This article was originally published on Oct. 15, 2018, and updated on April 8, 2021.
An above-average blog security setup for WordPress can be handled with a couple of plugins — it’s good enough to stop most of hacking attempts, but it’s not an iron-clad approach. Someone who’s really determined might still find their way in.
Better blog security involves taking several steps using things like plugins, complex passwords and a few best practices.
I’ve been called in to clean up a couple blogs, but we were able to undo the damage that had been done — mostly spam links that had been injected into several blog posts for a black-hat SEO attack — but they wouldn’t have happened if the owner had practiced strong blog security to begin with. We could clean out the links by hand, which would have taken hours. Instead, we had to restore the blog from a backup.
Related: WordPress Security Resources
5 ways to improve WordPress blog security
Here are a few ways you can improve blog security on your WordPress site.
Delete your admin account.
Update your plugins.
Use complex passwords.
Use Sucuri Security or other blog security plugins.
Eliminate comment spam.
Let’s dig into each security tactic.
Editor’s note: For a comprehensive website security package — including daily malware scanning — check out GoDaddy Website Security, powered by Sucuri.
1. Delete your admin account
Create a new admin account with your name. As the owner of the blog, you’re presumably going to be the author anyway, so you should use your name, and not something generic anyway.
The most common name hackers will attempt to break into is “admin,” and if you don’t have a login with that name, they’ll never be able to get in. It would be like trying to pick the lock on your front door when there’s no door.
Also, make sure that any other contributors or authors to your blog only have a contributor/author level account, in case someone manages to break into their account instead. This way, the attacker will only have limited permissions to do anything on your website.
Plus you can keep track of what accounts hackers are trying to break into if you use the Limit Login Attempts plugin for blog security (see below).
You can set that to block any login attempts from a particular IP address if there have been a number of unsuccessful consecutive attempts. I set mine to block those IP addresses for 168 hours (1 week) if there are four failed attempts. When that happens, I get an email that tells me which account the attacker is trying to break in — nine times out of 10, it’s still “admin,” which means they’ll never get in.
2. Update your plugins
Outdated plugins can sometimes be exploited by hackers, especially if said plugins have security holes in them. One reason plugin developers make their updates is to plug those holes, but if you’re still using a plugin that hasn’t been updated in two years, you’re at risk.
This is especially true of plugins that have been abandoned by their developer. Hackers have been known to buy the plugin from the developer and then use that as a way to break into the blogs that are still using it.
To get a jump on blog security, check at least once a week and update any old plugins immediately.
While we’re on the subject, limit the number of plugins you have. More plugins not only slows down your blog, it gives you more points of vulnerability. Reduce the number of plugins and improve your blog security. And don’t just disable your unused plugins, delete them as well. If nothing else, that can help improve your blog’s speed.
3. Use complex passwords
I’ve talked before about the importance of using complex passwords. If you’re using a simple password like carrot or even carrot37, you’re going to get hacked sooner rather than later.
But if you can use a complex password like HeddyLamarLovesFastPitchSoftball or even better, three or four unrelated words like manpower-lite-feather-pacific, they’re going to be more a lot harder to break into than carrot37.
You can also use passwords that use different upper and lower case letters, numbers, and special characters like *8)R83CRD[$3cuZGq, but those aren’t actually necessary anymore. The guy who created them, Bill Burr, has apologized for ever creating them in the first place. He said when he created the policy back in 2003, he didn’t know much about passwords.
And as it turns out, a string of random characters is much more likely to be broken than four random words joined together by hyphens, which means the four-word password is likely your better option. (You can read a great xkcd comic on the subject.)
To generate and remember your passwords, I recommend using a password vault like 1Password; LastPass and KeePass are also good alternatives. There’s not much difference between them, and it just comes down to a matter of personal preference. They work on your laptop, tablet, mobile phone, and have browser plugins. With a password vault, you only have to enter the master password, or use your thumb print, and the vault will fill in your blog password and login name for you.
4. Use Sucuri Security or other blog security plugins
Earlier, I mentioned Limit Login Attempts as a blog security plugin. However, knowing someone is attacking your site is not the same thing as stopping them. So if you use LLA, I also recommend you get WP-Ban, which will let you ban specific IP addresses from trying to access your blog.
Whenever I get an email from Limit Login Attempts (see item #1 above), I open the WP-Ban window and ban the offending IP address. Just make sure you don’t accidentally ban yourself.
As far as the other blog security plugins go, there are several different ones to choose from:
Sucuri, WordFence and All In One have free options as well as paid upgrades, but iThemes is a paid plugin only. The free versions do quite a lot, but you can always make it stronger for a few dollars — it’s up to you.
In the end, they all do the same thing: provide blog security. But there are different features and capabilities they have, so you can choose which options you need most:
- Sucuri — Offers SSL certificates (gives you an https web address, instead of http), has blocklist monitoring, file integrated monitoring, security notifications, and security hardening. You also receive instant notifications when something is wrong with your blog.
- Jetpack — Provides real-time backups and restorations, scans for malware, and offers spam protection. Jetpack also offers brute force protection and downtime/uptime monitoring.
- WordFence — It’s simple to use, but has powerful protection tools, including login security, enforcing complex passwords, and security incident recovery tools, as well as a malware scanner that looks at files, themes, and plugins for malicious code (see item #2 above). It also limits login attempts and has a ban feature similar to the combination I just described.
- iThemes — Primarily a paid plugin, but they offer quite a bit of functionality for blog security: two-factor authentication (that’s when you receive a second login code via text), daily malware scanning, password security, online file comparison (to monitor file changes), and Google reCAPTCHA, which helps discourage spam comments.
- All In One — Offers protection for user accounts, blocks forceful login attempts, and enhances user registration security, plus it has database and file security. Best of all, if you’re a beginner, it uses a visual display with graphs and meters so you can more easily understand how well it’s working.
5. Eliminate comment spam
While not necessarily a blog security issue, there are still spammers who like to dump a couple dozen links into a single spam comment. Never mind that Google no longer pays attention to comments for SEO purposes; the spammers don’t seem to have gotten the message. Here are a few ways you can eliminate comment spam:
Turn on Akismet
Akismet is a spam fighter that comes with WordPress (if it doesn’t, download it with the Add New Plugins command). You can get a free account, although I do recommend sending them a few bucks a month. They catch hundreds and thousands of comment spam for me every month on the variety of blogs I manage, so it’s worth it.
Shut off comments for old blog posts
I usually close all my blog posts to comments after two weeks, but you could stretch the time the comments are open if you want more discussion. But if a spammer knows that a certain URL will work, they’ll use automated software to come back and drop several comments. If that happens, close that post’s comments immediately.
Add CAPTCHA verification
If you’ve ever seen that “Click here to prove you’re not a robot” box or asked to type in some letters and numbers you can barely read, you’ve seen a CAPTCHA. They’re written so automated spam comment software can’t see them, which means the spammers who are using software can’t bother you. You can do this with a plugin or a security plugin like iThemes.
Approve all comments
This can be a bit tedious, but if you select this option in your Discussions screen (go to Settings > Discussion in the sidebar), you’ll receive an email every time you get a comment. Then you get to choose whether to publish, trash, or mark-as-spam each comment. WordPress will eventually learn what you consider spam and what you don’t, and will automatically handle a lot of your spam comments for you.
Use the keyword blocklist function
In the Discussion screen, you can make a list of keywords to never allow in your comments. If you keep getting certain kinds of comment spam, find the keywords they use consistently, and drop them here. Their comments won’t even make it to your moderation queue, so you’ll never have to deal with them.
What if I don’t use WordPress?
There are more than 80 different blog platforms available, but WordPress is still No. 1 in the world, which makes it the most enticing for hackers. As a result, WordPress has created stronger blog security than the other platforms. If you have a Blogger, Tumblr or Medium blog, you can make sure you use complex passwords, but you won’t be able to use plugins or any of these other blog security measures.
Your blog and website are very important to your business, and if you’ve invested a few years into it, you could lose a lot of great work, which could be devastating. You need to take every step to practice strong blog security.
Have a strong password, delete your admin account, and keep your plugins up-to-date and limited. Finally, make sure you have a solid security system like Sucuri. If you can do all of this, your blog security will be tough enough to make it nearly impossible for hackers to break in.
Of course, nothing is impossible to break into, so make sure you have a good backup system in place just in case something goes wrong. There are plugins for that, too!