4 Key Tips to Keep Your WordPress Site Secure

A few years ago, I wrote an article on securing your WP blog by deleting the original admin account. The default “admin” account gave hackers an easier way into your blog to wreak havoc. During that time, there were also a number of other vulnerabilities in the WP core.

WP addressed these on the road to 3.0, closing the primary known vulnerabilities and changing the install process so that there is no longer a default “admin” as the admin user (you now choose your own). That being said, there is still quite a bit of activity showing that users are still having issues.


The sheer volume of comments on this post indicates that security among WordPress users remains an important topic. In my experience, the users that leave security holes open are generally the same users that tend not to create regular site backups to roll back to.

If you are running a self-hosted version of WordPress (and there are many good reasons for doing so), you are taking your security into your own hands.  It pays to be informed.

Start with the Basics

It is always a good idea to go to the source for best practices.  If you haven’t read the Hardening WordPress article at the WordPress Codex, you should.  Don’t wait – do it now.

Also a good article on WordPress.org by the man himself (Matt Mullenweg for the uninitiated) is How to Keep WordPress Secure.  It’s slightly dated, but the point still applies – keep up to date with updates.

Security Begins At Installation

If you follow the installation steps in 20 Steps to a Flexible and Secure WordPress Installation, you’ll be getting started on the right foot. This is an easy-to-follow, step-by-step article that even a non-technical blogger can use to set up a properly secured install of WordPress.

Do Regular Backups

Keeping backups won’t prevent you from being hacked.  Only following standard security procedures can do that.  But no security measure is foolproof.  If you do get hacked, you will find it easier to recover if you have done regular backups.

Again, the Codex is the original source to begin a thorough study. And this article at SitePoint covers not only how to back up your site, but also how to recover your site from a backup. (What good is a backup if you don’t know how to recover from being hacked?)

Start Now

Remember, it’s easier to secure your site BEFORE you get hacked.  I am certain that anyone who has had their WordPress installation hacked will testify to the fact that they wished they had followed certain protocols before.  If they had, many would have saved themselves many hours of frustration.


  1. says

    Ola! Chad,
    Neat Post, I’m in the beginnings of a personal web page. I started to report on E3 news. Last night I reported about the new Xbox and listed details. I did copy and paste my finding from another website. What I copied and pasted was exactly what every other gaming website blogged posted word for word. I figured since what I copied and pasted are known specs and dimensions that this would not be plagiarific. So I submitted my article and went to sleep. This morning when I checked my website my post was changed from published to Draft and the title to “ggg” and the content of my blog post deleted… I’m not using WordPress.com to host my site, I’m using my own domain. No one knows my user name or password.
    My question is can a company or another website go into my personal blog or have WordPress go into my blog and delete my posts / change them? As a safety precaution I changed my password for something very secure to downright nearly impossible for even me to remember.
    Great Job!

    • says

      To answer your question, can someone go into your blog and make changes? The answer is yes, if they have hacked your password, so changing your password is a good first step. Since you are hosting your own site rather than relying on WordPress.com, it is on you to make sure that you keep up with WordPress updates. Many times, these involve security updates, so it is very important to make sure that you are always running the most recent version of WordPress.

      Also, you want to make sure that if you have been hacked in the past, that no back doors were created for future attacks. In past vulnerabilities in WP, hackers were able to create hidden admin accounts once they were in. In this way, even if you change your password, they are returning through a back door, so they are no longer accessing with the original account. The best way to determine if you have this issue is to look under the “All Users” menu on the admin panel’s left sidebar menu. On this page it tells you each user type above the table of users and next to each user type it gives a number. This is the number of users there are for that user type. So, if you are the only administrator, this number should be “1” (if you have additional admins that you know of, then this number should match that). If you only have one admin and this number is greater than 1, then you’ve been hacked and the hacker created an admin account for himself to come back in. If that’s the case, click the “Administrator” selection in the menu to show just admins. Delete the extra admin(s).

      It’s also a good idea to make sure your admin account is not username “admin”. That’s so obvious and easily hackable.
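
The administrator count check described in the reply above, as an added example that is not part of the original post or its comments: it reads the role data from database rows instead of the “All Users” screen and also flags the “admin” login. The sample rows, the `wp_` table prefix, the logins and the expected-admin list are constructed assumptions.

```python
import re

# Constructed sample rows shaped like the wp_users and wp_usermeta tables.
# The "wp_" table prefix and every login and date below are assumptions.
USERS = [  # (ID, user_login, user_registered)
    (1, "siteowner", "2010-06-20 09:14:02"),
    (2, "guestauthor", "2011-02-03 17:40:11"),
    (7, "admin", "2013-06-11 03:12:45"),
    (9, "wpsupport", "2013-06-11 03:12:58"),
]
USERMETA = [  # (user_id, meta_key, meta_value)
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"author";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (9, "wp_capabilities", 'a:2:{s:10:"subscriber";b:0;s:13:"administrator";b:1;}'),
    (9, "wp_user_level", "10"),
]

# Roles are stored as a PHP-serialized array; only entries set to true count.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

def granted_roles(meta_value):
    return set(ROLE_RE.findall(meta_value))

def audit_admins(users, usermeta, expected, prefix="wp_"):
    """Return (admin_logins, findings) from rows of <prefix>users/<prefix>usermeta."""
    by_id = {uid: (login, registered) for uid, login, registered in users}
    admins, findings = [], []
    for uid, key, value in usermeta:
        if key != prefix + "capabilities":
            continue
        if "administrator" not in granted_roles(value):
            continue
        # A capabilities row with no matching user row is reported, not skipped.
        login, registered = by_id.get(uid, (f"<no user row for id {uid}>", "unknown"))
        admins.append(login)
        if login not in expected:
            findings.append((login, f"unexpected administrator, registered {registered}"))
        if login.lower() == "admin":
            findings.append((login, 'administrator uses the guessable login "admin"'))
    return admins, findings

if __name__ == "__main__":
    admins, findings = audit_admins(USERS, USERMETA, expected={"siteowner"})
    print(f"{len(admins)} administrator account(s): {', '.join(admins)}")
    for login, reason in findings:
        print(f"  REVIEW {login}: {reason}")
```

Feed it rows exported from your own database and the set of administrator logins you actually created; any finding is an account to review before deleting.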
