WordPress Security 101 - Protect Your Site from Hackers

WordPress Security 101 – Protect Your Site from Hackers

Love this post? Please share and pin it!

Affiliate Disclosure

Hackers are a constant threat and lots of people have lost their sites to because they don’t know enough about basic WordPress security practices.  That’s right – hackers can tamper with your hard work and take your hard-won page views back down to zero or delete your whole site.  Obviously, no one wants this to happen.  So I’m going to share a little tutorial on how to beef up your WordPress security with a few simple changes.

Here’s something you probably don’t know.  Your site has been attempted by a hacker TODAY.  Probably several times today.  Most people don’t know this, but when you have proper security software on board, it shows you the actual numbers of attacks – it’s a LOT more than you would suspect!  Here’s how to prevent hackers from getting into your site.  

WordPress Security Tips to Prevent Hackers


Note that some of these WordPress security changes may cost some money.  This post contains affiliate links, so I may make a bit of spare change for sharing them with you.  But relax – it’s good karma to help out other bloggers and site owners.  Someday they may return the favor.  

Choose your Host Carefully – Price isn’t the Big Trigger, Proper WordPress Security Is

Your first line of defense is a good host.  I strongly recommend Siteground.  STRONGLY recommend.  Here’s why

  • Terrific customer service.  I can usually get a live person on chat within 30 seconds.  Most of the time, they can fix stuff on the spot if a plugin has crashed my site.  Time is critical if your site has been hacked!  
  • Free SSL.  FREE!  I had to pay for it on my last host.
  • Free backups – we’ll talk more about that in a minute, but they offer GOOD backups.
  • Weekly security scans for cheap.  I think I pay maybe $20 per year to have my sites scanned weekly.  It’s not all you need, but it gives you a little extra peace of mind.
  • Plus they have a number of built-in security protocols to make your site more secure.

Here’s a whole article about my previous “cheapo” host and why I made the switch to Siteground and I’m so happy I did.  It actually saved me a good bit of money and made my site more secure.  I now have 3 sites with Siteground and they’re renewed for a 3 year term.  That’s how much I trust them.

Choose a Premium Theme

No, you do NOT want a free theme!!  You think you do, but I promise you, you DON’T.  You know that old saying, you get what you pay for.  Yup.  A free theme is not going to be well coded and good code is EVERYTHING in a theme.  A premium theme will be properly responsive on mobile (my last cheapo theme was not mobile-responsive – ugh!) and it will be properly coded for security.  That’s so important.  And when you’re a paying customer you get updates.  Free themes rarely send out security updates when the hackers come up with newer and better ways to worm their way into your site.

With a free theme, you get crappy code that is thrown together by someone who isn’t going to make money on it.  Why would you want that?  Save money somewhere else, but invest in a quality theme!

I buy my themes through Bluchic.  Both my sites use their Isabelle theme but they have about 10 different types of themes.  They are beautiful, they are wonderfully mobile response, and they are properly coded.  And they’re easy to update.  If you buy a Bluchic theme using my LINK, I’ll even install it for you for at a discount in your own brand colors.  Now that’s a great deal.  Here’s a peek at the Isabelle theme – I’ve built at least a dozen sites with this theme in every color scheme imaginable:

WordPress Security 101 - Protect Your Site from Hackers


Username and Password – Do it RIGHT!

This is where a lot of my clients go wrong.  Really wrong.  When you set up a new site, the first thing you do is set up your user name and password.  Here is what your username SHOULDN’T BE:

  • Admin (never, NEVER use this!)
  • The name of your site (nope, definitely not)
  • Your name or anyone’s name (too easy to guess)
  • Your Email (still too easy)

Hackers are trying to get into your site every single day, I promise you.  Lots of ’em.  All they need are two things – your username and your password.  That’s all.  So why would you give away half the equation before they even start?  Instead, pick a phrase or something funky that you can easily remember – I-c00k-f00d (those are zeros), #sm@rtbl0ggr, something like that.

And your password – make it HARD.  Don’t use your kids names, or your dog’s name, or anything recognizable.  Here’s a little trick I like to use.  We type passwords in a lot, right?  So make them something motivational – Im#Awes0meX365 or something that gets you pumped up!  Then it’s easy for you to remember, but hard to hack.  PS:  I also like password keeper apps like 1Password to store your zillion passwords for everything.  I’m always yelling at my husband because he is constantly resetting his passwords.  With a password keeper, you won’t have to do that.

Note that I do NOT use LastPass.  I know it’s very popular, but I have a very low trust level with it.  See my post on LastPass and Loom and why I WON’T use them because I feel they compromise my personal security.  


This is funny!  You can just watch the first three minutes.  We all need a good laugh sometimes.



Quick Fix

If you’ve got one of these bad user names – don’t despair.  I can fix it for you for free in about 5 minutes.  Just leave me a comment below – be sure to include your Email so I can get back to you.  If you do it yourself, be sure to learn how to do it correctly because you can mess it up if you aren’t careful.

WordPress Security Plugins

Next find a good WordPress security plugin that will show you how to prevent hackers from getting into your site. These plugins are designed to prevent certain addresses from accessing your account and will also alert you of bot activity and multiple login attempts.  Some can even block whole countries that are known for a lot of hacker activity.  I’ve got different suggestions depending on the size of your site – see below:


Spend the money for a premium security package.  Securi Scanner and Wordfence Premium Security are both good and pretty simple to install, although I think WordFence is a memory hog.  Check around a bit and do your research to find the best fit for you.  Plan on spending at least a couple hundred bucks.  It’s worth it, I PROMISE.  A hacked site is very expensive to clean and a lost or compromised site can cost you a lot in revenue.


You can probably get by with one of the free or low-cost security plugins.  I’ve used All in One Security and that’s pretty good, or use the free version of WordFence, plus the weekly scans from Siteground.  So far, that’s worked pretty well.

Always Have a Backup.  Of course YOU have a backup – right???

The other half of the equation is to have good backups.  I have a whole post about this called “I Thought My Site was Backed Up“.  The one time I did get hacked, I was horrified to discover that my previous “cheapo” host only kept 24 hours worth of backups, even though I’d paid extra for the feature.  By the time you find out you’ve been hacked, figure out what to do about it and open a ticket with your host, that 24 hour clock is DONE.

Siteground (remember them?) keeps 30 days of backups!  But I also do my own backups via a free service called UpdraftPlus.com.   This girl is BIG on backups after nearly losing my whole site to a hacker!


Last, but not least, keep your WordPress blog up to date.  Every time you get one of those pesky update notices – DO IT.  Keep your theme updated, your WordPress version and your plugins.  They are usually updating them to fix a security issue – basically to keep hackers OUT.

Here’s a smart tip for updating your plugins.  Do them one at a time.  Yes, just ONE at a time.  How many at a time?  ONE!  

Why?  If you grab six plugins and update them all at once, sometimes the code doesn’t play nicely.  I’ve had several different times when a plugin CRASHED my site.  Fortunately, since I do them separately, I can tell Siteground t it was THIS plugin and they can go right in and reset it.  But if I don’t know, they’ll just have to start removing stuff until the find the right one – ugh!

WordPress Security 101 - Protect Your Site from Hackers

Misc Stuff

Remove all spam comments too.  I use the Akismet free plugin to catch most of them, but if some get through, I remove them IMMEDIATELY.  You don’t want those bad links and junk on your site.

True story – I have one client who had 83,000 THOUSAND! of these nasty, nasty comments on her site.  They had links to every conceivable adult site and products imaginable.  Things you do NOT want associated with your nice, family-friendly blog.  Google does NOT like that and I’m surprised they didn’t shut her down.  It took me 3 days to get rid of all of them and still preserve her legitimate comments.

Remove unused plugins too.  Sometimes they are abandoned by the developer and they can develop bugs or backdoors for hackers.  If it hasn’t been updated in a few months, you don’t want it on your site.  WordFence will alert you of potentially abandoned plugins.

Also you want to remove all those junk themes that WordPress puts on your site automatically.  These themes could have backdoors or other vulnerabilities that could let hackers in, and they are just taking up space on your site – they are usually named twenty-nineteen, twenty-eighteen – I don’t think they did a twenty-twenty theme, but just get rid of them.  Just click on Appearance, Themes, and then click on each theme (other than the one you are using!), and hit Delete.

Try these tips how to protect a WordPress site from hackers. Any precaution is worth taking when it comes to protecting yourself and your business!  


Here are some other posts you might enjoy:

6 Brilliant Facebook Groups for New Bloggers

5 Ways to Repurpose Your Blog Content for More Traffic

7 Essential Upgrades for Your Blog


WordPress Security 101 - Protect Your Site from Hackers

Instagram Logo

Pinterest Logo

Facebook Logo


Blogging resources I highly recommend for YOU:

Legal Templates

You are required by law to have a certain package of legalese on your blog.  You need to have copyright notices, privacy policies, and various other terms and conditions to protect yourself from being sued.  The package I recommend is created by Amira Law - a lawyer who specializes in all aspects of blogging and internet business legalities.  Learn more about these Legal Templates HERE.

Pinterest Strategy Planner

My Pinterest Strategy Planner is a terrific tool to help you build a complete Pinterest strategy to grow your traffic.  Perfect for beginners, it shows you how to plan out your keywords, set up your boards correctly, choose which pinners to Follow, come up with your brand standards and so much more!  It's little a little self-paced course, but it's a lot cheaper than most courses and you can work at your own pace and track your progress in the included spreadsheets.  Order your Pinterest Strategy Planner HERE.

Hire Me

I'd like to be Your Fairy Techmother. I can build you a simple website, teach you LinkedIn strategies or SEO basics, coach you on how to make money with your blog - and so much MORE. I'm experienced, reliable, and pretty affordable. I've got 15 years experience as a Blogger and Virtual Assistant (VA). I can also set up Email lists, automations and build pop-ups for your site. Let's talk and see how I can help you. To learn more - go HERE.  

Love this post? Please share and pin it!

Similar Posts


  1. This sent chills down my spine. I will be extra mindful with everything when it comes to my site. Thank you so much.

  2. Great post, very insightful tips on-site security. I use the Akismet plugin too and it works wonders for my site. Wordfence is actually a pretty good plugin too (firewall for added security), I did, however, have some theme incompatibilities with Wordfence. How has it been for you?

    1. Thanks for the compliment. I haven’t had any problems with WordFence, other than I feel it bogs my speed down a little. I may cancel it when it’s time for renewal and go with another option that is less of a memory hog.

  3. Great post!

    I haven’t made the move to a self hosted blog, but when I do I’m definitely going to have your post opened to keep in mind!

    XO Steph

  4. Great tips! Thank you so much for this information. You make a good point about not updating your plugins as a bulk action. I found this super helpful.

    1. Actually, that’s great that it scared you a little bit. I do see a lot of people being really careless with their security and that can end badly. Hopefully you’ll take action to patch up those holes!

  5. Wow!! I am shocked. This post makes me what to get in gear to avoid ever getting hacked. This is invaluable information every single blogger needs to know. Thanks for sharing!!

  6. This was really comprehensive and helpful. I got a notification the other day that someone tried to log in to my account using the admin username. Really happy I was one step ahead, but now I have some more tips from this post.

    1. Yep. I’ve got one guy that got some old usernames for my blog on some kind of a hacker website. I’ve since removed them, but he tries them like clockwork about 5 times per day for the last 6 months! Seriously. These guys are incredibly persistent. So be smart about both your login and your password. Super important.

  7. Thank you for this post! I bookmarked it. There are so many things to do as a blogger, that I think quite a few people skip one or two of these steps sometimes.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.