How to Increase Security for Your WordPress Site

If you’re building a WordPress site, then it’s absolutely crucial to consider your security. Your blog might not be about anything top secret and you might not even think of it as something that anyone would want to try and break into…

But that doesn’t mean you’re safe. And it doesn’t mean that a hacker or malicious user can’t do a lot of serious damage if they are so inclined. Read on then and we’ll look at why security really matters even for casual bloggers and at what you can do to defend yourself.


An Introduction to Website Security

As stated, you might now be wondering what all this has to do with you. If you’re blogging about your favorite types of cheese and you only get 20 readers a day, then you’re hardly at risk… right?

Wrong! Unfortunately, hacking can happen to anyone and that’s because it’s generally not something that is handled by individuals. Rather, a lot of hacking is carried out by ‘bots’ which run on people’s computers (the so-called bot-net) and then operate whenever they go online. These bots then search for websites in just the same way that Google does and when they find one, they’ll attempt to break in and make repeated goes at it until they’re successful.


If they manage, they’ll then do their bad work, or they’ll alert the hacker and provide them with your details.

In the case of a WordPress site, this then means that they’ll be looking for your WP-Admin page and then trying as hard as they might to break in. The method they use is something called ‘brute force’, which means that they’ll use thousands or millions of password and username combinations in conjunction until they eventually find a combination that works. This turns your security into a game of numbers and a game of odds and if you’re unlucky, they’ll make it in.

These robots don’t care that your site is about cheese. They don’t even know what your site is about. Their job is simply to break into any and all sites they can find!

So what do these hackers do once they’ve broken in? That depends on the nature of the hack but there are a number of things they might do and a number of reasons that they might be interested in hacking into your site in the first place.


For starters, they might be trying to post links on your site. Once in, they can then post a link on your site to their website – which will often be the kind of link you really don’t want that sells Viagra, gambling or dating sites. This is their way to build links and get customers and essentially boils down to spam.

Another option is that they’ll look for any personal details they can use. If you use your debit card to buy themes and plugins through WordPress, they might be able to get your account details! Worst of all, if you have an ecommerce store, then hacks might actually steal the details of your customers which they can then use for spam – or to steal their money.

Alternatively, they might try to recruit the server as part of their botnet. Other hacks? They’re just plain malicious and will attack your site for the sheer heck of it.

Other Types of Hack and Attack

There are other types of hack to be aware of too though. For starters, if your website is much bigger with a lot more traffic, then you might find that people try to hack into your site manually.

In some cases, a hack will be to do with a weakness in the code that underlies WordPress or a particular plugin. Once this is found, those hackers can break into any website that uses that code, which is a massive vulnerability!

Otherwise, an attack might involve uploading a file. If you have a form that lets people upload files onto your server, then someone might upload a PHP file that they carries out changes to your files.

And then there are the other attacks that aren’t quite hacks. You have spammers who want to fill your comments section with nonsense and you have people performing ‘negative SEO’ in order to try and damage your position in Google (this is often the work of competitors). So no matter who you are, you really do need to remain vigilant!

The Best Strategies for Improving WordPress Security

With that said, it’s important to start thinking about ways to keep your WordPress up-to-date and secure. Let’s take a look at some of the most important strategies that will help keep you, your customers and your data safe!

Keeping Up to Date

The first thing to do to keep your WordPress safer is to make sure that you keep everything up-to-date. That means WordPress itself and you can find information on how to update WordPress here. Each new update will fix old vulnerabilities and ensure that your site is taking advantage of the most recent security features.

What’s also important though is that you keep the individual plugins up-to-date. There have been a number of recent and high profile examples of plugins having serious vulnerabilities and putting their users at risk, including a problem with WordPress SEO by Yoast. You need to make sure that you head to your Plugins > Installed Plugins page regularly and look out for any that have a message telling you they need an update. Once you find them, just click ‘update now’.


Practicing Restraint

What you can also do is to practice a little restraint by making sure you don’t install every new plugin under the sun. While a couple of plugins can be very useful, having lots of old plugins that you don’t need anymore – or just installing too many – creates more opportunities for your site to be hacked. In other words, the more plugins are on your server, the more likely it is that one of them will have some kind of vulnerability that hasn’t yet been discovered.

Having too many plugins also creates a number of potential performance issues and can delay loading and speed optimization… so just make sure that this isn’t something you’re guilty of and have a think before you install that 700th plugin!


Consider Your Login

As we discussed earlier, the login page is the main potential entry point still for the vast majority of users. If your admin name is currently ‘Admin’ and your password is ‘Password’, then chances are that you’ll be hacked very quickly. This is made worse if your WP-admin panel is kept in the usual place (/wp-admin) and you have no form of Turing test.

So firstly, make sure that you change your username from Admin to something a little less obvious. We made a post on how to change your admin username so go and check that out if you’re not sure how to do it. The short version? You’re making a new username and then deleting the old one.

Next up, change your password. Do this by going to Users > Your Profile. Here, you can change basic details about yourself and that includes the option to generate a new password. Another handy feature on this page is the ability to log out of your account elsewhere which will enable you to fix any errors you made if you – for instance – forgot to log out of a library computer.


When you create your password, make sure that it is lengthy and includes a combination of cases and symbols. This is important because after a brute force attack has gone through common combinations (Admin, User, Password, Guest) then it will start going through every combination of words and letters – starting with ‘aaaaa’ and ‘aaaab’. Until quantum computing comes onto the scene, a 20 character password with different symbols and cases should keep us relatively safe.

Securing WP-Admin

Another tip is to move your WP-Admin panel to another location, so that it can no longer be found at While this won’t make a huge difference to bots, if someone is trying to actively log into your site and they can’t find where to enter your details, it could slow them down. This is known as ‘security via obscurity’.

This is also a very simple job to do, thanks to a number of plugins that exist and can handle the process nicely for you!

While you’re at it, you should look into installing a CAPTCHA. This is a brief test that ensures you’re human and not a ‘bot’ and will only allow you to enter your password and username combination once you’ve successfully passed. Typical CAPTCHA tests include copying out obscure text, answering questions or doing other things that would be difficult for a computer without some very hardcore programming. This is a ‘Turing test’ because that’s the name for any test that attempts to find out if something is human or not. There are ways around it – using advanced computer vision technology for instance or using ‘mechanical turks’ – but for the most part, this is a very good extra layer of security.

I use a system that asks a basic maths question:


Again, you’ll find there are plenty of plugins that will handle this for you and that give you different options.

If you want to make sure your comments section is free of spam, then you should add CAPTCHA here as well. Likewise, using systems such as Disqus can also help this problem.

By default, most WordPress sites let any users sign up to your site, which creates an inherent and unnecessary risk. Remove that feature!

Think About Your Wetware and Hardware

What is wetware? Simple – it’s you!

Sometimes threats to security don’t come from the web but rather they come from the real world and are dictated by the way you interact with your site and the way you work.

For example, if you are continuously logging on to your WordPress site in coffee shops, then this creates opportunities for people to listen in on your unsecure networks and to get your login details that way. Leaving yourself logged in on public computers is a mistake and so too is leaving your password lying around somewhere.


Another tip is to make sure you keep your security software up-to-date at all times. This means installing anti-virus and anti-malware software that can prevent spyware from installing itself and once again listening to your keystrokes to try and steal your password. If you’re feeling really paranoid, you can even use the mouse cursor to write your password in the wrong order, rendering such strategies inert. That’s a lot of effort though!

Understanding Negative SEO

Finally, one other thing you need to watch out for is negative SEO. This is not a security threat but rather another malicious attack that someone can conduct on your site.

Basically, this involves posting thousands of links to your site on low quality sites around the web. When Google sees this, it thinks you are trying to spam its search results and get yourself to the top. As a result, it will penalize your site and send it to the bottom of the heap. That’s ‘negative SEO’ and it’s something that a competitor might try and use in order to damage your visibility and therefore help there’s.

Your best defense is Google’s ‘Link Disavow Tool’ which is basically a technique you can use to tell Google you didn’t post the link yourself.


You can also try emailing the site owners yourself and asking them to remove the links!


This might seem like a lot of work but as long as you are sensible with your username and password, you should find you don’t need to worry in the majority of situations. Just be smart and vigilant and you shouldn’t have anything to worry about – your site should remain safe and secure leaving you to blog in peace!