Image of a shield with a lock over dataNothing online or offline is ever 100% secure, but there are many things you can do to help make WordPress more secure. Every day websites across the world are hacked or compromised with malware. Many of these are caused by website owners who don’t take basic precautions.

Follow the steps below, and you’ll have a much better chance of avoiding having your site compromised.

Two of these recommendations, a proper backup and installing a security plugin, are a bit more detailed in their execution. To help, I have provided video instructions.

 1. Backup Your Site

The first step in making WordPress more secure, or any other website secure is to have a quality backup. Many times restoring a backup will return your site to a state before it was hacked. This then gives you time to analyze what may have allowed the site to be hacked and stop the vulnerability. For some infections this only requires a database restoration, but if the underlying files were actually compromised, it might require a complete restoration.
Having great site backups is important for reasons other than hacking. If you accidentally delete something, restoring a backup can make the site whole again. And, at times when an upgrade doesn’t work properly the ability to restore a backup allows you to get your working site back up and running while researching the issues caused by the updates.

Introduction and How to Configure the Updraft Plus Backup Plugin

Notes on Installing the Backup Plugin

  1. Install the plugin, Updraft Plus. Select Plugins > Add New. Search for Updraft Plus. Install it and Activate.
  2. From the Updraft Plus Dashboard (you can get here from Plugins > Updraft Plus Settings) or from the WordPress Dashboard > Settings > Updraft Plus.
  3. Select the Settings Tab.Screen grab of the Updraft Plus WordPress Backup plugin dashboard
  4. Scroll down and select the dropdown button by Copy to Remote Storage.
  5. Select Dropbox. Follow the instructions to connect Dropbox to Updraft Plus.
  6. Once you return to the Updraft Plus settings screen, scroll down and Save your changes.
  7. Return to the area under Remote Storage and Validate your connection to Dropbox.
  8. Once this is complete, you are  ready for your first backup.
  9. Return to the main Updraft Plus Dashboard and click the Backup Now button.
  10. Once the Backup shows completed, return to the Settings tab.
  11. Automate your backups to fit your site update frequency, then scroll down and Save the settings. You should now have automated backups.
In the sidebar, signup for our Health Checklist to help make sure you keep your backups working and your website healthy.

2. Install a Security Plugin

A security plugin can help monitor and stop potential hacks. It can also alert you to hacking attempts on the site which helps you block potential threats. In this post, we’ll configure the basic settings for the iThemes Security plugin to help you get started monitoring and protecting your site.

Install and Configure the Security Plugin

 Notes on Installing and Configuring the Security Plugin

  1. Install the plugin, iThemes Security. From the WordPress Dashboard, select Plugins > Add New. Search for iThemes Security. Click on Install and once installed Activate the plugin.
  2. Click on the iThemes settings to launch the Dashboard and complete the First Steps.
  3. Click on the button to Make a Backup. This backs up the Database.
  4. Click on the button to Allow File Updates which allows iThemes security to edit the files wp-config.php and .htaccess.Configuration Dashboard for iThemes Security Plugin's first steps
  5. Click on the One Click Secure button to automatically set the basic security options for your plugin.
  6. Optionally, select the Yes, I’d Like to Help Button. This sends information to the plugin developers on how the plugin is used in order to improve functionality. No personal data of yours is collected.
Basic Settings – these are demonstrated in the video
Once done, go through the Basic Settings from our training. Note that a more in-depth webinar will cover other options. These settings get you the basic coverage needed.
  1. Temporarily Whitelist your IP address by clicking the Temporary Whitelist IP button.
  2. From the Dashboard, click on the Settings tab.
  3. Under Global Settings, select Add my current IP to the whitelist. This will help you keep from locking yourself out of the site.
  4. Under 404 Detection, select Enable 404 Detection. Leave the rest of the default settings. This will lock people out of the site if they are finding too many 404 errors. Hacking software frequently tries multiple possible page names to see if it can find something to access.
  5. Leave Away Mode alone.
  6. Under Banned Users, select Enable blacklist and Enable Ban Users. This allows you to ban know hackers as well as those you catch trying to access the site.
  7. Leave the defaults for Brute Force Protection
  8. Under Database, alternately select to have a database backup made. This can be a “backup to your backup” since you’ve already set a database backup in Updraft Plus.
  9. For now, leave File Change Detection
  10. If you can remember the URL change, Enable the Hide Backend feature and set the URL to something other than wplogin. Make sure you remember this, so that you can still access your site. Instead of or wplogin, you will now access your login screen at
  11. For now, ignore Malware Scanning and SSL.
  12. Keep Secure Passwords for Administrators
  13. Under System Tweaks, select:
  14. Protect System Files
  15. Disable Directory Browsing
  16. Disable PHP in Uploads
  17. Leave all WordPress Tweaks as the default for now.
Save all of your changes and you are on the way to a more secure site. More details and settings will be covered in a future webinar. To make sure you are on the list for webinar alerts and to receive a Health Checklist, sign up in the sidebar.

3. Keep Your Site Up-to-Date

This actually could be switched with either step 1 or 2, but since you should have a good backup before updating, I decided to leave it here.
WordPress core updates, plugin and theme updates are often created in order to patch security issues. Recently, WordPress 4.2.1 was released specifically as a Security Update. There were also several vulnerabilities found for plugins that required updates, recently. See WordPress SEO Security Alert from March 12, 2015.
Keeping your software updated is one of the best things you can do to keep your site secure and is one of the areas where I see the biggest neglect of sites. People frequently spend money and time to get a site built and then forget about it. It’s sort of like forgetting to put gas in your car. If you don’t maintain and keep your site up to date, you are risking it stopping for a variety of reasons including being compromised by malware or a hacker.

4. Respect Passwords and Login Information

Compromised passwords and login information frequently lead to site hacking. It is important to treat this information as delicate and keep it secure. Also, think beyond just your WordPress login. FTP and control panels can also be compromised. Don’t make all of your passwords the same and consider investing in a password manager like LastPass to help encrypt the information.

Force Strong Passwords

Force the use of strong passwords particularly for Administrators. It isn’t necessarily a single person trying to login time and time again manually. Hackers can run a full dictionary of words across your site in a matter of minutes. Configuring your security plugin as shown in Step 2 can help stop this as can picking passwords that are not likely to be found in hacker dictionaries.

Create Separate Accounts for Users

If you have someone who will be helping you with your website, give them their own username and password. When the work is complete, delete this.

Change Your Passwords Often

Don’t keep the same password for more than three months. Change your hosting control panel and FTP passwords, too. Your WordPress website is not the only part of your website that can be hacked. In fact, unauthorized FTP or cPanel access can have even more disastrous effects that a compromised WordPress site.

5. Delete Unused Plugins and Themes

Plugins and themes are only as secure on the code used to write them. Why worry about possible security vulnerabilities in items you aren’t using. Delete them. Note that if you want to keep one default WordPress theme in case you need to activate it for troubleshooting, keep the latest one and make sure you keep it updated with the rest of your site. Even if you aren’t actively using it, a vulnerability in the code could compromise your site.

6. Delete the Admin User

Fortunately, many of the One Click Installers have removed this issue. The original default administrator user for WordPress was named admin. If left as the default, you just provided a hacker one half of what is needed to login – the username. At one point, almost everyone I saw who used a One Click Install had this user as an administrator and many were actually using that account to blog.
If you do have an administrative user named admin, safely remove it by following these instructions.
As always, backup your database first.

 To Delete the Admin User When You are Using the Admin Account

  1. Login to the account as admin.
  2. From the Dashboard menu, select Users > Add New.
  3. Enter the desired username of your new user.
  4. Enter the email address. (Note that you will need a different email address than you have listed in the admin account.)
  5. Enter the name and password.
  6. Set the Role to Administrator. This is very important.
  7. Click the Add New User button to Save the user.
  8. Logout of WordPress, then log back in using the new user account information.
  9. From the menu, select Users > All users. This opens a list of all users for your WordPress installation.
  10. Hover your mouse over the username admin, then select Delete.
  11. delete_wordpress-userThis opens the Delete User screen.
  12. If you have posted using the admin account, you can select to have all posts attributed to the new account name, or you can delete all of the posts, which is not recommended.
  13. Click on the Confirm Deletion button to delete the account.

Delete the Admin User When Not in Use

If your account has an admin user, but it is not being used, login to the account with your username and follow the instructions above for deleting the Admin user (Steps 9-13). There is no need to create a new account in this situation.

7. Implement Sucuri

For maximum security, consider implementing the Sucuri Website Firewall plus security monitoring service. For $199.00 per year ($299.00 for SSL support and PCI compliance), your site is protected and monitored and, while doubtful, should any compromise occur the site is cleaned.

Sucuri Security

 Bonus – Sign up for the Health Checklist (in the sidebar) for tips of checking your website health each month. This can help you keep your site secure and functioning at its best. It will also place you on the mailing list for alerts on the upcoming security webinar series.

Have questions? Please leave them in the comments.

More Security Tips will be provided in an upcoming webinar series. Sign up for the Health Checklist to be on the alert list for the webinars.