As a WordPress site owner, you are responsible for the security of your website. If you’re using managed hosting, you’ll get some help, but if you’re on shared hosting it will be up to you. Fortunately, there are plugins to help with security.

Your first — and easiest — line of defense will always be a strong username and password. You choose those when you install WordPress. After installation, you can change your password at any time, but not your username.
Note that WordPress was not designed to keep your username completely secret, so select a username that’s hard to guess. At the same time, assume that someone will eventually see it: for example, don’t choose a username that’s the same as a password you use elsewhere.
And do not choose the username “admin.”
WordPress will let you know if the password you choose is weak. While it may be a pain to remember and type in a long password every time, it’s not nearly as painful as cleaning up a hacked site!
Once you’ve installed WordPress and logged in, go to Users > Your Profile. Fill in any missing information and create a nickname, then select what name the public will see. If you don’t do this, WordPress will use your username as the nickname, and display that to the public.
Regular Backups of Your Blog
The first tool in your security plan should be a plugin to help you create regular backups and store them off the host’s server.
How frequently to back up depends on how often you update the site. If you’re adding new content every day, you should back it up every day. If you only add or update content weekly or monthly, you don’t need to back up as often.
You can store the backup on your own computer hard drive, or on a cloud service like Google Drive, Dropbox, Amazon S3, or OneDrive.
My recommended backup plugin, Updraft Plus, can upload your backups automatically to Dropbox, Amazon S3, Rackspace Cloud Files, Google Drive, Google Cloud Storage, or its own service, Updraft Plus Vault. For a small fee, you can add automatic backup options for Microsoft OneDrive, Microsoft Azure, Google Cloud Storage, Copy.Com, FTP over SSL, SFTP, SCP, and WebDAV. If you wish to upload your backups to another service, simply download them to your computer, then upload them to your service of choice.
Brute Force Attacks
A brute force attack is exactly what it sounds like. A hacker sets up a program to attempt to log into your site using thousands of combinations of usernames and passwords. To succeed, it must get both the username and the password right, at the same time.
That’s why it’s important not to use “admin” as your username. WordPress used to assign it as the default username, so it’s the first one tried in a brute force attack. We all know that a determined thief will get through any lock you have on your door, but you can prevent crimes of opportunity by not leaving the keys in your locked door. A determined hacker may be able to get past your username and password, but there’s no sense in leaving the keys in the lock by choosing the username “admin.”
The Protect module of the Jetpack plugin will protect your site against brute force attacks. Or, you can use a more full-featured security plugin like All in One WP Security & Firewall, which will protect against other security issues in addition to brute force attacks.
The SI Captcha Anti-Spam plugin has an option to add a captcha to your site’s login page. So even if a hacker’s program were able to determine your username and password, he would still have to get past the captcha. It also has a “honeypot” setting, which is a trap for spammers and hackers that legitimate users will never see.
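To make the brute-force defense concrete, here is an added example of a small must-use plugin that throttles failed logins. It is not code from Jetpack, All in One WP Security, or any plugin named on this page; it uses only standard WordPress hooks and the transient API. The limits (five failures in fifteen minutes) are constructed, and it assumes the site is not behind a reverse proxy, so `REMOTE_ADDR` really is the visitor’s address.

```php
<?php
/**
 * Plugin Name: Failed-login throttle (added example, not from any plugin on this page)
 * Description: Temporarily locks out a client address after repeated failed
 *              logins. Save as wp-content/mu-plugins/login-throttle.php.
 */

// Constructed limits: five failures inside a 15-minute window trigger a lockout.
define( 'FLT_MAX_FAILURES', 5 );
define( 'FLT_WINDOW', 15 * MINUTE_IN_SECONDS );

/**
 * Transient key for the current client. Assumption: the site is not behind a
 * reverse proxy, so REMOTE_ADDR is the visitor's address. Behind a proxy it
 * would be the proxy's address and a trusted forwarded header must be used instead.
 */
function flt_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'flt_' . md5( $ip );
}

function flt_is_locked_out() {
    return (int) get_transient( flt_client_key() ) >= FLT_MAX_FAILURES;
}

// Count every failed attempt (wrong username and wrong password both land here).
// Once the limit is reached the counter is left alone, so the lockout expires
// FLT_WINDOW after the last counted failure instead of being renewed forever.
add_action( 'wp_login_failed', function ( $username ) {
    if ( flt_is_locked_out() ) {
        return;
    }
    $key = flt_client_key();
    set_transient( $key, (int) get_transient( $key ) + 1, FLT_WINDOW );
} );

// Refuse authentication while locked out. Priority 30 runs after WordPress's
// own username/password check (priority 20), so the lockout wins even if the
// guessed password happened to be right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( flt_is_locked_out() ) {
        return new WP_Error( 'too_many_failures', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so a legitimate user's typos do not carry over.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( flt_client_key() );
} );
```

Because it keys on the client address, a distributed attack from many addresses will still get five tries each; that is why the page’s advice on a hard-to-guess username and a strong password matters even with throttling in place.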
Blog Comment Spam
Comment spam is the scourge of bloggers everywhere. It occurs when automated bots send comments to blog posts. They are usually promoting another business, which might be a porn site. Sometimes they look innocuous, but once you approve an innocuous message you’ll find your site flooded with junk.
I’ve yet to find a way to eliminate comment spam completely, but there are some tools that can make it manageable.
One of these tools is the captcha. It forces the user to type in a series of random letters and numbers, or in the case of Google’s reCaptcha, select the images that the captcha asks for. The characters are drawn over a noisy background that many bots cannot read.
Click the little speaker icon and you’ll hear the sequence, in case you can’t read it or you have a vision impairment. Click the second icon to generate a new sequence.
Some bloggers don’t like to use captcha because it creates another barrier to commenting. Only you can decide whether it’s a worthwhile choice.
If you do decide to use captcha, I recommend the SI Captcha Anti-Spam plugin.
Another plugin to consider is Akismet. Made by the creators of WordPress, there is a small annual fee. Akismet works by checking comments against a large database, and flags the comments it identifies as spam. You can set it up to automatically delete spam, or to set it aside for review.
I happen to use a third-party service for plugins called Disqus. This is mostly due to the fact that I was using Disqus on my previous non-WordPress blog and was familiar with it. Disqus does a great job of automatically filtering out spam comments!
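The “honeypot” idea mentioned under Brute Force Attacks applies to comment spam as well, and the following added example shows how one works. It is not code from SI Captcha Anti-Spam, Akismet or Disqus; it is a small plugin written for this page using WordPress’s own comment-form hooks. The field name `website_url_confirm` is a constructed value.

```php
<?php
/**
 * Plugin Name: Comment honeypot (added example, not from any plugin on this page)
 * Description: Adds an invisible field to the comment form and rejects any
 *              comment that fills it in. Save as wp-content/mu-plugins/comment-honeypot.php.
 */

// Name of the trap field. Constructed for this example; real plugins randomise it.
define( 'CHP_FIELD', 'website_url_confirm' );

// Render the trap field. It is hidden from people by the inline style, skipped by
// keyboard navigation and screen readers, and never autofilled by browsers, so
// only an automated submitter that fills every input will put a value in it.
function chp_render_field() {
    $name = esc_attr( CHP_FIELD );
    echo '<p style="display:none" aria-hidden="true">'
       . '<label for="' . $name . '">Leave this field empty</label>'
       . '<input type="text" name="' . $name . '" id="' . $name . '" value="" tabindex="-1" autocomplete="off">'
       . '</p>';
}
add_action( 'comment_form_after_fields', 'chp_render_field' );   // visitors who are not logged in
add_action( 'comment_form_logged_in_after', 'chp_render_field' ); // logged-in users

// Pure check on the submitted form data: a non-empty trap field means a bot.
function chp_is_trap_filled( array $post_data ) {
    return isset( $post_data[ CHP_FIELD ] ) && trim( (string) $post_data[ CHP_FIELD ] ) !== '';
}

// Reject trapped comments before WordPress writes them to the database. The
// filter only sees normal form submissions; pingbacks and trackbacks carry no
// form fields, so they pass through unaffected.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( chp_is_trap_filled( $_POST ) ) {
        wp_die( 'Comment rejected.', 'Comment rejected', array( 'response' => 403 ) );
    }
    return $commentdata;
} );
```

A honeypot stops the crude bots that submit every field, which is a large share of comment spam, without adding any step for human commenters. It does nothing against bots that read the page’s styles, so pairing it with a captcha or a reputation service like Akismet covers the rest.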
Plugin and Theme Vulnerabilities
Periodically, WordPress themes or plugins are found to have security vulnerabilities. Plugins involving graphics and images seem particularly prone to them.
When internet security companies like Sucuri find vulnerabilities, a good developer will immediately fix the plugin or theme and release an update. This is why you should keep your theme and plugins up to date — if you don’t, you may be leaving open a gaping security hole for an attacker. (This is yet another reason to choose your theme and plugins carefully, and make sure the developers keep them current.)
Additionally, if you’re on a shared hosting account, someone who’s less careful about updates can allow an exploit that ends up affecting your account.
Auto Updating
Beginning with version 3.7, WordPress is set up to automatically apply minor updates. Generally these are small releases that often include security patches.
By modifying some code, it’s possible to change which automatic updates are allowed, but I recommend leaving the default settings in place.
This way, you’ll have a chance to completely back up the site before applying a major update, while minor updates can happen in the background.
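For readers who want to see what “modifying some code” refers to, here is an added configuration example (not taken from this page or from WordPress’s own documentation) showing the `wp-config.php` constants that control core auto-updates. The default the author recommends is shown active; the alternatives are left commented out because a constant can only be defined once.

```php
<?php
// Added example: core auto-update settings in wp-config.php.

// Default behaviour (the same as not defining the constant at all): minor and
// security releases are applied automatically, major releases are left for you
// to back up first and apply by hand.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Opt in to automatic major releases as well. Only sensible if your backup
// plugin already keeps recent copies off the server, since a major update
// will then run without you getting a chance to back up first.
// define( 'WP_AUTO_UPDATE_CORE', true );

// Weak setting: no core auto-updates at all, so security patches wait until
// you log in and apply them yourself.
// define( 'WP_AUTO_UPDATE_CORE', false );

// Weakest setting: switches off the whole background updater, including the
// ability for plugins and themes to be updated automatically.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
```

If you do change the default, check the Dashboard > Updates screen after the next release to confirm the behaviour is what you intended, and keep the backup schedule from the section above in step with it.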
WordPress Basics for Bloggers Series
- What Is WordPress
- How To Get Started With WordPress
- How To Use The WordPress Dashboard
- How To Use WordPress Themes
- How To Use WordPress Plugins
- Understanding WordPress Site Security (you are here)
- WordPress Blogs: It’s All About The Content
- How To Optimize WordPress For Speed
- How To Prepare Your Blog To Build Traffic From Search
- How To Prepare Your Blog To Build Traffic From Social