Here’s what I would recommend: If you still use ‘admin’ as a username on your blog, change it, and use a strong password.

Implementing these WordPress security tips will help secure your site and save you the stress of having to repair a hacked website.

Invest 15 minutes now going through this list, implement as many of the tips as you can, and rest easy knowing your site is hardened against the most common forms of WordPress attacks.

  • Set up scheduled backups

This might not sound like a security tip, but it’s actually the most important one. If anything goes wrong with your site, even if it’s not a security issue, you’ll be able to revert to your backups.

  • Get the right web hosting

Having professional web hosting makes a huge difference, not only to how vulnerable your site is but also to how it recovers if it is hacked. A quality hosting company will have good security as a first line of defense and a strong response when something does go wrong. See my page on recommended hosting companies.

  • Strong passwords

Weak passwords are one of the key ways that hackers gain access to your website.

I use a secure text document for all my websites, where I type a crazy password first and then paste it into the login screen, allowing Firefox to save it into the browser where I can retrieve it instantly later with the Secure Login addon.

This means I can use incredibly difficult passwords without having to remember them. Google Chrome does the same thing without any addons.

You can change your WordPress login password by visiting Users >> Your Profile and scrolling down to the About Yourself section.

  • Install the “Limit Login Attempts” plugin

The Limit Login Attempts plugin adds an extra layer of security on top of your now-strong passwords by blocking anyone who tries to guess them.

After a number of attempts, the plugin will block their IP address (every computer network has this unique signature) and prevent them from accessing your website for a set time.

These settings can be changed from Settings >> Limit Login Attempts. You can return here to review any blocked attempts.
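
The lockout behaviour described above, as an added example (not the plugin's code): it replays constructed access-log lines and reports which addresses a limit of this kind would lock out. The thresholds, the log format and the status convention (200 for a failed login, 302 for a successful one) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 4                  # assumed: failed logins tolerated before lockout
WINDOW = timedelta(minutes=5)     # assumed: failures must fall inside this span
LOCKOUT = timedelta(minutes=20)   # assumed: how long the address stays blocked

LOGIN_POST = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                        r'"POST /wp-login\.php[^"]*" (?P<status>\d{3}) ')

def find_lockouts(lines):
    """Return {ip: [(locked_at, locked_until, attempts_made_while_locked)]}."""
    recent = defaultdict(list)    # ip -> times of recent failed logins
    report = {}
    for line in lines:            # lines are assumed to be in time order
        m = LOGIN_POST.match(line)
        if not m:
            continue              # not a login form submission
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events = report.setdefault(ip, [])
        if events and ts < events[-1][1]:
            start, end, n = events[-1]
            events[-1] = (start, end, n + 1)   # attempt made while locked out
            continue
        if m["status"] != "200":  # assumed: 302 redirect = successful login
            recent[ip].clear()
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= WINDOW] + [ts]
        if len(recent[ip]) >= MAX_FAILURES:
            events.append((ts, ts + LOCKOUT, 0))
            recent[ip].clear()
    return {ip: ev for ip, ev in report.items() if ev}

def _line(ip, clock, method, status):   # one constructed access-log line
    return (f'{ip} - - [12/Mar/2024:{clock} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4521')

SAMPLE_LOG = (                          # constructed sample, documentation IP ranges
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", 200) for s in range(1, 13, 2)]
    + [_line("198.51.100.20", c, m, s) for c, m, s in
       [("10:01:00", "POST", 200), ("10:01:30", "POST", 302), ("10:02:00", "GET", 200)]])

if __name__ == "__main__":
    for ip, events in find_lockouts(SAMPLE_LOG).items():
        for start, end, n in events:
            print(f"{ip}: locked {start:%H:%M:%S}-{end:%H:%M:%S}, {n} more attempts")
```

Because the limit is counted per address, guesses spread across many addresses or spaced wider than the window never reach it, which is why the strong password remains the primary control.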

  • Change your login username ‘admin’

If you log in with the username ‘admin’, then any hacking attempt only has to guess your password. My suggestion is to delete this user and create a new one for yourself as administrator. However, do not delete the user ADMIN until you have created your new username and password. Remember to mix up your passwords with combinations of letters, numbers and symbols.

Enter a new username and click the Change button. You will have to log in again straight away with your new username and password. After you log in again, you will be able to delete the ADMIN user profile.

  • Keep WordPress updated

The single best piece of advice I can give to prevent website hacking is “keep your web server software up-to-date and fully patched.” Prevention is much better than the hassle of cleaning up a hack. WordPress is updated for a reason: to fix bugs and to provide you with new functions and security measures.

Whenever you log in to your self-hosted WordPress site, you can check for available updates by going to Dashboard >> Updates. Keeping the core WordPress software, theme and plugins updated is an important security measure.

If you’re using a plugin or theme that hasn’t been updated in a while, you may want to search for one that is better supported.

Update Warning!

If your theme files have been directly edited by yourself or a developer, then updating will overwrite those changes.

  • Install a Malware Scanner plugin

There are several choices out there.  I use Anti-Malware for my site.  This will check your WordPress site for malware, spam, and other issues.

  • Scan your theme for malicious code

If you’re using a theme from the official WordPress directory, or one from a reputable provider, you can skip this step. Many free themes, though, are copied and can have malicious code embedded in them. Sometimes you can spot this in the footer of the site in the form of advertising.

If you have any doubts, the Theme Authenticity Checker (TAC) plugin will scan your theme files to make sure there is nothing threatening your site’s integrity. After activation, visit Appearance >> TAC and the plugin will automatically scan your currently active theme.

If there are any issues, I would recommend using a different theme.

  • Remove inactive plugins and themes

Inactive plugins and themes present potential entry points for hacking attempts. Deleting all of them removes these holes and avoids unnecessary updates.

Go to Appearance >> Themes or Plugins >> Installed Plugins to review and delete them.

  • Install the WP Security Scan plugin

The WP Security Scan plugin checks your site for various security vulnerabilities and suggests ways to fix them. Start a scan by visiting WSD security >> Scanner. The plugin will alert you to any changes that need to be made. This plugin scans your WordPress installation for file and directory permission vulnerabilities.

Keep this plugin activated for ongoing protection.

If you have any questions regarding your WordPress website, are interested in a maintenance plan or a redesign, please feel free to contact me!  As always, continued success in all your endeavors!

Websites for a Song
Lisa Drew
WordPress Diva & Website Creator, Classical Singer, Artist
Websites for a Song LLC
https://websitesforasong.com
