3 Essential WordPress Security Tips


There are a lot of reasons I feel lucky I don't have a huge blog.  I don't pay massive fees for my server and bandwidth (since my site is self-hosted). My email accounts stay manageable, it's easier to interact with my followers, and it hopefully means I don't receive as much flak and dislike online.

It also means that my site is less likely to get hacked by outsiders.

This doesn't mean it can't happen, but it means it's a bit less likely to happen than to a site like IFB.

My best pal recently shared with me some trials and tribulations from her own site: seeing spam pages come up in search results for her site in lieu of content; accidentally crashing her site and losing all of its content when she deleted the files (and a hint: your host may not always have a backup); and an increase in hack attempts when she also ran a shop through her site.

She shared some tips with me, and I wanted to share them with you.  Because losing 6 years of posts? That SUCKS.

Basic Security for Your WordPress Blog:

Don't use the “Admin” username & password combination:

When you create a self-hosted WordPress site, it prompts you to create a username and password.  Often, WordPress encourages you to use “Admin” as the username.  Using Admin means everyone on a WordPress site has the same primary username, making it easier for hackers to figure out step #1 of hacking into your site — your account name.  No one will see your account name but you, so make it as unique as you'd like.

If you've been using the Admin login for a while, that's okay – so was I!  To make the change and get rid of that ADMIN username, I created a second user (let's call her OMGAshleyRules).  I transferred the ownership of all posts from ADMIN to OMGAshleyRules.  Admin no longer had written or posted any of the articles on my site; OMGAshleyRules had.  At that point, I logged in as user OMGAshleyRules and deleted the Admin user.

If you want more step-by-step instructions, this post has them for deleting the default WP admin username.
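The three steps above (create a second administrator, transfer the posts, delete Admin) as an added PHP script for WP-CLI's eval-file command; this is example code, not from the post or from WordPress itself, and it assumes a single-site install with WP-CLI on the server and a placeholder NEW_EMAIL that you replace.

```php
<?php
// Added example (not code from the post): one-off WP-CLI script that retires the
// default "admin" account as the post describes. Run from the site root with:
//   wp eval-file retire-admin.php
// Assumes a single-site install; NEW_EMAIL is a placeholder you must change.
const OLD_LOGIN = 'admin';
const NEW_LOGIN = 'OMGAshleyRules';   // the post's example replacement name
const NEW_EMAIL = 'owner@example.com';
function retire_default_admin(): void {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()

    $old = get_user_by('login', OLD_LOGIN);
    if (!$old) {
        WP_CLI::success('No "' . OLD_LOGIN . '" account exists; nothing to do.');
        return;
    }

    // Step 1: create the replacement administrator if it does not exist yet.
    $new = get_user_by('login', NEW_LOGIN);
    if (!$new) {
        $password = wp_generate_password(24, true, true);
        $new_id = wp_insert_user([
            'user_login'    => NEW_LOGIN,
            'user_email'    => NEW_EMAIL,
            'user_pass'     => $password,
            'role'          => 'administrator',
            // The author slug and display name show up in author archive URLs and
            // bylines, so keep them different from the login name.
            'user_nicename' => 'ashley',
            'display_name'  => 'Ashley',
        ]);
        if (is_wp_error($new_id)) {
            WP_CLI::error($new_id->get_error_message()); // prints and exits
        }
        $new = get_user_by('id', $new_id);
        WP_CLI::log("Created {$new->user_login}; temporary password: {$password}");
    }

    // Safety check: never remove the only administrator and lock yourself out.
    if (!in_array('administrator', $new->roles, true)) {
        WP_CLI::error(NEW_LOGIN . ' is not an administrator; aborting.');
    }

    // Steps 2 and 3: hand every post and page to the new account, then delete admin.
    $owned = count_user_posts($old->ID, ['post', 'page']);
    wp_delete_user($old->ID, $new->ID);
    WP_CLI::success(OLD_LOGIN . " deleted; {$owned} posts/pages reassigned to " . NEW_LOGIN . '.');
}
retire_default_admin();
```

wp_delete_user() reassigns the old account's posts in the same call, so there is no separate ownership-transfer screen to visit; the equivalent one-liner is `wp user delete admin --reassign=<new-user-id>`.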

Don't use the default login URL.

Again, by default, WordPress makes the login page for every site website.com/wp-login.php.  It's easy for hackers to type the /wp-login.php (or /wp-admin) extension onto your website URL to get to the login page of your site.  But you can actually make the login page have any URL you'd like!  This is harder for websites like IFB, where we have thousands of users who log in, but if it's just you?  Make that login URL /heytimetoblog.php or whatever your heart dreams of!

The easiest way to do this is to install a specialty plugin like HC Custom WP-Admin URL to help you change the login or you can use a security plugin like the one below.  If you're really skilled with coding and feel comfortable altering your .htaccess files, you can follow these instructions on how to change the /wp-login.php page.

Install a security plugin.

This seems like a no-brainer, but I've gone my entire 6+ years without one!  My best friend recently recommended Better WP Security, which has great ratings.  I appreciate that it's really clear about what you need to do to secure your site (see below for an example from my site) and focuses on various areas of weakness on your site — ones I didn't even know existed or were prone to hacking attacks!

This plugin identifies security issues and color codes them by level of importance (see the color-coded scale at the bottom). All red items are security risks and should be fixed immediately!  Anything in yellow (I have 4 below) is partially secure, and you should take steps to secure it.


I could really write a whole post about how to use this plugin (even though I'm still learning), but know that this plugin identifies what may need to be fixed immediately, and what they recommend you fix – but that may have consequences related to your plugins or theme settings.

If you don't feel comfortable with coding, I like that Better WP Security can and will edit core files – like the .htaccess and wp-config.php files.  It can even help fix your admin username and the /wp-login.php page for you!

Bonus Tip: please, please, back up your site regularly!

This is one of those “I didn't do it until I either lost my site or had a friend who lost their site” moments.  It wasn't until I saw several blogger friends crash their sites and lose their data that I realized how important it is to back up your site.  There are lots of options to help you do this – Better WP Security can help you do it, or you can use a plugin like WordPress Database Backup (this is what I use).

How often you back up will depend on your blogging habits – if you post 3 times a day, you may want to set up a daily backup.  If you post irregularly, you may want to schedule a backup once a week.  No matter how you schedule it, in the event that a page gets hacked or you lose your site, those backups will be essential in rebuilding it.

Now ‘fess up – have you actually taken precautions for protecting your site's security before reading this?  Have you ever had your site hacked — and if so, do you have any extra tips and suggestions to help the rest of us?

[Image source: Shutterstock.com]


15 Responses

  1. Simon

    These are important tips that I totally recommend. We only use WordPress blogs and their open-sourceness makes them pretty vulnerable to hacking and spam, especially with no added security. Have had viagra/cialis links sneak into old posts that weren’t noticed for a while, super annoying to have to go through and remove them all. It’s also good to only stick to plugins that are trusted and safe as well.

    • Ashley Robison

      “Have had viagra/cialis links sneak into old posts that weren’t noticed for a while, super annoying to have to go through and remove them all.”

      Yes! That’s exactly what happened to Mallory (the friend who inspired this post). She’d search for a post of hers on Google and find the links — yuck!

  2. Erin

    My blog was hacked and I lost 7 years worth of posts. I did have everything backed up, but surprisingly, WordPress couldn’t upload everything. I thought I lost a lot of content. However, I remembered that I had subscribed via email to my own RSS feeds, so I had all of my posts sent to me daily over the last few years. Might want to try something like that too! It totally saved my blog.

    • Ashley Robison

      Oh no, Erin, that’s so scary!!!

      I’ve been following my own site via RSS feeder (and know my friend managed to pull some of her old posts back that way), but never thought about the email subscriptions – that’s a great idea!

  3. Miss Monet

    I’ve recently transitioned from wordpress.com to a self hosted wordpress.org site so these tips are very helpful!! Thank you!!

  4. Tiera

    Thanks for the plugin recommendations; I’m gonna look into the backup and security plugins. One tip I’ve read over & over (and which I’ve heeded!) is to remove all unused plugins. I’m not sure how, but apparently having inactive ones is another way for those slimy hackers to get into your site.

    • Ashley Robison

      That’s crazy – who knew they could get in via unused plugins? I typically try to delete the ones I’m not using (just in case they’re sucking up load time and bandwidth), but it makes me feel better KNOWING I do that!

  5. Victoria

    Thanks for these tips – I’ve done numbers one and three now. I see what you mean about Better WP Security being a bit of a beast! But at least it’s now installed and I can take the time to go through and sort out any issues it’s highlighted.

    The tip about getting posts emailed to your personal email is a fab idea too – thanks Erin! I use WordPress Backup to Dropbox, which is really handy.

    Victoria | shabby-chic-home.com

    • Ashley Robison

      Ooh, that’s a great idea about backing it up onto Dropbox! I’ll have to look and see if I can find that option. It’s much easier than keeping an email file with backups!

      And isn’t that plugin a behemoth? I try to tackle 1 or 2 “fixes” a day, until I know it’s feeling good & secure. Better safe than sorry, right?

  6. hitokirihoshi

    I’ll install this Better WP Security, thanks for the recommendation.

    I almost lost all the data that I had created over almost 4 years. Good thing I have a web developer friend who helped me transfer and retrieve my files.

    Yeah, back up your files regularly and secure your data.

  7. Ryan

    Thanks for sharing your helpful tips with others. Unfortunately, it is quite easy to find the login page, even if you change the name. Better WP Security is a good plugin, but there are several different layers to security. We are working on a security plugin that should make sites a lot more secure.

  8. Kaja

    These first two tips I’d not thought of. Essential to keep your data safe and effective. Thanks for sharing, Ashley.