Hackers are a constant threat and lots of people have lost their sites because they don’t know enough about basic WordPress security practices. That’s right – hackers can tamper with your hard work and take your hard-won page views back down to zero or delete your whole site. Obviously, no one wants this to happen. So I’m going to share a little tutorial on how to keep your site secure with a few simple changes.
Here’s something you probably don’t know. A hacker has tried to get into your site TODAY. Probably several times today. Most people don’t know this, but when you have proper security software on board, it shows you the actual numbers of attacks – it’s a LOT more than you would suspect!
Note that some of these WordPress security changes may cost some money. This post contains affiliate links, so I may make a bit of spare change for sharing them with you. But relax – it’s good karma to help out other bloggers and site owners. Someday they may return the favor. PS: Read to the end – I have a special offer for the non-techy people!
Choose your Host Carefully
Your first line of defense is a good host. I strongly recommend Siteground. STRONGLY recommend. Here’s why:
- Terrific customer service. I can usually get a live person on chat within 30 seconds. Most of the time, they can fix stuff on the spot if a plugin has crashed my site. Time is critical if your site has been hacked!
- Free SSL. FREE! I had to pay for it on my last host.
- Free backups – we’ll talk more about that in a minute, but they offer GOOD backups.
- Weekly security scans for cheap. I think I pay maybe $20 per year to have my sites scanned weekly. It’s not all you need, but it gives you a little extra peace of mind.
Here’s a whole article about my previous “cheapo” host and why I made the switch to Siteground and I’m so happy I did. It actually saved me a good bit of money and made my site more secure.
Choose a Premium Theme
No, you do NOT want a free theme!! You think you do, but I promise you, you DON’T. You know that old saying, you get what you pay for. Yup. A free theme is not going to be well coded and good code is EVERYTHING in a theme. A premium theme will be properly responsive on mobile (my last cheapo theme was not mobile-responsive – ugh!) and it will be properly coded for security. That’s so important. And when you’re a paying customer you get updates. Free themes rarely send out security updates when the hackers come up with newer and better ways to worm their way into your site.
With a free theme, you get crappy code that is thrown together by someone who isn’t going to make money on it. Why would you want that? Save money somewhere else, but invest in a quality theme!
I buy my themes through Bluchic. Both my sites use their Isabelle theme but they have about 10 different types of themes. They are beautiful, they are wonderfully mobile responsive, and they are properly coded. And they’re easy to update. If you buy a Bluchic theme using my LINK, I’ll even install it for you at a discount in your own brand colors. Now that’s a great deal. Here’s a peek at the Isabelle theme – I’ve built at least a dozen sites with this theme in every color scheme imaginable:
Username and Password – Do it RIGHT!
This is where a lot of my clients go wrong. Really wrong. When you set up a new site, the first thing you do is set up your user name and password. Here is what your username SHOULDN’T BE:
- Admin (never, NEVER use this!)
- The name of your site (nope, definitely not)
- Your name or anyone’s name (too easy to guess)
- Your Email (still too easy)
Hackers are trying to get into your site every single day, I promise you. Lots of ’em. All they need are two things – your username and your password. That’s all. So why would you give away half the equation before they even start? Instead, pick a phrase or something funky that you can easily remember – I-c00k-f00d (those are zeros), #sm@rtbl0ggr, something like that.
And your password – make it HARD. Don’t use your kids’ names, or your dog’s name, or anything recognizable. Here’s a little trick I like to use. We type passwords in a lot, right? So make them something motivational – Im#Awes0meX365 or something that gets you pumped up! Then it’s easy for you to remember, but hard to hack. PS: I also like password keeper apps like 1Password or LastPass to store your zillion passwords for everything.
This is funny! You can just watch the first three minutes. We all need a good laugh sometimes.
If you’ve got one of these bad user names – don’t despair. I can fix it for you for free in about 5 minutes. Just leave me a comment below – be sure to include your Email so I can get back to you.
Next, find a good WordPress security plugin that best suits your needs. These plugins are designed to prevent certain addresses from accessing your account and will also alert you to bot activity and multiple login attempts. Some can even block whole countries that are known for a lot of hacker activity. I’ve got different suggestions depending on the size of your site – see below:
IF YOU HAVE A BIG SITE WITH LOTS OF MATERIAL ON IT OR IF YOU ARE MAKING MONEY FROM YOUR SITE
Spend the money for a premium security package. Sucuri Scanner and Wordfence Premium Security are both good and pretty simple to install, although I think Wordfence is a memory hog. Check around a bit and do your research to find the best fit for you. Plan on spending at least a couple hundred bucks. It’s worth it, I PROMISE. A hacked site is very expensive to clean and a lost or compromised site can cost you a lot in revenue.
Consider hiring a WordPress person (like me) to manage your site. There are a lot of little things that can trip you up and really you’d be better off spending your time on more income-producing activities. Check out the special offer at the bottom of this page.
IF YOU ARE A NEW BLOGGER OR JUST HAVE A TINY SITE
You can probably get by with one of the free or low-cost security plugins. I’ve used All in One Security and that’s pretty good, or use the free version of Wordfence, plus the weekly scans from Siteground. So far, that’s worked pretty well.
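For readers who want to see the "multiple login attempts" numbers for themselves, here is an added example (not part of the original post and not code from any of the plugins named above). It counts failed WordPress logins per IP address from a web server access log. It assumes the log is in the common "combined" format and relies on WordPress answering a failed login POST with status 200 and a successful one with a 302 redirect; the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: count failed WordPress login attempts per IP address.
# Assumption: access log in "combined" format (Apache/Nginx default style).

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/May/2024:06:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:06:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:06:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:06:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2024:07:30:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2024:07:30:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.10 - - [10/May/2024:08:01:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Usage: failed_logins THRESHOLD < access.log
# Prints "COUNT IP" for every IP with at least THRESHOLD failed logins,
# busiest first. Field 6 is the method, 7 the path, 9 the status code.
failed_logins() {
  awk -v min="$1" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' | sort -rn
}

# Demo on the constructed sample: IPs with 3 or more failed logins.
sample_log | failed_logins 3
```

To run it on a real site, feed it your own log instead of the sample, for example `failed_logins 20 < /path/to/access.log` (the path is a placeholder; ask your host where the log lives).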
Always Have a Backup. Of course YOU have a backup – right???
The other half of the equation is to have good backups. I have a whole post about this called “I Thought My Site was Backed Up”. The one time I did get hacked, I was horrified to discover that my previous “cheapo” host only kept 24 hours’ worth of backups, even though I’d paid extra for the feature.
By the time you find out you’ve been hacked, figure out what to do about it and open a ticket with your host, that 24-hour clock is DONE. Siteground (remember them?) keeps 30 days of backups! But I also do my own backups via a free service called UpdraftPlus.com. This girl is BIG on backups after nearly losing my whole site to a hacker!
UPDATE, UPDATE, UPDATE
Last, but not least, keep your WordPress blog up to date. Every time you get one of those pesky update notices – DO IT. Keep your theme, your WordPress version and your plugins updated. They are usually updating them to fix a security issue – basically to keep hackers OUT.
Here’s a smart tip for updating your plugins. Do them one at a time. Yes, just ONE at a time. How many at a time? ONE!
Why? If you grab six plugins and update them all at once, sometimes the code doesn’t play nicely. I’ve had several different times when a plugin CRASHED my site. Fortunately, since I do them separately, I can tell my host it was THIS plugin and they can go right in and reset it. But if I don’t know, they’ll just have to start removing stuff until they find the right one – ugh!
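The one-at-a-time routine described above can also be scripted. This is an added example, not part of the original post: it assumes WP-CLI (the `wp` command) is installed and run from the WordPress folder, and `SITE_URL` is a placeholder for your own address. It updates one plugin, checks that the home page still loads, and stops at the first plugin that breaks the site so you know exactly which one to report to your host.

```shell
#!/bin/sh
# Added example: update plugins ONE at a time and name the one that breaks.
# Assumptions: WP-CLI ("wp") is installed; SITE_URL is a placeholder.
SITE_URL="${SITE_URL:-https://example.com/}"

# The site counts as healthy when the home page answers with HTTP 200.
site_ok() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 20 "$SITE_URL")
  [ "$code" = "200" ]
}

# Prints one result line per plugin.
# Returns 0 if all updates went fine, 1 at the first plugin that fails,
# 2 if the site was already down before anything was touched.
update_plugins_one_at_a_time() {
  if ! site_ok; then
    echo "ABORT: site is already down before any update"
    return 2
  fi
  for plugin in $(wp plugin list --update=available --field=name); do
    if ! wp plugin update "$plugin" >/dev/null; then
      echo "FAILED: $plugin (update did not complete)"
      return 1
    fi
    if ! site_ok; then
      echo "BROKE SITE: $plugin"
      return 1
    fi
    echo "OK: $plugin"
  done
  return 0
}

# Start the updates only when the script is called with the argument "run".
if [ "${1:-}" = "run" ]; then
  update_plugins_one_at_a_time
fi
```

Take a backup first, then save the script and start it with `sh update-one-by-one.sh run` (the file name is just an example).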
Remove all spam comments too. I use the Akismet free plugin to catch most of them, but if some get through, I remove them IMMEDIATELY. You don’t want those bad links and junk on your site.
True story – I have one client who had 83,000 (83 THOUSAND!) of these nasty, nasty comments on her site. They had links to every conceivable adult site and product imaginable. Things you do NOT want associated with your nice, family-friendly blog. Google does NOT like that and I’m surprised they didn’t shut her down. It took me 3 days to get rid of all of them and still preserve her legitimate comments.
Remove unused plugins too. Sometimes they are abandoned by the developer and they can develop bugs or backdoors for hackers. If it hasn’t been updated in a few months, you don’t want it on your site. Wordfence will alert you to potentially abandoned plugins.
Also you want to remove all those junk themes that WordPress puts on your site automatically. These themes could have backdoors or other vulnerabilities that could let hackers in, and they are just taking up space on your site – they are usually named twenty-nineteen, twenty-eighteen – I don’t think they did a twenty-twenty theme, but just get rid of them. Just click on Appearance, Themes, and then click on each theme (other than the one you are using!), and hit Delete.
Try these tips to secure your blog. Any precaution is worth taking when it comes to protecting yourself and your business!
Here’s the special offer I promised you. If you are the non-techy type who doesn’t want to be bothered with all this WordPress Security stuff, I’m happy to help! I have a WordPress Monthly Maintenance Service. For a very reasonable monthly price, I will keep your theme and plugins updated, fix your site security, add new plugins and do small fixes for you. Just click the LINK for more info.