How to Keep Your Blog & Online Accounts Safe – Part 2 – Securing WordPress

6 tips for securing WordPress. Keep your blog safe from hackers!

Last Updated: October 2016

These tips are specific to self-hosted blogs.

Do not have a username called “admin”

“Admin” is the default WordPress username, which means it’s the first thing everyone tries. Every single failed login attempt for Nose Graze has used the username “admin” (which doesn’t exist for me). By simply using a different name, you are already one step ahead of hackers. There’s more information on how to do this in the WordPress Codex. There are also plugins that can help you do it. See the security plugins section for an example.

Enforce strong passwords… everywhere

This is particularly important if you are a co-blogger or have a lot of guest bloggers with their own accounts on your blog. Every single account needs a strong password. There are plugins you can install that force your users to use a “strong password”. I’ll talk more about this later when I go over security plugins.

Ideally, all your passwords should follow the guidelines I outlined in my Passwords & Recovery Questions post, but at the very minimum, your administrative accounts need to be strong. The passwords should be at least 10 characters and contain a mix of letters (upper and lowercase), numbers, and symbols.

Delete any old or inactive accounts

Does your ex-co-blogger from 6 months ago still have an active account on your blog? If they’re no longer co-blogging with you, then there is no reason to keep that account active. Having unused accounts (especially unused admin accounts) is a security risk! Delete the account or at least downgrade it to a Subscriber level. Every additional account you have is one more way for someone to try to hack into your site or guess your password.

Back up your site!

There are many plugins and services to help you back up your site. One of my clients swears by VaultPress, but I’ve never tried it because it’s paid (the cheapest plan is $15 per month). Other people love Updraft Plus and BackUpBuddy. There are so many different options and ways you can save your backups, including: backup to folder, backup to FTP server, backup to Dropbox, backup by e-mail, etc. You can easily schedule backups so you don’t have to worry about remembering to do it yourself!

Install a brute force protection plugin

Honestly, you don’t need a massively “heavy” plugin for security. The main thing you need is something to protect against brute forcing. Brute forcing is when a bot/script/person sits at your login page trying different passwords over and over again. You need a plugin to say, “You’ve had enough guessing! CYA!”

The best and simplest plugin for this job is Login Lockdown.

But if you really want to use a bigger plugin like WordFence Security or iThemes Security, then those certainly won’t do any harm. The important thing is that you have SOMETHING blocking people who try to guess passwords over and over again.
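To see what a lockout plugin does behind the scenes, here is a small Python simulation of the idea (an added example, not code from Login Lockdown or any other plugin named in this post). The threshold, time window, lockout length, IP addresses and the username `owner` are all constructed for illustration.

```python
from collections import Counter, defaultdict, deque

MAX_FAILURES = 3   # assumed threshold, not any plugin's default
WINDOW = 300       # seconds in which failures are counted together
LOCKOUT = 3600     # seconds an address stays blocked

class LoginLockout:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.locked_until = {}              # ip -> time the block ends

    def attempt(self, ts, ip, password_ok):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.locked_until.get(ip, 0) > ts:
            return "blocked"                # refused before the password is checked
        if password_ok:
            self.failures.pop(ip, None)     # a real login clears the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - WINDOW:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = ts + LOCKOUT
            recent.clear()
        return "failed"

# Constructed sample events: (seconds, ip, username, password_ok)
SAMPLE = [
    (0,    "203.0.113.5",  "admin", False),
    (10,   "203.0.113.5",  "admin", False),
    (20,   "198.51.100.7", "owner", False),  # the real owner mistypes once
    (25,   "203.0.113.5",  "admin", False),  # third failure: address is locked
    (30,   "203.0.113.5",  "owner", True),   # correct password, still blocked
    (40,   "198.51.100.7", "owner", True),   # owner is unaffected by the lock
    (3700, "203.0.113.5",  "admin", False),  # lockout expired, counting restarts
]

def replay(events):
    guard = LoginLockout()
    return [guard.attempt(ts, ip, ok) for ts, ip, _user, ok in events]

def failed_usernames(events):
    """Count which usernames the failed attempts were aimed at."""
    return Counter(user for _ts, _ip, user, ok in events if not ok)

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", result)
    print(failed_usernames(SAMPLE).most_common())
```

Notice that the lock applies to the address, not the account: the owner logging in from a different address is never blocked, while the guesser is refused even on a correct password until the lockout ends.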

Add some kind of second protection

What’s better than one password?

Two passwords.

You can set up some kind of two factor authentication for your login page. Examples include:

Always update WordPress

You should always update WordPress as soon as you can. It’s true that some themes or plugins may break with upgrades or become incompatible. But which do you care about more: how your blog looks, or your blog’s security? WordPress updates almost always include bug fixes and security fixes. That means if you don’t update WordPress, your blog is more vulnerable and easier to attack/hack.


Photo of Ashley
I'm a 28 year old California girl living in England (I fell in love with a Brit!). My three great passions are: books, coding, and fitness.


  1. Yes! This is something that worries me a great deal. Since March this year I get infrequent emails letting me know that yet another asshat has tried to hack my websites. Most of the time they try the username admin, but luckily my web host automatically assigns new accounts other usernames.

    What I’m wondering now is how to prevent certain usernames from being tried at all? I use the plugin Limit Login Attempts you mentioned.

    Also, I hear the login page URL is best edited, but then again I just read your article on double-login in the case of iThemes (I have Genesis, but you don’t seem to be using a framework so it must be something else). What would you recommend for this situation?

    As concluded in another comment, I have very limited CSS knowledge still. (Is your course suitable for Genesis users btw? I’m expecting some gift money soon and was thinking I’d sign up.)

    1. I’m not sure what you mean by preventing usernames from being tried? The username and password are entered together so there’d be no way of knowing that the username they’re using is on the “banned” list until after they’ve tried the username and password.

      But if they’re trying a username that doesn’t exist then there’s no harm in it.

      You can certainly use a plugin to change your login page URL if you wish.

      Which of my courses are you asking about? 🙂 I have a few! If it’s about Master Customizer then it certainly can work with Genesis. That’s not what we use in the course but the concepts are meant to be applied to any theme/framework.
