WordPress Blog Security Best Practices

Whilst WordPress is a brilliant tool for blogging, its success is also one of its greatest weaknesses. It is used on so many sites that it is a big target for hackers, so if you are using WordPress you must take additional steps to make your site more secure. Here are a few security best practices to get you started!

1) Always update to the latest version of WordPress and Plugins


WordPress frequently releases security updates: whenever a problem is found they will try to patch it as soon as practical. Likewise, the plugins and themes you use can turn out to be vulnerable to hackers, and these will be updated by their authors when needed.

So if you see that little red box warning you of updates in need of installation, do take a few minutes to check what needs updating and do the update. It could just be the update that gives you a bit more protection.

2) Delete unused plugins


If plugins and themes can be vulnerable to attack then don’t leave them hanging around! If you are not using them then delete them. This applies to any plugins that are installed but deactivated, and also to any that are active but are only there because you haven’t thought about them.

If they once did a job and are not really needed now, get rid of them. Doing so might also speed up your blog a bit!

3) Review what plugins and themes you install

Any developer can distribute plugins and themes, and you don’t really know who they are nor whether they have other intentions. Why are so many plugins and themes released for free?

In nearly all cases it’s because there’s an upgrade to a paid version, and with some themes the developer is hoping for a few useful links back to their own site (not so useful with recent Google updates). But there will always be that minority of people who want something else.

So before downloading a plugin or theme it is good practice to read a few reviews, check the download figures and convince yourself it really is a safe product to use. After all, you are potentially giving the developer access to your entire blog!

4) Protect your login form

If a hacker takes an interest in your blog (and you don’t need to be a popular blog for this to happen: at just 5 weeks old and with 1 or 2 visitors a day, a hacker took a strong interest in this blog) they might try brute-force attempts to gain access to your admin system.

This involves them using a robot (an automated program) to try to log in using a variety of passwords. They can try an unbelievable number of passwords in a very short time. However, there is a weakness in this process: they (usually) make all of these attempts from the same IP address.

So I like to protect my login form with Limit Login Attempts by Johan Eenfeldt. If it detects a number of failed attempts in a short time it blocks the IP address. And if there are more attempts after the block, it blocks the IP address for longer. You can see how many times it has protected my site recently!
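As an added illustration of the lockout logic just described (my own simplified model, not the plugin's code; the thresholds and block lengths are assumed values), this Python snippet counts failed logins per IP address, blocks the address once the limit is hit within a short window, and lengthens the block when the same address keeps coming back. Replayed over a constructed burst of failed logins, it shows how many attempts get rejected outright.

```python
from collections import defaultdict

# Assumed policy values for illustration; not the plugin's real defaults.
MAX_FAILURES = 4          # failed logins tolerated per IP within WINDOW
WINDOW = 10 * 60          # seconds over which failures are counted
SHORT_BLOCK = 20 * 60     # length of the first lockouts (20 minutes)
LONG_BLOCK = 24 * 3600    # length once an IP keeps coming back (24 hours)
LOCKOUTS_BEFORE_LONG = 3  # the lockout at which the long block kicks in

class LoginGuard:
    """Per-IP lockout with escalating block length (simplified model)."""
    def __init__(self):
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.blocked_until = {}            # ip -> unix time the block expires
        self.lockouts = defaultdict(int)   # ip -> lockouts issued so far

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def failed_login(self, ip, now):
        """Record a failed login at time `now` (seconds). Returns 'blocked'
        (IP already locked out, attempt rejected), 'lockout' (this failure
        triggered a new lockout) or 'counted' (merely noted)."""
        if self.is_blocked(ip, now):
            return "blocked"
        recent = [t for t in self.failures[ip] if now - t < WINDOW]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) < MAX_FAILURES:
            return "counted"
        # Threshold reached: lock the IP out, for longer if it keeps returning.
        self.lockouts[ip] += 1
        long_block = self.lockouts[ip] >= LOCKOUTS_BEFORE_LONG
        self.blocked_until[ip] = now + (LONG_BLOCK if long_block else SHORT_BLOCK)
        self.failures[ip] = []  # count afresh once the block expires
        return "lockout"

def replay(events):
    """Replay (timestamp, ip) failures in time order: outcome counts, blocks."""
    guard = LoginGuard()
    counts = defaultdict(int)
    for ts, ip in sorted(events):
        counts[guard.failed_login(ip, ts)] += 1
    return dict(counts), dict(guard.blocked_until)

# Constructed sample: a bot in bursts of four from 203.0.113.7, one typo from 198.51.100.2.
SAMPLE_EVENTS = [(base + 3 * k, "203.0.113.7")
                 for base in (0, 1300, 2600) for k in range(4)]
SAMPLE_EVENTS += [(2700, "203.0.113.7"), (30, "198.51.100.2")]
```

Calling `replay(SAMPLE_EVENTS)` shows three lockouts for the bot, the third one lasting 24 hours, while the single typo from the other address is only counted.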


5) Don’t use Admin or Administrator

WordPress used to use the default user of Admin all of the time, but has tightened up its security by no longer doing so. If you have been using WordPress for years, or are just feeling a little short on imagination, do not use either of these user names on your blog.

You can see from the small part of the screen grab above that all of the attempts to get into my blog have used one or the other of these 2 user names. So by using something different you are ensuring that hackers don’t just need to guess your password, they also need to guess your user name.

If you are using an obvious user name then sign on now, go to Users and create a new administrator id that’s more secret (see the tip first though). Then within Users select the Admin user and change its role to Subscriber. Better still, delete the Admin id and move its posts to your new user if you can, but downgrading Admin to a subscriber should prevent many problems.

6) Don’t display your login name as post author

Do you display your author name after posts? Do you know if you do? If you are avoiding using ‘Admin’ then don’t give away your real username by displaying it at the end of posts! Click on Users and then your username and you will see the screen below.


The Username is the one you sign on as. Set something different in the Nickname field and then set “Display name publicly as” to the Nickname.

7) Make backups of the database

And if it all goes wrong then you are going to need backups. There are plenty of plugins to choose from that can regularly back up your blog for you. I use one that stores the backups on the server and also emails me a copy of the backup files.

To prevent this from cluttering up my email I’ve created a large standalone email box just to receive the backups. But if you do this, keep an eye on the box to ensure backups are arriving and that it has not become full!
