WordPress Security: How to Protect Your Site from Hackers

WordPress Tutorial #9

Block 4 is WordPress security

In Tutorial #5 you learned how to protect your WordPress website from spammers. In this article, we’ll talk about how to protect WordPress from hackers — they’re the real bad guys.

WordPress is the most popular platform for website building. Unfortunately, its popularity also makes it a target. That’s why you need hacker protection.

Hackers look for back doors into WordPress sites. Once inside, they can pretty much do anything they want.

Sometimes they add malicious code that will take your readers to places they don’t want to go, or install code onto readers’ computers. Sometimes they change what’s on your site. Sometimes they demolish the site completely. And everything in between.

Just as you can’t protect your home from every possible form of danger, you can’t protect your website 100% either. But that doesn’t mean you have to leave the doors and windows open and invite the bad guys in...

Hacker Protection Strategy #1: A Good Defense

Securing your site begins when you’re first setting up WordPress.

These strategies will help secure your site against “opportunity” hackers. Just like “opportunity” thieves, they’re the ones who will break in where they find an unlocked door, but they won’t take the trouble to pick the lock. Here’s the first line of defense in protecting WordPress against the hackers.

  • Choose a host with a good reputation for hosting WordPress sites. I recommend Siteground.
  • Don’t use “admin” as your WordPress username.
  • Choose a complex password that includes upper and lower case letters, numbers and special symbols. Don’t use the same password on all your sites. Really. Would you use the same key for your car, your front door, and your safety deposit box? Read more about creating strong passwords.
  • I know it’s a pain, but change your passwords regularly.

Strategy #2: Stop Them Before They Get Inside

Lots of hackers and spammers use bots to get into your website. (Think of a bot as a little internet-based robot.)

When you stop the bot, you stop the attempted hack. There’s a plugin I use which identifies bots and simply won’t load your site for them. It’s called All in One WP Security and Firewall.

You install it like any other plugin: search for it by name in the Add New Plugins area of your WordPress dashboard, and since you already know its name, it should be the first result listed.

It also protects your site from malicious URL requests. I won’t go into detail about what that means — if you’re curious, you can read more about it here.

Strategy #3: Live Monitoring

If you’re really serious about your site’s security, sign up with an organization like Website Defender or Sucuri to monitor your site.

They’ll scan your website on a regular basis and let you know if there’s a problem.

Both have free versions that let you scan for problems and fix them yourself. Or you can pay a fee and they will proactively monitor, alert you to problems, and even clean up problems for you.

Strategy #4: Have a Backup Plan

Despite our precautions and best intentions, sometimes sites get hacked anyway. Your best defense in this case is to have a complete, up-to-date backup.

Don’t assume your host will always have the backup you need.

There are two parts to backing up your WordPress site: the database and the files.

Database Backup

Install a database backup plugin. I like WP-DBManager. It’s free, and you can install it from your Add Plugins area.

Once it’s installed, set it up to back up your full database regularly. If you plan to update your website every day, set it to run a daily backup. If you plan to update less frequently, set it up for twice weekly or weekly backups.

File Backup

For this you’ll need to use FTP (file transfer protocol). You can access FTP through your web host, or you can get a separate program that runs directly from your computer. I use Filezilla, which is a free download.

I’ll be uploading a separate tutorial on using Filezilla soon.
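The same two-part backup (database plus files) done from the server's own shell, as an added example that is not code from the tutorial: it swaps in mysqldump and tar for the WP-DBManager plugin and FTP, reads the database credentials out of wp-config.php, and assumes a Linux host with mysqldump, tar and gzip installed.

```shell
#!/bin/sh
# Added example, not code from the tutorial: back up both parts of a WordPress
# site (database and files) from the server's shell. Assumes a Linux host with
# mysqldump, tar and gzip installed and a wp-config.php with the standard
# define('DB_*', '...') lines.

# Print the value of define('KEY', 'value') from wp-config.php (assumes the
# value contains no quote characters). Usage: wp_config_value FILE KEY
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Part 1, the database. Credentials reach mysqldump through a private
# temporary options file, never on the command line where "ps" would show them.
# Usage: backup_database SITE_DIR DEST_DIR STAMP
backup_database() {
    cfg="$1/wp-config.php"
    opts=$(mktemp) || return 1
    chmod 600 "$opts"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
        "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_PASSWORD)" \
        "$(wp_config_value "$cfg" DB_HOST)" > "$opts"
    mysqldump --defaults-extra-file="$opts" --single-transaction \
        "$(wp_config_value "$cfg" DB_NAME)" > "$2/db-$3.sql" && gzip -f "$2/db-$3.sql"
    rc=$?
    rm -f "$opts"
    return $rc
}

# Part 2, the files. wp-content holds themes, plugins and uploads, and
# wp-config.php holds the secrets; WordPress core itself can be re-downloaded.
# Usage: backup_files SITE_DIR DEST_DIR STAMP
backup_files() {
    tar -czf "$2/files-$3.tar.gz" -C "$1" wp-content wp-config.php
}

# Run both parts into a dated, owner-only readable backup directory.
# Usage: backup_site SITE_DIR DEST_DIR
backup_site() {
    [ -f "$1/wp-config.php" ] || { echo "no wp-config.php in $1" >&2; return 1; }
    stamp=$(date +%Y-%m-%d-%H%M)
    mkdir -p "$2" && chmod 700 "$2" || return 1
    backup_database "$1" "$2" "$stamp" && backup_files "$1" "$2" "$stamp" &&
        echo "backup written to $2 (db-$stamp.sql.gz, files-$stamp.tar.gz)"
}

# Invoked as: sh wp-backup.sh /var/www/mysite /var/backups/mysite
if [ "$#" -eq 2 ]; then backup_site "$1" "$2"; fi
```

Copy the archives off the host over an encrypted channel such as SFTP or scp rather than plain FTP, and keep at least one copy somewhere the web server itself cannot write to.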

Strategy #5: Keep it Up to Date

Periodically WordPress will release an update. So will your theme designer. Plugins will be updated from time to time as well.

Staying on top of these updates helps with your WordPress site security. That’s because a lot of updates fix security holes. If you’re running an older version, it’s like an open invitation to hackers.

Fortunately, you’ll see notices when you log into WordPress.

When an update is available you’ll see a little refresh symbol at the top of your Dashboard window. It looks like this.

[Screenshot: update needed]

When you click on it, you’ll go to a page that shows you exactly what needs updating.

[Screenshot: update WordPress]

You’ll also see circles with numbers inside them next to certain menu items. The number represents the number of items you need to update. Once your updates are complete, they disappear.

If staying on top of updates seems like a lot of work, let me do it for you.
