December 5

9 WordPress Security Tips That You Need To Do Right Now


Do you wake up in the morning and think "How can I secure my WordPress site today?"

No! I didn't think so.

Heck, it is not even what is on my mind and I think about WordPress A LOT. At best, I think "I should check my blog stats." The truth is, we shouldn't have to think about such things but we have no choice.

Bonus: Download a free checklist of the first plugins that I always install on a new WordPress Blog. 

Hackers are out there doing their hacking thing and so we need to take steps to protect our digital property.

There are a host of efforts that you can take to protect your site. You can hire a company like Sucuri They are fantastic but they aren't cheap.

If you are on a budget and not ready to take on another expense start protecting your site by taking these 9 actions today.

Important Note: Make sure that your site is backed up before you make any changes.

[clickToTweet tweet=”WordPress Security and website security matter. 9 tips to secure your site. ” quote=”WordPress Security and website security matter. 9 tips to secure your site. “]

1. Change your admin passwords

It is not uncommon for a WordPress site to have multiple admin accounts. There is absolutely nothing wrong with that, so don't worry.

However, each username and password is an opportunity for a hacker.

This is why you should change the passwords for each admin on a fairly regular basis. My recommendation is to do this quarterly at a minimum.

How do you change the WordPress Admin Passwords?

Step 1: Log into WordPress with a user that has Administrator access.

Step 2: Click on Users

Step 3: Click on Administrator

This just allows you to only see the admin users.

Step 4: Click on Edit under a user

Step 5: Scroll down and click on Generate Password

Step 6: Create new password

Step 7: Write down new password

Step 8: Scroll down and click on "Update User"

Step 9: Repeat process for all Admin Users.

Read This Article: How Do You Keep Up With All Of Those Passwords?

2. Delete Unused Themes

Elegant Themes is one of the most trustworthy WordPress theme shops out there. They create incredible products but even the greatest have vulnerabilities. This is just the reality that we live in.

You can read all about what happened with them right here: and how they responded. This is how a great and stable developer handles such a situation.

Why am I telling you this story?

Two things have to happen to secure a WordPress theme when a vulnerability is found. First, the developer has to be aware and second the user (that's us) has to notice the update.

That is two points of potential failure and that is often enough for a hacker to have a joy ride. As a WordPress user the easiest way to remove points of failure is to delete all of the themes that you aren't using. Then you only have to keep an eye out for updates on one theme.

A common misconception is that if a theme isn't active on your site, it isn't vulnerable.

Let's clear that up right now. If I a theme is installed on your site it is vulnerable.

How to update a WordPress Theme:

Read This Article: How To Update Your WordPress Theme

Step 1: Log into WordPress Dashboard

Step 2: Click on Appearance

Step 3: Click on Themes

Step 4: Click on Theme to open it up

Step 5: Follow prompts to update theme.

How to delete a WordPress Theme:

Step 1: Log into WordPress Dashboard

Step 2: Click on Appearance

Step 3: Click on Themes

Step 4: Click on Theme to open it up

Step 5: Click on Delete

Step 6: Confirm Deletion

3. Update WordPress

WordPress powers 26% of the web. Users publish about 41.7 million new posts and leave 60.5 million new comments each month. 

That is an outrageous amount of traffic to one platform which means it is a lovely lovely target for hackers. Considering the fact that WordPress is also open source software, it means that hackers can carefully study the code.

This is why updating WordPress when they have security updates is critical.

Of course, there are serious drawbacks to updating the WordPress core because you never know how a plugin is going to react or a theme.

It is not uncommon for a WordPress core update to break a website. Keep in mind that there are several layers to a WordPress site. All of these layers have to work together seamlessly or the site breaks down.

This is why it is critical to backup a website before you make any changes.

4. Update all Plugins

Again this is a risky venture so make sure that your site is backed up. You may also want to verify that this new plugin update isn't going to conflict with the current version of your theme.

Nothing but warnings here!!!

A few months back I had just finished helping a new client with his website. It was completely done and everything was just as he wanted it. Then one of his plugins had an update.

Seems simple enough right?

Well, after hitting update his entire site crashed. It was dead as a dead can be. It took some intense research to discover that the latest version of that plugin would not work properly with the current version of WordPress. In the end we had to restore the site to the previous day.

Thank goodness the client had daily backups from his hosting company.

How to quickly know if plugins have updates waiting.

Step 1: Log into WordPress Dashboard

Step 2: Scroll down until you see Plugins on the left

Step 3: Is there a number next to Plugins?

If yes there are plugins that have updates waiting. If there isn't a number there are no updates at this time.

How to update your WordPress Plugins

Step 1: Log into WordPress Dashboard

Step 2: Click on Plugins

Step 3: Find a plugin that needs updating and click on "update now"

Step 5. Update your theme

6. Hide the login page

Previously, we blogged about how hackers seriously hardcore want to get into your site. The reasons could range from using your site for SEO spam to other nefarious activities. 

Regardless a brute force attack is a time consuming and difficult hack to recover from. While we can never 100% protect ourselves there are some key things that we can do. One of them is to hide our /wp-admin page.

This just makes it a bit more difficult for the hacker to gain access to your WordPress blog.

So here is one more step that you can take today to protect your blog. You can change the log-in page to something secret.

Use WPS Hide Login

  1. Install the plugin
  2. Activate the plugin
  3. Go to WordPress Dashboard
  4. Click on General Settings
  5. Click on General
  6. Scroll down to the bottom and change your "Login url"
  7. Click on "Save Changes"

Important Tip: Make a note of what you changed your login page to and even consider bookmarking it. Whatever you do don't hide it from yourself too.

7. Use Login LockDown

If a hacker has gotten to your login page the fight isn't over. There is still more that you can do. You can limit the number of login attempts over a certain period of time.

Now keep in mind that this works against you too. If you suddenly forget your password and try too many times, you will be locked out.

8. Is your computer secure?

Whether you are on a pc or a mac, you need to make sure that your computer is virus free. The best way to do this is to keep your computer up to date. Outdated software is a playhouse of joy for a hacker. It is how they find their way in. This is exactly why those annoying security updates really matter.

9. Is your web browser up to date?

Currently I run Google Chrome, Firefox and Safari on my primary machine. There are plenty of browsers to choose from these days. Take a moment and go verify that all of your browsers are up to date.


WordPress Security is a crucial part of your business. We all take our site for granted until something goes wrong. Fixing a hacked site or a broken site is time consuming, even for the pros. This is why doing all that you can to prevent attacks is critical. Not only does prevention save you a major headache but it can also save you a great deal of time and money. That is something that we can all get behind.


WordPress Security

You may also like

Let’s talk about revenue

Let’s talk about revenue

Are You Willing?

Are You Willing?
Leave a Reply

Your email address will not be published. Required fields are marked

  1. I haven’t been hacked on my site yet but someone gained remote access to my computer years ago and I still remember what a pain it was to fix – and how scary. Prevention is the key. Make it so hard they’ll pick on someone else. Great tips.

  2. Great list of things we should be doing to protect our sites. As I was going down you list, I was feeling pretty good that I had done everything. Then I got to hiding the login. Ooops! Will be taking care of that right away.

  3. As you know, my website was hacked and disappeared! Boy, was that ever stressful. And also as you know, I did hire sucuri. Worth every penny!
    But mostly, thank God I have you, Renee! I sure wouldn’t want to be navigating these waters without you!

  4. I am bookmarking this page and will come back when I am fresh (that would be in the morning) and change the passwords. Thank you so much for not only making a recommendation, but also giving beautifully clear instructions on how to accomplish it!

  5. Thanks for all the valuable tips in this post, Rene! I think I am pretty safe, but I did forward your suggestions to my developer…just to make sure. Although we don’t do daily backups, he does them enough to also have a very current website version ready. We just updated to WP 4.7 and I believe the spacing of my content in now more in the centre, with lots of white space in the sidebar and left margin. We’re constantly checking vulnerabilities of my site and taking the actions to stay secure. Appreciate your insights as always!

    1. Webly,

      Yes, it sure is. To be fair security is also a bit of effort and it keeps us from creating content. However, since we spend some much time and tears on our blog, we seriously need to keep it secure.

      Good Luck!

  6. Some great suggestions, Renee! I asked my web host (a friend) and she said she backs up my website every evening, so I do all updates the first thing in the morning before I do anything else. Saves a lot of aggravation in case I have to get a back up from her. I did go through my site and delete old themes at your suggestion and tomorrow I will work on your other suggestions. Thanks!

  7. Thank you for these great list of tips. This is something i Never thing about, so i need a kick up the behind sometimes to remind me of these things.

  8. Renee, these are wonderful tips and I love how you have explained everything so clearly. Hopefully many will take your advice and perform some, if not all, of these tasks to keep their website secure!

    1. Mindy!

      Thank you so much. Blog security, WordPress Security and Website Security are so darn important. We all don’t like to think about it but it is urgent. In Today’s world we have to lock our cars. We also need to lock up our blogs.

      Blog on,

  9. This is on my to-do list for sure! I’ve done the latest WP update, but I need to go back and do some of the other tasks. Thanks for the reminder! I’m also going to cross reference your suggested plugins too.

  10. Thanks for identifying these. Nowadays, it is really important to back up all the time. Even though you pay for back up, it is a great idea as it is like your insurance. You never know when you would have an attack.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Get in touch

0 of 350