Keep Your WordPress Blog Secure


As users of the web, we have to be careful with security and make sure hackers do not get into our bank accounts, emails, and our websites/blogs. Here, I outline some simple things that you can do to make sure your WordPress blog/website isn’t the next one that gets hacked.

The Basics:

Don’t use a simple, short password!

This is one of the simplest things you can do to keep your blog safe. Using a combination of upper- and lower-case letters, numbers, and symbols makes your password harder to crack, and length helps even more: every extra character multiplies the work an attacker has to do. I would recommend a password no shorter than 8 characters, and make it as long as you can. Most websites allow long passwords, so don’t be shy! Avoid dictionary words, names and dates, since password-guessing tools try those first.

And try not to use the same password for everything: when one site leaks its user list, every other account that shares the password is exposed with it. I know this can be a tad annoying, but you can write them down so you don’t forget (in a safe place, of course!). It is the accounts we rarely log into whose passwords we tend to forget, so make those as hard to crack as possible and keep them written down; then you don’t have to remember every single password for every account. Make the ones you use regularly memorable but still hard to crack, and keep the rest somewhere safe for the occasional login.

(If you do write down your passwords, don’t label what they are for, just in case. Keep a plain list, so that if you forget one you at least know which passwords you have used.)
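To put numbers on “the more, the merrier”, here is an added example (not from the original post) that estimates how much work a brute-force attacker faces for a given password and checks it against the rules above. The guessing rate of ten billion per second is an assumption for illustration; the common-password list is a tiny stand-in for the lists real tools use.

```python
import math
import string

# Assumed offline guessing rate against a leaked password hash. The figure is
# an assumption for illustration only; real rates depend on the hash type and
# the attacker's hardware.
GUESSES_PER_SECOND = 10_000_000_000

# Character classes and the size each one adds to the search alphabet.
CLASSES = {
    "lowercase": (string.ascii_lowercase, 26),
    "uppercase": (string.ascii_uppercase, 26),
    "digits": (string.digits, 10),
    "symbols": (string.punctuation, len(string.punctuation)),
}


def classes_used(password: str) -> set:
    """Which of the four classes appear in the password."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker has to search."""
    size = sum(CLASSES[name][1] for name in classes_used(password))
    known = "".join(chars for chars, _ in CLASSES.values())
    if any(c not in known for c in password):
        size += 32  # spaces and non-ASCII characters: rough allowance
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on brute-force work, in bits: log2(charset ** length).
    A password built from dictionary words or keyboard patterns is weaker
    than this figure suggests, so treat it as a best case."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def years_to_crack(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password, searching half the space on average."""
    seconds = 2 ** entropy_bits(password) / 2 / rate
    return seconds / (365 * 24 * 3600)


def check_policy(password: str, min_length: int = 8) -> list:
    """Problems with the password against the rules above (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_used(password)) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    # Tiny stand-in for the word lists guessing tools actually use.
    if password.lower() in {"password", "admin", "letmein", "qwerty", "123456"}:
        problems.append("is a very common password")
    return problems


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd", "qzjxkvbwmnphtrlc", "correct horse battery staple"]:
        print(f"{pw!r:34} {entropy_bits(pw):6.1f} bits "
              f"{years_to_crack(pw):12.3g} years  {check_policy(pw)}")
```

Running it shows why length beats symbols: an 8-character password that uses all four classes comes out around 52 bits, while 16 random lowercase letters come out around 75 bits, roughly ten million times more work, even though the first one passes the “three classes” rule and the second does not.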

Create a username other than “admin”.

The default username for WordPress blogs is “admin”, and if you’re about to create a blog, it’s best to use something else. If the username is “admin”, an attacker already knows half of the login and only has to guess the password; automated login-guessing tools try “admin” first for exactly that reason. So use something else!

If your blog was set up for you, then you may have been given “admin” to use. Instead, go to Users > Add New and create yourself a new login account with a different username, giving yourself the Administrator role and a strong password that is different from the old one. Log out and log back in with the new username. Then go back to Users and delete the account “admin”; on the confirmation page, select “attribute all links and posts to” and choose your new username in the drop-down list, so that all the posts are transferred to your new account instead of being deleted. One caveat: WordPress still shows a display name on your posts and in author archives, so set a display name (Users > Your Profile) that is different from the login name, or the new username leaks just as “admin” did.

Be sure to uncheck the “Anyone can register” option under Settings > General if you don’t want anyone but yourself to have an account on your blog, and leave “New User Default Role” at Subscriber in case registration is ever switched on. You can also control who is allowed to comment on your posts under Settings > Discussion, which helps stop spam.

Also note: if other people are going to have access to the admin back-end, assign proper user roles. Give each person the lowest role that lets them do their job (Contributor or Author for writers, Editor for someone who reviews posts), and don’t give Administrator access to those who shouldn’t have it!
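The attack the advice above defends against, someone guessing passwords against the login form, leaves a clear trace in the web server’s access log. As an added example (not from the original post), the script below flags it: WordPress answers a failed login POST with HTTP 200 (it re-renders the form) and a successful one with a 302 redirect, so a burst of 200s from one address is password guessing, and a 302 right after such a burst means a guess probably worked. The sample log lines are constructed, the threshold and window are assumptions, and the access log is assumed to be in the usual Apache/nginx “combined” format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def login_posts_by_ip(lines):
    """Group POST requests to wp-login.php by client IP, sorted by time."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            by_ip[rec["ip"]].append(rec)
    for recs in by_ip.values():
        recs.sort(key=lambda r: r["ts"])
    return by_ip


def analyze(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag password guessing against wp-login.php.

    An IP that posts `threshold` or more failed logins (HTTP 200) within
    `window` is guessing; if a 302 follows that burst, a guess probably
    succeeded and the account should be treated as compromised.
    """
    brute_force, possible_compromise = set(), set()
    for ip, recs in login_posts_by_ip(lines).items():
        failures = [r["ts"] for r in recs if r["status"] == 200]
        burst_end = None
        start = 0
        for end in range(len(failures)):            # sliding window over failures
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                brute_force.add(ip)
                burst_end = failures[end]
        if burst_end is not None and any(
            r["status"] == 302 and r["ts"] >= burst_end for r in recs
        ):
            possible_compromise.add(ip)
    return {
        "brute_force": sorted(brute_force),
        "possible_compromise": sorted(possible_compromise),
    }


# ---- constructed sample log (not real traffic) ----------------------------
def _line(ip, t, method, path, status):
    return (f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "Mozilla/5.0"')


_T0 = datetime(2012, 3, 10, 14, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _line("198.51.100.4", _T0, "GET", "/", 200),                                   # normal visitor
    _line("198.51.100.4", _T0 + timedelta(seconds=30), "POST", "/wp-login.php", 302),  # one real login
]
# Attacker: twelve wrong guesses two seconds apart, then one that works.
SAMPLE_LOG += [_line("203.0.113.7", _T0 + timedelta(seconds=2 * i), "POST", "/wp-login.php", 200)
               for i in range(12)]
SAMPLE_LOG.append(_line("203.0.113.7", _T0 + timedelta(seconds=24), "POST", "/wp-login.php", 302))


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The log does not record which username was posted, so the script cannot tell you whether the guesses were aimed at “admin”; in practice they almost always are, which is the point of not having that account.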

Plugins Can Help:

Here are some plugins that can help make WordPress more secure.

SI CAPTCHA Anti-Spam

SI CAPTCHA Anti-Spam adds a CAPTCHA image to the forms for “comments, registration, lost password, login, or all.” Users have to look at the image and type the code they see into the text box. This is great for preventing comment spam, and on the login form it also slows down automated password guessing, since every attempt then needs a human to solve the image.

Secure WordPress

Secure WordPress does a whole bunch of useful things: it hides the version of WordPress you’re running (so an attacker can’t simply match it against a list of known vulnerabilities), adds an empty “index.php” to the plugin and theme folders so that directory listing can’t reveal which plugins and themes you have installed, blocks bad queries, and more.

WP-DB-Backup

Now, if your WordPress blog does get hacked or compromised, this handy plugin will keep you from losing all your content. WP-DB-Backup lets you back up the database where your posts, pages, comments and settings are stored. You can back up to your computer whenever you like, or have a backup emailed to you hourly, twice daily, once daily, or once weekly. If your database were to be compromised, you won’t have to re-write all those posts! Keep several older backups rather than only the latest one: if a compromise goes unnoticed for a while, the newest backup may already contain the attacker’s changes. Note also that a database backup does not include your theme, plugin and upload files, which are covered below.

Keep WordPress Up-To-Date:

Another easy thing to do is keep WordPress up to date. With a click of a button (if you have the user capability) you can update WordPress in under a minute when a new release comes out. A message at the top of the Dashboard alerts you that a new version is available, and you can update WordPress under Dashboard > Updates (and update themes and plugins there, too!).

If you don’t have the capabilities to do so, make sure whoever developed the website for you either gives you the ability to do so, or updates it for you.

Updating doesn’t mean you’re 100% protected from hacks, but it closes the publicly known vulnerabilities in previous WordPress versions, and those are exactly what automated attacks go after: once a fix is published, attackers know what to look for in sites that haven’t applied it.

If possible, remove the “Admin Login” link.

Another small measure is to remove, if possible, the link to the admin login page from the public side of your site, and bookmark the login page instead. Be aware that this only hides the link from casual visitors: the login page lives at the well-known path wp-login.php on every WordPress site, so anyone who sets out to attack it will find it anyway. The measures above (a non-default username, a strong password, and a CAPTCHA on the login form) are what actually protect it.

Keep a Copy of Other Files:

Don’t forget to keep track of the plugins and themes you’re using, either as a clean copy stored on your computer or at least as a written list of their names. This way, if your blog is hacked, you can remove all the old plugin and theme files and reinstall them from clean copies. Generally, you’ll want a copy of everything in your “wp-content” folder, even if it’s not up to date: you can either install these copies and update them from the admin back-end, or search for the themes and plugins and install the latest versions from there. An outdated clean copy is better than corrupted files!

It’s also a good idea to keep the images you’ve uploaded on your computer, along with a copy of the file “wp-config.php”. That file contains your database username and password and the site’s secret keys, so store the copy somewhere private. The rest of the files are WordPress core files, which can be restored from a fresh download of the latest version of WordPress; after a compromise, take them from a fresh download rather than from your own copy, since the attacker may have modified them.
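A clean copy is most useful if you can also tell which files changed. As an added example (not from the original post or from any of the plugins mentioned), the script below records a SHA-256 manifest of a wp-content folder while it is known-good and later compares the live folder against it, listing added, removed and modified files so you know exactly what to reinstall. The wp-content tree it builds is a constructed stand-in with three tiny files, and the “injected” line is just a marker; the manifest and the clean copies should be kept off the server, where an attacker on the site cannot edit them.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_manifest(manifest: dict, path) -> None:
    """Write the manifest as JSON. Keep it outside the web root, with the
    clean copies, so an attacker who gets into the site can't rewrite it."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def diff_manifests(clean: dict, current: dict) -> dict:
    """Files added, removed or modified relative to the clean copy."""
    clean_keys, cur_keys = set(clean), set(current)
    return {
        "added": sorted(cur_keys - clean_keys),
        "removed": sorted(clean_keys - cur_keys),
        "modified": sorted(k for k in clean_keys & cur_keys if clean[k] != current[k]),
    }


def demo() -> dict:
    """Build a tiny constructed wp-content tree, record it while clean,
    tamper with it the way a compromise would, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        wp_content = Path(tmp) / "wp-content"
        clean_files = {                      # constructed stand-in files
            "plugins/hello.php": "<?php // hello dolly\n",
            "plugins/index.php": "<?php // silence is golden\n",
            "themes/twentyten/functions.php": "<?php // theme functions\n",
        }
        for rel, body in clean_files.items():
            target = wp_content / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)

        # In real use this path would be on your own computer, not the server.
        manifest_path = Path(tmp) / "wp-content.manifest.json"
        save_manifest(build_manifest(wp_content), manifest_path)

        # Simulated compromise: a plugin file is altered, a stray PHP file is
        # dropped into uploads, and a theme file is deleted.
        (wp_content / "plugins/hello.php").write_text(
            clean_files["plugins/hello.php"] + "/* injected */\n")
        (wp_content / "uploads").mkdir()
        (wp_content / "uploads/dropped.php").write_text("<?php // not ours\n")
        (wp_content / "themes/twentyten/functions.php").unlink()

        return diff_manifests(load_manifest(manifest_path), build_manifest(wp_content))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same comparison works for the WordPress core files: build the manifest from a fresh download of the version you run and compare it against the live install, and anything reported as modified or added is something the download didn’t ship with.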

Care to share?

What steps do you take to keep your WordPress blog more secure? If you have any comments or would like to share other plugins or strategies to help other web users keep their blogs safe, please comment below!

And if you think you might have been hacked, check out the WordPress Codex for steps on what to do next.