WordPress security is certainly not a glamorous topic, and it’s easy to put off and put off…until the day arrives that your site is down and you have no easy way to put it back up.  Then, WordPress security becomes the hottest topic in your world!

Today we’re going to discuss the 4 main parts of WordPress security today: Obscure, protect, detect and recover.

Obscure – hide or change everything you can – especially ‘default’ settings – from prying eyes and those who would do your site harm

Protect – what you can’t hide, you want to lock down tight as a drum

Detect – once your shields are up, you still need to know when the wolves are at the door trying to get in, because they’re crafty, you know, with all their huffing and puffing, and won’t quit until they find a way to blow your house down

Recover – should the worst happen, you want a quick and easy recovery plan that you understand and that works

But before we dive in…

WordPress security

Just to give you all a frame of reference, did you know that 6 out of 10 of all the websites on the Internet WORLD-WIDE that use a content management system of any kind – use WordPress!!

What’s a content management system? The easy definition is any website that you log into and use an interface of some kind to publish content is using a content management system. So other content management systems you may have heard of are Blogger, Weebly, Wix, Joomla, Drupal, and even things like GoDaddy’s Website Tonight product. Pretty much anything that allows you to get content published on your site without having to write code is a content management system.

So…60 percent of all websites built like that are built using WordPress. That’s a LOT of websites!

WordPress security

In fact, that works out to almost 24% of ALL websites on the Internet! 

What does that mean for us?

On the positive side, that means we have a huge community of website owners, website developers, plugin authors, theme designers, and third party services of all kinds available to us.

WordPress is an open source CMS, which is a bit of a double-edged sword.

The upside is: it’s FREE!  Not only is it free to get an account at WordPress.com (the hosted version of WordPress), but it’s free to download the software and install it on your own hosting account and use to build a website (what we call the self-hosted version.)

The downside is that because the code is freely available to anyone – hackers can easily dive into the code, become intimately familiar with how it works and find ways to exploit it to do harm.

If you use WordPress.com, all of the maintenance and security issues are taken care of for you, and the price you pay is limitations on what you can do with your site. Self-hosted WordPress sites have no such limitations, but the price you pay for all that freedom is all of the maintenance and security is your responsibility.

Having said that, let’s get a few important concepts handled before we move on:

WordPress security

WordPress Security

The first and most important thing to understand is that the only way for your website to be 100% secure is for it to not exist online. This is true not just of WordPress sites, but of all websites. If anyone ever tries to guarantee you they can make it 100% secure – RUN!  The only way they can do that is take it down.

Good security is about minimizing risk. The folks on the WordPress core development team take security very seriously and almost every update to WordPress is fixing some kind of security vulnerability they’ve found, in addition to adding new features and capabilities.  The same is true of theme and plugin updates.

You don’t have to look too far on the web to find someone talking smack about WordPress not being secure. Horror stories about hacked websites abound in the WordPress world – shoot, I have my own stories I could share with you! But I bet you dollars to donuts, in 99% of cases – including my own – it boiled down to WordPress not being kept up to date. For me, since I have multiple websites, it was a case of one or more sites being ignored. And that’s all it takes – just one – and your whole hosting account can be affected.

You can tighten up a site so much that you can’t effectively use it, though, so we want to minimize risk, yes, but we also have to pay attention to usability.



Ok, so where do we start? With default settings. The first user account established when you install WordPress is ‘admin’. That’s a default setting, and everyone – hackers included – knows it. So, don’t use it.  Log in with it the first time and create another administrator account with a strong password. Log out and log back in with that new administrator account and DELETE the admin account.

The database is another element of your WordPress site that has default settings. The name of the tables have a prefix of wp_ and every hacker knows that, too. So if you leave it wp_, then they know the name of every table in your database. Using anything other than wp_ will make the job of hacking your database that much harder, so change it during setup, or immediately afterward.

Removing the login error messages is something that you definitely want to do if you’re the only person who logs into your site. If you have multiple users, especially in membership sites, removing the login error messages creates a usability issue. But if you’re the only one, remove them because you don’t need to help the hacker who’s trying to guess your username and password which part of it they got wrong!

Finally, do you really need to be able to log into your website 24 hours a day? If you turn off access to your dashboard altogether after your business hours are done, then no one can access it – not hackers and not even you! It’s like it’s not even there.

WordPress security


Probably the #2 most common way a site gets hacked is weak, easy to guess passwords.  Folks, there are software programs out there that can do 1,000 login attempts with different usernames and passwords per minute – yes – per minute! I know it’s a pain in the rear to type in – much less, remember – a password full of special characters and combinations of letters and numbers that don’t make any sense.

One way around that is to use something like LastPass to remember them for you. Or, you can now use a pass phrase with WordPress. I like that option because I can remember it, and I replace a, e, i and o with special characters and numbers to make it even stronger. 

For example, my computer’s password used to be:
Keep the kids out! = K33p th3 k1ds 0ut!

Through some simple additions to your .htaccess file (in your hosting account) you can deny access to your site – make it invisible, in effect – to known, blacklisted bots and user agents, and you can ban hosts and users with invalid login attempts by IP address.

This is the online equivalent to bars on your windows and steel security doors on your house, except they don’t make your website look like you live in a cage.

WordPress security


No matter how locked up tight your website is, there will always be intruders trying to get in. You can have 7 deadbolts on your doors, but that won’t stop someone from busting out your windows, now will it? Just like at your house, if they want in, they’ll find a way in. So you’ve got to post some guards.

Guards in this context are activities like regular file scans that report changes that were made, malware scans that detect malicious code lurking around just waiting to be executed by some trigger you don’t even know about, and scans that report multiple, unsuccessful attempts to get in. Because as we said, they may be unsuccessful now, but they’ll keep at it until they get in, so better to know about them so you can block them and stop them.

At this point, you may be sitting there thinking, “Oh come on, Suzanne. No one is going to try THAT hard to get into my little ol’ site.”

And my response to that is, “I bet they are right this very minute. You just don’t know about them because you don’t know where to look.”  I show my clients the attempts I find and they are stunned.

As you can see, this business of keeping a site secure is a somewhat iterative process, too.  You can hide things, and protect things, but then something else comes onto your radar and you have to go back to the protect stage and add that, and so on.  Maintenance and security is definitely not a one-and-done thing!

WordPress security


Now that we’ve done all this obscuring, protecting and detecting, you’d think we’d be safe, right?


As I’ve said, no website is 100% secure unless you take it down. We can do all this obscuring, protecting and detecting, but all we’re doing is minimizing, NOT eliminating risk.

You know what I’m going to say next, right?  BACKUP YOUR SITE!! Frequently!

The minimum backup schedule I recommend is a FULL site backup once a month and a database backup every week in between. You also want to make a full backup before you do any major changes to your site…you know…just in case you get a little click happy and blow up your site by accident.  Hey – it happens! It even happens to me, on occasion!

And what good is a backup if you don’t know how to use it to get your site back on the air? Just like a fire drill, it’s an extremely useful exercise to make sure you know how to use that backup to get your site back up when it’s NOT an emergency situation.

wordpress security action steps

Action Steps

The steps I’ve outlined here are the BARE MINIMUM required to keep your site healthy and secure. Everything else I’ve discussed – plus a whole lot more I didn’t even bring up – are part of a comprehensive maintenance plan for your site.

I totally understand if you’re feeling a little overwhelmed right now – that’s a normal reaction to learning about all the threats that exist in life out here on the interwebs. And no one – least of all me – expects you to know how or want to learn how to handle all of these things yourself.

That is exactly why WebsitesInWP offers a Custom Maintenance Plan that you can configure to your needs and we implement and maintain for you. So you can rest assured your home on the web is safe and sound while you do what it is you do best.

Our custom maintenance plans start at just $25/month. In addition to the obscuring, protecting, detecting and recovery activities we’ve discussed today, we also offer access to a full suite of always-up-to-date WordPress training videos, with additional videos on how to use Gravity Forms, WordPress SEO by Yoast, and how to set up and interpret Google Analytics.

We install these videos right there in a new menu item in your Dashboard, but don’t worry – they don’t take up any space on your hosting account, as they’re hosted on AmazonS3. They will help you do more with your site without bogging your site down or causing hosting account space or bandwidth issues.

And for those of you who have small to moderate needs for tweaks or other development or consulting assistance on an on-going basis, we also offer discounted development and consulting time as an add-on to your plan.

Here’s the bottom line: Your WordPress site requires maintenance to become and remain secure.

Use the information provided here to handle it yourself, or let us handle it for you. But handle it.