7 Incredibly Simple Ways to Increase WordPress Security

7 Incredibly Simple Ways to Increase WordPress Security

Did you ever imagine what would you do if your WordPress website disappears?

It might sound rough, but this may happen to everyone just like it happened to me once.

WordPress security is something that you should take really seriously, because there are people who use vulnerable websites to their advantage.

Plus, there are disasters that might happen and you can lose your work forever.

But you can avoid this by taking some precaution measures for your WordPress website and increase its security.

This way you will sleep better thinking that your business is safe.

Obviously, there are a lot of things that you can do to lock down your WordPress installation and some ninja tips that I will share with you in a future post.

But in the meantime, let’s start with the basics and learn the easiest fixes you can apply for a more secure WordPress website.

If you find a vulnerability just go and fix it and then come back to continue reading the article.

1. Backup your website

The first and most important task that you need to take care of is backing up your site.

Without a backup you can loose your website and everything you’ve been working on forever.

Most hosting companies will say that they backup your website, but for additional security you should keep an extra backup of your WordPress website on a different location.

I would also recommend you to ask your hosting company where they keep the backups.

If they say that they keep them on the same location, this is an extra reason for your to start backing up your site. And possibly look for a different hosting company.

There are a lot of WordPress plugins and services that can help you backup your WordPress site on a different server.

It doesn’t matter which one you choose, but it’s crucial that you backup your WordPress site.

I’ve heard really good things about:

  • CodeGuard
  • VaultPress
  • BackupBuddy

If you need help, take a look at our WordPress services and we will backup your website for you.

Action tip: Find a backup plugin that does backups every day/week, install it and backup your site on a different location right way.

2. Keep your blog updated

I can’t stress enough the importance of updating your WordPress site, themes and plugins.

With every new release WordPress adds security enhancements that you should have on your blog as soon as possible.

While you may want to wait a couple of days until advanced users test the new versions, you definitely need to apply any updates available within a week since their release.

Additionally, themes and plugins will release security enhancements and you need to keep them up to date, so hackers won’t exploit their vulnerabilities.

If all your scripts are updated you reduce the risk of your site getting hacked, because hackers love outdated software and this is where they will look first.

If you are afraid of breaking something during the update ask (us!) for help or read more about how you can break the fear of technology.

Action tip: After you create a backup of you blog, go ahead and update WordPress and all your themes and plugins.

3. Remove unnecessary themes and plugins

One of the most common security issues is with outdated scripts, especially with themes and plugins that you don’t use.

I actually cleaned a couple of sites which got malware because they used to have about 10 themes installed, which got outdated and hackers exploited some vulnerabilities that existed in those old versions.

The funny thing is that the security threat was fixed soon after it was discovered, but because the theme was not updated, they could reach the website through that gate.

Plus, those themes were not used anymore, so why keep them to make your site more vulnerable?

That is why I would recommend you to audit your themes and plugins and if you don’t use them anymore, just press the delete button.

Action tip: If you have any themes or plugins that you don’t use, now it’s time for you to delete them.

4. Don’t use admin as your username

Before the version 3.0 of WordPress the default administrator username, was “admin” and hackers know this.

Moreover there are plenty of people (know anyone?) who still use this and make their sites vulnerable.

If hackers know your username, they will move at the next step and try to find your password.

But if you have a custom username, they will have to guess that first which will make their job a lot harder.

In WordPress you can’t change your username, but you can create a new user and delete the old one.

Action tip: Create a new user with administrator privileges and setup a strong password for that user. Once created, login with those credentials and delete the old admin account.

5. Use strong passwords

There are plenty of hackers who use brute force to guess passwords and if your password is weak, you’re making their life easy.

Instead use different passwords for every website/email account/social media account you use and store them using a password keeper tool.

I personally use LastPass (free and paid) because it works straight from my browser and the paid version also has an iPhone app.

I use LastPass to generate secure passwords, securely store them in my account and keep other information/notes safe.

Alternatively I’ve heard really good things about 1Password (paid) and KeePass (free), which you can use with your Dropbox account.

I would recommend you to go with passwords that have at least 14 characters, if not multiple words and contain special characters, numbers and capital letters.

Action tip: Signup for a password keeper tool and change all your weak passwords. Use a tool to generate them to something like this: D&L1rlXJVk&l&z.

6. Keep your computer clean

There are times when hackers use viruses to infect your local computer and then scan it for open FTP connections.

Once you connect to your website via FTP, they will use that connection to upload malicious content on your website without you ever knowing.

This is the reason why it’s really important to keep your computer clean and use an antivirus software to scan your computer in real time to avoid getting it infected.

Action tip: If your computer needs an anti-virus download a free one or buy a paid version. Scan your computer and schedule regular scans.

7. Use sFTP to transfer files

The usual FTP connection sends passwords and sensitive data in plain text and if someone uses special programs to scan your connection they can read your data.

You can avoid this by using an sFTP connection, provided by most of the hosting companies, but not really used by users.

The sFTP connection creates a secure tunnel between your computer and the server so no one can access your information.

This way, the username and password sent to the server to login and any other sensitive information you upload, will be protected from those who try to access that data.

Action tip: Send an email to your host and ask them to provide you more details about what you can do to use an sFTP connection.

Back to you

Do you think that your WordPress site is secure? Think again!

Make sure that you implement everything you learned above right away to avoid loosing precious data from your website.

In case you have questions or need help with any of the above leave a comment below.

Or if you have any other tips that you would like to share with us, please use the same comments box.

Get Updates! It's free!

Signup now to get fresh content that will help you build a profitable business online using WordPress. Here's what you will get if you join now:

  • Video series: 7 Quick Ways to Secure your WordPress Blog From Being Hacked
  • Free updates for articles as they publish
  • Exclusive content just for subscribers and access to the Backpack Toolbox

Powered by Elevatr

About Eugen Oprea

I am passionate about technology and I love to help people confused by technology build a remarkable presence online. You can also find me on Twitter, Google+, Facebook, or LinkedIn.

  • http://blogverize.blogspot.com Nimsrules

    These are some really simple yet solid tips to secure your WP site.
    P.S – Love your newsletter :)

    • http://www.wpbackpack.com/ Eugen Oprea

      Thanks! I am really happy to hear this.

  • http://www.imagemaven.com Marlene Hielema

    Eugen, I really like the tip about the sFTP. Going to check that out with my web host. Thanks for all your tips and tutorials.

    • http://www.wpbackpack.com/ Eugen Oprea

      Thanks Marlene!

      Yes, please do so and use sFTP every time from now on.

  • Zimbrul

    Great advice! The mist annoying problem I ve got is WordPress backup. You’ve mentioned Backup Buddy: this is a real headache! Every single attempt to backup WP using this has failed! Some other plugins are also tricky. I think a built in solution for back ups will solve the problem.
    Of course, you can use FTP to simply transfer your files to your hard drive but many owners don t do that on a regular basis.

    • http://www.wpbackpack.com/ Eugen Oprea

      I agree with you. Most of the backup plugins fail, but it’s not necessary their fault.

      This usually happens because the backup process requires a specific amount of memory, which you don’t have on shared hosting. And from here the backup fails.

      From this reasons I moved all my sites, including clients sites in VaultPress and CodeGuard.

      I need to pay a monthly fee, but it’s worth it as it provides me piece of mind.

    • http://www.imagemaven.com Marlene Hielema

      I agree with you too Zimbrul. The time I used Backup Buddy was the only time my site was down because as Eugen said, it completely filled up my server space. Luckily I have a web host who backs up daily, and I didn’t even know it. They had me up and running in 30 minutes.

  • http://stonemonkeymarketing.com David Burch

    I do like WPTwin. It’s the only backup software that hasn’t failed me.

    • http://www.wpbackpack.com/ Eugen Oprea

      Thanks David! I will have a look at that.

    • Zimbrul

      Thanks for the head-ups! I’ll have a look because I got fed up of failed backups with Backup Buddy.

  • http://cathypresland.com Cathy Presland

    Eugen – thanks for the tips. I think I score 7/7 – well maybe 6 1/2 ;)
    This is so important and all too easy to overlook until something bad happens.

    • http://www.wpbackpack.com/ Eugen Oprea

      Cathy, congratulations for your score.

      I agree with you and I am really happy that you have them already implemented.

  • https://twitter.com/HennekeD Henneke

    Thank you for sharing these useful tips, Eugen.

    It’s a hugely important topic – I’ve become more aware of it in recent weeks when seeing big blogs being hacked.

    One question: Is there a difference in terms of security between the various hosting companies?

    • http://www.wpbackpack.com/ Eugen Oprea

      Yes, there is a difference in terms of security between hosting providers.

      As an example, most companies provide shared hosting, which means that on a box they setup hundreds and even thousands of websites.

      If one of them gets malware, there is a good change that it will spread to most of its neighbors, so this is the main difference.

      But others may have strong security and this will never happen.

      On the other hand, there are hosting companies which offer VPS (Virtual Private Servers), which even if they are on the same box, they use virtualization software which isolates each account and data is not transferred between accounts.

      I hope this helps, but let me know if there is anything else unclear.

  • http://futureexpats.com Susanna Perkins

    I usually post new stuff to my site twice a week, so I don’t need to back up every day. But I run a complete backup — database and all WordPress files — at LEAST once a week, and before I update any plugins or WordPress itself.

    • http://www.wpbackpack.com/ Eugen Oprea

      Susanna, I agree that if you don’t post or customize the site every day, you don’t need daily backups and weekly are just fine.

      However, in my case, I backup my clients sites daily, because I want to make sure that everything securely backed up.

      Additionally, if the site needs it, I setup backups to be run in realtime, so every draft, post comment or change is saved after it’s created.

  • Nadzieja

    It’s a good post.

  • Zimbrul

    Reading this article and some other articles regarding WP security I might be able to put up a method to bullet proof my WordPress powered blog.

    • http://www.wpbackpack.com/ Eugen Oprea

      Zimbrul, I am really glad to hear this.

  • Iain Gray

    Great tips, Eugen!

    Something I’ve done with my self-hosted sites is to restrict access to the /wp-admin/ folder and wp-login.php files to certain IP addresses using .htaccess That really cuts down on intrusion attempts.

    I see a lot of people having security problems due to shared hosting, as the segregation between customers is often not what it should be. Really, if you invest significant time and energy into your blog, it’s well worth upgrading and getting it looked after professionally :)

    • http://www.wpbackpack.com/ Eugen Oprea

      Thanks Iain!

      This is a really good strategy and I am going to suggest it in a future article under “ninja tips”. However, it doesn’t work for those who:

      - have a dynamic IP address
      - work on the site from multiple locations
      - run a multi-author blog

      As for shared hosting, I agree with you and I think that as soon as you start to warn a decent income from your website, even if it’s only a couple of hundreds dollars a month, you should start to invest in better hosting, security and speed.

      Only this way you can build a successful business without taking risks.

  • http://www.lovinglifewithdiabetes.com Claire Kerslake

    Some great tips Eugen. I was going through my plugins and I have one called wordpress mobile pack which isn’t activated. I am using a canvas theme. Is this a good plug in and should I be activating it or should I just delete it?
    Many thanks

    • http://www.wpbackpack.com/ Eugen Oprea

      Claire, the plugin will allow you to control how your website looks on mobile devices and if you want to customize that you should activate it.

      Otherwise, if you are looking to maybe use a mobile responsive theme in the future or if you don’t plan to use it, just remove it from your blog.

  • http://www.gemwriting.co.uk Georgina @GemWriting

    Hi Eugen, I tend to leave my techie stuff to someone else but this article has made me much more aware of all the issues that can happen and how best to protect your website. Your opening “what would happen if your WordPress website disappeared” made me shudder! After all, with an attached blog there’s a lot of work that’s gone into those pages making it an invaluable asset to me. Thanks for the nudge and good luck with your new BackPack service. It looks very comprehensive.

    • http://www.wpbackpack.com/ Eugen Oprea

      Thanks Georgina!

      I really appreciate your feedback and I hope that these tips will help you get a more secure blog.

  • http://www.wpsecuritychecklist.com Anders

    Great list…

    I had some security issues on my own site, and ended up doing a fair bit of research in to this too…

    I’ve written up a WordPress Security Checklist, which I think would be a good complement to your list here…

    It can be downloaded free from http://www.wpsecuritychecklist.com

    Maybe it will help some of your readers too :-)

    • http://www.wpbackpack.com/ Eugen Oprea

      Hey Anders, it looks like you have quite a comprehensive site, so thank you for stopping by and sharing it with us!

  • http://www.dennymartindale.com Denny Martindale

    Hey Eugen, thank you so much for this valuable advice! I just have to finish #7 and I hope I am good to go for a while. I am so glad there are folks that understand this stuff!

    • http://www.wpbackpack.com/ Eugen Oprea

      That’s good to hear, Denny! Let me know how it goes.

  • http://www.paulmadden.co.uk Paul Madden

    You totally wasted your time writing this post, those points would NOT secure a WP in the slightest. I suggest you spend more time researching your posts before you hit publish.

    • http://www.wpbackpack.com/ Eugen Oprea

      Hey Paul, thanks for your feedback!

      I would love to hear your opinion of why these tips do no secure your WordPress site and what tips you consider useful for securing a WordPress website.

      Additionally, if you would have read the article, you would have noticed this:

      Obviously, there are a lot of things that you can do to lock down your WordPress installation and some ninja tips that I will share with you in a future post.

      But in the meantime, let’s start with the basics and learn the easiest fixes you can apply for a more secure WordPress website.

  • Pingback: 5 Shortcuts for Increasing Email Conversion Rate in Record Time – Eugen Oprea

  • Bob R

    Somehow off topic: just landed here and I’ve seen you are using Elevatr on this site. I like it sooo much!
    It’s amazing how many bloggers are failing to implement the above very simple ways to make your WordPress more secure.
    One other measure I like to take on some very important websites I look after is two-step verification using Google Authenticator. This is a bit a pain in the … (as you have to have a mobile phone with you) but if you don’t log in very often it’s quite efficient.
    I’ve seen people rely mostly on plugins for their WordPress site security and don’t do basic things like the above to lower the risk to have their site hacked.