5 really simple WordPress security tips

Need WordPress security tips? You’re in the right place, my friend. You’re probably aware of the recent issue with the WP GDPR Compliance plugin, which saw a few thousand WordPress sites hacked through a flaw in the plugin. That has made a few bloggers sit up and really think about the security of their websites.

I’ll hold my hands up. Securing your WordPress website isn’t glamorous – far from it. But it’s so important, especially if your blog is your business. You wouldn’t leave a shop door unlocked overnight, and you shouldn’t leave your website open either.

In this post I’m going to go through some really simple, but massively effective, WordPress security tips. They’re preventative measures, but I also offer some advice at the end of the post on what to do if you think you’ve been hacked.

Take regular backups of your WordPress site

I know I’m starting to sound like a broken record but honestly, taking regular backups is one of the best WordPress security tips I can give you.

If the worst does happen, having a recent backup is likely to be the quickest and easiest way to undo the damage and minimise your losses.

When you do take backups, make sure they cover both halves of the site – the database and the files (wp-content with your uploads, plugins and themes, plus wp-config.php) – and that they’re stored completely separately from your main site. Keeping your backups in the same place as your website is like keeping your spare key on the same keyring as the main key: if you lose your main key, your spare has gone too. And every so often, actually restore a backup somewhere and check the site comes up. A backup you’ve never restored is only a hope.
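To show what “stored separately” looks like in practice, here’s an added example (my own illustration, not code from the original post or from any backup plugin). It bundles the site’s files and an already-made database dump into a checksummed archive and refuses to write that archive anywhere under the site’s own directory. The paths, the sample files it builds and the archive name format are all assumptions; the database dump itself would come from `mysqldump` or `wp db export`, which this script does not run.

```python
"""Site-file backup with an off-site location check.

Added example, not code from the original post. Assumes a site root such as
/var/www/public_html and a destination outside it (another disk, mount or
sync folder). The database is not read here: pass the path of a dump made
with `mysqldump` or `wp db export` as `db_dump` so it lands in the archive.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional


def is_inside(child: Path, parent: Path) -> bool:
    """True when `child` resolves to `parent` itself or to a path beneath it."""
    child, parent = child.resolve(), parent.resolve()
    return child == parent or parent in child.parents


def backup_site(site_dir: str, dest_dir: str, db_dump: Optional[str] = None,
                stamp: Optional[str] = None) -> Path:
    """Archive `site_dir` (plus an optional DB dump) into `dest_dir`.

    Refuses to write into the site tree: a backup that lives under the web
    root is wiped along with everything else when the site is compromised,
    and may even be downloadable by the attacker.
    """
    site, dest = Path(site_dir), Path(dest_dir)
    if is_inside(dest, site):
        raise ValueError(f"refusing to store backups inside the site: {dest}")
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive = dest / f"{site.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site, arcname=site.name)
        if db_dump:
            tar.add(db_dump, arcname=f"{site.name}-db-{stamp}.sql")
    # A sidecar checksum lets a later restore spot a truncated or tampered archive.
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    (dest / (archive.name + ".sha256")).write_text(f"{digest}  {archive.name}\n")
    return archive


def verify_backup(archive_path: str) -> bool:
    """Recompute the checksum and make sure the archive opens and is non-empty."""
    archive = Path(archive_path)
    expected = (archive.parent / (archive.name + ".sha256")).read_text().split()[0]
    if hashlib.sha256(archive.read_bytes()).hexdigest() != expected:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        return len(tar.getnames()) > 0


def demo() -> tuple:
    """Build a tiny constructed site in a temp dir and exercise both paths."""
    tmp = Path(tempfile.mkdtemp())
    site = tmp / "public_html"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php // constructed placeholder\n")
    dump = tmp / "dump.sql"
    dump.write_text("-- constructed placeholder dump\n")
    try:
        backup_site(str(site), str(site / "backups"), str(dump))   # inside the site: rejected
        refused = False
    except ValueError:
        refused = True
    archive = backup_site(str(site), str(tmp / "offsite"), str(dump), stamp="demo")
    return refused, archive.name, verify_backup(str(archive))


if __name__ == "__main__":
    print(demo())
```

Run it on a cron job with the destination pointing at a mounted drive or a folder that syncs to cloud storage, and keep the `.sha256` file next to the archive so you can check it before a restore.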

Change your login URL

All WordPress installations use the same login URL by default (wp-login.php, which /wp-admin sends you to if you’re not logged in). This means that if a hacker wants to get into your website, they already know where your login form is, and automated bots try that address on every WordPress site they come across.

BUT, with the help of a plugin, it’s really easy to change your login URL to something only you know. Bear in mind that this cuts down the automated noise rather than locking anything: anyone who finds the new address is back at a normal login form, and WordPress can still be logged into through xmlrpc.php unless that’s switched off as well, so a strong password still matters.

You have a couple of options when it comes to plugins that you can use to change your login URL including All in One WordPress Security, which offers a range of security features. But if you’re looking for something a bit more lightweight there’s WPS Hide Login.

Check your usernames

Back in the day, all WordPress installs came with a user called ‘admin’ (the installer only let you choose your own username from WordPress 3.0 onwards), and because everybody knew the username, attackers could skip straight to guessing the password. I’ve not actually seen any recent WordPress systems come with an Admin user but it’s useful to know to look out for it. The All in One WordPress Security plugin has an inbuilt check that looks for an ‘admin’ username and recommends that it’s removed if found.

Another one of my top WordPress security tips is to make sure that none of your usernames are the same as your display names. It’s actually a really common thing to do (I’ve made that mistake myself), and it helps hackers get into your system: if they know your login URL and your username, it leaves them just your password to figure out. A different display name is a good start, but be aware that WordPress still gives usernames away elsewhere, for example by redirecting /?author=1 to that user’s author page and by listing authors at /wp-json/wp/v2/users, so don’t treat a hidden username as a secret.
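Here’s an added example (my own, not from the original post or from any plugin) of checking what your site already gives away about usernames. It works on a constructed sample shaped like the public users endpoint and the /?author=1 redirect; example.com and the user records are placeholders, and the live-fetch helper at the bottom is only there for running it against a real site.

```python
"""Spot exposed WordPress usernames from what the site publishes.

Added example, not code from the original post. The samples below are
constructed to match the shape of WordPress's /wp-json/wp/v2/users endpoint
(which lists users who have published posts) and of the redirect WordPress
issues for /?author=N. example.com and the users are placeholders.
"""
import json
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample of the public users endpoint.
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "admin", "slug": "admin", "link": "https://example.com/author/admin/"},
    {"id": 2, "name": "jane", "slug": "jane", "link": "https://example.com/author/jane/"},
    {"id": 3, "name": "Guest Writer", "slug": "ghostwriter", "link": "https://example.com/author/ghostwriter/"},
])
# Constructed Location header for a request to https://example.com/?author=2
SAMPLE_AUTHOR_REDIRECT = "https://example.com/author/jane/"


def slugify(name: str) -> str:
    """Rough stand-in for WordPress's sanitize_title(), used only for comparison."""
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")


def audit_users(body: str) -> Dict[str, List[str]]:
    """Return findings per user slug.

    The slug is the user's nicename, which WordPress derives from the login
    name unless it was changed later, so it is a strong hint of the username
    even when the display name is different.
    """
    findings: Dict[str, List[str]] = {}
    for user in json.loads(body):
        problems = []
        if user["slug"] == "admin":
            problems.append("default 'admin' account still present")
        if slugify(user["name"]) == user["slug"]:
            problems.append("display name reveals the login name")
        if problems:
            findings[user["slug"]] = problems
    return findings


def nicename_from_author_redirect(location: str) -> str:
    """/?author=N redirects to /author/<nicename>/ when that user ID exists."""
    match = re.search(r"/author/([^/]+)/?$", urlparse(location).path)
    return match.group(1) if match else ""


def fetch_users(base_url: str) -> str:
    """Live fetch of the users endpoint; not used by the constructed samples."""
    from urllib.request import urlopen
    with urlopen(f"{base_url.rstrip('/')}/wp-json/wp/v2/users", timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(audit_users(SAMPLE_USERS_JSON))
    print(nicename_from_author_redirect(SAMPLE_AUTHOR_REDIRECT))
```

For the sample data this flags the ‘admin’ account and the user whose display name matches their slug, and leaves ‘Guest Writer’ alone. On your own site, run `audit_users(fetch_users("https://yourblog.example"))` and treat every slug it prints as something an attacker can read too.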

Use a secure password

It goes without saying, but people still choose memorable passwords over secure ones. This is another one I’ve been guilty of myself until quite recently.

Your passwords should be at least 12 characters long, should include upper and lowercase letters, numbers and special characters, and should be different for every site, so that a password leaked from somewhere else can’t simply be tried against your WordPress login.

If you’re worried about forgetting passwords, LastPass (or any reputable password manager) might be a good option to consider. It’s basically a vault of usernames and passwords that you use via an add-on to your browser. You then have just one secure password to remember rather than a different one for every account you have online, and the manager will generate long random passwords for you, so there’s no need to make them up yourself.
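As an added example (mine, not from the original post or from LastPass), here is the password rule above as a check you can run, alongside a generator that builds a password meeting it from the operating system’s random source. The 12-character minimum and the four character classes are the post’s rule; the exact set of special characters is an assumption.

```python
"""Check a password against the post's policy and generate one that meets it.

Added example, not code from the original post. The character classes and the
12-character minimum are the post's own rule; SPECIALS is an assumed set.
"""
import secrets
import string
from typing import List

MIN_LENGTH = 12
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?"   # assumed set; adjust to what your host allows


def password_problems(password: str) -> List[str]:
    """Return every policy requirement the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} < {MIN_LENGTH})")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def generate_password(length: int = 20) -> str:
    """Build a random password that satisfies the policy by construction.

    One character is drawn from each required class first and the rest from
    the full alphabet; the list is then shuffled with the OS CSPRNG so the
    position of a character says nothing about its class.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", generate_password()]:
        print(repr(candidate), password_problems(candidate) or "ok")
```

The generator uses the `secrets` module rather than `random` on purpose: `random` is seeded predictably and is fine for games, not for anything that guards a login.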

Keep plugins and themes up to date

As soon as plugin developers find, or are made aware of, security issues with their plugins, they’ll get to work on fixing them. Once they’re happy that the fix works and it’s been tested, they’ll release it for users to update.

Security issues won’t always be made as public as the one with the WP GDPR Compliance plugin was, so you won’t always know to expect a security update to a plugin. But updating your plugins and themes as soon as you see updates available will help minimise the risk. While you’re on the plugins screen, delete anything you don’t actually use: a deactivated plugin’s files are still sitting on the server, and a bug in them can still be exploited.
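If you have shell access, WP-CLI can give you the plugin list as JSON. Here is an added example (mine, not from the original post or from WP-CLI) that sorts that list into what needs updating now and what is installed but switched off. The sample below is constructed in the shape of `wp plugin list --format=json` output; the plugin names and versions are placeholders.

```python
"""Flag plugins that need attention from WP-CLI's plugin list.

Added example, not code from the original post. The sample is constructed in
the shape of `wp plugin list --format=json` (fields name, status, update,
version); plugin names and versions are placeholders.
"""
import json
import subprocess
from typing import Dict, List

SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "example-seo", "status": "active", "update": "none", "version": "4.2.1"},
    {"name": "example-contact-form", "status": "active", "update": "available", "version": "1.8.0"},
    {"name": "example-slider", "status": "inactive", "update": "available", "version": "0.9.3"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7"},
])


def triage_plugins(body: str) -> Dict[str, List[str]]:
    """Group plugins into an update-now bucket and a remove-if-unused bucket.

    Inactive plugins are still files the web server will run on request, so a
    known bug in one is exploitable whether or not the plugin is switched on.
    """
    updates, unused = [], []
    for plugin in json.loads(body):
        if plugin["update"] == "available":
            updates.append(plugin["name"])
        if plugin["status"] == "inactive":
            unused.append(plugin["name"])
    return {"update": sorted(updates), "remove_if_unused": sorted(unused)}


def live_plugin_list(site_path: str) -> str:
    """Ask WP-CLI for the real list; needs `wp` on PATH and a WordPress install."""
    return subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={site_path}"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    print(json.dumps(triage_plugins(SAMPLE_PLUGIN_LIST), indent=2))
```

Take a backup first, then apply the updates with `wp plugin update --all` (or one at a time by name) and remove the unused ones with `wp plugin delete <name>`.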

What to do if you think you’ve been hacked

I’ve had a few people come to me asking for help after they’ve been hacked lately, so I thought I’d add my two cents here. I will dedicate a full post to it in a few weeks but wanted to get some help out there ASAP.

If you can still access your WordPress dashboard, install Wordfence and get it to run a scan.

Once it’s finished scanning it’ll give you some recommendations based on the threats it’s found. The recommendations might sound a bit complicated, but Wordfence just gives you buttons to click to confirm that you want to do what it’s suggested, and it’ll do it for you.

If you do that and you’re still having problems, get in touch with your host and ask them for advice. Whatever the outcome, once the site is clean change the passwords for every WordPress user, your hosting account and the database user in wp-config.php, and if you have a backup from before the hack, restoring it is often quicker and more reliable than cleaning up by hand.

WordPress security tips – verdict

So I’ve talked through 5 main tips to improve the security of your WordPress website or blog.

  1. Backup your site – it’s the easiest way to minimise the damage done by hackers.
  2. Change your login URL – it makes it that bit more difficult for hackers to work out where to try to log in.
  3. Usernames – make sure you have no ‘Admin’ username and that usernames aren’t the same as any display names.
  4. Use secure passwords – 12 characters long, upper and lowercase letters, numbers and special characters.
  5. Keep themes and plugins updated – make sure you always have the latest security updates.
