How To Secure Your WordPress Site – 7 Basic Tips


Many authors use a self-hosted WordPress site because of the promotional benefits it offers. But do you know how to secure your WordPress site?

WordPress is, without a doubt, the most popular blogging platform.

It offers so many features, free plugins, and functions. When it comes to serious blogging and book promotion, there is no better platform to use.

You can integrate social media sharing, add monetizing options, and, most importantly, gain far more organic traffic from Google and Bing. That makes a small investment in managed WordPress hosting fees money well spent.

Check your WordPress security

However, due to its popularity, poorly secured WordPress sites are easy targets for hackers and scammers.

Their aim is not necessarily to steal your information.

More likely, they want to gain access to your site to try to add or inject malware, adware, or possibly viruses into your site.

Preventing this from happening is not difficult.

But it does mean taking a few simple precautions to improve your website security.

You should always make sure that your WordPress installation is operating with the latest version of WordPress.

Also make sure that your site uses an SSL certificate.

These are essential base elements to protect your site.

To enjoy all the benefits WordPress offers, it is imperative to take a few simple precautions to ensure that your site is safe from attack.

The following seven simple security tips will save you a lot of heartache.


1. Never use admin as your username

On a new installation, WordPress sets the default administrator username as ‘admin.’

You always need to change the default username setting and never use it under any circumstances.

It’s the very first step you need to take to secure your WordPress site.

The way to change this is easy.

In your WordPress admin area, add a new administrator user, and select a new username and password.

Select a username that is difficult to guess, and make sure your password is long and very strong.

Once you do it, delete the user with the username ‘admin.’

Other usernames to avoid using are your name and your site’s name, as they are too easy to guess.


2. Set a strong password

Your password is the number one defense against attack and against login attempts by hackers. Make it as strong as you can.

Ideally, it should be longer than eight characters and include two non-alphabetic characters, numbers, and an uppercase letter.

You should never use sequences such as 1234 or abcd.

It’s also a good idea to change your password from time to time.

Yes, I know it’s a pain, but changing your password now and then is by far the best security measure you can take.
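The username and password rules from tips 1 and 2 can be checked mechanically. The following is an added example, not part of the original article: the function names are hypothetical, the sample values are constructed, and reading "numbers" as "at least one digit" and "sequences such as 1234 or abcd" as any four consecutive ascending characters is an assumption.

```python
import re

def _norm(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def username_problems(username, owner_name, site_name):
    """Tip 1: flag 'admin', the owner's name, and the site's name."""
    u = _norm(username)
    guessable = {_norm(owner_name), _norm(site_name)}
    guessable.update(_norm(part) for part in owner_name.split())
    guessable.discard("")
    problems = []
    if u == "admin":
        problems.append("default 'admin' username")
    if u in guessable:
        problems.append("matches your name or your site's name")
    return problems

def has_sequence(password, run=4):
    """True if `run` characters in a row ascend by one, e.g. 1234 or abcd."""
    p = password.lower()
    streak = 1
    for prev, cur in zip(p, p[1:]):
        ascending = prev.isalnum() and cur.isalnum() and ord(cur) - ord(prev) == 1
        streak = streak + 1 if ascending else 1
        if streak >= run:
            return True
    return False

def password_problems(password):
    """Tip 2: length, non-alphabetic characters, digit, uppercase, sequences."""
    problems = []
    if len(password) <= 8:
        problems.append("not longer than eight characters")
    if sum(not c.isalpha() for c in password) < 2:
        problems.append("fewer than two non-alphabetic characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if has_sequence(password):
        problems.append("contains a sequence such as 1234 or abcd")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real accounts or passwords.
    for user in ("admin", "janedoe", "q7-harbor-lantern"):
        print(user, username_problems(user, "Jane Doe", "Jane's Book Blog"))
    for pw in ("password", "Summer1234", "Tr7!vexing-Quay9"):
        print(repr(pw), password_problems(pw))
```

An empty list means the value passes every rule stated in the two tips; it says nothing about whether the password has been reused or leaked elsewhere.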


3. Remove the meta box widget

WordPress has a default meta widget that gives site visitors links to log in and subscribe.

Never use this widget on your site because it’s an open-door invitation for hackers.


4. Don’t allow subscribers

You can collect subscribers via your WordPress site.

But it is far safer to collect subscribers via an external email application such as Mailchimp, Aweber, or whichever service you choose.


5. Never share your login details

This goes without saying, of course.

But if you need technical help with a plugin or theme, sometimes a developer may ask you for your login details.

Be careful, and only do this if absolutely necessary.

However, if the occasion arises, it is worth changing your password after resolving the problem.

A better alternative to sharing your login details is to use a plugin to grant a developer temporary access.

Temporary Login Without Password is a free plugin that works very well and is a much more secure way of allowing access for developers.


6. Add monitoring and protection

Wordfence is a popular WordPress security plugin that monitors and blocks unwanted intruders.

It is free and is installed on millions of sites.

There is a premium version available.

But for most site owners, the free version offers more than sufficient protection.

It includes web application firewalls, IP blocking, security scanning, two-factor authentication, and much more.


7. Back up your site files and database

Many plugins offer backups, and any of them is better than nothing.

The most important aspect to consider when looking at ways to back up your site is that your backup files are not stored on your web hosting server.

Many free plugins store backups on your server like this and so do not offer you much protection.

If you have a problem or are hacked, your server will be where the problem occurs.

Having your backups there is pointless, as you may not be able to access them.

I use UpdraftPlus as it has the facility to store backup files on external sites such as Google Drive, Dropbox, and Amazon S3, as well as many others.

The free version offers basic file and database backups.

Again, there is a premium version that offers more functionality, and it is what I use as I have several sites to protect.

If a problem occurs and you need to do a restore, it is quick and easy.



As long as you have a good hosting plan, you don’t need to spend a cent to keep your WordPress site safe and secure.

But the few minutes you take to check or implement the seven points I have listed here will be time very well invested in making sure that your site is as secure as possible.



Derek Haines

A Cambridge CELTA English teacher and author with a passion for writing and all forms of publishing. My days are spent writing and blogging, as well as testing and taming new technology.


2 thoughts on “How To Secure Your WordPress Site – 7 Basic Tips”

  • JB
    June 3, 2018 at 9:35 am

    Thank you for this and your other helpful content.

    In WordPress, I am trying to delete the ADMIN account and ADD a NEW ACCOUNT.

    However, I am receiving a message that the ACCOUNT will not be deleted.

    ID #1: The current user will not be deleted.

    Any advice?

    Thank you

    • Derek Haines
      June 3, 2018 at 9:38 am

      Hi JB. You must always have one admin account. If you want to add a new one, add it first, and then you can delete the original account.
