How to improve blog security

1 / Create a new user account and get rid of the default settings

When you set up a new WordPress.org blog the default user name will be ‘admin’. If you want to make sure your site is much more secure, make sure you change this generic username and create a secure password as well so that it’s harder for someone to guess when they are trying to hack your site.

To do this – Log into your WordPress admin and click on users. You will then need to click on add new as you cannot change an existing username so you need to create a new one. Create a new account for yourself and give yourself administrator privileges in the drop down so you have full access rights on your site. Log out from your default account and then log back in with your new account details.

IMPORTANT – Go back into the users area and delete the original admin account – make sure you choose the option to attribute all content to: and choose your new username when you are deleting this admin account or you will delete all your posts!

2 / Get cryptic and set up secure passwords

Simple passwords are easier to remember but make it much easier for people to hack so sticking with secure passwords is the way to go. There are a bunch of tools you can use to generate secure passwords and store them on your computer. Your password should include letters, number, special characters and lower and uppercase letters plus be at least 8 characters long. There is no way to remember a ton of passwords this cryptic so check out these tools – Lastpass and IPassword for storing passwords, Password Generator for generating secure passwords and Keychain if you use an Apple Mac.

3 / Keep all your plugins and themes updated

Keeping everything up to date helps your site stay secure as there are often updates released to combat weak areas or bugs that are found in your theme and plugins. Check out this post for a comprehensive look at how to update all your plugins and themes.

4 / Install a security plugin

There are a range of great security plugins you can use to secure and monitor your site against brute force attacks. These are the three I use and recommend:

Wordfence : There are thousands of attacks per minute against WordPress sites, if one WordPress site running Wordfence is attacked, the attacker is then blocked and all other sites also running Wordfence block that attacker.

iThemes Security – iThemes Security shows you a list of things to do to make your site more secure with a simple way to turn options on or off. The steps are simple and provide descriptions of each action so you know exactly what’s happening on your site.

Sucuri Malware Scanner: The Sucuri WordPress Security plugin is a security toolset for security integrity monitoring, malware detection and security hardening. You can easily check and receive emails when your site is being attacked. (I was shocked at how often attacks happen after I was able to view them when I installed this plugin).

5 / Don’t allow guest registrations on your site

Having guest registration enabled on your site is not something you should require unless you run a membership site. To turn off guest registrations, go to your WordPress Admin > Settings > General Settings > make sure that the tick box anyone can register is not ticked.

6 / Get an SSL Certificate for your site

If you have a blog that sells products, is a membership style site or asks visitors to submit sensitive information via forms then it would be a good idea to look further into whether you should get an SSL Certificate. Google is now giving a small rankings boost to sites that use SSL as it provides a higher level of trust as sensitive information is kept safe and more secure. If you just have a blog with nothing except blog posts and basic contact forms then getting an SSL Certificate is not really worth the time and money. Check out this great article that gives you a bit more info about it all.

7 / Don’t allow pingbacks on your site

One last step you can take to make your blog more secure is disabling the pingbacks and trackbacksfeature on your blog. WordPress websites that have this feature enabled can be prone to being used in DDOS attacks against others websites (more on that here if you are interested).

When you set up a WordPress site, this feature will be automatically enabled. To turn is off go to your WordPress Admin > Settings > Discussion > Default Article Settings > clear the ticked box that states – Allow link notifications from other blogs (pingbacks and trackbacks) and save.
Don’t forget –

By following these 7 steps you will make your blog far more secure and have some great systems in place (security plugins) to check when attacks are happening and what areas of your site are vulnerable. Don’t forget that you need to be regularly backing up your blog, this can be scheduled to occur automatically and is a very important piece of the puzzle should your site be compromised in some way, having a backup is a life saver!