Monday, May 20th, 2019

10 Steps you can take to help secure your WordPress blog*


WordPress is perhaps the most popular self hosted blogging platform in use on the internet today. It is also increasing being used as a CMS (Content Management System) for small business websites. This trend is set to increase with the frequent updates with new features continually being added, so if you’re using WordPress it is vitally important that you’re aware that your website is at risk if you have not taken the necessary steps and precautions to increase your site security.

Picture this…  

One day on visiting your WordPress driven blog or website, to your horror you find that all the hard work you’ve put in over the months and years has been wiped out! Your site is now displaying some obnoxious comment saying “you’ve been hacked” or  it may even be displaying some very unsavoury content.

What’s happened is that your site has been hacked by someone possibly as far away as on the other side of the world. Having taken control of your site, the hacker can now display anything he wants on your valuable real estate! This unscrupulous person may have infiltrated your database in addition to having added their own code on your site. What’s more he may even have changed your ‘Admin’ password so you are locked out of your own site!

So faced with this situation, what can you do?

Well, if you’ve been making regular backups of your blog you’re in luck. The likelihood is that you will have to completely remove your site including the database and restore it from an earlier backup. Having been bitten once, this time around you’ll want to pay very close attention to your site security.

If you’ve not been making regular backups or worse still you have no backups at all, then this could be your worst  nightmare. Especially if your site is used to getting a fair amount of traffic and you’re now loosing money from lost product sales not to mention the loss of face and the possibly long lasting damage such an incident could have on your business.

So lets get started and get into the simple steps you can take to increase the security of your WordPress blog or website and to help prevent your site from getting hacked.

10 Steps you can take to help secure your WordPress blog
This is by no means an exhaustive list. Rather this guide is intended to inform the owner of a self hosted WordPress blog about important but relatively easy steps that can be taken to enhance the security of their WordPress driven website or blog.

There are a great number of steps that can be taken to enhance the security of a WordPress driven website, however many of these require technical knowledge on the part of the reader which is beyond the scope of this brief article. In this ’10 steps you can take to help secure your WordPress blog’, I will present some of the ‘easy to implement’ steps that anyone can take to greatly increase the security of their WordPress driven site.

It is highly recommended that you make a full backup of your blog or website before making any of the changes suggested in this article.

1. Keep your WordPress blog up to date
No software platform can be said to be free from bugs and vulnerabilities and hackers are always on the look out to find vulnerability in the software driving dynamic web-sites and blogging platform such as WordPress.

As new vulnerabilities are discovered, software developers are generally quick to release security patches to plug the known security hole.

For this reason you should look to update your WordPress blog as soon as possible following the release of any security patch. These are normally released in the form of an update.

Make a full backup of your MySQL database and the home page of your website or blog before applying a new update. This way in the event a major issue is encountered as a result of the update, you will be able to restore your site from your backup. See section 10 below.

2. Create a ‘Posting User’ to make your regular blog posts
Create a ‘Posting User’ account which you will use to make your regular posts. This user account must not have admin rights. Instead you may give this user ‘Editor’ rights.

Since your posts will usually display the username of the user making the posts, you should not use your admin login to make posts to your blog.

(This may also provide some level of protection should you unknowingly acquire spyware on your computer see point 10).

3. Change the default admin username and use strong user passwords
By default WordPress adopts the admin user ‘admin’  when a new WordPress blog is installed. However if you’re installing your new WordPress blog through your hosting providers cPanel, you are given the option to change the default admin username. You should always choose a more secure username (and make sure that you remember your chosen username).

All user account passwords should use ‘strong passwords’. If you are not familiar with the concept of ‘strong passwords’, there is a wealth of information available o the web. Just Google ‘strong passwords’ for more information.

If your WordPress blog has already been installed using the default ‘admin’ username, create another admin user with a more secure username by creating a new user and assigning admin rights to that user. Log out of your WordPress admin account then log back in using your newly created secure admin account. You can then delete the original WordPress admin account.

Deleting the default ‘admin’ user

If you already have posts under your original ‘admin’ user account, which is quite likely, when you attempt to delete this account be sure to select the option to ‘Attribute all posts and links to:’ … then select another user from the pop-up list. You will most likely want to assign these posts to the user your created in Step 2.

It is also possible to ‘rename’ the original ‘admin’ username using phpMyAdmin. This method is perhaps for the slightly more technically savvy person and since this article is intended to provide simple but effective solutions, the phpMyAdmin method will not be covered in this article.

It is also important to ensure your new ‘admin’ user name is not disclosed anywhere on your site. See the next Step 2. This user is to be used for the administration of your blog (applying updates, making backups etc) and should not be used to make any blog posts.

4. Ensure you have entered your API key in Akismet and it is activated

Akismet Configuration

Akismet Configuration

In general around 80% of comments are spam. Akismet tries to determine if comments entered on your blog are spam by checking the comments against the Akismet web service. You will be allowed to review the comments via the ‘Comments’ admin screen before they are published. You must register at to get an API key.

Your Akismet configuration settings can be found in the ‘Plugin’ section of your blog (you must be logged in as an Admin user to access these settings).

No configuration is necessary other than entering your unique API key and selecting whether you wish to have comments which has been determined as spam to be automatically discarded after 30 days.



5. Protect your admin folder

Restrict access to your admin directory

Restrict access to your admin directory

If you always log into your blog from the same IP addresses i.e. the same internet connections (and they have fixed IP addresses as opposed to dynamic), you can install a .htaccess file in your /wp-admin/ folder (note this is not the .htaccess file in your blog root folder) as shown in this screen shot.

The entry can also be seen below.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Restrict Access To Admin Folder”
AuthType Basic
order deny,allow
deny from all
allow from xx.xx.xx.xx

Where xx.xx.xx.xx is your IP address. You can list many IP addresses if required by entering each on a separate line e.g.

allow from xx.xx.xx.xx
allow from xx.xx.xx.xx
allow from xx.xx.xx.xx

Be sure to use a ‘plain text’ editor (such as notepad on a PC and TextMate on a Mac) to create this file. Do not use MS Word or other word processing program.

If you do tend to log into your WordPress blog from many different locations, you could instead password protect your /wp-admin/ folder.

This can be accomplished from within your cPanel control panel. Select the ‘Password Protect Directories’ option under the Security section of cPanel. Use a secure username and password. This sill provide an adds layer of protection for this folder.

You may be wondering how you can keep track of all your ‘secure passwords’. If using a PC you could use a Password Manager program such as ‘Roboform’ or ‘1Password’ if using a Mac. These programs lets you manage all your secure logins whilst you only need to remember 1 password yourself. For obvious reasons, make sure you use a secure username and password for your Password manager!

6. Ensure your Plug-ins and Themes are kept up to date
Security vulnerabilities can and do exist both in some plug-ins and themes. You should investigate and ensure that there are no know security issues with any of the plug-ins and themes installed on your blog and ensure your plug-ins and themes are kept up to date.

You should also remove any third party plug-in and themes that you may have installed but are unlikely to be using. Even disabled plug-ins can be a security risk if they contain vulnerabilities.

7. Check that your web host has applied all necessary security patches to the server
It is important to realise that your website or blog can also be hacked if your web hosting company has not taken necessary security measures or has not applied the latest security patches to the server itself.  Contact your website hosting provider and check that they have good security measures in place. Check that they are using secure stable versions of  the web server, MySQL database and other scripting languages such as PHP and that their network itself does not contain security holes.

You should also be aware that if your WordPress blog is hosted on a shared server, then if someone else’s site on the same server becomes compromised, then it is possible that your sites could also be compromised (even if you all your own security measures in place).

8. Install security plug-ins

Secure WordPress Plugin

Secure WordPress Plugin

There are a number of plug-ins available that are designed to helped to secure your WordPress blog. Unfortunately many of these plugins such as ‘Login Lockdown’ have not been updated and so may not have been tested on the latest production version of WordPress (at the time of writing the current WordPress version is 2.9.2).

The ‘Secure WordPress’ Plug-in however currently supports WordPress 2.9.2. This plug-in contains a number of features designed to enhance the security of your blog. For example it will prevent directory browsing of your /plugins/ and /themes/ folder by automatically adding an index.php file in those folders. This prevents the contents of those folders from being listed and exposed to hackers.

9. Lock down your open directories and prevent directory browsing
It’s surprising how many applications and plug-ins developed by programmers provide an open door for would be hackers to gain entry to your web site. A large number of plug-ins for instance do not bother to include an index.php or index.html file in the it’s plug-in directory. This poses a security risk since anyone can browse the files in those directories.

Use .htaccess to block directory listing

Use .htaccess to block directory listing

You can prevent directory browsing by including the following line (as shown in the screen shot) in the .htaccess file found in the root folder of your ‘blog’:

Options All -Indexes

This simple line will protect all open directories in your blog.

Take care not to disturb any of the other entries in your .htaccess file.

If you are sure there is no ‘.htaccess’ file in your WordPress home directory, simply create a plain text file and insert the above line in the file. Ensure you enter a return at the end of the line.

I would highly recommend you make a backup copy of your .htaccess file before making any changes. Be sure to use a ‘plain text’ editor (such as notepad on a PC and TextMate on a Mac) to create this file. Do not use MS Word or other word processing program.

10. Make regular backups of your blog
You should maintain regular backups of your WordPress blog. This includes both the MySQL database and the entire contents of your blog home folder.

How often you should backup your blog will depend on a number of factors. If you post to your blog daily for example and/or you receive a lot of daily comments, you should consider backing up your MySQL database on a daily basis.

Your MySQL database contains all the text on your blog as well as the blog settings. You should only need to backup your blog home folder (as well as your MySQL database) after installing and configuring a new component on your blog such as a new plug-in or theme.

Backup Buddy

Backup Buddy allows backups to be scheduled

A convenient way of achieving these backups is to use a plug-in such as BackupBuddy. BackupBuddy allows you to manually backup both your MySQL database and the home folder of your blog at any time. BackupBuddy also allows multiple backup schedules to be created so that for example your MySQL database (which generally stores all the text on your site as well as most of the configuration settings) is backed up say on a daily or weekly basis, whilst your full blog home folder as well as your MySQL database is backed up monthly.

Backups can be emailed or sent to a remote FTP server or to an Amazon S3 account. If using a remote FTP server, this should ideally be on a different server from your WordPress site. Most reputable hosting providers perform daily backups of their shared servers for disaster recovery purposes, however should your server go down for any length of time, having a separate backup would allow you to re-install you blog on another server and within minutes of your site being restored (assuming you have the right DNS services in place), your website can be back online and being publish from the new server.

BackupBuddy can also automatically send backup notifications via email. Should a backup fail for any reason your email notification would alert you to this fact so remedial action can be taken.

Bonus Tip: Possible vulnerabilities on your own computers
Make sure the computers you use to update your blog is free from spyware, adware, malware and virus infections. You should ensure you have a good quality and up to date anti-virus software installed on the computers. The above security measures will be of little value if there is spyware installed on your computer.

Please feel free to add your comments below.

Though the information provided in this article has been well research by the author it is provided for informational purposes only.  It is highly recommended that a full backup of your website or blog is carried out BEFORE making any changes. Due diligence and care is required when implementing any changes to your website or blog.

No responsibility can be accepted under any circumstances for any issues that may arise out of your interpretation (or mis-interpretation) of any of the statements in this article or from your  attempts to implement any of the authors suggestions. You are advised to seek the assistance of a professional if you are inexperienced or do not feel confident in implementing changes to your web site or blog.

In particular, improper changes made to your website .htaccess file can render your site inaccessible. Extreme care and caution is required in this area. Please seek the assistance of a professional.

Please be aware that some of the links on this website are affiliate links which may provide compensation to our company if a purchase is made.


2 Responses to “10 Steps you can take to help secure your WordPress blog*”
  1. Hi Brad – thank you so much for posting this – do you think you could help me with step #9 sometime? I’m not quite understanding that part. Thanks so much! 🙂

  2. bradlindsay says:

    Hi Joanna, nice to hear from you. I’ve created a step-by-step guide and have sent you an email. Let me know if there is anything else I can do.

What do you think...

Please feel free to tell us what you're thinking...