9 WordPress Security Tips That You Need To Do Right Now

WordPress Security and website security matter.

Do you wake up in the morning and think "How can I secure my WordPress site today?"

No! I didn't think so.

Heck, it is not even what is on my mind and I think about WordPress A LOT. At best, I think "I should check my blog stats." The truth is, we shouldn't have to think about such things but we have no choice.

Hackers are out there doing their hacking thing and so we need to take steps to protect our digital property.

There are a host of efforts that you can take to protect your site. You can hire a company like Sucuri https://sucuri.net/. They are fantastic but they aren't cheap.

If you are on a budget and not ready to take on another expense, start protecting your site by taking these 9 actions today.

Important Note: Make sure that your site is backed up before you make any changes.

1. Change your admin passwords

It is not uncommon for a WordPress site to have multiple admin accounts. There is absolutely nothing wrong with that, so don't worry.

However, each username and password is an opportunity for a hacker.

This is why you should change the passwords for each admin on a fairly regular basis. My recommendation is to do this quarterly at a minimum.

How do you change the WordPress Admin Passwords?

Step 1: Log into WordPress with a user that has Administrator access.

Step 2: Click on Users

Step 3: Click on Administrator

This just allows you to only see the admin users.

Step 4: Click on Edit under a user

Step 5: Scroll down and click on Generate Password

Step 6: Create new password

Step 7: Write down new password

Step 8: Scroll down and click on "Update User"

Step 9: Repeat process for all Admin Users.

2. Delete Unused Themes

Elegant Themes is one of the most trustworthy WordPress theme shops out there. They create incredible products but even the greatest have vulnerabilities. This is just the reality that we live in.

You can read all about what happened with them right here: https://wptavern.com/critical-security-vulnerability-discovered-in-elegant-themes-products and how they responded. This is how a great and stable developer handles such a situation.

Why am I telling you this story?

Two things have to happen to secure a WordPress theme when a vulnerability is found. First, the developer has to be aware and second the user (that's us) has to notice the update.

That is two points of potential failure and that is often enough for a hacker to have a joy ride. As a WordPress user the easiest way to remove points of failure is to delete all of the themes that you aren't using. Then you only have to keep an eye out for updates on one theme.

A common misconception is that if a theme isn't active on your site, it isn't vulnerable.

Let's clear that up right now. If a theme is installed on your site, it is vulnerable.

How to update a WordPress Theme:

Step 1: Log into WordPress Dashboard

Step 2: Click on Appearance

Step 3: Click on Themes

Step 4: Click on Theme to open it up

Step 5: Follow prompts to update theme.

How to delete a WordPress Theme:

Step 1: Log into WordPress Dashboard

Step 2: Click on Appearance

Step 3: Click on Themes

Step 4: Click on Theme to open it up

Step 5: Click on Delete

Step 6: Confirm Deletion

3. Update WordPress

WordPress powers 26% of the web. Users publish about 41.7 million new posts and leave 60.5 million new comments each month. 

That is an outrageous amount of traffic to one platform which means it is a lovely lovely target for hackers. Considering the fact that WordPress is also open source software, it means that hackers can carefully study the code.

This is why updating WordPress when they have security updates is critical.

Of course, there are serious drawbacks to updating the WordPress core because you never know how a plugin or a theme is going to react.

It is not uncommon for a WordPress core update to break a website. Keep in mind that there are several layers to a WordPress site. All of these layers have to work together seamlessly or the site breaks down.

This is why it is critical to back up a website before you make any changes.

4. Update all Plugins

Again this is a risky venture so make sure that your site is backed up. You may also want to verify that this new plugin update isn't going to conflict with the current version of your theme.

Nothing but warnings here!!!

A few months back I had just finished helping a new client with his website. It was completely done and everything was just as he wanted it. Then one of his plugins had an update.

Seems simple enough right?

Well, after hitting update his entire site crashed. It was dead as dead can be. It took some intense research to discover that the latest version of that plugin would not work properly with the current version of WordPress. In the end we had to restore the site to the previous day.

Thank goodness the client had daily backups from his hosting company.

How to quickly know if plugins have updates waiting.

Step 1: Log into WordPress Dashboard

Step 2: Scroll down until you see Plugins on the left

Step 3: Is there a number next to Plugins?

If yes, there are plugins that have updates waiting. If there isn't a number, there are no updates at this time.

How to update your WordPress Plugins

Step 1: Log into WordPress Dashboard

Step 2: Click on Plugins

Step 3: Find a plugin that needs updating and click on "update now"

5. Update your theme

6. Hide the login page

Previously, we blogged about how hackers seriously hardcore want to get into your site. The reasons could range from using your site for SEO spam to other nefarious activities. 

Regardless, a brute force attack is a time-consuming and difficult hack to recover from. While we can never 100% protect ourselves, there are some key things that we can do. One of them is to hide our /wp-admin page.

This just makes it a bit more difficult for the hacker to gain access to your WordPress blog.

So here is one more step that you can take today to protect your blog. You can change the log-in page to something secret.

Use WPS Hide Login

  1. Install the plugin
  2. Activate the plugin
  3. Go to WordPress Dashboard
  4. Click on General Settings
  5. Click on General
  6. Scroll down to the bottom and change your "Login url"
  7. Click on "Save Changes"

Important Tip: Make a note of what you changed your login page to and even consider bookmarking it. Whatever you do, don't hide it from yourself too.

7. Use Login LockDown

If a hacker has gotten to your login page, the fight isn't over. There is still more that you can do. You can limit the number of login attempts over a certain period of time.

Now keep in mind that this works against you too. If you suddenly forget your password and try too many times, you will be locked out.
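How a login limiter of the kind described above decides to lock someone out, as an added example (not part of the original article and not Login LockDown's own code). It scans constructed access-log lines for failed WordPress logins and applies a per-IP sliding window; the thresholds, function names and sample IPs are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines; the IPs come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.9 - - [12/Mar/2024:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.9 - - [12/Mar/2024:10:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.9 - - [12/Mar/2024:10:09:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [12/Mar/2024:10:10:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def failed_logins(log_text, login_path="/wp-login.php"):
    """Yield (ip, time) for each failed login found in the log.

    WordPress redirects (302) after a successful login and re-renders the
    form (200) after a failed one, so a POST answered with 200 is a failure.
    """
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) != "POST" or m.group(5) != "200":
            continue
        if m.group(4).split("?")[0] == login_path:
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def lockouts(events, max_retries=3, window=timedelta(minutes=5),
             lockout=timedelta(hours=1)):
    """Return {ip: locked_until}. Events must be in time order.

    The thresholds are assumed values for illustration, not plugin defaults.
    """
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    locked = {}
    for ip, ts in events:
        if ip in locked and ts < locked[ip]:
            continue              # already locked out: rejected, not counted
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # forget failures older than the window
            q.popleft()
        if len(q) >= max_retries:
            locked[ip] = ts + lockout
            q.clear()
    return locked
```

If you changed the login URL as in tip 6, pass that path as login_path. The limiter cannot tell the site owner from anyone else: three quick typos from one address lock it out just the same.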

8. Is your computer secure?

Whether you are on a PC or a Mac, you need to make sure that your computer is virus free. The best way to do this is to keep your computer up to date. Outdated software is a playhouse of joy for a hacker. It is how they find their way in. This is exactly why those annoying security updates really matter.

9. Is your web browser up to date?

Currently I run Google Chrome, Firefox and Safari on my primary machine. There are plenty of browsers to choose from these days. Take a moment and go verify that all of your browsers are up to date.


WordPress Security is a crucial part of your business. We all take our site for granted until something goes wrong. Fixing a hacked site or a broken site is time consuming, even for the pros. This is why doing all that you can to prevent attacks is critical. Not only does prevention save you a major headache but it can also save you a great deal of time and money. That is something that we can all get behind.

About the Author

Renee is wild for WordPress and on fire to empower small business owners with the inspiration, tools and strategies for a healthy blog. SMU CAPE instructor, developer, podcaster. Follow @Iteachblogging on Twitter. Get her FREE SEO Guide Here: https://goo.gl/gGrHC2
