Essential security tips for WordPress users to avoid being hacked

One thing you have to think about when you go self-hosted with WordPress is security.

It’s better to be safe than sorry and decrease the risk of being hacked, after all the time and resources that goes into building a site. Hacks are typically done at random by bots that scan for non-secure sites.

Here are are couple of quick things you can do to help secure your WordPress site.⠀

1. Change your login details

It may sound shocking but a lot of users don’t change the default “admin” login. This is the first thing a hacker will try. Choose something unique for your account username and password. If you are using “admin” it’s not too late to change. Set up a second user on your WordPress site, change the display name, set the role as Administrator and transfer posts to that user. Then login with the new username and delete the default “admin” account.

Tip: Also avoid using “user”, “temp”, “test”, “user1”, your nickname or your blog/domain name.

2. Change the login URL

By default the login pages are and which is what hackers will try. Change the login page to make it harder for others to access, you can do this by installing a plugin such as Better WP Security or HC Custom WP Admin URL. You could also change your .htaccess files but if you’re not comfortable with code then I’d recommend using a plugin.

3. Install Security Plugins

Use a plugin like Limit Login Attempts to stop a user from trying to login after a certain amount of attempts. I love Better WP Security, it goes through every single area of security for your blog and gives you fairly clear instructions and explanations for each section. It’s colour coded to show you the most important areas to protect. One thing I love about it is that is logs attacks, attempted hackings, file changes and blacklisted IP addresses so you know exactly what’s happening with your site.

I also like Wordfence Security which scans risks and issues with your site and lets you block users who reach a limit of page views or login attempts. There’s hundreds more of security plugins so see what works best for you, don’t forget to check the reviews and compatibility before installing.

Tip: Don’t freak out at how many “people” will actually try to hack your account. Once you follow the tips and secure your blog as best you can, don’t panic about every automated attempt but do keep an eye on them.

4. Keep your site updated

It’s so important to keep WordPress, plugins, themes, etc updated! The updates usually include fixes for bug and security issues. Also, when choosing plugins try to avoid those that haven’t been updated in a while. These probably aren’t monitored anymore so there could be risks involved with using them.

5. Backup Regularly

It’s so important to backup your site regularly incase anything ever happens, imagine losing everything you’ve worked so hard on. Backing up your site also means less hassle if your site gets hacked, it’s just one less thing you’ll have to worry about so make sure you do it on a regular basis. There’s a few different options to choose from, check out this tutorial on how to backup your WordPress and Blogger content to find out how.


To summarise – keep WordPress core, themes and plugins updates, use strong and unique passwords, review user accounts and roles, delete default “admin” account, install an SSL certificate, install a security plugin, limit number of attempts for incorrect logins, change the URL of the login page, delete unused themes and plugins and assign correct permissions to WP files and folders.

There you go, a couple of ways to secure your WordPress site.

Post last updated:

Join over 1,000 creators and small biz owners and be part of The Roundup

Ready to build your website, grow your audience and monetise your platforms? Receive the latest WordPress news, social media updates, SEO tips and industry insights straight to your inbox.

By signing up you’ll receive our fortnightly newsletter and free resources. No spam or unnecessary emails. You can unsubscribe at any time.