WordPress Security

WordPress security mindmap

WordPress is the most popular content management system, with roughly 25% of all websites built on it (MarTech Today, November 2015). It is not surprising that attackers target WordPress sites. The WordPress developers work hard to fix security holes as they are found, but there are things that you or your web developer can do to make your site much harder to break into.

WordPress has a white paper on security.

Reasons why people hack your site

Some people hack just because they can, to show how clever they are. Some hacks are purely malicious and aim to destroy your site; these may come from a competing company. Most, though, are a business: the hacked site is used to divert your visitors to the attacker's own site, to plant spam links for search engines, or to host malware or phishing pages. Whatever the motive, the attacker's tools scan for any site with a known weakness, so a small site is as much a target as a large one.

Keep up to Date

Make sure that your WordPress version is the latest and that your plugins and themes are up to date. WordPress installs minor (security and maintenance) releases by itself and emails the site administrator when it has done so; major releases, plugins and themes are not updated automatically unless you turn that on. Check your plugins at least once a week and update the ones that need updating, and do the same for themes. An out-of-date plugin is one of the most common ways a WordPress site is broken into.
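If you would rather not rely on a weekly check, WordPress can update plugins and themes in the background as well. The following must-use plugin is an added example, not code from this article or from any plugin it names; the file name and the held-back plugin slug shop-checkout are assumptions, and the commented wp-config.php lines show the core-update setting beside the host setting that silently switches all updates off.

```php
<?php
/**
 * Plugin Name: Background updates for plugins and themes
 * Description: Added example, not from the original article. Opts every
 *              plugin and theme into WordPress automatic updates. Save as
 *              wp-content/mu-plugins/auto-updates.php (must-use plugins load
 *              on every request and cannot be deactivated from the dashboard).
 */

// Core: minor (security/maintenance) releases already install themselves.
// To install major releases too, add this line to wp-config.php, NOT here
// (add_filter() is not loaded yet when wp-config.php runs):
//     define( 'WP_AUTO_UPDATE_CORE', true );
// Weak setting to look for in wp-config.php on some hosts:
//     define( 'AUTOMATIC_UPDATER_DISABLED', true );
// which switches off every background update, security releases included.

// Plugins and themes are NOT updated automatically unless a filter says so.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Exception: one plugin you prefer to test by hand after a backup.
// 'shop-checkout' is a hypothetical slug; use the real plugin's directory name.
// This runs after the filter above (same priority, added later), so $update
// arrives as true and is only overridden for the named plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && 'shop-checkout' === $item->slug ) {
        return false;
    }
    return $update;
}, 10, 2 );
```

Background updates run from WP-Cron, so they only happen when the site gets visits (or when a real cron job calls wp-cron.php); after enabling this, confirm on the Dashboard > Updates screen a few days later that nothing is still pending.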

Plugins and Themes

Remove any themes and plugins you are not using. An inactive plugin still has its code on the server, where a flaw in it can be reached directly, and it won't take long to install again if you need it in the future. Keep one of the default Twenty themes as a fallback in case your active theme breaks, and delete the rest. When you first install WordPress you should delete the Hello Dolly plugin. I don't know why it comes pre-installed on every WordPress installation, but it is not very useful; it is one of the first plugins developed for WordPress.

Get your plugins and themes from a reputable source. The WordPress plugin and theme directories at wordpress.org are good places to start. Only use plugins that are actively maintained (check the date of the last update and the WordPress version they were tested with), have plenty of active installations and have good ratings. Never install a plugin or theme that inserts links to other sites; that is the hallmark of pirated ("nulled") copies, which frequently carry hidden backdoors as well. Remove links to other sites from the footer of your theme.

Remove Unused Files From the Server

Once WordPress is installed there are some files that are no longer required and that only help an attacker: readme.html in the site root reveals the exact WordPress version you are running, wp-config-sample.php is not needed once wp-config.php exists, and install.php in the wp-admin folder is only used during installation. Delete them with an FTP client or through File Manager in cPanel. A core update copies readme.html back, so check for it again after each update.

Choose Obscure User Name and Passwords

Don’t choose an obvious username like admin, administrator or your own name; these are the first ones a password-guessing program tries. Make sure that your passwords are hard to guess: at least 12 random letters, numbers and symbols (the Generate Password button on the profile screen makes one for you), never reused from another site, and changed at once if you suspect they have leaked. A password manager means you do not have to remember them.

Once you have set up your account you can choose how your name appears on posts, so that your login name is not shown to readers. In the Dashboard choose Users, then Your Profile (the third item in the Users menu). On the profile screen, type a nickname and set "Display name publicly as" to that nickname.

Screen shot of the profile screen where the nickname is added.

Keep in mind that this hides the login name only from casual readers. The author archive address (/author/<name>/) is built from the user's nicename, which defaults to the login name and is not editable on the profile screen, and scanning tools use that address to enumerate usernames. The strong password and the login limit described below still matter.

Limit the number of Login Attempts

When you set up your WordPress site you may be given the option to limit the number of login attempts. If you do not get this option, you can install a limit-login plugin. I usually limit login attempts to 3. This blunts what is called a "brute force" attack, where someone uses a program to try thousands of username and password combinations against your login page (and against xmlrpc.php, which also accepts logins and should be covered by whatever plugin you choose). The limit is counted per IP address, so an attacker with many addresses can still try slowly; it is a complement to a strong password, not a replacement for one.
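What such a plugin does under the hood is small enough to show. The following is an added example, not code from this article or from any limit-login plugin: it counts failed logins per IP address in a WordPress transient and refuses further attempts for 15 minutes once the count reaches 3. The file name, the prefix rb_ and the 15-minute window are assumptions.

```php
<?php
/**
 * Plugin Name: Limit login attempts
 * Description: Added example, not from the original article or from any
 *              limit-login plugin. After three failed logins from one IP
 *              address, every further login from that address is refused for
 *              15 minutes. Save as wp-content/mu-plugins/limit-login-attempts.php.
 */

define( 'RB_MAX_ATTEMPTS', 3 );                          // the article's usual setting
define( 'RB_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );  // assumed lockout window

function rb_client_ip() {
    // REMOTE_ADDR is filled in by the web server from the TCP connection, so a
    // client cannot forge it. Only trust X-Forwarded-For when a proxy or CDN you
    // control sets it; otherwise an attacker picks a fresh "address" per request.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function rb_fail_key( $ip ) {
    // Transient names have a length limit, so hash the address.
    return 'rb_login_fail_' . md5( $ip );
}

// Count failed logins. Once the limit is reached the counter is left alone, so
// the lockout expires RB_LOCKOUT_SECONDS after the third failure rather than
// being extended by every further attempt.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = rb_fail_key( rb_client_ip() );
    $count = (int) get_transient( $key );
    if ( $count < RB_MAX_ATTEMPTS ) {
        set_transient( $key, $count + 1, RB_LOCKOUT_SECONDS );
    }
} );

// A successful login resets the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( rb_fail_key( rb_client_ip() ) );
}, 10, 2 );

// Priority 30 runs AFTER the built-in username/password checks (priority 20).
// An earlier priority would not work: wp_authenticate_username_password()
// ignores a WP_Error passed into it and checks the password anyway. At 30 the
// lockout wins whether or not the password was right, and the message does not
// reveal whether the username exists.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( rb_fail_key( rb_client_ip() ) );
    if ( $count >= RB_MAX_ATTEMPTS ) {
        return new WP_Error(
            'rb_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.',
                     RB_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );
```

Because the check sits on the authenticate filter, it covers logins through wp-login.php and through xmlrpc.php alike. A lockout attempt is itself reported as a failed login, which is why the counter stops incrementing at the limit; and because the count is per address, a distributed attack from many addresses still gets one guess each, so the password has to be strong on its own.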

Backup Your Site

There are a number of plugins you can install to back up your site. The one I use is UpdraftPlus. Once it is installed you can set how often you want your site backed up and where you want the backups stored, and you will receive an email when a backup has run. Store the backups somewhere other than the web server itself, for example in your Dropbox account, because a hacked or failed server takes its own backups down with it. I also store a copy of my pages on my computer. Test a restore once, so you know the backup actually works before you need it.


Approve Comments Manually

When you install a new WordPress site make sure that the "Comment must be manually approved" checkbox is ticked in the "Before a comment appears" section. Spam comments exist to plant links to other sites, and manual approval means none of them reach your pages without you seeing them first.

Go to Settings > Discussion on the dashboard. Tick both "Email me whenever anyone posts a comment" and, under "Before a comment appears", "Comment must be manually approved".

Screen shot of the Discussion settings with both boxes ticked.

Rules for approving comments:

  1. Only approve comments that appear to be genuine and helpful.
  2. Remove any URLs from the comment text and from the commenter's website field; the link is usually the whole point of a spam comment.
  3. Only approve comments that include a genuine name.
  4. Only approve comments that have a genuine email address.
  5. If you are receiving a lot of spam comments on one particular post, close comments on that post.
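Rules 2 to 4 can be applied before a comment ever reaches the moderation queue. The following must-use plugin is an added example, not code from this article or from Akismet: it strips links from every new comment and files comments without a plausible name and email address as spam, while leaving everything else held for manual approval. The file name and the rb_ prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Comment hygiene
 * Description: Added example, not from the original article. Applies rules
 *              2-4 of the approval checklist automatically: links are stripped
 *              from every new comment, and comments without a plausible name
 *              and email address go straight to spam instead of the moderation
 *              queue. Save as wp-content/mu-plugins/comment-hygiene.php.
 */

/**
 * Rule 2: remove links from a piece of text and return the cleaned text.
 * Anchor tags keep their visible text; bare links are removed outright.
 */
function rb_strip_urls( $text ) {
    $text = preg_replace( '~<a\b[^>]*>(.*?)</a>~is', '$1', $text );    // <a href="...">text</a> -> text
    $text = preg_replace( '~\bhttps?://\S+~i', '', $text );              // http(s) links
    $text = preg_replace( '~\bwww\.\S+~i', '', $text );                  // links written without a scheme
    return trim( preg_replace( '~[ \t]{2,}~', ' ', $text ) );            // tidy the gaps left behind
}

/**
 * Rules 3 and 4: a name longer than one character and a syntactically valid
 * email address. is_email() is WordPress's own validator. Pingbacks and
 * trackbacks carry no email, so they fail this check too.
 */
function rb_has_genuine_author( array $commentdata ) {
    $name  = isset( $commentdata['comment_author'] ) ? trim( (string) $commentdata['comment_author'] ) : '';
    $email = isset( $commentdata['comment_author_email'] ) ? trim( (string) $commentdata['comment_author_email'] ) : '';
    return strlen( $name ) > 1 && false !== is_email( $email );
}

// Runs before the comment is saved: no URLs in the text, and no author
// website link either, since that link is what most spammers are after.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $commentdata['comment_content']    = rb_strip_urls( $commentdata['comment_content'] );
    $commentdata['comment_author_url'] = '';
    return $commentdata;
} );

// Decides the initial status: 'spam' skips the moderation queue, 0 means
// "hold for manual approval", 1 would publish immediately.
add_filter( 'pre_comment_approved', function ( $approved, $commentdata ) {
    if ( 'spam' === $approved || 'trash' === $approved ) {
        return $approved;   // an anti-spam plugin already decided; keep its verdict
    }
    // Replies from users who can moderate comments (you) are published as usual.
    if ( ! empty( $commentdata['user_id'] ) && user_can( $commentdata['user_id'], 'moderate_comments' ) ) {
        return $approved;
    }
    if ( ! rb_has_genuine_author( $commentdata ) ) {
        return 'spam';
    }
    return 0;               // never auto-approve, whatever the Discussion settings say
}, 10, 2 );
```

This does not replace reading the queue (rule 1 still needs a human), and a spammer can type a real-looking name and address, so Akismet's content check remains the first line of defence; what the filter buys you is that nothing with a link, and nothing anonymous, is ever published by mistake.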

SSL Certificate

An SSL certificate is a small file that binds a cryptographic key to your domain name. It lets browsers set up an encrypted connection to your website, so nothing sent between the two can be read or altered on the way. If you handle visitors' sensitive information you must have one, but every WordPress site should: without it your own username and password travel to wp-login.php in plain text over every network you log in from. Your host will provide you with an SSL certificate. Some hosts charge an annual fee for it, while others include one (often a free Let's Encrypt certificate) in the hosting cost. Once it is installed, change the WordPress Address and Site Address under Settings > General to the https version so that the dashboard and login are no longer served over plain HTTP.

If your site has an SSL certificate, your address will start with https and not http. A small padlock will accompany the address and, depending on the browser version, Chrome shows the word Secure as in the picture below.

The domain name at the top of a web page showing the padlock, secure and the https domain.

Useful Plugins


Akismet

This plugin is bundled with every new WordPress installation but does nothing until you activate it and enter an API key. It protects your site against spam comments: each new comment is sent to the Akismet service, which compares it with spam already seen on a very large number of other sites and marks it as spam when it matches (note that this means comment text, names, email addresses and IP addresses are sent to a third party). It will not catch all spam, but it makes the moderation queue manageable. You need to register to get a key; for personal sites you choose how much to pay, including nothing.

All in one WP Security & Firewall

You only really need Akismet and this plugin. This is a very powerful free plugin. The dashboard gives you a security score for your website, and as you turn settings on you can watch the score rise. Back up your site before enabling any setting, enable them one at a time, and check that the site still works afterwards; a firewall rule or a renamed login page that is too aggressive can lock you out of your own dashboard.

If you don’t want to use the All in One plugin there are several other plugins you can install to make your site more secure.

Block Bad Queries

This plugin blocks requests whose URL or query string contains patterns typical of attacks, such as directory traversal or attempts to inject code, before they reach WordPress, which helps keep attackers from getting a foothold on your site.

Quttera Web Malware Scanner

Quttera Web Malware Scanner scans the files of your site for malware, hidden redirects and other known threats, which is how you find out that a site has been compromised when nothing obvious has changed on the pages.

UpdraftPlus WordPress Backup Plugin

Back up your site regularly. With the UpdraftPlus WordPress Backup plugin you can schedule regular backups of your database, plugins, themes and uploads, stored on your cloud storage account so that they are still available if your site goes down.


WordPress sites do get hacked, but that does not mean that WordPress is not secure. Attackers are constantly looking for new ways into your site, and there are things you can do to make their job difficult. These include:

  • Check your site regularly.
  • Notify your web developer if you do get hacked. The quicker you notify your developer, the easier it is to fix the problem.
  • Back up your site, away from the server, so it can easily be restored.
  • Keep your site up to date and remove any unused plugins and themes.
  • Choose usernames and passwords that are difficult to guess and limit the number of login attempts.
  • Always manually approve comments.
  • Activate Akismet and use the All in One WP Security plugin to keep your site safe.

Last updated 6 August 2018.

Redback Web Design 2004 - 2020