
How To Secure Your WordPress Blog From Hackers

This page contains affiliate links and we may receive compensation when you click through, purchase or sign up for anything through those links. Read the full disclaimer for more information.

Before continuing through this post, have you created your self hosted WordPress site or blog yet? First read How To Create A Self Hosted WordPress Blog. Have your WordPress set up and ready to go? Now you need to know how to secure your WordPress site or blog from the dark side!

We have all heard those handful of bloggers and site owners nagging about the security of WordPress. Guess what? It is not WordPress’s fault.

Yes, WordPress is an open source install, and any open source script is exposed to any number of attacks. But the blame usually lies the other way around: it is usually YOUR fault that your website or blog got hacked.

There are responsibilities that you must take care of if you own a website or blog. Are you taking care of your responsibilities? Is your website safe?


Here are some of the best ways to secure your WordPress site or blog.

Keep out those hackers!

How To Secure Your WordPress Blog

Install an SSL certificate on your site ASAP.

When you have purchased your hosting and domain for your site or blog, there will be some additional options offered to you upon completing your purchase. Your hosting provider will usually ask if you would like to include an SSL certificate on your newly purchased domain, for an additional small monthly or yearly fee, or for free (depending on who your hosting provider is). Opt in to that SSL implementation; you will thank yourself in the long run. Investing in security is VERY important for your site’s success. You can also get your SSL certificate for FREE with SiteGround.

Implementing an SSL certificate (SSL stands for Secure Sockets Layer) will help secure your admin panel in WordPress and help prevent brute force attacks. SSL ensures secure data transfer between user browsers and the server, making hackers’ lives much harder.

The SSL certificate will also have a positive impact on your website’s rankings at Google. Google ranks sites with SSL higher than those without! That means more traffic, more signups, more conversions, and maybe more money for some of you.
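A certificate only helps if visitors actually use it, so as an added example (not from the original post) here is the kind of rule that sends every plain-HTTP request to HTTPS. It assumes Apache 2.4 with mod_rewrite and mod_headers, and goes in the site's root .htaccess above WordPress's own block:

```apache
# Root .htaccess of the WordPress site (constructed example, Apache 2.4).
# Place this ABOVE the "# BEGIN WordPress" block so WordPress's own
# rewrite rules do not run first.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Any request that did not arrive over TLS is redirected permanently
    # to the HTTPS version of the same URL.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

<IfModule mod_headers.c>
    # Tell browsers to use HTTPS only for the next year, so the login form
    # is never submitted over plain HTTP even if a link says http://.
    Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>
```

Check the redirect works before adding the HSTS header, because browsers cache it; if your host terminates TLS on a proxy, `%{HTTPS}` may never be `on` and the condition needs `%{HTTP:X-Forwarded-Proto} !https` instead.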

Use email as the login ID.

The default login for WordPress is always a username. For more security, use an email ID instead of a username. Why are email IDs more secure? Because usernames are easier to predict than email IDs.

Don’t know how to tweak your user login to be your email ID instead of your username? There’s a plugin for that, since you probably would not know where to start if you have no WordPress development experience. The WP Email Login plugin works right out of the box upon install and activation, requiring no further configuration. Be sure to test it out upon activation, with the email address that you created your account with.

Use 2-factor authentication.

To further your security measures and protect your site in the best way possible, you can introduce 2-factor authentication at the login page. With 2-factor authentication, the user must present two separate credentials. As the website owner, you can decide what these will be, such as a password followed by some secret questions, a PIN number, or a special phrase.

This is another thing that you may not know how to implement unless you have some WordPress development background. Of course, there is a plugin for that! The WP Google Authenticator plugin can get this set up for you.


Be sure to rename your WordPress login URL.

The WordPress login page is usually wp-login.php or wp-admin added onto the end of your site’s URL. Unless you change this, hackers will know the direct URL of your login page and attempt to use brute force attacks to get in. They will use their Guess Work Database (a database of millions of combinations of usernames and passwords they use to guess your login), which is the very definition of a brute force attack. And if you don’t have an SSL certificate installed on your host, 9 times out of 10 they will get in. God help you if you have PayPal connected to your host at that point. EEK! Can you imagine!? Replacing the login URL diminishes 99% of brute force attacks.

Unless you know PHP (the language that WordPress is written in), you have no idea how to do this. Thank goodness for iThemes, who developed a security plugin for this purpose.


After installing and activating your iThemes Security plugin, follow these instructions to change your login URL.

  1. Change wp-login.php to something unique and make it hard to guess such as blog_login_panel.
  2. Change /wp-admin/ to something unique and hard to guess such as blog_admin_panel.
  3. Change /wp-login.php?action=register to something unique and hard to guess such as register_blog_panel.

Protect the wp-admin directory.

Your WordPress install exists because of a package of PHP files split into different directories and placed onto your domain’s hosting server. Your most important directory is your wp-admin directory, as it is the heart of your WordPress install and website. You know when you log into your WordPress dashboard and see all these great customizable features that you use daily to create pages and posts and keep your blog in tip-top shape? That is the dashboard where you control your entire site’s existence. Imagine if one day you logged in and…you see…nothing. And your site won’t come up. That is because your wp-admin directory got hacked and you’re S.O.L.

If the wp-admin directory were to get breached, all of your hard work will be a wash if you don’t perform backups or if your hosting provider does not offer around the clock support of your products. Write this down: note to self, make sure you are backing up your site!

Good news, you can prevent all of this with a password-protected wp-admin directory. This means the site owner will have to enter 2 passwords to access their WordPress dashboard. One password will protect the login page, and the other will protect the admin area.

Is there a plugin for this too, you might ask? Of course! There is a plugin for everything, literally. Use the AskApache Password Protect plugin for securing your admin area. It will automatically generate a .htpasswd file, encrypt the password and configure the correct security-enhanced file permissions. However, this plugin has not been updated for a couple of years and may have issues with compatibility on the newer versions of WordPress.
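If the plugin route is not an option, the same protection can be written by hand. This is an added example, not the plugin's output: it assumes Apache 2.4, the `htpasswd` tool, and a password file kept outside the web root at a constructed path, and it gives the wp-admin directory and the wp-login.php page a browser password prompt in front of the normal WordPress login:

```apache
# --- wp-admin/.htaccess (constructed example, Apache 2.4) ---
#
# Create the password file once, OUTSIDE the web root, with bcrypt hashes:
#   htpasswd -c -B /var/www/private/.htpasswd adminuser
# then make it readable by the web server only (assumes its group is www-data):
#   chown root:www-data /var/www/private/.htpasswd
#   chmod 640 /var/www/private/.htpasswd
AuthType Basic
AuthName "Restricted Admin Area"
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# admin-ajax.php is called by themes and plugins on the PUBLIC site
# (contact forms, infinite scroll, etc.) for visitors who are not logged in.
# Keep it reachable, or those features silently break behind the prompt.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- root .htaccess: protect the login page with the same credentials ---
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted Login"
    AuthUserFile /var/www/private/.htpasswd
    Require valid-user
</Files>
```

After saving both files, open /wp-admin/ in a private browser window and confirm you are asked for the .htpasswd credentials before the WordPress login form appears; if you see an internal server error instead, the host has not enabled AllowOverride for AuthConfig and the block must go in the virtual host config.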

In that case, also check out All In One WordPress Security and Firewall!

All In One WordPress Security and Firewall has even easier-to-use features, is rated 5 stars and has over 500,000 installs! It also provides user login security, account security and system file security. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.


65 thoughts on “How To Secure Your WordPress Blog From Hackers”

  1. Thanks Daniella! I needed the blog security info in this article, great job explaining it in simpler terms for us newbies 🙂
