How to Protect your WordPress Website

From Malicious Theme’s, Plugins & Hackers

Unfortunately, the Internet is crawling with people who want to do damage to websites and computers with malicious software and viruses, just for kicks. WordPress is no exception… Hackers have laced plugins and themes with malicious software and they have also learned how to hack unsafe WordPress websites. I’ve been working in and with WordPress websites and blogs for quite a while now, and I learn a new tip to protect the sites each time. In this article I’ll share just a few of the things I’ve learnt from friends, guides and tips around the Internet.

Delete the Default ‘Admin’ Profile

WordPress Menu - Users > Authors & UsersThe first thing you must do when setting up a new WordPress site is setup a new admin profile inside your WordPress admin dashboard. Create a new username and password unrelated to you and your website. Too often, I see people using parts of their website name in the username and password. Say in my case I used ‘creative’ for the username and ‘addict’ for the password… Many servers and programs will set this up automatically as well. This is very obvious and one of the first things a hacker will try, after the default admin username ‘admin’. Making a safe password is not enough.

After you have created a new administration profile, log into it and delete the default admin profile.

Configure the ‘Authentication Unique Keys’ in ‘wp-config.php’

The second thing I suggest you do to protect your WordPress blog, is update the ‘Authentication Unique Keys’ inside your wp-config.php file. I didn’t even know it was there until someone showed me. Download your wp-config.php file, which is in the root folder where your WordPress is located and open it in an HTML editor, or even WordPad. Look for this bit of info as displayed below:


Follow the instructions in orange: paste the given link into your browser. This will generate four lines of code. You would then replace the above lines in red and blue with your new generated code.

Scanning Your Plugins and Themes

Installing themes and plugins is always risky. Make sure you either trust the source, or check every single plugin and theme you install. Some themes can harm your website without even being activated so check it immediately after uploading it. I check my themes using a plugin called “TAC (Theme Authenticity Checker)“. Click here to visit the plugins’ website for instructions and info, or simply search, download and activate it in your plugins manager. You can then run checks on all your installed themes. I cannot stress enough how important this is… My fiance installed a malicious theme and it almost got his website banned by Google as it was pinging websites constantly. I am sure there are far worse things out there.

Then there is a second plugin I use to scan my entire blog for anything suspicious. It is called ‘WordPress Exploit Scanner‘. Click here to visit the plugins’ website for more info.

* Disclaimer: Never put all your faith into any plugins that ensure to protect your blog. Hackers may still find ways around these protective measures and you may not pick up all malicious activity. These are additional tips but you can do research on themes and plugins before installing them. Please report any dodgy themes and plugins to WordPress themselves.

Ensure your WordPress Version & Plugins are Always Up-to-Date

This is probably the most important tip… Always make sure you update your WordPress website to the latest version. When you log in, a notification at the top of your blog will appear if there’s a new version. Luckily, WordPress can update it automatically (without you downloading and reinstalling), however it is always recommended to backup your files and database. Same goes for your plugins – make sure they are always updated. Often, the updates will include patches to any exploits.

Backup Your WordPress Website and Database

No matter what you do to protect your WordPress website, there’s always a small chance it may still get hacked and you loose everything… Be prepared! After initial set up of your blog and plugins, download your entire website and keep a copy on your local computer. You must also backup your database regularly, as this contains important files, such as your posts. I use a plugin called ‘WP-DBManager‘. Click here for more info on this plugin. I set it up to backup my database weekly. It emails a small file to you, so you don’t need to keep remembering to do this nor do you need any knowledge of how to download this manually. Very handy!

Other Tips

There are probably a hundred more things you can do to your WordPress website to protect it. I’ve only mentioned a handfull. Below are some external links to some additional tips:

If you have any additional tips you’d like to share, please leave a comment or contact me. I will try keep adding to this post as I find useful tips.

  • Mary Flaherty

    Thanks for sharing this very helpful info. Do you have a host you recommend for WordPress sites?

  • Lisa

    Hi Mary, thank you and no problem! I use a local service provider but they’re really excellent. Not only is their cPanel always up-to-date, you can install multiple databases (most only give one).

  • Keith Davis

    Hi Lisa
    Wordpress security is a big headache.
    When I first started with WordPress, I had to stop writing posts and spend a few weeks looking at security.
    I didn’t even appreciate the basics such as the “admin” username.
    Good that you are taking the time to warn people about the problem.

  • Doug

    I found one of your comments from 2012 at

    You mentioned three plugin for securing WordPress:

    WordPress Firewall
    Block Bad Queries

    Any updates to that recommendation?

Previous post:

Next post: