WordPress is the most used CMS system in the world. It is free to use and comes with a lot of plugins and themes that you can download to make the most amazing blog or website you want, without any coding skills at all. This also makes WordPress very interesting for hackers and malware developers, because there are a lot of people who do not think about securing their WordPress installation.
How to keep WordPress Secure
To keep your WordPress installation secure at all times, there are a lot of things you should consider. I will try to guide you through the steps that I find most important. If you have had your WordPress site hacked, you are for sure not alone. I think most owners of a WordPress blog or site have tried that, including me. In fact, this blog was shut down at one point by my hosting provider. The reason was that my blog was used to mass-send a bunch of e-mails. That is just one way hackers can take over your blog and use it for whatever they like while you sleep at night. Another approach could be to inject links on your blog that redirect your visitors to sites with malware that will infect your users. You don’t want that to happen.
So, what can we do about it?
6 Tips to Secure your WordPress Blog
- Make sure to use strong passwords (web, database and FTP)
- Limit the number of admin accounts on your installation
- Keep your plugins to a minimum and keep them updated
- Keep the number of themes to a minimum and keep them updated
- Use security plugins like Wordfence to keep your blog secure
- Backup your files and database
1. Use Strong passwords
The most important thing you can do to secure your WordPress installation is to use strong passwords. If a hacker has your admin password, he can do whatever he wants with your blog. He can lock you out and take charge of everything or change your content. He can send mail containing malware to your loyal users that looks like it came from you. He can also choose to stay under the radar and keep a backdoor into your blog that he can use at a later time, without you knowing anything about it. That is why it is important to use strong passwords that can’t be hacked too easily. A good tip is to use different passwords for web access, FTP and database. You probably don’t enter your database and FTP passwords very often. Keep those passwords long and complex and save them in a secure place where only you can reach them in case you need to use them. If you can’t come up with a good password, there are a lot of password generators available online, like passwordgenerator.net.
2. Limit the number of admin accounts
There is no need to keep a door open for hackers that you don’t use anymore. Make sure that you don’t have admin accounts enabled that you don’t use. Maybe you have had an external consultant helping you at some point and forgot to disable the user again. Maybe that user account has a simple password? Make sure to shut down those accounts. You can always enable them for access again.
3. Keep your plugins to a minimum and keep them updated
Go through your plugins and check if you have any plugins you don’t use any more. Also check when they have last been updated. You will find that many plugins have not been updated for years. That might be a security issue. Maybe you can find a similar plugin that does the same and still is being maintained on a regular basis.
4. Keep your number of Themes to a minimum
No need for old themes you don’t use anymore. Get rid of them when you don’t use them. Old outdated themes might be a security risk.
5. Use Security plugins
Plugins can be a security risk, but they can also help you make your WordPress installation more secure. I use a security plugin named Wordfence. Wordfence is available both as a free plugin and as a Premium version. This plugin is a great way to improve security on your blog. It will scan files and plugins for vulnerabilities and send you a mail in case a plugin needs to be updated or if someone logs in from a suspicious IP address. It will also protect you against brute-force attacks. Each week you will get an e-mail with details about how many login attempts were blocked and how many logins failed.
With Wordfence, you also have the possibility to configure 2-factor login for one or more users. It could e.g. be for your admin accounts. That way, both a valid password and an authenticator app like Google Authenticator or FreeOTP will be required to log in. This is by far the best way to protect your site from hackers. Wordfence comes with a big toolbox to improve your blog’s security, even in the free version. I am sure there are other good security plugins available, but Wordfence is the one that I can recommend to keep your site secure. It is used by more than 3 million installations.
6. Backup your files and database
It is always a good idea to make regular backups of WordPress (files and database). In case you get attacked and a hacker has any luck changing some of your files or making changes in your database, a backup can be a vital way to get your blog back on track again. I know because my backups have helped me many times. I have often compared files the hacker has modified with files from my backup to get my blog back to normal. The alternative would have been to restore my entire blog maybe one week back in time. Not something I would like to do, because I would lose comments from my users and all modifications I might have made to my blog for that period.
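The file comparison described above, as an added example (not code from the original post): a script that hashes every file in a backup copy and in the live WordPress directory and lists what was modified, added or removed. The function names, directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import sys
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large media files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}


def compare_to_backup(backup_root, live_root):
    """Classify differences between a known-good backup and the live site."""
    old, new = snapshot(backup_root), snapshot(live_root)
    return {
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo():
    """Constructed sample: a tiny backup tree and a tampered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "wp-content" / "themes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // front controller\n")
            (root / "wp-content/themes/style.css").write_text("body{}\n")
            (root / "readme.html").write_text("<html></html>\n")
        (live / "index.php").write_text("<?php // front controller (changed)\n")
        (live / "wp-content/unknown.php").write_text("<?php // not in backup\n")
        (live / "readme.html").unlink()
        return compare_to_backup(backup, live)


if __name__ == "__main__":
    # Usage: script.py <backup_dir> <live_dir>; with no arguments it runs the demo.
    report = compare_to_backup(*sys.argv[1:3]) if len(sys.argv) >= 3 else demo()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9} {path}")
```

Files listed as added include legitimate new uploads, so review that list rather than deleting from it blindly; restore modified files one by one from the backup copy.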
Conclusion
WordPress is a great CMS system with a lot of options for both amateurs and professionals. If you follow the above guidelines, you can keep your WordPress installation secure and keep the hackers away. Do not run your security on autopilot; things can change fast, and so does WordPress. Plugins and themes are updated all the time, and the bad guys find new ways to get around security all the time. If you find a new plugin you would like to add to your blog, make sure to check when it was last updated and maybe check out the reviews on the wordpress.org plugin site.
WordPress security is mandatory, which we need to keep them secure. Hence I’m using Jetpack security for some long time, which helps to block IP on multiple attempts. The list which you have shown as a best source can give idea for other users.
Thank you Shameem
Hey Thomas,
Thanks for sharing this useful piece of information. All the various ideas and tips you shared to secure the WordPress blogs are very informative and really going to help many of us who are new to WordPress.
Yes Thomas, WordPress security is very much required to keep your WordPress blogs secured.
All the various tips are useful but I think having strong passwords and limited number of admins are very important to secure your WordPress blogs. Thanks for sharing and keep posting similar useful articles.
Thanks & Regards,
-Rijhu
Nice blog post about how we can keep our blog post secured from other for that we will have to follow the steps introduced in this blog post. Nice blog post keep the good work going.
Nice blog post about securing any WordPress site. Nice blog post keep the good work going.