Our website is supported by our users and contains affiliate links. We get paid when you purchase or sign up for anything through those links. Read the full disclaimer for more information.
Last Updated on October 26, 2020 by Yovana
Before continuing through this post, have you created your self hosted WordPress site or blog yet? First read How To Create A Self Hosted WordPress Blog. Have your WordPress set up and ready to go? Now you need to know how to secure your WordPress site or blog from the dark side!
We have all heard those handful of bloggers and site owners nagging about the security of WordPress. Guess What? It is not WordPress’s fault.
Even though WordPress is an open source install and any open source script is vulnerable to any number of attacks. Sometimes it is the other way around. Usually it is YOUR fault that your website or blog got hacked.
There are responsibilities that you must take care of if you own a website or blog. Are you taking care of your responsibilities? Is your website safe?
The Ultimate Blogger Freebie Master List
Sign up to get this master list of the top freebies for bloggers; free stock photos, checklists, courses, guides, planners, etc.
Table of Contents
Here are some of the best ways to secure your WordPress site or blog.
Keep out those hackers!
Install an SSL certificate on your site ASAP.
When you have purchased your hosting and domain for your site or blog, there will be some additional options offered to you upon completing your purchase. Your hosting provider will usually ask if you would like to include an SSL certificate on your newly purchased domain, for an additional small monthly or yearly fee or free (depending on who your hosting provider is). Opt in to that SSL implementation, you will thank yourself in the long run. Investing in security is VERY important for your site’s success. You can also get your SSL certificate for FREE with SiteGround.
Implementing an SSL certificate (SSL stands for Secure Socket Layer) will help secure your admin panel in WordPress and help prevent brute force attacks. The Secure Socket Layer (SSL) ensures secure data transfer between user browsers and the server, making hackers live’s much harder.
The SSL certificate will also have a positive impact on your website’s rankings at Google. Google ranks sites with SSL higher than those without! That means more traffic, more signups, more conversions, and maybe more money for some of you.
Use email as the login ID.
The default login for WordPress is always a username. For more security, use an email ID instead of a username. Why are email ID’s more secure? Because usernames are easier to predict than email ID’s.
Don’t know how to tweak your user login to be your email ID instead of your username? There’s a plugin for that since you probably would not know where to start if you have no WordPress development experience. The WP Email Login works right out of the box upon install and activation, requiring no further configuration. Be sure to test it out upon activation, with the email address that you created your account with.
Use 2-factor authentication.
To further your security measures and protect your site in the best way possible, you can introduce 2-factor authentication at the login page. For 2-factor authentication, login details must be provided for two different components. As the website owner, you can decide what these will be whether they be a password followed by some secret questions, pin number, or special phrase.
This is another thing that you may not know how to implement unless you have some WordPress development background. Of course, there is a plugin for that! The WP Google Authenticator plugin can get this set up for you.
The Ultimate Blogger Freebie Master List
Sign up to get this master list of the top freebies for bloggers; free stock photos, checklists, courses, guides, planners, etc.
Be sure to rename your WordPress login URL.
The WordPress login page is usually wp-login.php or wp-admin added onto the end of your site’s URL. Unless you change this, hackers will know the direct URL of your login page and attempt to use brute force attacks to get in. They will use their Guess Work Database (a database of millions of combinations of usernames and passwords they use to guess your login) which is the sheer definition of a brute force attack. And if you don’t have an SSL certificate installed on your host, 9 times of out 10 they will get in. God help you if you have paypal connected to your host at that point. EEK! Can you imagine!? Replacing the login URL diminish 99% of brute force attacks.
Unless you know PHP (the code that WordPress is written in) you have no idea how to do this. Thank goodness for iThemes, who developed a security plugin for this purpose.
After installing and activating your iThemes Security plugin, follow these instructions to change your login URL.
- Change wp-login.php to something unique and make it hard to guess such as blog_login_panel.
- Change /wp-admin/ to something unique and hard to quess such as blog_admin_panel.
- Change /wp-login.php?action=register to something unique and hard to guess such as register_blog_panel.
Protect the wp-admin directory.
Your WordPress install exists because of a package of php files split into different directories and placed onto your domain’s hosting server. Your most important directory is your wp-admin directory as it is the heart of your WordPress install and website. You know when you log into your WordPress dashboard, and you see all these great customize able features that you use daily to create pages, posts and keep your blog in tip top shape? That dashboard where you control your entire site’s existence. Imagine if one day you logged in and…you see…nothing. And your site won;t come up. That is because your wp-admin directoy got hacked and your S.O.L.
If the wp-admin directory were to get breached, all of your hard work will be a wash if you don’t perform backups or if your hosting provider does not offer around the clock support of your products. Write this down: note to self, make sure you are backing up your site!
Good news, you can prevent all of this with a password-protected wp-admin directory. This means the site owner will have to enter 2 passwords to access their WordPress dashboard. One password will protect the login page, and the other will protect the admin area.
Is there a plugin for this too, you might ask? Of course! There is a plugin for everything, literally. Use the AskApache Password Protect plugin for securing your admin area. It will automatically generate a .htpasswd file, encrypt the password and configure the correct security-enhanced file permissions. However, this plugin has not been updated for a couple years and may have issues with compatibility on the newer versions of WordPress.
In that case, also check out All In One WordPress Security and Firewall!
All In One WordPress Security and Firewall has even easier to use features, been rated 5 stars and has over 500,000 installs! It also provides user login security, account security and system file security. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
[irp]
The Ultimate Blogger Freebie Master List
Sign up to get this master list of the top freebies for bloggers; free stock photos, checklists, courses, guides, planners, etc.
Daniella is the creator and author of iliketodabble.com. When their wife Alexandra and them aren’t globetrotting or playing with their 7+ animals, they are dabbling and working towards a future of financial freedom.
Thanks Daniella! I needed the blog security info in this article, great job explaining it on simpler terms for us newbies 🙂
Glad this was helpful for you!
I am always looking online for ideas that can assist me. Thank you!
you’re really a good webmaster. The site loading speed is amazing. It seems that you’re doing any unique trick. In addition, The contents are masterpiece. you have done a great job on this topic!
It is in reality a great and useful piece of information. I’m happy that you shared this helpful information with us. Please stay us informed like this. Thanks for sharing.
Thanks for being so knowledgable! I’m definitely going to try some of these out now that I have WordPress!!
thanks for reminding me that I have to add a SSL certificate. I have been so busy, that I keep on forgetting, but that is too important to slack on. Blessings!
IÃm not that much of a internet reader to be honest but your blogs really nice, keep it up! I’ll go ahead and bookmark your site to come back down the road. Cheers
My spouse and I stumbled here from a different website and thought I may as well check things out. I like what I see so now i’m following you. Look forward to going over your web page for a second time.
oh my gosh! thank you. I just switched over to wordpress so there is a lot of new information. thank you for this! already ready to go!
These are great tips, my blog was hacked twice this year. I signed up with Securi and am using their firewall which has really helped.
I totally agree! It is our responsibility to make sure that our online account on Facebook, Insta, Twitter and other social media accounts and even on our blogs is safe. This are really great tips!
great post, my blogger site was hacked and never able to be recovered, and when I first moved to wordpress it got hacked as well. Great article!
This is such a great post with great information! Thank you for including the links to each resource as well!
These are great tips! I think this is a real concern nowadays and people should be taking all these steps.
I have a wordpress blog and these were great tips!! I haven’t really thought about protecting my blog, so I’ll need to try these out
Heya i am for the primary time here. I came across this board and I to find It truly useful & it helped me out much. I’m hoping to present something again and aid others like you helped me.
Yes!! I so needed to read this right now, so many of us have recently had our blogs hacked, thank you so much!
What a great article. This isn’t something I spend too much time being concerned with but I have friends that have had horrible experiences getting hacked.
I have thankfully not been hacked till date but recently I am facing the issue of too many spammy accounts commenting on the same post over and over again. Do you know of any plugin that could possibly help?
If you go to the settings page->dicussion-> you can block certain spammy accounts from posting again.
This is informative and helpful post. WordPress based websites get hacked very easily. I appreciate you have share these plugins, they are for sure going to help.
I’m using siteground and I am happy with their security features. I will make a checklist now to triple check the security of my website. This is very helpful. Thank you!
Really helpful post, thank you for much for sharing. Security seems to be something that people overlook – will be sharing this with my readers too
Dani x | http://www.flourishingfreelancer.com
This was super informative and useful – I don’t use wordpress but my friend does, so I will be sure to pass this on to her! x
Lots of love,
Marina Rosie xx
http://marinawriteslife.blogspot.fr/
great tips! It’s really important to check all of these coz some people may log in and add a code to steal money and so on x
Hackers are all around us and it’s definitely important to learn how to secure our sites and our emails and any other online accounts that we have from them. These are very useful tips and lot of wordpress users can benefit from them.
Wow. Thanks for this. I didn’t even know you can change the WP login to make it more secure. Will bookmark this for later so I can check how secure my site is and make changes accordingly.
I had no idea this was something to worry about! But I feel much better already knowing there are ways I can protect my blog from hackets, whew! Very important topic — great post.
These are really great and important tips! It’s scary, how easy it is to hack a WordPress blog. I will look into the SSL certificate!
These are great tips! I have Site Ground too and they are so helpful when problems do arise!
Great tips! It’s a shame that we even have to take measurements like these to keep hackers out. I sort of feel like screaming, do you (hackers) not have anything better to do with your life!?
Great info. I know a few people who have been dealing with hackers for a little bit now and its so frustrating for them and so scary!
Definitely going to bookmark this for future use.
It is so important to protect your site. I forget the plugin I use, but I had my husband (who is an IT guy) set it all up for me. It is insane to see the number of potential malicious attacks each day.
Mayday’s Facebook just got attacked by a hacker yesterday! Tips like these are so important in these times.
Why doesn’t anyone tell you these things when you first start your blog? Thank you for these tips. I’ve got a few things to tweak now.
This post has so much useful information for those of us that need to protect all our hard work. You also laid it out in such an easy-to-understand way for non-tech people such as myself! I am printing this out to look at again and action the things I need to. Thank you.
Thanks for all these security ideas. I have been considering changing to SSL. I like the other ideas too.
Very informative and helpful information! This is good to know. A lot of this I never knew so this helps me a ton to protect my website/blog.
I didn’t know wordpress bloggers had to worry about this. Good article and I will be sharing it.
Very useful post though I am not a wordpress user. It is so difficult to keep the hackers away..
Well needed post for all the bloggers out there. Thanks!
Omg this is exactly what I needed! Thank you for these helpful tips.
These are great tips. I get so scared about this because I’ve seen other bloggers go through it. I changed to a more secure server for this reason.
Thanks for the tips on securing the WordPress blog. My husband got hacked into and keeps getting hacked into so I need to remember all these important security tips.
I love the two step authentication. It’s seriously been a life saver, especially when I was using wordpress.
This is so helpful! I keep thinking that no one will want to hack my little travel blog, but that’s so naive! It doesn’t really matter what the website is. Hackers are everywhere!
Yep, yep, yep. Got all these and a bag of chips for my site to keep hackers away. I just saw in my dashboard that one app kept out like 20K hacker log-ins! Gasp!
I didn’t know about the rename of the wp login url. Thank you.
Great and useful content. I was actually thinking of starting a blog using WordPress and will definitely be taking your advice!
Thanks
Great tips, and so important. Thank you!
Where else would i get these tips? I love your blog.
http://lifestyle360.co.ke
I had no idea that hackers would target blogs! Thanks for sharing!
I hadn’t even thought of that.
These are some great tips that I had not thought of!! I am going to change some of my stuff now based on this! Thank you so much!!
Great list, lovely lady! Securing our websites is so easy to overlook, but it can be devastating if we don’t.
Keep up the dabbling and live unstoppable!
Es ist schade, dass ich mich jetzt nicht aussprechen kann – ist erzwungen, wegzugehen. Aber ich werde befreit werden – unbedingt werde ich schreiben dass ich in dieser Frage denke.
zackariEt
Sigh…reading this is scary already….I hear it’s a nightmare going through an experience with a hacked site…This is very useful
Thanks son much for sharing! Very helpful 🙂
That was a very useful post, thank you for all the information provided. Now I know how to do to protect my blog from hackers. It didn’t happen to be attacked so far, but you never know, so better to be prepared.
Simple but useful tips for enhancing blog security. Thank you for sharing.
Hackers are constantly finding new ways to get your website. Keeping up with them sometimes seems like a wild goose chase, but it’s necessary.
True that!
Excellent post