How To Secure Your WordPress Blog

Websites get hacked more often nowadays. You only have to read the news to know who the high-profile hackers are: groups like Anonymous and Lulz have dominated the headlines recently by hacking high-profile targets such as government websites, the CIA's among them. Then there are the low-profile hackers who hack ordinary websites. If you have owned WordPress sites for a while, chances are you have experienced being hacked; if not, you are one of the lucky ones. The only fool-proof way to avoid being hacked is to disconnect your computer or server from the network, but there are other ways to make your website more secure than it is now.

Here are 11 ways that you can use to secure your WordPress blog.

1 – Encrypt your login

Your password is sent unencrypted whenever you log in. If you are on a public network, a hacker can easily 'sniff' out your login credentials with a network sniffer, so it is always good to have your password encrypted as you log in. A plugin that does this is the Chap Secure Login plugin, which adds a random hash to your password and authenticates your login with the CHAP protocol.

2 – Use a strong password

Even if your password is encrypted as you log in, using a common or easy-to-guess password leaves you no better off. Use a strong password that is difficult for others to guess: one that combines digits, special characters and upper and lower case letters. You can also use the password strength checker in WordPress 2.5 and above to check the strength of your password.

3 – Change your login name

The default username, admin, is widely known to hackers, so it is essential to change the login name. In your WordPress dashboard, go to Users and set up a new user account. Give this new user the administrator role. Log out and log in again with the new user account.

Go to Users again. This time, check the box beside the admin user and press Delete. When it asks for deletion confirmation, select "Attribute all posts and links to:" and choose your new username from the drop-down. This transfers all the posts to your new user account. Press Confirm Deletion.

4 – Define user privilege

If your blog has more than one author, be sure to define the capabilities or role of each user group. This gives you control over what users can and cannot do in the blog. It is bad practice to assign all of them the administrator role, as this gives them a lot of power and control over your website.

5 – Upgrade to the latest version of WordPress and plugins

The WordPress team is continually improving the security of WordPress itself, as they too fall victim to hackers. The latest version of WordPress always contains bug fixes for known security vulnerabilities.

6 – Backup your WordPress database

This is perhaps the most important pointer of all. When hackers take your site down, at least you have the security of restoring its last known working version. Ask your web hosting provider whether they back up your site. Otherwise there are plugins that can do the backup for you.

7 – Remove WordPress version info

The more information you give hackers, the better they can prepare an attack. Some WordPress sites/themes include the WordPress version in a meta tag. Hackers can easily read this and plan a specific attack targeting the security vulnerabilities of that version. To remove the WordPress version info, log in to your WordPress dashboard. Go to Design->Theme Editor. On the right, click on the Header file. On the left, in the code, look for a line that looks like:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

Delete it and press Update File. In WP 2.6 and above, WordPress automatically includes the version in the wp_head output. To fix this, you can simply install the WP-Security Scan plugin.
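A check for whether the version still leaks after the change above, as an added example (not the post's own material or the plugin's code): it parses a page's HTML for the generator meta tag and, going one step beyond the post, for the ?ver= query string WordPress appends to enqueued scripts and styles, which exposes the same number. The two sample pages are constructed.

```python
"""Detect WordPress version leaks in rendered HTML (added example, not from the post)."""
import re
from html.parser import HTMLParser


class VersionLeakParser(HTMLParser):
    """Collects the generator meta tag and any ?ver= asset URLs from a document."""

    def __init__(self):
        super().__init__()
        self.generator = None      # content attribute of <meta name="generator">
        self.asset_versions = {}   # asset URL -> value of its ver query parameter

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content") or ""
        if tag in ("script", "link"):
            url = a.get("src") or a.get("href") or ""
            m = re.search(r"[?&]ver=([^&#]+)", url)
            if m:
                self.asset_versions[url] = m.group(1)


def find_version_leaks(html):
    """Return a dict of every place the page exposes a WordPress version.

    Keys: 'meta_generator' (the version string from the tag the post tells you to
    delete) and 'asset_ver' (URL -> ver value; WordPress uses its own version for
    scripts and styles enqueued without an explicit one, so compare these values
    against the meta tag or your known release). Empty dict means no leak found.
    """
    p = VersionLeakParser()
    p.feed(html)
    leaks = {}
    if p.generator and "wordpress" in p.generator.lower():
        m = re.search(r"WordPress\s+([\d.]+)", p.generator)
        leaks["meta_generator"] = m.group(1) if m else p.generator
    if p.asset_versions:
        leaks["asset_ver"] = dict(p.asset_versions)
    return leaks


# Constructed sample pages (not captured from a real site).
LEAKY_PAGE = """<html><head>
<meta name="generator" content="WordPress 2.8.4" />
<link rel="stylesheet" href="/wp-content/themes/x/style.css?ver=2.8.4" />
<script src="/wp-includes/js/jquery.js?ver=1.3.2"></script>
</head><body></body></html>"""

CLEAN_PAGE = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/x/style.css" />
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_version_leaks(page))
```

Instead of the plugin, the tag can also be suppressed from the theme's functions.php with remove_action('wp_head', 'wp_generator');, after which this check should return an empty dict for the meta tag.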

8 – Protect your wp-admin folder

Your wp-admin folder contains all the important website information and it is the last place you want to give others access to. Use AskApache Password Protect to password-protect the directory and give access rights only to authorized personnel.

9 – Hide your plugins folder

If you browse to your plugins folder, you can see a list of the plugins you are using on your blog. Be sure to hide this page by uploading an empty index.html to the plugins directory. Open your text editor and save a blank document as index.html. Using an FTP program, upload index.html to the wp-content/plugins folder.

10 – Perform a regular security scan

Install the WP-Security Scan plugin and perform a regular scan of your blog settings for security loopholes. This plugin can also help you change your database prefix from wp_ to a custom prefix.

11 – Stop brute force attack

Hackers can crack your login password and credentials using a brute force attack. To prevent that, you can install the Login LockDown plugin. This plugin records the IP address and timestamp of every failed WordPress login attempt. Once a certain number of failed attempts are detected, it disables the login function for all requests from that IP range.
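The lockout logic described above, as an added example in Python rather than the plugin's own code: failures are keyed by IP range (assumed to be a /24 here, since the post only says "that range"), counted inside a sliding window, and the lockout expires after a fixed period. The threshold, window and lockout length are assumed values, and the login events are constructed.

```python
"""Failed-login lockout of the kind Login LockDown applies (added example, not the plugin)."""
from collections import defaultdict, deque
import ipaddress


class LoginLockdown:
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=3600):
        self.max_failures = max_failures      # assumed threshold
        self.window = window_seconds          # failures older than this are forgotten
        self.lockout = lockout_seconds        # how long a range stays blocked
        self.failures = defaultdict(deque)    # range -> timestamps of failed attempts
        self.locked_until = {}                # range -> time the lockout expires

    @staticmethod
    def range_of(ip):
        # The post blocks "that range"; a /24 is an assumption of this example.
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def is_locked(self, ip, now):
        r = self.range_of(ip)
        until = self.locked_until.get(r)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[r]          # lockout has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login; return True if this failure triggers a lockout."""
        r = self.range_of(ip)
        q = self.failures[r]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                       # drop attempts outside the window
        if len(q) >= self.max_failures:
            self.locked_until[r] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(self.range_of(ip), None)


def replay(events, **kw):
    """Run (time, ip, password_ok) events through the lockdown; return one decision each."""
    ld = LoginLockdown(**kw)
    decisions = []
    for t, ip, ok in events:
        if ld.is_locked(ip, t):
            decisions.append("blocked")       # refused even with a correct password
            continue
        if ok:
            ld.record_success(ip)
            decisions.append("allowed")
        else:
            decisions.append("locked" if ld.record_failure(ip, t) else "failed")
    return decisions


# Constructed events: (unix time, client IP, password correct?)
SAMPLE_EVENTS = [
    (0, "203.0.113.10", False),
    (10, "203.0.113.10", False),
    (20, "203.0.113.11", False),      # same /24, counts toward the range
    (30, "203.0.113.10", False),
    (40, "203.0.113.10", False),      # fifth failure -> lockout
    (50, "203.0.113.10", True),       # correct password, but the range is locked
    (60, "198.51.100.5", True),       # another network is unaffected
    (3700, "203.0.113.10", True),     # lockout expired, login allowed again
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", decision)
```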

This article has been prepared by, which is a WordPress website tutorial for all levels. We provide step-by-step tutorials on how you can create and maintain your own website for FREE!

127 thoughts on “How To Secure Your WordPress Blog”

  1. Luu Tran says:

    Thanks for the info John!
    I’ll definitely check out this list and give them a try.

1. Yeah, this is great info for those who are especially ignorant of security issues that may harm our blog services nowadays.

      1. Chiprang says:

        I’ll give a try with my WP. Great info.


You started a new website and you want to build links for it, then tell us the TOP 5 link building services you will purchase or you will do.

    2. Kevin Kimes says:

      It’s a guest post.

      But, very useful anyways. However, the CHAP plugin seems marginal, it might not even be doing anything.

Another option to consider for anyone running a real business over the internet is a VPN. If you first connect through a secure VPN, everything you do during the VPN session is secured and encrypted.

      If your entire income is in your online business, then I’d also suggest a VPN service which provides security token double authentication. Basically, when logging in, you press a button on a key fob which gives you a string of numbers to enter into a secondary login. These systems are as close to hack-proof as you can get.

      1. Erwin Miradi says:

        Nice information Kevin. That’s new for me so I’ll check that out soon.

      2. Many good things to consider if you have a blog to protect you from hackers

3. Now that one is quite a useful guide from a person who is from a tech background.

Kevin … How much do you think a VPN will cost per month?

    3. Abhik says:

      It’s not John, buddy.

  2. Taylor says:

    Thanks, John.

    I was actually wondering how I could protect my site. I will be going through these steps later today. 🙂

  3. Bryan says:

    Great tips John! I use most of these already, but a few are new and are worth looking into.

    1. Abhik says:

There is always room to improve 🙂

2. It's a guest post, my friend …. Not by John.

Do not know when John is going to add a guest blogger photo option. That will be great for every guest blogger to get more recognition.

  4. Fauna Pryca says:

    Excellent. Thank you very much for your help, hints and tips.


  5. Dave Doolin says:

    Secure logins and password salts are the Next Big Thing in WP security. Thanks for mentioning those, John.

1. I do not understand one thing: when these security services know how to protect WordPress, then why doesn't WordPress itself add these kinds of services to its amendments …

  6. Erik says:

This is great information John, as I have just recently started my own WordPress blog. Keep that great blog advice coming. 🙂


  7. Health Blog says:

Thanks again John for your great post. It helps bloggers a lot.

  8. Gizmodigit says:

As always, John came out with one more piece of quality content. Some of the above tips/plugins were already known to us but some are really good! WP-Security Scan is the most excellent plugin I have ever used, as it always gives us the chance to scan logs. I also advise using WP CleanFix, which also helps to reduce your database too!

  9. Samir says:

    While the other security measures are fairly common, I’m really glad to know about the password encryption plugin. I hadn’t really thought about encryption of wordpress passwords.

    1. What do you think about point no 9?

1. Point No 9 is quite easy to implement and sounds very effective.

  10. edward says:

    I was hacked before and I lost my earning. It was a shame because the hacker is from London and I am from a third world country. Lol

1. What's so shameful about it … do you think that only royal people or the Queen's relatives live in London?

No my dear … culprits are everywhere …

  11. Blog SEO says:

    Nice one JC. Added a few of those to my site 🙂


1. It's a guest post, my friend …

The guest blogger has not provided their name but they have provided their website, which you can visit here –

  12. Steve says:

    I like the plugin Secure WordPress from which does many of the items you mention here and I also just started using CloudFlare as a free CDN/Security DNS provider, works great.

  13. Timo says:

    Very interesting post.
It is very important to encrypt your login details, everywhere. And I really mean everywhere. Many people make the mistake of using the same login details on every account they have, and once it leaks they are going to be in big trouble.

  14. Travis says:

    I would also suggest installing something like WordPress File Monitor Plus which e-mails you when files are added/deleted/changed. I would also lock down your wp-config file to CHMOD 400 since this is a very important file for WP and suggest loading Secure WordPress which is authored by the same company that does WP-Security Scan.

    I have also used ultimate security checker which will check some additional server settings for you.

1. You are adding many locks … Boy, this one will make your blog super duper safe.

  15. Damir says:

    Hi John,

    very useful article, definitely going in my “important bookmarks” folder. Thank you very much!

    1. Abhik says:

Me too, bookmarked it for a later read!!

1. For bookmarks, do you guys use Digg or a similar website, or simply bookmark in your browser …

I would recommend using Digg … this will provide some value to John as well.

  16. Logan Wenger says:

    I had no idea about Chap Secure Login. In the past, I have used SSL certificates, but that can get costly when only needing security for login protection. Definitely going to add these eight features to my websites and client sites as well. Thanks for another great post John!

  17. Christine says:

This is not a subject that is spoken about on blogs but I feel it is very important. Until I read this blog post I was unaware of how you could change a user name, so many thanks John. I will be looking at the plugins you suggested.


  18. John says:

    Hi John,

    Great article. You nailed them all — the only one I didn’t have covered is #9:

    So thanks for that, it’s always great to learn something new.

19. There is no other way to describe this technical article than saying it is awesome. Keep it coming John. You are an Internet enigma.

  20. John says:

    Hi John,

    Great article. You nailed them all — the only one I didn’t have covered is this one:

    #9. Hide your plugins folder.

    So thanks for that, it’s always great to learn something new.

  21. Ivin says:

    Hello John. This tutorial is especially valuable for those that have intellectual property and affiliate links deep within the archive. I heard hackers go in and change the link to theirs.

22. Thanks a ton for your advice… my site got hacked twice last month and I had to restore all the settings which I did initially. I later changed my theme and it seemed to be finished after that.

Is there any relation of WordPress themes to this?

23. Great tips, online security is one of those subjects that most people take into account when it is already too late… I would also suggest deleting the install script (wp-install.php, I think it is…) as soon as you are done installing your blog. Leaving it there is an open door to a lot of trouble in the future… Cheers!

  24. Emo says:

I was actually hacked not long back, but luckily I had backed up the site so it was easily fixed. Hopefully it won't happen again if I implement these steps.

25. My blog was hacked recently and luckily a team of freelancers I hired helped me out, and now I'm using CloudFlare to run my blog. Not sure if it's good for my site's security, but there have been quite a few reviews that said CloudFlare is a good security CDN, so I was wondering if this blog had any CDN running?

  26. Adam James says:

    Cheers for posting this John, great stuff.

WP Security Scan is great, and I'd recommend anyone who uses it to sign up to the WebsiteDefender website. It will periodically scan your website for vulnerabilities; it works in a similar way to WordPress File Monitor by letting you find which files have been deleted, changed etc., but also lists these in order of severity and checks for other vulnerabilities.

  27. rick says:

Thanks for the security tips John. Most bloggers probably think that hackers would not waste time with their small blogs, but you should still take precautions.

28. Thanks John for sharing this. We all know that WordPress is open source, which is why there are some people who really know about WordPress templates. All the things that you have listed can really help.

  29. zik says:

Thanks for the tips.. looks like I need to install several plugins as protection..

  30. Love these ideas, thanks John!! Will certainly implement these on my blog!

31. I have a problem: after I installed AskApache Password Protect, I set up the username and password and activated some of the features, and now I cannot access it anymore. How can I change it back?

    Thanks for the share! 🙂

  32. fas says:

    Excellent tips. Hoping for a follow up on each and how to do them step by step 🙂

  33. Treb says:

    Great tips and thanks for sharing a list… I will definitely try this and see where it would take me… Thanks for sharing….

  34. Raymond says:

    Come on John. You can do better. Tell me something I didn’t already do or know 😉

    1. But this is quite beneficial for those people who have started their blogs recently.

      For them these tips are life saving.

  35. Caleb says:

Never heard of no. 7 and no. 9 and wondering in particular how a blank index file in the plugins folder helps?

    1. Travis says:

Because there is no index file, when you navigate to the plugin folder you can see the directory structure, which tells a hacker what plugins you have installed. They can then exploit known vulnerabilities a lot more easily. Adding a blank index file means the server sends them a blank page instead of the directory listing.

1. Yes, this one is quite useful and I heard it for the 1st time, to be very honest.

        Thanks to you.

  36. Alan says:

    Great info. Thanks for putting this together and keep up the good work!

37. I tried deleting the account but it's saying that I can't delete the main account that I have on there. Is there another way of doing it?

  38. Jason B. says:

    These are such great tips, and it’s the sort of thing most people don’t think about until they get hacked. I’ve got to get moving on this list, starting with #1!

    1. Erwin Miradi says:

Yeah, I've been there. I had my site defaced a few years ago by some low-profile hackers only for the sake of some hacking competition. So I guess securing your website right now is a good decision.

2. Yes, we search for these tips and tricks once we get hacked ….

  39. Tom Durkin says:

    Good tips, luckily I’ve got most of these bases covered! 🙂

    1. So would you like to add any further tips with this list … ?

40. Some great tips here John, thanks a lot.

I think the brute force plugin should be included in basic WordPress anyway.. makes sense.

  41. Caleb says:

I came across something else concerning number 7: just as I was about to delete the WordPress version in my header file, I saw it says right beside it "leave it for stats". So if I delete this will I no longer get accurate stats? I also ran into the same issue as commenter Justice Wordlaw.

    Looks like there needs to be a REVAMPING to the instructions in this post 🙄

  42. Rachel says:

Thanks John! This is really important info. I've been hearing lately of people's sites getting hacked; thanks for giving detailed (but clear!) steps to take in order to prevent that from happening.

  43. Judy says:

Great info, just what I needed. I need to get back to my blog and get it up and running properly.
    Now all we need to know is how to keep those darn spammers away.

44. Thanks very much John Chow for these tips. Getting my blog hacked is one of the most scary prospects.

  45. Matt says:

John, this is a great post. In regards to point #2 about choosing a user role, a lot of people don't realize that you can choose a username like KMWe4GvKt9n9Ww7JzeKRFb28fVB, which will make it even harder for hackers to hack your site (as it will take that much longer to "crack"); if you can remember your password, it can be that much more easily hacked. Using a password management tool such as RoboForm or LastPass is crucial to online security (as is using different usernames and passwords for each site). I go over this and a lot more in my new WordPress Security Course, "WordPress Security Lockdown", which users can check out here:

  46. Thank you for this awesome information.

    Will do all of these and see..

  47. Nick says:

    Great post. Very helpful info. As I’m using WordPress now for my wenger backpack website. So this post helps me a lot. Thanks for sharing.

  48. Ruziha Osman says:

    Thank you for the heads up, John. Appreciate it very much!

  49. Bob says:

    Thanks a lot John for sharing this. I did not realize this before. Cool tips and it helps a lot.
    I will try this soon.

  50. Josue says:

    Thanks for all the valuable tips, very important. Most important part is to do it NOW, not tomorrow.

    1. PPC Ian says:

      Very true. Any action you can take today (even if it’s just one or two of the tips) is much better than waiting until later. Time to secure our blogs now!

  51. Atreya says:

    Hey John
Thanks for the great piece of info.. A few are already known.. BTW.. could you please tell me how useful the STEALTH plugin is..??

  52. afandi says:

Great post! Thanks a lot! I will add that to my blog!

53. We should always secure our blog with some security, else there will be the possibility of virus infection and some other issues.

  54. Shipping says:

It is quite interesting to know how to secure our WordPress blog. Thanks John

  55. says:

    great info John
    thank u

  56. Hostpany says:

What if a person like you gets hacked? You're like a top 5 blogger; are they able to really damage you even though you have your WordPress backup and all? Can they really do any damage besides wasting one or two days?

    I guess you would lose some income within that time frame.

    Anyway, thanks for the tips John.

57. My site was hacked due to a poor password set. Later I had to undergo a lot of problems in rebuilding the site again.
    It is always good to have a password which has special signs and is lengthy.

    1. PPC Ian says:

That is a very good point. The more security the better. Make your passwords VERY hard for humans to guess.

  58. Shanling says:

    Thank you for the info. It’s very helpful

  59. Erwin Miradi says:

Thanks a lot for sharing this. I agree that security is the most important thing, as you could lose everything overnight without it.

  60. John,

    I jumped when my password didn’t work for my blog, so I implemented most of your tips right away.
    Thanks for the heads up!

  61. Thank you! I’m going to implement these tips right away.

  62. Ken says:

    Great security tips. I have just updated login information for my blogs.



  63. PPC Ian says:

One of the best guest posts I've read here on John Chow dot Com. Thanks for the great WordPress security tips.

64. The worst thing about passwords is that they are so easy; here is a list of the 10 most common passwords. It is scary that people are using them.
    1. password
    2. 123456
    3. qwerty
    4. abc123
    5. letmein
    6. monkey
    7. myspace 1
    8. password 1
    9. blink182
    10. (your company)

  65. fazal mayar says:

Thanks for the info, I also had a blog post on this topic because more and more blogs get hacked.

  66. Brandon says:

Other things I've added to my own install: in .htaccess add the directive 'Options -Indexes' (drop the quotes) and that will keep any directory that doesn't have an index page from having its contents listed. I've also got my .htaccess permissions set to 444 (I've seen a lot of .htaccess files that have stuff injected into them; this should help prevent that). And call me paranoid, but I have a custom php.ini file set up and have it set as the default in my .htaccess. Inside the php.ini I have a very long disable_functions list; system, eval, exec, shell_exec are probably the most important.

  67. Ari Laksemi says:

    Nice tips, Thanks, I think this is very useful, will try on my blogs.

  68. James says:

Nice tips, John. Another way I know is that you can add "login user checker coding" to the theme's functions.php file. If anyone wants to check out how it works, you can go to my website and try to go to the login page. Finally, a message appears: "Sorry, you do not have the right to access this blog". I think it's very helpful.

    1. Abhik says:

      I can easily access your login page.. :p

      1. James says:

Are you serious? How?

2. He is saying he can access the login page but never said he can log in …. Lollzz

  69. Abhik says:

    Thanks for the tip..
It's really necessary to secure your WordPress installation to the extreme.

  70. muse74 says:

Thank you John for sharing this very useful info.

  71. wparena says:

This is a very informative piece of writing about WordPress security. Although the WordPress 3.0 release would be more secure, your valuable guide will help new bloggers to secure their WordPress sites.

  72. Alvaro says:

Reading this post reminds me of some hacking I suffered on one of my blogs, with no backup…. Very useful info.

    1. Nightmare … If that was your earning blog ….

    2. MykeTech says:

      Ah.. I don’t want this to happen to me!! Time to secure as much as I can. I think WP should come with more protection if blogs are being hacked..

  73. Mohit says:

    My friend’s blog got hacked recently. This article is certainly gonna save a lot of bloggers! Thanks for the info

1. So according to you, on which option has he not worked properly?

  74. craig says:

    thanks! for a young blog this is invaluable.

  75. Marcelo says:

Hi John, this post is exactly what I was looking for to protect my blogs. I am afraid of having problems with hackers. I will implement these tips as soon as possible. Thanks.

  76. BajuKurung says:

    great tips for a newbie like me…thanks for sharing…

77. Point No 9 is very little known to many webmasters; glad that you added it here ….

  78. MykeTech says:

    I’ve done everything including #9 thanks for the tip and great blog post!

  79. Eddie says:

    More articles like these please. I think a lot of people are into WordPress these days.

  80. Once again, I can’t thank you enough for the great info that you share with the blogging community. Due to your posts, I am always learning something new and beneficial.

    Much gratitude and respect!

    Erik von Werlhof

  81. Tony Payne says:

    Great advice, thanks. There are several things I hadn’t thought about here, and several plugins I hadn’t seen mentioned before that sound like they ought to be invaluable.

  82. Dress Making says:

WordPress is an easily accessible CMS; everyone loves to have it.

  83. Hezy says:

    Great advice! I’ve been looking for something like this for a while now. Thanks!

  84. mercuryjtb says:

Good day, John!

    This is absolutely informative!

  85. Stocksicity says:

    Surprised I haven’t come across the security scan plugin yet. Have so many more, about to get that installed now.

  86. This is the most detailed one about wp security I’ve seen. Thanks John and thanks the writer.

  87. Gift Ideas says:

    Yes, the most important tip to secure the blog is using always quality content.

  88. Mark says:

Just a note about Login Lockdown – it's OK. But Login Lock is better – way better. Check it out in the WordPress repository and compare it to Login Lockdown; the differences are gigantic.


  89. Xprezi says:

    Very Good Sharing John….I want to thank you so much

  90. Matt says:

    You could also add to the list, “use second factor authentication” instead of standard passwords.

There is a new website authentication method where you buy cheap access cards and then add the widget to your login page. You then place your card onto the screen to see the dynamic login numbers instead of a static password. It is unique in also being able to encode transaction digits for mutual authentication, which stops attackers' man-in-the-middle tactics, even one with access to your laptop or mobile.

  91. Gopal says:

Thanks a lot… I was unaware of all these…… came for the first time to this site…. I am happy that I did. 🙂

  92. Mochamad says:

Thank you John. This is a very useful post for me. I hope the hackers will give up and run away after reading this post and will not disturb the world again.

  93. Gift Ideas says:

I think no one can hack a W-blog.

  94. says:

    great info, worth implementing it

  95. Cheolsu says:

It's always good to keep the WordPress version up-to-date. I just installed the Login LockDown plugin after reading this post.
