Hackers aren’t necessarily people; more commonly they are small programs called bots that scour the internet for vulnerable sites.
These vulnerable sites might not have the latest version of WordPress installed or have an administrator account named ‘admin’, or they might have a particular plugin installed with a known security flaw.
Follow these blog security tips, and you can reduce the chance of your WordPress blog coming under attack.
Disclosure: This article may contain affiliate links. When you click these links, I may get a small commission. It won’t cost you anything, but it helps me to run this site. I only promote products and services that I think are great. I have worked as a WordPress developer for over a decade, and I use my experience to judge whether a product is worthy, so you can be assured that I always have your best interests at heart.
1. Keep everything up to date
The one time my WordPress blog was hacked, it was because I hadn’t kept WordPress up to date.
Every time WordPress is updated, any security flaws it fixes are published for all to see. Hackers then use these known flaws to hack sites that are not up to date. The same goes for plugins and themes. Always keep them updated.
2. Don’t use ‘admin’ username
Never use ‘admin’ as a username for the administrator account, or for that matter your website domain name, your name, or anything else related to your site. These are the usernames that a hacker will always attempt to log in with first.
3. Always use a strong password
A strong password is a non-dictionary series of upper and lowercase characters, numbers, and symbols.
WordPress helpfully suggests a strong password for you when you create a new account or change a password.
I recommend that you always use the suggested password. Use a password manager like LastPass, so you don’t have to remember it.
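As an added illustration of tips 2 and 3 (this is example code, not something from the original post): a small Python check that flags the usernames an attacker tries first and reports why a password falls short of the "non-dictionary mix of upper and lowercase letters, numbers and symbols" description. The 12-character minimum and the tiny word list are assumptions of this example; a real check would use a full dictionary or breached-password list.

```python
import re
import string

# Constructed stand-in for a real dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "wordpress", "admin"}

# Minimum length is an assumption of this example; the post states no number.
MIN_LENGTH = 12


def risky_usernames(domain: str, real_name: str) -> set:
    """Usernames a bot will always try first: 'admin', the domain, the owner's name."""
    bare_domain = domain.lower().split(".")[0]
    names = {"admin", "administrator", domain.lower(), bare_domain}
    for part in real_name.lower().split():
        names.add(part)
    names.add(real_name.lower().replace(" ", ""))
    return names


def is_weak_username(username: str, domain: str, real_name: str) -> bool:
    """True if the username is one of the guessable names for this site."""
    return username.lower() in risky_usernames(domain, real_name)


def password_problems(password: str) -> list:
    """Return the reasons a password fails the strong-password description.

    An empty list means the password passes every check.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # Dictionary check: strip everything but letters so "P@ssw0rd"-style
    # substitutions still expose the underlying word.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    for word in sorted(COMMON_WORDS):
        if word in letters_only:
            problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    site, owner = "example.com", "Jane Doe"
    for name in ("admin", "example", "janedoe", "qx7-editor"):
        print(f"{name:12} weak={is_weak_username(name, site, owner)}")
    for pw in ("Password!!!!!!", "Ab1!", "Correct-Horse-9Battery!"):
        print(f"{pw:25} {password_problems(pw) or 'OK'}")
```

The WordPress-suggested password will pass `password_problems` every time; the point of the check is to catch the hand-picked ones that look complex but are built from a single dictionary word.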
4. Use a nickname
Most themes will display the name of the author within a post. If you set a nickname for the account, that name is displayed instead of the real username. You can do this on the user profile screen.
5. Install a security plugin
My favourite security plugin is Wordfence. It protects your site in a multitude of ways. You can use it to scan your site for any changes in WordPress core files, plugins and themes. It has an inbuilt firewall which will block anyone attacking your site. It will also limit login attempts by anyone (or anything) attempting a brute-force login.
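To show what the "limit login attempts" part of a security plugin is actually doing, here is an added Python example (not code from the original post or from Wordfence) that reads web-server access log lines and reports IPs that exceed a number of failed logins within a time window. The log lines are constructed for the example, and it assumes the usual WordPress behaviour that a POST to wp-login.php answered with 200 is a failed attempt (the form is re-rendered) while a 302 redirect means success; the thresholds are assumptions too.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2023:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2023:14:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2023:14:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2023:14:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2023:14:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2023:14:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jun/2023:14:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jun/2023:14:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jun/2023:14:02:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2023:15:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_brute_force(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: time_of_lockout} for IPs with >= max_failures failed logins inside the window.

    Assumption of this example: POST /wp-login.php with status 200 is a failed
    login and status 302 is a successful one (which resets the counter).
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path != "/wp-login.php":
            continue
        if status == 302:
            recent[ip].clear()
            continue
        q = recent[ip]
        q.append(ts)
        # Sliding window: drop failures older than `window` relative to this one.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and ip not in locked:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip} would be blocked from {when.isoformat()}")
```

Run against the sample, only 203.0.113.7 is flagged: the second client fails once and then logs in, and the third makes two failures an hour apart, which a ten-minute window treats as unrelated. A plugin does the same bookkeeping in real time and returns an error page instead of checking the password once the threshold is hit.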
6. Use Cloudflare DDoS protection
Cloudflare sits between the internet and your host server, filtering all traffic to your website, and letting only legitimate visitors through. This can protect you against DDoS (distributed denial of service) attacks.
A DDoS attack could potentially bring down your website by flooding it with more requests than it can cope with. You can get Cloudflare’s standard DDoS protection at no cost with their free tier.
To set up Cloudflare you will need access to your domain registrar. My favourite host Kualo integrates Cloudflare for you even in their cheapest plan.
7. Use SSL
Your site URL should start with HTTPS, not HTTP. A site without SSL sends login details to the server in clear, readable form.
Sites that use SSL send all data to and from the host server securely in encrypted form. Many hosting plans provide HTTPS certificates for free.
Using SSL also has a significant advantage for your SEO as Google has now prioritised HTTPS sites in their search results. Find out how to get SSL on your WordPress blog for free. If you already have SSL installed see my handy guide to configuring WordPress for SSL.
8. And finally, keep your site backed up
Taking on board and acting on the previous advice will significantly reduce the chance of an attack. But in the event it does happen, you will need to restore from backup. So, you must keep one!