When you live and work on the WWW, threats like hackers can seem like a big bad scary threat lurking around the corner. But just like in real life there aren’t thieve and robbers out to get you every minute, the same can be said of the hackers. If you stay away from the bad parts of town, and don’t flaunt big wads of website traffic, you usually don’t have anything to worry about.

But it always pays to be safe. Lock your doors, and don’t get into a van with a stranger offering you candy. Take care of your WordPress site and keep it safe and secure. So, here are a few things you can do to improve your websites security.


When you first create your WordPress site you might end up with the default username “admin” and this can present an issue, especially if your password is not very strong because hackers automatically know your username. If  both your username and password are secret, your login information has two lines of defense.

If you do have the username “admin” you can’t change that, but you can create a new admin user and delete the old one. It is really easy. Here are the steps to doing it:

1) Create a new user and give them a username someone will not be able to guess.

2) Fill in the name information under that user and make sure it is different from the username. Then select that name under display name so that your username is not the one displayed to the public.

3) Give this new user admin status. Log out of your old “admin” and relog as the new admin.

4) Select the old “admin” user and click delete. When it asks you who to attribute their content to, choose the newly created admin. Now all the pages and posts you created will show as created by the new admin and your old “admin” will be gone.


Your password should include CAPS, and numbers, and punctuation. You can use combinations that make some kind of sense to you so that you remember them easier. Not like Pa$$word. But S0m3th1ng^H4rd3r. Ha! See if you can read that. I bet if I used it for a password nobody would hack it…unless of course I used it now, for this site….

WordPress has some great tips on selecting a strong password and one of the things they recommend is creating a passphrase because one of the best ways to make a password hard to crack is to make it longer. I am not a fan of their idea to use a password keeper. In my opinion those sites should be pretty ripe targets for hackers, and how many times have we heard of security compromises in databases of sites we thought we invulnerable lately?

One way to add an extra layer of security these days is having a two step verification. On Twitter I get a new number code texted to my cell phone to enter every time I login. For WordPress the consensus seems to be that the plugin called Google Authenticator is the best way to do this.

Another plugin that is recommended is one called Limit Login Attempts which basically stops what is called a brute force attack (a hacker uses a computer to go rapidly cycle through possible passwords, like you see in the movies when a thief is trying to crack the pin number for a security system). If you limit the number of login attempts to 10 and then have a lock out period, you will deter those kinds of attacks. If you sometimes forget your password and go through 10 login attempts yourself you can set it to 30 and still be pretty safe (unless your password is something dumb like password or 1234).

A final measure of safety is to have a unique password for your email. It’s not good to have the same password everywhere, but some people are stubborn and do it anyway. If that is you, the one place you should NOT do that is your email. If someone hacks your Facebook account, you can always retrieve it with your email. But if someone hacks your Facebook account and uses that information to also hack your email, you are in trouble. Email is how you retrieve your passwords, email is how you prove who you are, email is where the messages come that tell you someone is trying to change your password on your Facebook account. Keep your email password sacred if nothing else.

Do your Housekeeping!

Updates go out for a reason. Keep your WordPress, Plugins, and Themes up to date. Sometimes they make an update because someone discovered a backdoor security breach. At the top of your dashboard there are two arrows pointing to each other in a circle. If there is a number beside them, or a red number beside plugins, it is letting you know you have to do your update. So do it. Now.

A few other housekeeping tips: get rid of any themes or plugins that you are not using, clean out unused pictures (tip-don’t upload the same picture over and over each time you want to post it in a blog, that’s what your media library is for), pay attention to your themes and plugins and get new ones if the old ones have’t been updated in a long time or there is a newer and better one (and choose your plugins and themes with a little care–avoid those that are brand new, or have no reviews). WordPress has some great tips and instructions for housekeeping.

A few final tips

Use a reliable web host like my fav host of the last 5 or so years Host Gator (this is an affiliate link, I may get paid if you click and buy, so click and buy to show me some love!). And if you want, they do have added security options for an extra charge monthly. Though, if you do your job of keeping your own site secure this isn’t a necessary expense.

Back up! Back up! Back up! OK, I can’t resist posting this funny YouTube video after I said that. It isn’t useful at all, just funny and a catchy tune 😀 There is a more useful link I can give you though for a plugin that automatically backs up your WordPress site to your drop box: WordPress Backup to Dropbox. Or if you prefer Google Drive: Google Drive for WordPress.

And lastly you can check your website for security breaches and malware using Sucuri Security, a website which allows a full range of tools and options for keeping your website secure. The basic check for malware is free and as simple as entering your website url in a box.