WordPress Security 101 – Protect Your Site from Hackers
Hackers are a constant threat and lots of people have lost their sites to because they don’t know enough about basic WordPress security practices. That’s right – hackers can tamper with your hard work and take your hard-won page views back down to zero or delete your whole site. Obviously, no one wants this to happen. So I’m going to share a little tutorial on how to beef up your WordPress security with a few simple changes.
Here’s something you probably don’t know. Your site has been attempted by a hacker TODAY. Probably several times today. Most people don’t know this, but when you have proper security software on board, it shows you the actual numbers of attacks – it’s a LOT more than you would suspect! Here’s how to prevent hackers from getting into your site. Â
Note that some of these WordPress security changes may cost some money. This post contains affiliate links, so I may make a bit of spare change for sharing them with you. But relax – it’s good karma to help out other bloggers and site owners. Someday they may return the favor. Â
Choose your Host Carefully – Price isn’t the Big Trigger, Proper WordPress Security Is
Your first line of defense is a good host. I strongly recommend Siteground. STRONGLY recommend. Here’s why
- Terrific customer service. I can usually get a live person on chat within 30 seconds. Most of the time, they can fix stuff on the spot if a plugin has crashed my site. Time is critical if your site has been hacked! Â
- Free SSL. FREE! I had to pay for it on my last host.
- Free backups – we’ll talk more about that in a minute, but they offer GOOD backups.
- Weekly security scans for cheap. I think I pay maybe $20 per year to have my sites scanned weekly. It’s not all you need, but it gives you a little extra peace of mind.
- Plus they have a number of built-in security protocols to make your site more secure.
Here’s a whole article about my previous “cheapo” host and why I made the switch to Siteground and I’m so happy I did. It actually saved me a good bit of money and made my site more secure. I now have 3 sites with Siteground and they’re renewed for a 3 year term. That’s how much I trust them.
Choose a Premium Theme
No, you do NOT want a free theme!! You think you do, but I promise you, you DON’T. You know that old saying, you get what you pay for. Yup. A free theme is not going to be well coded and good code is EVERYTHING in a theme. A premium theme will be properly responsive on mobile (my last cheapo theme was not mobile-responsive – ugh!) and it will be properly coded for security. That’s so important. And when you’re a paying customer you get updates. Free themes rarely send out security updates when the hackers come up with newer and better ways to worm their way into your site.
With a free theme, you get crappy code that is thrown together by someone who isn’t going to make money on it. Why would you want that? Save money somewhere else, but invest in a quality theme!
I buy my themes through Bluchic. Both my sites use their Isabelle theme but they have about 10 different types of themes. They are beautiful, they are wonderfully mobile response, and they are properly coded. And they’re easy to update. If you buy a Bluchic theme using my LINK, I’ll even install it for you for at a discount in your own brand colors. Now that’s a great deal. Here’s a peek at the Isabelle theme – I’ve built at least a dozen sites with this theme in every color scheme imaginable:
Username and Password – Do it RIGHT!
This is where a lot of my clients go wrong. Really wrong. When you set up a new site, the first thing you do is set up your user name and password. Here is what your username SHOULDN’T BE:
- Admin (never, NEVER use this!)
- The name of your site (nope, definitely not)
- Your name or anyone’s name (too easy to guess)
- Your Email (still too easy)
Hackers are trying to get into your site every single day, I promise you. Lots of ’em. All they need are two things – your username and your password. That’s all. So why would you give away half the equation before they even start? Instead, pick a phrase or something funky that you can easily remember – I-c00k-f00d (those are zeros), #sm@rtbl0ggr, something like that.
And your password – make it HARD. Don’t use your kids names, or your dog’s name, or anything recognizable. Here’s a little trick I like to use. We type passwords in a lot, right? So make them something motivational – Im#Awes0meX365 or something that gets you pumped up! Then it’s easy for you to remember, but hard to hack. PS: I also like password keeper apps like 1Password to store your zillion passwords for everything. I’m always yelling at my husband because he is constantly resetting his passwords. With a password keeper, you won’t have to do that.
Note that I do NOT use LastPass. I know it’s very popular, but I have a very low trust level with it. See my post on LastPass and Loom and why I WON’T use them because I feel they compromise my personal security. Â
This is funny! You can just watch the first three minutes. We all need a good laugh sometimes.
Quick Fix
If you’ve got one of these bad user names – don’t despair. I can fix it for you for free in about 5 minutes. Just leave me a comment below – be sure to include your Email so I can get back to you. If you do it yourself, be sure to learn how to do it correctly because you can mess it up if you aren’t careful.
WordPress Security Plugins
Next find a good WordPress security plugin that will show you how to prevent hackers from getting into your site. These plugins are designed to prevent certain addresses from accessing your account and will also alert you of bot activity and multiple login attempts. Some can even block whole countries that are known for a lot of hacker activity. I’ve got different suggestions depending on the size of your site – see below:
IF YOU HAVE A BIG SITE WITH LOTS OF MATERIAL ON IT OR IF YOU ARE MAKING MONEY FROM YOUR SITE
Spend the money for a premium security package. Securi Scanner and Wordfence Premium Security are both good and pretty simple to install, although I think WordFence is a memory hog. Check around a bit and do your research to find the best fit for you. Plan on spending at least a couple hundred bucks. It’s worth it, I PROMISE. A hacked site is very expensive to clean and a lost or compromised site can cost you a lot in revenue.
IF YOU ARE A NEW BLOGGER OR JUST HAVE A TINY SITE
You can probably get by with one of the free or low-cost security plugins. I’ve used All in One Security and that’s pretty good, or use the free version of WordFence, plus the weekly scans from Siteground. So far, that’s worked pretty well.
Always Have a Backup. Of course YOU have a backup – right???
The other half of the equation is to have good backups. I have a whole post about this called “I Thought My Site was Backed Up“. The one time I did get hacked, I was horrified to discover that my previous “cheapo” host only kept 24 hours worth of backups, even though I’d paid extra for the feature. By the time you find out you’ve been hacked, figure out what to do about it and open a ticket with your host, that 24 hour clock is DONE.
Siteground (remember them?) keeps 30 days of backups! But I also do my own backups via a free service called UpdraftPlus.com.  This girl is BIG on backups after nearly losing my whole site to a hacker!
UPDATE, UPDATE, UPDATE
Last, but not least, keep your WordPress blog up to date. Every time you get one of those pesky update notices – DO IT. Keep your theme updated, your WordPress version and your plugins. They are usually updating them to fix a security issue – basically to keep hackers OUT.
Here’s a smart tip for updating your plugins. Do them one at a time. Yes, just ONE at a time. How many at a time? ONE! Â
Why? If you grab six plugins and update them all at once, sometimes the code doesn’t play nicely. I’ve had several different times when a plugin CRASHED my site. Fortunately, since I do them separately, I can tell Siteground t it was THIS plugin and they can go right in and reset it. But if I don’t know, they’ll just have to start removing stuff until the find the right one – ugh!
Misc Stuff
Remove all spam comments too. I use the Akismet free plugin to catch most of them, but if some get through, I remove them IMMEDIATELY. You don’t want those bad links and junk on your site.
True story – I have one client who had 83,000 THOUSAND! of these nasty, nasty comments on her site. They had links to every conceivable adult site and products imaginable. Things you do NOT want associated with your nice, family-friendly blog. Google does NOT like that and I’m surprised they didn’t shut her down. It took me 3 days to get rid of all of them and still preserve her legitimate comments.
Remove unused plugins too. Sometimes they are abandoned by the developer and they can develop bugs or backdoors for hackers. If it hasn’t been updated in a few months, you don’t want it on your site. WordFence will alert you of potentially abandoned plugins.
Also you want to remove all those junk themes that WordPress puts on your site automatically. These themes could have backdoors or other vulnerabilities that could let hackers in, and they are just taking up space on your site – they are usually named twenty-nineteen, twenty-eighteen – I don’t think they did a twenty-twenty theme, but just get rid of them. Just click on Appearance, Themes, and then click on each theme (other than the one you are using!), and hit Delete.
Try these tips how to protect a WordPress site from hackers. Any precaution is worth taking when it comes to protecting yourself and your business! Â
Here are some other posts you might enjoy:
6 Brilliant Facebook Groups for New Bloggers
5 Ways to Repurpose Your Blog Content for More Traffic
7 Essential Upgrades for Your Blog
This sent chills down my spine. I will be extra mindful with everything when it comes to my site. Thank you so much.
Thank you! I’m glad you found it helpful. It’s so smart to pay close attention to your site security.
This made me go in and double-check all my passwords!
Fabulous! That’s exactly why I wrote that post.
Great post, very insightful tips on-site security. I use the Akismet plugin too and it works wonders for my site. Wordfence is actually a pretty good plugin too (firewall for added security), I did, however, have some theme incompatibilities with Wordfence. How has it been for you?
Thanks for the compliment. I haven’t had any problems with WordFence, other than I feel it bogs my speed down a little. I may cancel it when it’s time for renewal and go with another option that is less of a memory hog.
I can’t imagine that happening to anybody. Have to get this done as soon as possible now. Great tips. Thanks for sharing.
I’m so glad you found these tips helpful.
Great post!
I haven’t made the move to a self hosted blog, but when I do I’m definitely going to have your post opened to keep in mind!
XO Steph
Good for you Steph. Reach out if you have any problems.
There is a lot to think about when starting out. The reading seems endless on blog development. This helps a lot.
I know! Blogging has such a steep learning curve. That’s what keeps VA’s like me in business.
Great tips! Thank you so much for this information. You make a good point about not updating your plugins as a bulk action. I found this super helpful.
Thanks! I learned that one the hard way, by breaking my site with an update and not knowing which plugin was responsible – ugh.
Great tips. My host recently let my SSL certificate expire on accident. Good times.
Sounds like a crummy host. I figure I wasted about $500 by sticking with my former host. Nice name!
Thank you so much. There were a few things I forgot to add to my site and it scared me honestly.
Actually, that’s great that it scared you a little bit. I do see a lot of people being really careless with their security and that can end badly. Hopefully you’ll take action to patch up those holes!
Wow!! I am shocked. This post makes me what to get in gear to avoid ever getting hacked. This is invaluable information every single blogger needs to know. Thanks for sharing!!
Yes, these guys are very serious and they’ve got lots of tools at their disposal, so keep your site SAFE.
This was really comprehensive and helpful. I got a notification the other day that someone tried to log in to my account using the admin username. Really happy I was one step ahead, but now I have some more tips from this post.
Yep. I’ve got one guy that got some old usernames for my blog on some kind of a hacker website. I’ve since removed them, but he tries them like clockwork about 5 times per day for the last 6 months! Seriously. These guys are incredibly persistent. So be smart about both your login and your password. Super important.
Thank you for this post! I bookmarked it. There are so many things to do as a blogger, that I think quite a few people skip one or two of these steps sometimes.
Thank you. Yes, I definitely see clients every day who are being just a little too careless with these tasks.
Great post! I will definitely be bookmarking this page for a constang reminder to myself. I appreciate the information!!
Thanks! I’m glad you found it helpful.
So much helpful information here!! Thank you!