In this article we are going to cover all those points through which you would be able to safeguard your WordPress blog and minimize the chances of WordPress being hacked.

If your WordPress has been infected, read here

WordPress Security Guide

Top thing to do in foremost is scheduling daily backup

If you have a backup copy of that time when your WP was not hacked, you can easily restore it and get rid of the situation easily. Backup is a thing that is more than essential either your computer or your website data is concerned.

So use a reliable backup plugin and schedule daily automatic backup of your WordPress.


How to use best backup WordPress plugins

Delete default WordPress admin user

Even if many script installers like Softaculous, now, offer custom username facility while you install WordPress, yet there are many who generate default admin account username “admin”. This default username makes login stealing easier. Anyone can try to break your admin login putting “admin” in username section and guessing different passwords. So, you need to delete default admin user.

How to delete default admin user

  • First login to your administrator account with username “admin”
  • Then go to users > Add new
  • Create a new user with custom username and give it administrator privileges
  • Now logout your default admin account and then login to newly created admin account with custom username
  • Again go to users and select default admin and click delete
  • WordPress will ask you what to do with the content written (posts, pages or any other custom post type) by default admin. You will have to attribute all content to new admin user ( in doing so be careful because if you don’t attribute content to new user, the content will be deleted)

Keep your WordPress core up to date releases minor and major updates from time to time and you must take care of them all. Never ignore even a minor update and update your WordPress immediately. You can easily update your WordPress via your admin dashboard using a few clicks.

Cautions before updating WordPress

  • You should disable all plugins before update
  • Take a complete database using a good backup plugin

Read our best backup plugins guide

Keep your WordPress plugins and theme updated

Vulnerable themes and plugins offer the biggest subway through which hackers get access to WordPress. There are several thousands WordPress developers out there, who work hard to maintain their  themes and plugins. They release compatibility and security updates to their stuff in addition to new features. You should check for new version of your installed theme and plugins on daily basis and apply any available update immediately. If you find that an update has not been launched for one of your installed plugin or theme for a long time (over 7-8 months), consider giving it up and using any alternative.

Don’t use low reputation WordPress plugins in WordPress repository is currently hosting over 38k plugins from thousands of developers. Anyone can submit a plugin in repository and it will be available for download. You use these plugins solely at your own risk. But there are some security parameters, if followed,  which will let you choose only good of all these plugins.

  • Checkout the star rating of the plugin – If plugin rating is bad or it is unrated, we advise not to use that.
  • Avoid using a plugin that has not been updated from several years. If you have no alternative to such kind of plugin, use it, do you work with it and then remove it.

Don’t use free WordPress plugin outside WordPress repository without review

In addition to plugins indexed in WordPress repository, there are many others who are being offered free on 3rd party websites. Before coming to a head, you should check the plugin reputation. Search around the web for some reviews for that plugin. If you don’t find satisfactory data regarding that plugin, you should stop thinking about it.

Delete extra themes installed

It is a common bad habit of WordPress users that they care only for activated theme and they don’t give a damn about updating other installed themes. But the true fact is that these un-updated inactive themes may be a big culprit behind giving access to malwares. Either you should remove them or keep them updated regularly.

Limit login attempts

Sometime your site may be under Brute-Force attack. Brute-Force is an automatic password guessing technique that try all possible password combinations to break the system login. This hacking attempt is much dangerous for those websites who don’t use a strong and lengthy password as it is easy to guess a short and weak password. To avoid this kind of attacks, use Login Lockdown plugin that locks your site login after a few failed login attempts for a while.

Use Two Factor authentication

WordPress also offers two step authentication option with the help of a plugin, considering it is demand of hour and every sensible person prefers to use two step authentication to access its important logins. If someone stole your login, you won’t need to worry as it can’t access your WordPress without knowing the one time password sent to your email.

Download Two factor Auth Plugin

Use Sucuri Security Scan

Sucuri Security Scan is one of the most powerful security plugin for WordPress that is easy to use for beginners. This plugin offers comprehensive security features even in its free version too.

Salient features of Sucuri Scan

  • Every time someone try to log in, you will get notified via email
  • Every time a post is updated, you will get notified via email
  • Comprehensive access log is available via plugin panel
  • Malware scanner
  • Firewall (premium feature)
  • Restrict php access in “uploads” “wp-content” and “wp-includes”
  • Bulk password reset for all or select users
  • + many other advanced features

Don’t access your WordPress on an insecure Open WiFi netowrk

Open WiFi networks are generally infected and if you login your WordPress on such a network, probably your login may get stolen. So avoid using Open WiFi networks or use a good VPN service if you have not other way than using a public WiFi.

Don’t login your WordPress from public computers

Public computers such as in cyber cafe are generally infected and not secured so it would be better not to use this kind of computers to login your WordPress.

Use a good internet security suite for your PC

Don’t do any comprise when it comes to internet security software and use of the best suites. We highly recommend to use Norton Internet Security or Avast Internet Security. We have been using Norton Internet Security for over 3 years and our experience is awesome with this amazing software. We have found no other security software as powerful as it is. Additionally it offers highly secured remote password vault where you can save all your logins and auto fill desired login with the help of its Chrome, Firefox and IE extension. Oops! We are getting off topic. So let’s back to the main stream. So, better is the protection of your PC, safer is the login of your WordPress.

Bonus tip – Use A2 Hosting, that comes with Patchman, a powerful real-time malware scanner for WordPress, Joomla and other PHP softwares. Patchman, not only detects but also fixes vulnerabilities on demand for free. Additionally, you will be notified via email whenever a vulnerability or infection is detected in your website.

Having issues with this guide?. Feel free to consider this post as a support thread and ask questions in comments section below. We will happily assist you replying your questions.

About Shams

Shams, a professional blogger, has expertise in WordPress and Web Hosting. He is used to playing around with WordPress plugins, themes, web hosting services and some other innovative stuff regarding web design. He sifts out good stuff for web designers and reviews it to help them choose what they really need.

Being an energetic tech enthusiast, he regularly pens down breaking news and tutorials related to technology particularly Smartphones and other gadgets. Sometimes writes tech tips too. It was the dawn of Internet age when he started dabbling in it and has since been delving into the realm of the internet. He occupies a permanent burrow in virtual world.

He can be reached at.- here