WordPress security might not be your top priority when you start a blog.
But it should be.
You know that security is important and that websites can get hacked.
But you probably think or just hope it won’t ever happen to you.
Or you believe there is zero chance of it happening to you yet, since you only recently started your WordPress blog.
You think you are safe for now, but are you?
Whilst security can seem complicated and intimidating, it doesn’t have to be that way.
It also doesn’t have to be expensive.
And to prove it, I’ve put together a list of 7 WordPress security tips to boost your blog’s security that are free, simple and quick to put in place.
I bet you can get them done in just a short amount of time today, if you want to!
But first, you might be wondering this:
Does WordPress Have Security Issues? Can WordPress Be Hacked?
WordPress is a platform for building websites. It is a very popular one and powers roughly 26% of websites.
Because of its popularity, it is a popular target for hackers. This means it is important to consider security, but not because WordPress specifically has security issues.
All platforms and websites have some security issues, some more than others.
Most of them you won’t even know about unless they get exploited.
Nothing is 100% unhackable.
WordPress has excellent security. Because it is worked on by many contributors all the
And believe it or not, the majority of WordPress blogs that do get hacked are actually hacked due to missing updates! Now that’s food for thought.
How Do I Increase WordPress Site Security?
By following the WordPress security tips below, you’ll make your blog more resistant to hacks, brute force attacks, vulnerabilities and malware.
All these will increase your WordPress site security for free, with quick and simple tools you can implement in just a couple of hours.
Some may require regular scans, others will work in the background for you.
It is worth noting, though, that whilst more security layers will make it harder to exploit your blog, there is, as I mentioned before, no such thing as 100% security.
New hacks and exploits are discovered all the time, which is why it is important to always try to keep WordPress, plugins and themes up to date when possible.
Okay, so now that we’ve covered the basics, let’s take a look at those WordPress security tips below.
1 | Ensuring The Default WordPress Admin Login Is Changed
One of the first WordPress security tips you should action to boost your security is to make sure you are not using the default admin username that comes with WordPress.
This default admin user makes it easier for hackers to get in by making their job 50% easier, and is 1 of 53 mistakes bloggers make when they start a WordPress blog.
Now, who wants to make it easier for hackers to get into their website?
No one does, right?
Which is why you need to change this as soon as possible. By leaving it as the default admin, someone only has to guess your password!
So let’s make it more difficult for them. It is super straightforward to change! I promise.
How To Change The Default WordPress Admin Login
Okay, so first, you’ll need to be logged into WordPress.
Go to your Users button on the left sidebar menu.
Check to see if you are using the admin username for your account.
If you are then you need to create a new user.
Click Add New at the top.
Pick a username for the new admin login you want to create.
Try to avoid picking something obvious. Like the issue with the admin username, we want to make it tricky for anyone to guess it.
So, avoid using any information publicly displayed on your blog, like your name, surname, or age, as your username.
You also need to set your email address. This will often be used to send notifications for password resets and new comments on the blog.
So make sure this is set as something you have access to. This also should be secure!
Now the important step is to make sure you change the Role to Administrator, as you want all the access rights your old admin account has.
2 | Making Sure Your WordPress Login Password Is Strong & Secure
If you click on Show Password you can also change the default password.
Change this to something strong, ideally using a password generator like the password manager LastPass, which can generate strong passwords that are difficult to remember.
The harder a password is to remember, the less likely it is that someone will be able to guess it!
And in case you have trouble remembering these types of passwords, consider also using LastPass to remember them for you as well!
Strong passwords consist of a mixture of numbers, letters, special symbols like ? % ^ and more. You should also use both lowercase and uppercase letters.
Next, untick Send User Notification, unless you want an email sent.
Make sure to note the password either mentally or with LastPass.
Once done click Add New User.
And the new account should now be set up.
Log out of the current admin username and log into the new account you just set up.
Check the new account and make sure that it has everything you expect it to have.
Once you are happy with this new account and you’re sure you won’t forget the password, you can return to the Users screen. Tick the box next to the admin account.
Then click the drop-down button next to Bulk Actions and select Delete.
And that’s it! All gone, and your account for logging into WordPress is now significantly more secure with this WordPress security tip!
3 | Change The Admin Login URL
The next of these WordPress security tips I want to cover is the Admin Login URL.
By default this is www.your-domain.com/wp-admin.php.
Every WordPress website has this URL as its default login screen.
And you know what?
Everyone else, including all the bad bots on the internet, knows it too.
And because of this they will go and find this URL and try to exploit it, either by brute forcing your login by mass guessing usernames and passwords, or by looking for security flaws to exploit and bypass the login screen that way.
One quick and simple way to fix this is to change the URL to something others can’t easily guess. If they can’t guess it, then they can’t find it to exploit.
That’s right, like the username and password WordPress security tip earlier, you’ll improve your blog security if you make the URL unique and hard to guess.
By now, you might be thinking that it sounds complicated and that, in general, doing it yourself is difficult.
But you don’t have to worry about that because awesome programmers have come up with a plugin to do it for you. And yep, it’s completely free too.
How awesome is that?
So, what am I talking about? Well, the plugin is WPS Hide Login.
You can find it by searching for new plugins from within the WordPress dashboard, using the search term WPS hide.
Now it’s important to not install too many plugins as they will slow your blog.
But this plugin is super lightweight to add to your blog and it’s extremely tricky to add this feature any other way. The security boost far outweighs any load it adds.
And it is just as easy to revert any changes you make, simply by uninstalling the plugin.
The WPS Hide Login plugin is currently up to date even with the WordPress Gutenberg updates, security and bug fixes (5.0.2), with 300,000+ installs and almost all 5-star ratings!
Simply Install and Activate.
Once installed go to Settings > WPS Hide Login.
Change the Login URL to something unique that is not easy to guess. The default setting is /login so make sure you change it!
After all, that’s pretty easy to guess, right?
Make sure to click Save Changes once done.
And that’s it. Wasn’t this one super easy WordPress security tip? Feels so much safer right?
4 | Hide The Login URL From Your Cache Plugin
So now that we’ve hidden the login URL, what about any caching plugin you are using?
Doesn’t that store a copy of all pages users browse to?
Well, yes it does.
Which is why it is also important to add the new URL you set up as an exception in any caching plugin you have.
Most caching plugins have an easy to find exclude button.
Here you can click Add New Rule and pop in the URL you added in the WPS Hide Login plugin.
Save the rule, clear your cache out and hey presto, done!
5 | Use Jetpack To Block Brute Force Attacks
Here’s another one of the amazing WordPress security tips you should try.
By default, most new WordPress installs come with the Jetpack plugin installed.
If you haven’t got it installed, it’s a powerful, versatile plugin I use here on the blog.
Some people feel it slows down their blog. But the features I’ve used haven’t had any noticeable impact on my webpage load speeds.
Anyways, this plugin has a useful security feature you can add to your blog.
It is free, simple and quick to install. Just like the rest of the WordPress security tips in this post.
Especially if you have Jetpack installed already.
If you don’t, for some reason, head on over to this WordPress Jetpack plugin install tutorial, which will talk you through the best way to install Jetpack whilst only getting the features you need, so it doesn’t add extra bloat.
Because while it works well for me, I’ve spent a lot of time customizing my install. And if you decide to install Jetpack I want you to get the best install for your setup.
Right, so you’ve got Jetpack installed. If you used my guide, you should have the Brute Force login protection activated already.
If you skipped the tutorial, all you need to do is this.
Go to Jetpack > Settings from the WordPress dashboard left sidebar menu.
At the top of the screen click Security.
Scroll down until you get to Brute force attack protection.
And toggle on Block suspicious-looking sign in activity.
Click Save Settings once done.
And there you have another layer of security protecting your login screen, and your blog as a whole too!
6 | WordPress Security Tips For Adding Cloudflare To Your Blog
So, next let’s look at Cloudflare.
What is it?
It is much like a firewall sitting between your blog’s web server and a web browser such as Firefox.
It can add an extra layer of security to your blog by reducing the amount of access that bad bots, brute force attacks and even comment spam get, separating good traffic from the bad.
For example, in Bluehost go to hosting > cpanel.
Scroll down the page to find a section called domains and within this box, Cloudflare was the last option.
Click this and follow the instructions on the page to create a free Cloudflare account to help protect your blog.
You should also be able to find similar options to install Cloudflare in the Siteground cpanel.
7 | Wordfence Security Plugin
The last of the WordPress security tips I’m going to cover is using Wordfence.
This plugin is free to use and works straight out of the box when installed on your WordPress blog.
I recommend using either Cloudflare or Wordfence, rather than both, as the setup of both can cause issues and can be technical.
The aim of this blog post is to give you quick and simple actionable points, which combining Cloudflare with Wordfence generally isn’t.
Either way, they both do a similar job of filtering out nasties, firewalling your blog and scanning your blog for malware.
So, pick one or the other for now.
What Is A Security Plugin? What is Wordfence Security?
Okay, so what is a security plugin anyways?
Well, they are WordPress plugins that focus primarily on boosting your blog’s security.
Usually by using firewalls, filtering spam, blocking DDoS attacks and more, depending on the plugin.
The Wordfence Security plugin does many of these things and more depending on whether you use the free or the premium version.
We’ll just be sticking with the free version for now though.
What Is The Best Security Plugin For WordPress?
Telling which plugin is the best for WordPress security is a headache in itself.
Like antivirus software, each one has different detection rates because they use different rules, filters and databases.
Sadly, there is no such thing as a WordPress security plugin that is 100% effective.
Simply put, they are preventative measures to help improve security.
As such, Wordfence is a highly popular security plugin for WordPress. With over 3,000 5-star ratings, it is definitely amongst the best WordPress security plugins.
Especially since you can get it for free, which is a lifesaver if you are just starting out with your WordPress blog on a tight budget.
How Do I Set Up Wordfence?
Wordfence is as simple as any other plugin to set up. Simply search for Wordfence when in the Plugins > Add New screen.
Install and Activate it.
Then once installed, double check the settings to make sure you are happy with them.
How To Use Wordfence?
So, when installed onto your WordPress blog, the Wordfence Security plugin will work in the background for you, filtering out bad traffic before it reaches your blog.
One of the ways you can use Wordfence is by running scans and actioning any changes the results suggest. Or, if they are too technical, you can always ask Wordfence themselves to look at them for you.
You’ll ideally want to run a scan of your blog when Wordfence is first installed, to check everything is okay to start with.
The free version of the plugin does automatically schedule 1 scan each day.
These WordPress Security Tips Will Help Secure Your Blog
There you have it! All the free and simple tips for WordPress security.
Now you might be thinking some of these aren’t needed.
Well, it’s true. They are not needed and are totally optional.
So pick what you want to do and apply it to your WordPress blog. If you want to skip one or all, that is ok.
But applying all these WordPress security tips to your blog will make it so much more secure.
And doesn’t that give you peace of mind that your blog is significantly more secure?
That it’s extremely damn hard for someone else to damage the hard work you’ve put into it?
No one wants to get hacked.
And getting hacked can have serious consequences for your blog branding, Google ranking and even GDPR if you handle personal data.
Which, by the way, is pretty difficult to avoid on any website. So you want to take security seriously to avoid getting into trouble.
All these WordPress security tips are super easy, free and quick to do. So there’s really no excuse not to use them.
Every little bit of extra security helps keep you and your readers safe.
If that isn’t worth the time and effort, then what is?
So will you be using any of these WordPress security tips for your blog? Do you have any that you already use prior to reading this post?