7 proven steps to protect your WordPress website security


WordPress is the world’s most popular and most widely used blogging platform. However, no matter how good a system is, there is always a chance of vulnerabilities, which is why users of the platform need to be conscious of its security.

A good web host like Websynthesis offers all these security features; I highly recommend them for hosting your website and blog.

The points below highlight seven guidelines on WordPress website and blog security that a publisher should follow:

  • Install WordPress Security Plugins

For the safety of your WordPress blog and website, the following are recommended plugins you need to install:

  • WordFence Security Plugin

The author of this plugin claims that it is the only website security plugin that can verify and repair your core, theme and plugin files.

Based on its star rating of 4.9 out of 5 and 1,084,718 downloads, it is a highly recommended tool to have.

Features include:

  • Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
  • Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx
  • Offers Two Factor authentication by sign-in using your password and your cellphone to vastly improve login security.

To download it or learn more, see: http://wordpress.org/plugins/wordfence/

  • Better WP Security Plugin

Going by its rating of 4.8 stars out of 5 and about 1,226,322 downloads, the Better WP Security plugin is ranked the most efficient and highly dependable plugin you can use to have better control of your WordPress website.

Among its features are:

  • Rename “admin” account
  • Change the ID on the user with ID 1
  • Change the WordPress database table prefix
  • Change wp-content path
  • Removes login error messages
  • Scan your site to instantly tell where vulnerabilities are and fix them in seconds
  • Scan troublesome bots and other hosts
  • Turn off file editing from within WordPress admin area
  • Detect bots and other attempts to search for vulnerabilities
  • The plugin can also help you recover lost account, because it helps create and email database backups on a customizable schedule

Get it here: http://wordpress.org/plugins/better-wp-security/

Conclusion: based on your preference, just choose one of the plugins above.
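Three of the hardening items in the Better WP Security feature list above (the database table prefix, file editing from the admin area, and the “admin” account) can be checked without any plugin. The following is an added example, not code from the plugin or from this post; the sample wp-config.php fragments, the function names and the user lists are constructed for illustration.

```python
import re

# Constructed wp-config.php fragments (not from the page).
WEAK = """<?php
define( 'DB_NAME', 'blog' );
// define( 'DISALLOW_FILE_EDIT', true );
$table_prefix = 'wp_';
"""
HARDENED = """<?php
define( 'DB_NAME', 'blog' );
define( 'DISALLOW_FILE_EDIT', true );
$table_prefix = 'x7q_';
"""


def strip_comments(src):
    """Drop /* */ blocks and whole-line // or # comments, so a commented-out
    setting is not mistaken for an active one."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^\s*(?://|#).*$", "", src)


def audit(config_text, usernames=()):
    """Return findings for three items from the feature list: table prefix,
    dashboard file editing, and an account named 'admin'."""
    code = strip_comments(config_text)
    findings = []

    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", code)
    if prefix is None:
        findings.append("table prefix: no $table_prefix assignment found")
    elif prefix.group(1) == "wp_":
        findings.append("table prefix: still the default 'wp_'")

    # DISALLOW_FILE_EDIT is the core constant that removes the theme/plugin
    # editor from the admin area; absent or false means the editor is on.
    edit = re.search(
        r"(?i:define)\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(\w+)\s*\)", code)
    if edit is None or edit.group(1).lower() not in ("true", "1"):
        findings.append("file editing: dashboard editor is enabled")

    if any(name.lower() == "admin" for name in usernames):
        findings.append("users: an account named 'admin' exists")
    return findings


if __name__ == "__main__":
    for label, text, users in (("weak", WEAK, ["admin", "james"]),
                               ("hardened", HARDENED, ["james"])):
        print(label, audit(text, users))
```

The user list is passed in by the caller; on a real site it would come from the WordPress users table or the Users screen of the dashboard.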

  • Keep WordPress updated to the latest version

The main reason Matt Mullenweg (founder of WordPress) and his team constantly release updated WordPress versions is security. An updated WordPress version contains fixes for reported bugs, upgraded secured shells, improvements to the blogging platform, etc.

In a nutshell, make sure you always have the latest WordPress version.

  • Remove redundant and unused plugins

The Websynthesis web host always warns users to remove deleted, inactive, unused or simply redundant plugins from the dashboard, as they are a major way for hackers, spam and malware to infiltrate your system.

They create vulnerabilities; an out-of-date WordPress plugin can cause your website to break and give hackers easy access to your blog.

If you have a plugin that is not active or that you are not using, simply deactivate and delete it.

  • Change the default username and password of the WordPress login dashboard

By default, after the installation and configuration of your WordPress website or blog, the username is mostly ‘Admin’ and the password is usually one that is simple to guess.

Immediately change the username to a name of your choice, and change the password as well (choose a long username and password).

As a rule, make sure you change your password once every month. The pictures below show you how to carry out the changes.

[Image: how to change your WordPress password]

  • Update and change control panel password

The control panel password is the password that grants access to your account with your host provider (e.g. Bluehost, WPEngine, Websynthesis, etc.).

In fact, this is more important than that of the WordPress dashboard. Make it a point of duty to change the password once every 2-3 months.

Bluehost Login Page

Anybody using Bluehost managed web hosting needs to change their passwords once every 2 months.

Synthesis Web hosting

My preferred managed web hosting provider. They are focused and only host WordPress-powered blogs, with industry-acknowledged security and speed. Though expensive, I recommend hosting your blog or website with them if you are really serious about your business.

  • Avoid the use of free WordPress themes

Generally, a serious-minded blogger should not entertain the use of a free WordPress theme.

It is a well-known fact that they contain malicious and encrypted code, and such themes are rarely updated.

  • Host your website or blog with a reliable web hosting company

As important as it is to have a website that looks beautiful and fascinating, with lots of original quality content, it is much more important to understand where you are keeping that website/blog and your content on the World Wide Web. Having a reliable, efficient and highly secure web hosting company should be the topmost priority of your business.

I believe that excellence is not cheap, so if you are looking for an efficient partner and company that can help with the factors listed above, I will simply recommend the following web hosts:

Websynthesis: This is what I am using, and notable websites that value their business are on it. It is not too much to pay 27 USD per month for your website. Highly recommended.

WPEngine: WPEngine works much like Websynthesis, and their price is almost the same. I am not using their services on my blog, but respected leaders in the blogging and online world recommend their service. Give it a try.


I am glad that you took your time to visit and read these posts. I humbly ask for your opinion and suggestions and I also stand to be corrected. Please, do so through the comment section below. Thank you.

  • http://www.donnamerrilltribe.com Donna Merrill

    Hi James,

    I do have a WordPress security plugin on my blog. I was starting to have trouble, but I realized it wasn’t secure. So I installed one.

    As for changing our passwords, Oh Yea….I do it once a month and they are long and never make any sense. I have to write it down and put it in my pen and paper folder!

    I use a paid version of WordPress and have my own theme. And have a good hosting company.

    So I think so far so good!


    • http://bloggingconsult.org/ James

      Hi Donna,

      Thanks for the visit. Yes, it’s absolutely important to change the password at least once a month for maximum security.

      The use of a paid blogging platform and a premium theme also helps in the fight against website security.

      Your comment is well appreciated, Donna, and do have a pleasant day.

  • http://www.NateLeung.com Nate Leung

    Hi James,

    Great breakdown on WP security. I think so many inexperienced bloggers miss the boat on this one. It’s one thing that us bloggers want to use a platform to not only brand ourselves but get our voice across the internet. It’s also a means of meeting cool people as well. Many of them miss the boat on the back-end security of it. I personally like Better WP Security. Thanks for sharing!

    • http://bloggingconsult.org/ James

      Mr Nate,

      WP security plugin is the best security plugin. I just got the news that the plugin has been acquired by iThemes, and they hired a topmost WordPress security expert, Chris Wiegman, to keep up with its updates.
      This attests to the fact that the plugin is the best.
      Thanks for the visit, I’m so pleased; I wish you a pleasant day ahead.

  • http://angelamccall.com Angela McCall

    Hi James,

    I heard Synthesis is good.

    I do have Wordfence and I love it. I used to use Limit Login Attempts but I believe Wordfence is better. It actually warns me when someone has malware or virus on their links. Also it alerts me whenever there is another plugin update I have on there.

    Yes, NEVER use a free wordpress. Better invest in a few dollars on a PAID account and have your own domain. You’ve given them GREAT advice!


    Never ever use “admin” for username and DO NOT use passwords you can find in the dictionary but make sure it’s a long password between 12-20 letters with numbers, alphabets, upper case, lower case, characters. Something that doesn’t make sense. Or hard to remember. Use LASTPASS to remember all of your social media passwords. I have over 100 of them. NEVER use the same password over and over again but make sure to use a DIFFERENT password for each one.

    Anyway, have a great week!!


  • http://bloggingconsult.org/ James

    Hi Angela,

    It’s so gratifying seeing a highly respected blogger making an insightful comment on this post.

    Yes, you are right, WordFence is quite good, just like the WordPress WP security plugin.

    I am a fan of quality and excellence, and as such believe in paying to get the best. For security reasons, it’s quite good to pay for a good premium theme and an excellent webhost.

    Yes, Synthesis is good, I personally prefer it over WPEngine. They are the ones actually hosting this blog.

    Do have a nice day ahead Angela.

  • http://www.imjustsharing.com Mitch Mitchell

    You mentioned a couple of things I’d never heard of and a lot that I knew and agree with. But people can go further. For instance, I use a plugin that limits login attempts and allows you to set the time for how long those folks are banned from trying again based on so many attempts, and then how long they’re banned a second time for not getting in. I also run a firewall program that helps to hide the ISP of my blogs. Both of them work well, and I’ve written about them in the past so you can decide to look for them that way if you’re interested or just go to your blog’s plugin addition area and look for them based on what they do.

    The biggie of course is verifying the safety of your themes, whether you use a free one or not. I had that issue back in the summer, not because I use a free theme, which I’ve modified, but because years ago I downloaded some other free themes to look at and never removed them. Luckily, they could only get in so far going that way because of my other protections, but it was ugly for about a day.

    Good stuff, and good sharing.

  • http://bloggingconsult.org/ James

    Hi Mitch,

    Thanks for the visit and the insightful comment.

    Yes, the use of a login limit plugin is quite good. The posts you wrote, are they on your blog? I want to check them straight away.

    And yes, I simply believe in using a premium theme from Genesis and a secure webhost like WPEngine and Synthesis

  • http://www.mayura4ever.com Mayura

    Hi James,

    I do agree with all the security measures you have mentioned :) They are indeed vital to assure the safety of a WordPress blog / website. Even if some feel like nothing much, we have been reading a lot about how some small mistakes could take over a site within a few seconds.

    WordFence has always been a favorite plugin of mine even though I’m not on WordPress :) It assures safety very strictly but without interfering much. Haven’t used Better WP Security, but I heard a lot of good about it, especially from a very close blogging friend.

    Default username and free themes have always been in the debate. As you implied, it’s wise enough to get rid of the default username if someone is serious enough about their site’s security and I hope most users are now aware of that. Anyway, sites are still being hacked for the same reason, over and over again. I’m glad you mentioned the hosting partners too :)

    You have a wonderful weekend ahead mate :)


  • http://adriennesmith.net/ Adrienne

    Hey James,

    Well, I have all of this in place myself except for that type of security plugin. I do use some security plugins but I no longer have to worry about people trying to log into my WordPress blog. I had a friend write me some code so if you go to my admin log-in page you won’t find it. That alone solves a lot of problems for me.

    I don’t use many plugins, under 15 to be exact because I prefer to use code when available. I also have a paid theme and have for a number of years now.

    I also change my passwords monthly for all my major sites and my log-in usernames are so weird it will take them forever to figure those out.

    I changed hosting services back in August so what I like about them is that they are a smaller company and pay much more attention to their customers. Things continue to go rather smoothly for me at the moment.

    Thank you though for sharing this information because it’s really necessary in order to help keep those hackers out.

    Have a great weekend James.


  • Eldrin

    Hi James, you are right about avoiding free WordPress themes. I was once a victim of using free WordPress themes, including “hacked ones”. During the first months of using the said themes, my website was running normally. But later I noticed that it was running slow and some of my visitors were complaining that they kept receiving phishing or alerts when visiting my website. I found the problem, and that is by using free themes. Hope this serves as a lesson to everyone!