Secure Your WordPress

How To Secure Your WordPress Blog From Hackers


Last Updated on October 26, 2020 by Yovana

Before continuing through this post, have you created your self-hosted WordPress site or blog yet? First read How To Create A Self Hosted WordPress Blog. Have your WordPress set up and ready to go? Now you need to know how to secure your WordPress site or blog from the dark side!

We have all heard that handful of bloggers and site owners nagging about the security of WordPress. Guess what? It is not WordPress’s fault.

WordPress is an open source install, and any open source script is vulnerable to any number of attacks. But sometimes it is the other way around: usually it is YOUR fault that your website or blog got hacked.

There are responsibilities that you must take care of if you own a website or blog. Are you taking care of your responsibilities? Is your website safe?

Here are some of the best ways to secure your WordPress site or blog.

Keep out those hackers!

How To Secure Your WordPress Blog

Install an SSL certificate on your site ASAP.

When you have purchased your hosting and domain for your site or blog, there will be some additional options offered to you upon completing your purchase. Your hosting provider will usually ask if you would like to include an SSL certificate on your newly purchased domain, either for a small additional monthly or yearly fee or for free (depending on who your hosting provider is). Opt in to that SSL implementation; you will thank yourself in the long run. Investing in security is VERY important for your site’s success. You can also get your SSL certificate for FREE with SiteGround.

Implementing an SSL certificate (SSL stands for Secure Sockets Layer) will help secure your admin panel in WordPress and help prevent brute force attacks. SSL ensures secure data transfer between user browsers and the server, making hackers’ lives much harder.

The SSL certificate will also have a positive impact on your website’s rankings on Google. Google ranks sites with SSL higher than those without! That means more traffic, more signups, more conversions, and maybe more money for some of you.

Use email as the login ID.

The default login for WordPress is always a username. For more security, use an email ID instead of a username. Why are email IDs more secure? Because usernames are easier to predict than email IDs.

Don’t know how to tweak your user login to be your email ID instead of your username? There’s a plugin for that, since you probably would not know where to start if you have no WordPress development experience. The WP Email Login plugin works right out of the box upon install and activation, requiring no further configuration. Be sure to test it out upon activation, with the email address that you created your account with.

Use 2-factor authentication.

To further your security measures and protect your site in the best way possible, you can introduce 2-factor authentication at the login page. With 2-factor authentication, login details must be provided for two different components. As the website owner, you can decide what these will be, whether a password followed by some secret questions, a PIN, or a special phrase.

This is another thing that you may not know how to implement unless you have some WordPress development background. Of course, there is a plugin for that! The WP Google Authenticator plugin can get this set up for you.

Be sure to rename your WordPress login URL.

The WordPress login page is usually wp-login.php or wp-admin added onto the end of your site’s URL. Unless you change this, hackers will know the direct URL of your login page and attempt to use brute force attacks to get in. They will use their Guess Work Database (a database of millions of combinations of usernames and passwords they use to guess your login), which is the sheer definition of a brute force attack. And if you don’t have an SSL certificate installed on your host, 9 times out of 10 they will get in. God help you if you have PayPal connected to your host at that point. EEK! Can you imagine!? Replacing the login URL diminishes 99% of brute force attacks.

Unless you know PHP (the code that WordPress is written in), you have no idea how to do this. Thank goodness for iThemes, who developed a security plugin for this purpose.

Secure Your WordPress with iThemes Security

After installing and activating your iThemes Security plugin, follow these instructions to change your login URL.

  1. Change wp-login.php to something unique and make it hard to guess such as blog_login_panel.
  2. Change /wp-admin/ to something unique and hard to guess such as blog_admin_panel.
  3. Change /wp-login.php?action=register to something unique and hard to guess such as register_blog_panel.
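To see how much password guessing your login page is actually getting, before and after renaming it, you can count failed logins per visitor IP in your web server's access log. The script below is an added example, not part of the original post or of iThemes Security; the log lines are constructed, and it assumes the common "combined" log format, that a failed login is answered with status 200 and a successful one with a 302 redirect, and that a renamed login receives its POSTs on the new path.

```sh
#!/bin/sh
# Added example: count failed WordPress logins per client IP in an
# Apache/Nginx "combined" access log.
# Assumption: a failed login re-renders the form (POST answered with 200),
# while a successful login redirects (302).

# Usage: failed_login_ips LOGFILE THRESHOLD [LOGIN_PATH]
# Prints "COUNT IP" for every IP at or above THRESHOLD, busiest first.
# LOGIN_PATH defaults to /wp-login.php; pass the renamed path if you changed
# it (assumption: check in your own log which path receives the POST).
failed_login_ips() {
    awk -v min="$2" -v path="${3:-/wp-login.php}" '
        # Fields: $1 client IP, $6 quote+METHOD, $7 request path, $9 status
        $6 == "\"POST" && $9 == 200 {
            p = $7
            sub(/\?.*/, "", p)          # ignore any query string
            if (p == path) fails[$1]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log (documentation IP ranges, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [26/Oct/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/7.68.0"
203.0.113.7 - - [26/Oct/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/7.68.0"
203.0.113.7 - - [26/Oct/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/7.68.0"
203.0.113.7 - - [26/Oct/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/7.68.0"
198.51.100.20 - - [26/Oct/2020:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [26/Oct/2020:10:05:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [26/Oct/2020:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.99 - - [26/Oct/2020:11:00:00 +0000] "POST /blog_login_panel HTTP/1.1" 200 4521 "-" "curl/7.68.0"
198.51.100.99 - - [26/Oct/2020:11:00:01 +0000] "POST /blog_login_panel HTTP/1.1" 200 4521 "-" "curl/7.68.0"
EOF
}

log=$(mktemp)
sample_log > "$log"
failed_login_ips "$log" 3                      # default login path
failed_login_ips "$log" 2 /blog_login_panel    # renamed login path
rm -f "$log"
```

The owner who mistyped once and then logged in (198.51.100.20) stays below the threshold, and the visitor who only opened the login form (192.0.2.5) is not counted at all.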

Protect the wp-admin directory.

Your WordPress install exists because of a package of PHP files split into different directories and placed onto your domain’s hosting server. Your most important directory is your wp-admin directory, as it is the heart of your WordPress install and website. You know when you log into your WordPress dashboard, and you see all these great customizable features that you use daily to create pages and posts and keep your blog in tip top shape? That dashboard is where you control your entire site’s existence. Imagine if one day you logged in and…you see…nothing. And your site won’t come up. That is because your wp-admin directory got hacked and you’re S.O.L.

If the wp-admin directory were to get breached, all of your hard work would be a wash if you don’t perform backups or if your hosting provider does not offer around the clock support of your products. Write this down: note to self, make sure you are backing up your site!

Good news, you can prevent all of this with a password-protected wp-admin directory. This means the site owner will have to enter 2 passwords to access their WordPress dashboard. One password will protect the login page, and the other will protect the admin area.
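For readers on an Apache host who want to see what that second password amounts to, here is the setup done by hand. This is an added example, not the output of any plugin named in this post; it assumes Apache 2.4, and the paths and the user name "editor" are placeholders.

```sh
#!/bin/sh
# Added example: protect wp-admin with HTTP Basic auth (Apache 2.4 syntax).
# Create the password file first with Apache's own tool, using bcrypt:
#   htpasswd -B -c /home/example/.htpasswd-wpadmin editor
# (placeholder path and user name)

# Usage: write_wp_admin_htaccess WP_ROOT HTPASSWD_PATH
write_wp_admin_htaccess() {
    wp_root=${1%/}   # directory that contains wp-admin/
    htpasswd=$2      # absolute path to the password file

    # Keep the password file outside the web root so it can never be served.
    case "$htpasswd" in
        "$wp_root"/*) echo "refusing: $htpasswd is inside $wp_root" >&2; return 1 ;;
        /*) ;;
        *) echo "refusing: password file path must be absolute" >&2; return 1 ;;
    esac
    [ -d "$wp_root/wp-admin" ] || { echo "no wp-admin in $wp_root" >&2; return 1; }

    cat > "$wp_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile "$htpasswd"
Require valid-user

# Front-end features call admin-ajax.php for visitors who are not logged in,
# so this one file has to stay reachable without the second password.
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
    chmod 644 "$wp_root/wp-admin/.htaccess"
    # Tighten the password file if it already exists. Assumption: the web
    # server runs as the owner or group of this file; otherwise 640 locks it out.
    if [ -f "$htpasswd" ]; then chmod 640 "$htpasswd"; fi
}
```

Run it as `write_wp_admin_htaccess /path/to/site /path/outside/site/.htpasswd-wpadmin`, then load /wp-admin/ in a private browser window to confirm the extra prompt appears.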

Is there a plugin for this too, you might ask? Of course! There is a plugin for everything, literally. Use the AskApache Password Protect plugin for securing your admin area. It will automatically generate a .htpasswd file, encrypt the password and configure the correct security-enhanced file permissions. However, this plugin has not been updated for a couple years and may have issues with compatibility on the newer versions of WordPress.

In that case, also check out All In One WordPress Security and Firewall!

Secure Your WordPress with Tips & Tricks

All In One WordPress Security and Firewall has even easier-to-use features, has been rated 5 stars, and has over 500,000 installs! It also provides user login security, account security and system file security. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.


65 thoughts on “How To Secure Your WordPress Blog From Hackers”

  1. You’re really a good webmaster. The site loading speed is amazing. It seems that you’re doing some unique trick. In addition, the contents are a masterpiece. You have done a great job on this topic!

  2. I’m not that much of an internet reader to be honest but your blog’s really nice, keep it up! I’ll go ahead and bookmark your site to come back down the road. Cheers

  3. My spouse and I stumbled here from a different website and thought I may as well check things out. I like what I see so now I’m following you. Look forward to going over your web page for a second time.

  4. I totally agree! It is our responsibility to make sure that our online accounts on Facebook, Insta, Twitter and other social media and even on our blogs are safe. These are really great tips!

  5. I have a WordPress blog and these were great tips!! I haven’t really thought about protecting my blog, so I’ll need to try these out

  6. Heya, I am here for the first time. I came across this board and I find it truly useful & it helped me out much. I’m hoping to present something again and aid others like you helped me.

  7. What a great article. This isn’t something I spend too much time being concerned with but I have friends that have had horrible experiences getting hacked.

  8. I have thankfully not been hacked till date but recently I am facing the issue of too many spammy accounts commenting on the same post over and over again. Do you know of any plugin that could possibly help?

  9. This is an informative and helpful post. WordPress based websites get hacked very easily. I appreciate that you have shared these plugins, they are for sure going to help.

  10. I’m using SiteGround and I am happy with their security features. I will make a checklist now to triple check the security of my website. This is very helpful. Thank you!

  11. Hackers are all around us and it’s definitely important to learn how to secure our sites and our emails and any other online accounts that we have from them. These are very useful tips and a lot of WordPress users can benefit from them.

  12. Wow. Thanks for this. I didn’t even know you can change the WP login to make it more secure. Will bookmark this for later so I can check how secure my site is and make changes accordingly.

  13. I had no idea this was something to worry about! But I feel much better already knowing there are ways I can protect my blog from hackers, whew! Very important topic — great post.

  14. These are really great and important tips! It’s scary, how easy it is to hack a WordPress blog. I will look into the SSL certificate!

  15. Great info. I know a few people who have been dealing with hackers for a little bit now and it’s so frustrating for them and so scary!

  16. It is so important to protect your site. I forget the plugin I use, but I had my husband (who is an IT guy) set it all up for me. It is insane to see the number of potential malicious attacks each day.

  17. This post has so much useful information for those of us that need to protect all our hard work. You also laid it out in such an easy-to-understand way for non-tech people such as myself! I am printing this out to look at again and action the things I need to. Thank you.

  18. Very informative and helpful information! This is good to know. A lot of this I never knew so this helps me a ton to protect my website/blog.

  19. Thanks for the tips on securing the WordPress blog. My husband got hacked into and keeps getting hacked into so I need to remember all these important security tips.

  20. This is so helpful! I keep thinking that no one will want to hack my little travel blog, but that’s so naive! It doesn’t really matter what the website is. Hackers are everywhere!

  21. Yep, yep, yep. Got all these and a bag of chips for my site to keep hackers away. I just saw in my dashboard that one app kept out like 20K hacker log-ins! Gasp!

  22. Great and useful content. I was actually thinking of starting a blog using WordPress and will definitely be taking your advice!

  23. Great list, lovely lady! Securing our websites is so easy to overlook, but it can be devastating if we don’t.
    Keep up the dabbling and live unstoppable!

  24. It is a pity that I cannot speak my mind right now; I am forced to leave. But I will be free, and I will definitely write what I think on this question.

  25. That was a very useful post, thank you for all the information provided. Now I know what to do to protect my blog from hackers. It hasn’t been attacked so far, but you never know, so better to be prepared.

  26. Hackers are constantly finding new ways to get your website. Keeping up with them sometimes seems like a wild goose chase, but it’s necessary.
