissions.
- Manage WordPress passwords. Update them often and use a password that’s difficult to predict.
- Make sure your admin user account is not called “admin”.
- Update WordPress, themes and plugins to keep everything up to date and secure.
- Don’t use cracked themes: they’re illegal and may introduce security problems in WordPress.
- Make regular backups in case disaster strikes!
Look out for my post on more advanced tips for how to secure WordPress!
That’s it for now.
Any questions about how to secure WordPress? Leave me a comment below and let’s discuss it!