Is Your WordPress Site Secure?

Security for your Website

How Secure is your WordPress site?

The front door of the beach cottage had a large old horseshoe directly over the door.

We were struck by the size of it. Must have been a huge horse. Curious, we checked with the owner later that day and learned that the horseshoe was put there when the cottage was built, over 100 years ago, for protection and good luck.

I’ve been thinking a lot about protection lately; because several friends have had their WordPress sites hacked recently.

It seems that there’s a brute force attack going on at the moment designed to gain access to WordPress sites by targeting the “admin” account that every WordPress site sets up by default.

Using some 90,000 computers they aim to find the password of these accounts.  Once they break into a site they do such a lot of damage that many have to be completely rebuilt.

One friend’s site was broken into but she discovered them in the act. She contacted her host immediately and they blocked the hackers. The ISP determined that it was a brute force attack by a botnet (a group of computers that are banded together to perform tasks).

She got her site cleaned up and changed all the passwords and user names. Within 24 hours the botnets were back at it, attacking her site again. They didn’t succeed the second time but it was a very scary 48 hours until the attacks stopped.

Since then I’ve been on a mission to get everyone I know to take a look at the security and backup on their WordPress site. In this case an ounce of prevention could be worth a lot to you.

3 ways to protect your WordPress site

  • Very Strong Passwords and unusual user name
  • Plugins that limit logins and boost security
  • Regular backups  of your site

Step 1: Strengthen your passwords and avoid using “admin” as your user name

If you have an “admin” user on your site with administrative privileges now is the time to change it to something less obvious. These brute attacks and previous WordPress attacks targeted those sites where one of the admin users is using the user name “admin.”

If you’re still using “admin” for a user name, here’s how you can change it.

  • Go  into your WordPress account
  • Create an account for an additional administrator using a more complex and unusual user name
  • Log out and then log back in again with your new user name and password – just to check that everything is OK
  • Delete the old “admin” user.

You may have posts assigned to this user that will need to be reassigned but that’s a small problem compared to having to recreate an entire site.

Next strengthen your password.  Even if you’ve already got a good user name, make sure your password is strong enough to sustain an attack and can’t be easily doped out.  Using letters, numbers and symbols in a longer string, 10 characters for example, makes it far more difficult to hack into your account.

Step two: Use WordPress plugins to strengthen your site’s security.

Go to the WordPress Plugin Directory and do a search for Security to get the list of all the security plugins.

Login Lockdown limits the number of times an IP address can log into your account.  This slows any would-be hackers away from your site since with a more complex user name and password they’ll need multiple tries to land on the correct combination.

Two other security plugins we’ve used on client accounts are:

  • Better WP
  • Bulletproof Security

Both of these plugins have good documentation. There are some things you’ll need to do to configure the plugin for your site. A security expert at the Seattle WordPress Meetup told a group of us that the #1 reason that security plugins fail is not because of the plugin, but because they were installed and never configured.

There are overlaps among the programs so read the installation instructions and FAQs to learn which will be the best for your site.

Step 3 Regularly backup your website.

Backup Buddy is the current favorite among the bloggers I talk to regularly.  What everyone likes about it the most is that you not only backup your database but also your WordPress Theme and other Programming Files. This isn’t a free plugin. But it’s a reasonable one-time charge when you consider how much time you would spend recreating your entire site.

Some hosting companies do regular backups of their sites; check with yours to see if that’s the case.

You can also check out all the free plugins at the Plugin Directory and see if one meets your needs.

There are so many happy WordPress users that we’re a natural target for large scale attacks. Even though everyone in the WordPress community does what they can to keep the community safe, there are bound to be future attacks – we’re just too big a target.

Be safe…put a virtual horseshoe over the door to your website.  Since the botnets are looking for easy sites to break into, make yours unattractive to them by:

  • Bolstering your password to something long and complex and at the same time removing that “admin” user name if you have one.
  • Increasing  security with a security plugin
  • Finding a backup program you like and use it at least weekly to back up your data.

How do you handle security and/or backups on your WordPress site?


  1. Marty,
    thanks so much for taking time to share with all of us your findings about safe garding WordPress and our blogs.

    I must say that most of what you wrote is not familiar to me and so need to look into it closely with a friend who know atlo more than I do and hope we get all these security steps taken care.

    At the momnet (two days now) cannot access my wordpress back office… not certain it is the brute force you are talking about or just something my ISP is working on… I placed a support ticket today and hope I get an answer soon or the site is working properly again…

    You are so advanced in these things, I love to come to your site a d learn from time to time./

    Thanks so much in every way.
    nick catricala recently posted…Coming Back to where I like to be….My Profile

  2. Hi Marty,
    thank you for this great, useful information.

    It is amazing how many people have not been aware about using an ‘admin’ login and I will help spreading the awareness by sharing your post.

    I was really pleased to get an email from my hosting company letting me know that they picked up on the attack at the beginning and even stopped all logins for a short while until they had put some stronger security measures in at their end.

    Much appreciated!

    • Hi Yorinda -Some of the hosting companies have been very proactive – which is great. But not all hosts are that way and even when they are – it’s always better to have taking some precautions just in case. Glad you’ve got such a good host – Marty
      Marty Diamond recently posted…Is Your WordPress Site Secure? My Profile

  3. Hi Mary,

    One of the first things I do when I setup a WordPress blog is to properly secure it. I have used a login limit plugin in the past, but this may not stop the botnet brute force attacks that are happening because the attacks are coming from many IP address. Still, I would recommend installing such a plugin.

    I currently have BulletProof Security installed, and while it can be confusing to some who aren’t technical, I find it to be a great plugin.They recently added a login limit component to the plugin so you don’t need a second plugin.

    I also recommend BackupBuddy as well, and use it to backup my entire WordPress blog on a daily basis. The key here is to store the backups offsite from your blog so they don’t become corrupted by an attack.

    One last plugin I recommend is Google Authenticator. This uses a 6 digit numeric value that is generate every minute from the Google Authenticator app on your smartphone. This value is required to login along with your username and password. This plugin essentially enables two-factor authentication on your blog, which makes it much more secure.
    Paul Salmon recently posted…Why Your Wireless Network May Not Be As Secure As You ThinkMy Profile

    • Thanks Paul – the Google Authenticator is a great idea for anyone really concerned about the security of their site – the two step process would make everything much more secure. Good info on BulletProof Security too – I didn’t realize they’d added the login limit component to their package. Marty
      Marty Diamond recently posted…4 Pillars of a Strong Conversion Strategy My Profile

  4. Excellent reminder and suggestions, Marty. I have changed my username a long time ago and hopefully have a strong password. I have been using login lockdown plugin as well. I need to check the BackupBuddy. What I have now is just the database backup. BackupBuddy seems to make more sense if it’s making a backup of the entire site and database. Hopefully it’s affordable. Thanks again!
    Cherrie Bautista recently posted…The Value of Inspiring KidsMy Profile

    • Hi Cherie – If not that one there are some plugins for backing up your WP site – you might check with Kim or Nile to see if they have a favorite – Marty
      Marty Diamond recently posted…Is Your WordPress Site Secure? My Profile

      • Great post Marty!

        I love BackupBuddy and highly recommend it. Best feature is that, using a Full Backup, you literally snapshot the entire WordPress site, so it can be quickly recreated on another server or domain.

        As developers and site owners, we use it not only to cover our rears, but also because it makes migrating sites between servers a snap. Well, not a snap, but dang easy.

        Another really good, paid backup solution is VaultPress, which is developed and maintained by Automattic, a company funding much of WordPress development. Most VaultPress accounts backup everything in real-time, so as you post new content, it’s synced to their cloud backup servers.

        Restores are easy and they can even help you migrate between hosts and provide security scans.

        A security plugin and service that I recommend for WordPress is, which provides malware scanning, change notifications, blacklist notifications, etc. If you’re worried about hacking, a service like this actively scans your site, maintains your rep in search engines, and they’ll fix your site if you get hacked.

        As someone who has fixed a LOT of hacked sites, I can tell you it ain’t cheap. 🙂 At ~$89/year, Sucuri is completely worth it for a business site, in my opinion.
        Eric Amundson recently posted…7 Signs That Your Website is Stuck in the 90′sMy Profile

        • Thanks Eric – I’ll definitely checkout – I know you know what you’re talking about with WP Security – Thanks so much for weighing in and giving everyone some additional options – I’ve noticed that we’ve been getting a lot more lockout notifications on our site recently – fortunately from different IP addresses – but it’s been really steady all of a sudden. so I’m in the market for more security. Marty
          Marty Diamond recently posted…4 Pillars of a Strong Conversion Strategy My Profile

          • Quite welcome, Marty. 🙂

            Interestingly, just yesterday one of our business customers who installed (after being hacked multiple times) got a notice from Sucuri that his site domain was “blacklisted by SiteAdvisor (McAfee).”

            They do the same with several other reputation monitors like Norton Safe Search, Google, etc. This is not info that the average site owner knows until they get a complaint or stumble upon it, but you can bet that being blacklisted would slightly harm your conversion rates. 🙂

            Best thing about Sucuri that I forgot to mention is that it doesn’t matter if your site is already infected when you signup. They’ll clean it anyway.

            Also, there’s a WordPress plugin that connects to your Sucuri account that helps monitor and log changes, active response blocks suspicious IP addresses and attacks, and they’ve got a 1-Click Hardening feature that scans your WP install and provides easy, actionable steps you can take (usually just clicking ‘harden it’ buttons) that increase WP security.
            Eric Amundson recently posted…Sponsoring WordCamp Seattle and WordCamp PortlandMy Profile

  5. Thanks Marty for this post, It has been awhile since I thought of my website security…..Thanks for the reminder…..This is the second time in a row I have come to your blog and discovered I needed to look at something for my Blog…..Thanks Again Marty for your wisdom and knowledge!…..Smokey
    Gregory Bowen recently posted…Sometimes We Have To Slow Down To Speed Up!My Profile

  6. I have been setting up quite a few sites lately and have been a bit flustered with this whole security threat thing going on lately.

    Bulletproof security, do you like it? Is it easy to use?
    Clint Butler recently posted…How To Find Your Tribe Who Will Invest In Your ProductsMy Profile

    • Hi Clint

      One of the developers we work with uses Bulletproof Security and really likes it a lot. I think all of the security plugins could be more intuitive. They’re not horrible but you do have to read the instructions and follow along closely – no skimming through and figuring it out as you go (at least that’s my experience) because (according to my local WP Security Guru they’re “worse than nothing” if they’re not configured. Hope that helps – Marty
      Marty Diamond recently posted…Is Your WordPress Site Secure? My Profile

  7. Marty great advice as security is of such importance (especially after the recent DOS attacks on WordPress), and backing up data is an absolute must. Will be implementing your suggestions ASAP!
    The Food Curator recently posted…Let’s hear it for…the onion!My Profile

  8. Thank you Marty I don’t think I can ever hear enough about protecting my site. The stories can be scary sometimes.
    Lydia Brown recently posted…HOW NOT TO SABOTAGE YOUR BUSINESSMy Profile

  9. Essential stuff, Marty.

    Nobody that’s gone through all the work of building up a wordpress site over a long period of time wants to see it crash, and have all their hard work and built up social proof go down the drain.

    Thanks for the nuts and bolt suggestions. I’m sure that those who heed your advice will thank you when the “day of gloom” comes, as it so very often does.
    David Merrill 101 recently posted…Lead Magnet Creation | InterviewsMy Profile

    • Hi David – I’m always amazed when I look at a site for conversion how many of them are relatively unprotected. I think that there are a lot of site owners out there that may not be aware of the risk they’re taking. Just like people can be pretty casual about backing up their computer data – the same attitude comes through when they’re dealing with their website. Marty
      Marty Diamond recently posted…Is Your WordPress Site Secure? My Profile

  10. Hi Marty, I heard about these attacks from Kim and went and changed my password as well as added security.. Why do people feel the need to do this kind of thing. I am happy your friend found out before damage was done. I use Complete Central Backup Plug in Marty Is this a good choice? Thanks for the great tips.. Chery 🙂
    Chery Schmidt recently posted…Helping People Find Their WayMy Profile

  11. One things is that I backup everyday. That way any issues can be resolved by taking steps in makiong sure plug-ins are updated which is a heck of a problem. Then I go to Kim or Nile when needed.

    The more you nevigate your site and learn the things to do. The better you will become in understanding that one must keep the latest versions of each area that keeps our sites operational.

    Great informaton and I just got through hours of just doing most of the things needed for continued access to my site.

    Thank you for producing quality informaton and useful. You are one of our great coaches in this industry.
    William Amis recently posted…Amazing BeginningsMy Profile

Speak Your Mind


CommentLuv badge