20+ Basic Tips To Protect Your WordPress Blog

Over the years, WordPress has increasing number of vulnerabilities. Believe me it has quite interesting stats. Below I mentioned 20+ basic tips to protect your WordPress blog. I omitted some tips because I considered them too complicated to apply (for newbies). Sorry!

WP Security Tips1. Upgrade : Golden Tip. The latest version of WordPress always contains patches and bugs fixes for the security holes.  Therefore it is important to keep your blog updated with latest version. It is also recommended to upgrade all the plugins and themes you use.

2. Change Username : It is one of the most elementary security measures for preventing it from being hacked. Change the default WP username admin. If you still use this username, you are indirectly helping the hackers, trust me. Change it into a difficult and memorable username. You can check the below tutorial for changing the username.

TUTORIAL : 3 ways to Change WordPress Default Username

3. Hide Plugins : Create an empty index.html file and upload to wp-content/plugins/. By this you are protecting your WordPress plugins directory. In other words, no one can access your plugins. Hackers can easily hack your blog if they discover an out-of-the-date or vulnerable plugin. You can also create .htaccess file and upload.

Update : New versions of WordPress already contain index.php in different folders like themes, plugins, uploads etc. (Thanks Usman)

MUST READ : Introduction to HTACCESS for Newbies

4. Remove WordPress Version : It is better to remove the WordPress version which is included in most of the themes by default. Even many WordPress developers often display them. Displaying the version info will help the attackers to exploit known vulnerabilities on a particular WordPress version. Check the tutorial to remove them correctly.

TUTORIAL : How to Remove the WordPress Version Number (The Right Way)

5. Registration : Disable registering feature unless you have a revenue sharing blog or a blog with Guest Blogging feature. To Disable it go to General Settings page | turn off  Anyone can register option.

6. Akismet : Automattic Kismet (Akismet for short) is a collaborative effort to make comment and trackback spam a non-issue and restore innocence to blogging, so you never have to worry about spam again. If your blog is not protected by Akismet, download it now.

7. Captcha : CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Human Apart”. A CAPTCHA is a program that can tell whether its user is a human or a computer.  CAPTCHAs are used by many websites to prevent abuse from “bots,” or automated programs usually written to generate spam. You can use reCAPTCHA to stop spam.

8. Stealth Login : Stealth Login allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Even if your password is leaked out, the hacker will have to suffer figuring out the login page.  You can prevent malicious bots from accessing your wp-login.php file. Download Stealth Login plugin.

9. WP API Keys : Using these API keys you can use services and enhancements built on the WordPress.com platform. This allows you to leverage the power of WordPress.com even if you host your blog elsewhere. You should not share your API key, it is like a password. To get one, you have to sign up for a free WP.com account.

EXAMPLE : By installing Akismet, anti-spam service and entering your WP.com API key, your blog will be protected from spam the same way every blog on WP.com is.

10. Remove or Disable : You would have tried lot of themes and plugins for checking the functionality, but you would not have disabled or removed it.  Remove all those craps at once. Hackers can find a way exploit to them, even if you are not using them.

11. Hardening WordPress : You can harden WordPress software too.  You can read this Hardening WordPress document. They cover aspects like securing wp-config and MySQL, setting up file permission and son on.

12. Security Updates : You can subscribe to the WordPress Development blog. When they patch a security hole or release a new version, they’ll usually announce it on their Development Blog. Upgrade and apply them as soon as possible.

13. Use Role Manager and Sabre : Many blogs allow their readers to comment only if they are registered.  You can use Sabre plugin to prevent fake registration by bots.  It adds image verification or math test in registration.  You can also use Role Manager plugin to define the capabilities for the users. You can also control what the  users can do and cannot do in your blog.

14. Protect Your Content : You should protect your blog in terms of content also.  To get a detailed explanation, you can check Prevent Content Theft guide from WordPress.com.

RELATED : How To Copyright Your Literary And Creative Work?

15. Adieu Spammer : You can suspend the IP addresses of the spammer so that they can’t spam/comment further.  You can use Bad Behavior plugin for that.  They check the visitor’s IP to mark it as a spammer or not. You can try WP-Ban to display a custom ban message when someone from  banned IP tries to visit you blog. They also allow you to exclude certain IPs from being banned.

16. From Matt Cutts : Matt Cutts gives you three easy but important ways to protect yourself if you run a WordPress blog. You can read his Three Tips To Protect Your WordPress Installation.

17. Scan The Blog : You can download WP Vulnerability Scanner plugin. Activate it and launch the WP Scanner. Once you are done with test, deactivate it.

18. Secure Source : Yes. Always download the themes and plugins from trusted source. It is recommended to check the identity of the owner and popularity of the theme, plugin, and the site.

19. FTP and Backup : Always keep back up of your blog’s files and database. It is a MUST for every blogger. FTP the blog contents to your system regularly. Taking manual backups are tedious tasks. So I recommend you to use WP Database Backup.  Even if your database is compromised, you can restore it with the help of back up. Use a secure FTP Client.

20. Read More : I just mentioned the current basic tips to protect your blog. Please also read other blogs to find more interesting and easy measures to protect your WordPress Blog.

21. Password : Last but not least. Don’t think it is difficult to break or guess a password. By keeping a hard and difficult password you can protect your blog to the core. You can use Microsoft’s free web-based tool,  Password Checker,  for finding the strength of your password. Check the tips for Creating Secure And Strong Passwords.

Updated Tips

22. Login Using Email: WP-Email Login plugin will be essential for you in this. Use your email address instead of a username to log into your WordPress. You can also set your username to some random name and then just forget it and use your email address instead for better security.


  1. Beware Of Social Engineering Attacks
  2. Beware Of Phishers – A Brief Review

Having any other basic tips to protect WordPress blogs? Please feel free to share it here! 😉

57 thoughts on “20+ Basic Tips To Protect Your WordPress Blog”

  1. I think just schedule backup your database and keep up to date for your wordpress version, themes and plugins.

    • Hi Indu Jain, yes, it is recommended to change your admin password frequently and using Limit Login plugin can help you to notify about people who try to login or in other words, who try to hack. 🙂

  2. Pingback: Security Expert Ankit Fadia's Website Hacked (Yep, Again)
  3. home security should be the first priority of everyone because we should always protect our assets'”‘

  4. Nice Tips. Have you implemented anything to track your logged-in users behavior like, where they click, what page they visit in dashboard, or anything they do after they login your blog.

    At one of the popular blog, I was mailed a list of my actions by the website admin, after publishing a guest post there. Do you have any idea about how to do this.

  5. I found your blog on google and read a few of your other posts. I just added you to my Google News Reader. Keep up the good work Look forward to reading more from you in the future.

  6. You can also allow only your ip address to login into the admin panel
    This can be done using .htaccess file , i had read it somewhere 🙂
    Sorry couldn find the link just google once and see guys 🙂 🙂

  7. Great tips. thanks for sharing that. You have the ability to make posts private and only viewable to those who are on your list.

  8. You always provide a damn great information. I just knew about all the things you’ve mentioned above. Thanks for the tips and need more time to perform them one by one. Thanks again!

  9. nice compilation, i do a lot of those myself, got a hacking hit on one of my blogs some time back and since then am trying to keep safe. Updating the wordpress version is the very important step, one must do it as soon as a new update comes.

  10. WordPress security is very very important and some basic steps like username change, quick upgrade etc are essential for an wordpress user.. thanks for sharing such useful tips..

  11. This is a nice list and I totally agree with you. WordPress security is very very important and some basic steps like username change, quick upgrade etc are essential for an wordpress user.

  12. A nice collections of tips to secure and protect your blog. Many users don’t realize what can happen and only worry about it once they have been hit.

    There are so many plugins to check and help you secure your site more and one should always be on the lookout for new tips and tricks.

  13. am using captcha and akismet till now to stay away from spam

    and to keep blog secured i keep regular backups and also change password frequently

    other tips i will keep note and will use it once my blog gets old enough to keep it secured

  14. Hi Pradeep. Long time no visit here. This is a good post. We should not let bad guys like hackers win. We should defend ourselves from them 🙂

  15. Good list man… As George said, captcha is an inconvenience rather than a distraction. Many people don’t leave comments when they say more than name/email/comment fields in a comment area. In most cases akismet should be good enough, I guess.

    As for upgrades, it is more of a software engineering psychology. People always preach and customers always blindly believe that a new version of the software is always better than the old. In fact, a platform like WordPress should release minor versions only once in six months and a major version every year or so. It’s really stupid of them to keep coming up with silly enhancements and security updates to make bloggers adopt and upgrade. It works with most of us who are from technical background and for the rest of the blogging world, it’s a pain in the ‘you define’.

  16. very good post… I think there is no need of placing index.html file in plugins folder because new versions of wordpress already contain index.php in different folders like themes, plugins, uploads etc.

  17. Nice collection of tips.. i dont know abt some of them,, will work in them to keep my blog safe and updated..

  18. Hey it is a very nice and interesting blog post the tips to protect the WordPress blog are very good…Please tell us others too which you dint tell…Thanks a lot.

  19. Wonderful, until now my blog is secure. May be I need them in little future.

    P.S: I missed being the first to comment on this. 🙁

  20. Hi Pradeep,

    All tips are useful. I am trying to install Prevent Content Theft, WP-Ban in my blog. I don’t know about reCAPTCHA.Is that useful plugin?

    • Deepika, it tells you whether the commentator is an human or a computer-generated ! 😀

      Well, it will be quite annoying for your readers though.

      If you use Akismet plugin, then you can remove reCAPTCHA from the list! 😉

  21. Pradeep you have a great compilation of WordPress security tips.I agree with all points except #7.reCAPTCHA is a big distraction to commentors.I personally keep a distance from commenting on blogs which activated reCAPTCHA.


Leave a Comment