WordPress Security: The Only Guide You Need to Stay Safe

What If your WordPress blog or website was target of a rookie hacker, honing his skills to make it to the big leagues? All of the hard work you put, hundreds of hours on building your BLOG, growing traffic and readership would be lost forever.

The security of your blog should be your primary concern, especially If you’re running a WordPress powered blog.

So what should you do to reduce the risk of getting your WordPress blog or website hacked?

Before I share my tips and the plugins I use to keep my WordPress blog secure, I want to state that why I choose and recommend WordPress as a blogging platform.

If you’ve been here for any amount of time, you’ll know that I love WordPress CMS. I use it on all my blogs, such as this one, and I’m certainly not alone. Millions of websites and blogs are powered by WordPress today.

Some days ago when I published the ultimate guide to starting a blog, many readers asked me for some WordPress security tips and plugins to reduce the risk of getting a WordPress website hacked.

So, I though I would put a list of basic WordPress security tips along with some WordPress plugins in this post that you can use and implement to make your WordPress blog or website 10 times more secure.

Note: To keep with the title and being the only guide you need to stay safe; If there’s anything I’ve missed in the post,  a plugin or WP security tip. Let me know in the comments and I’ll add in the post.

Wordpress security

If you want to run a serious blog than you must however take the security of your blog very seriously.

Useful WordPress Security Tips

Here are some basic and useful WordPress security tips that you can work on and apply to keep your WordPress blog or website safe and secure.

1. Keep WordPress Up to Date:

If there’s a new version of WordPress or a new update of a plugin, update it as soon as possible.

WordPress identifies the issues and updates their codes quickly and one of the good thing about WordPress is that it automatically notifies you in your admin dashboard when new version is released and you had to update it.

So, make sure you keep your WordPress up to date to make sure your blog is secure.

2. Keep your plugins up to date:

Another things which you can do to keep your blog secure is to keep the plugins which you are using in your WordPress blog up to date. WordPress will also automatically notify you in your dashboard when there are new updates for your installed plugins.

3. Be careful of plugins you install:

Before sometime I installed a plugin on my blog without checking it’s ratings and supports and that caused my blog hacked from someone, thankfully I had a backup file of my blog and recovered it quickly.

Be careful of the plugins you install on your blog and always install plugins from WP plugin directory that has a lot of good ratings and supports. This is the best way to reduce the chances of vulnerability.

4. Remove the default admin account:

The default administrator account has the username of “admin” and every noob hacker would know that, so using “admin” as your username is like having a backdoor to your house that every thief knows about, which makes thief’s life 50% easier.

If you are still using the default admin account on your WordPress blog than create a new one and delete the old one for better security and make sure to attribute all posts and pages to new one.

5. Backup! Backup! Backup!

No matter how hard work you do to keep your blog secure from hackers, there’s still a chances of being hacked.

If a hacker is determined to break in, he will be able to. If you have backup file of your blog, you can get back your blog after being hacked.

I’ll share a FREE WordPress plugin below that can help you backup your WordPress database on daily basis.

6. Choose a strong password:

How strong your password is? Try to choose as strong password for your WordPress blog as you possibly can to make sure It’s more than just something MEMORABLE with numbers.

Your password should consist of more than 14 characters with the combination of numbers and alphabets in lower and upper-cases.

Also make sure you have different passwords for your Wordpres admin dashboard and your Cpanel.

There are a lot of password generator tools online where you can find strong password, and even check how strong your password is.

7. Scan your theme and check It’s authenticity:

Many free WordPress themes has some kind of evil code which you won’t be able to remove, and may threaten your blog’s integrity.

If you’re using a premium theme from a reputable provider, you’re free to skip this step.

Use the Theme Authenticity Plugin to scan your theme files and make sure there’s nothing threatening your blog’s theme.

If there is, you’re inviting the hackers in your home for a dinner.

Further reading: How to choose a perfect WordPress theme

8. Get a good hosting:

One of the first thing that you should consider before choosing a hosting for your website is to check how good the security is as It’s the first line of defense, and how strong the response is when something goes wrong. Plus how fast it recovers when your website is hacked.

This is the reason why I recommend Bluehost for WordPress bloggers. Read more about Bluehost hosting and It’s features in my ultimate Bluehost review.

Bluehost also offers services like auto-backup, so when something unexpected happened with your WordPress website, you can get your website back in a single click.

Some Plugins For Better WordPress Security

Here are some security WordPress plugins you might want to know about to reduce the chances of getting your blog hacked.

Let me first state that the plugins I’m recommending here are very obvious and totally fine. I’ve used all of them myself and they work like a charm. They’re all light weight plugins so they won’t slow down the speed of your blog either.

As with WordPress plugins, people have their disagreements with which one works and which doesn’t. The plugins I’m recommending here are the ones that worked for myself, so feel free to use them on your blog and ask me in the comments If you have any question related to any of the plugins.

1. Secure WordPress:

Secure WordPress is a great plugin which keeps your WordPress installation secure by removing error information on login pages, hides your PLUGINS and it also hides the WordPress version which is must to reduce the risk getting your blog stolen by a rookie thief.

2. Login Lockdown:

This plugin is a personal favorite of mine.

Login Lockdown is another security plugin which adds extra security to your WordPress blog by limiting the login attempts and by restricting the failed login attempts from a given IP range.

This is very effective way of stopping brute force attacks.

This is one of the best security WordPress plugin that I’ve been using from long time on my blog.

3. WP Security scan:

WP security scan is a plugin that checks your WordPress blog for security vulnerabilities and it suggests correct action which you have to take to make some changes for better security.

I’m using this plugin from day one of my blogging journey, which is REALLY a great security WordPress plugin.

4. AntiVirus:

Antivirus is most useful WordPress plugin that will scan your WordPress themes, plugins, comments, posts and pages etc from malicious everyday. It is very easy tool which can protect your blog again malware and spam injection.

5. WP DB Backup:

I cannot stress how important this plugin is.

As I said before, backing up your blog is hugely important and the best security tip anyone can give you.

WP DB Backup is a FREE WordPress plugin which allows you to easily backup your core WordPress database.

6. WordPress file monitor plus:

This plugin is like having some security cameras in your WordPress dashboard which let’s you see exactly what happened when something goes wrong.

The plugin will notify you through email when any files are added, removed or changed in your WordPress blog. It tracks all the changes in your to your file system.

Your Turn:

What are you doing to keep your WordPress blog secure and what security plugins do you use? Let us know by leaving a comment below.

I’d bet you also have a lot of approaches to WordPress security, maybe more effective than what I described above. Post a comment below and let me know what you have to say.

Although It’s highly recommended to read the hundreds of comments below to get to know about more useful WordPress security tips and plugins.

This blog runs on Theme Junkie. My blog looks good that is because we run on Theme Junkie which is the best premium themes provider. They're the best way to upgrade to a premium theme and is also good creating beautiful designs. Theme Junkie will give your blog the distinct look. Discover the features your blog is missing and make it look like Social Triggers, NYTimes, Seth Godin's blog and the one you're currently looking at ;). Browse Themes Junkie now.

162 Awesome Responses to “WordPress Security: The Only Guide You Need to Stay Safe”

  1. July 5, 2013 at 1:52 am #

    Hey Ehsan,

    I know this is an old post, but since I recently migrated to WordPress, so thought of commenting, as this post really helped me to find some useful plugins for security.
    For the backup, I an using the Updraft plugin, which backs up to my dropbox, and can also restore it. Since hte plugin is not so popular, so I was a bit hesitant at first, but the reviews were all great, so I went forward with it.
    So security purposes, I am using Word Fence. This has functions like security checks, restrict multiple login attempts and also monitoring for threats.
    Thanks for the theme checker plugin as I am usign a free theme at the moment, but the plugin said it is OK.

    • Ehsan Ullah
      July 6, 2013 at 6:18 pm #

      Hey Sourav, Good to see ya here.

      There are different WP plugins for backup solution, but WPDB is the FREE one that is simple yet effective, and which most bloggers are using.

      Thanks for letting me know about the Word Fence plugin, I’m gonna try that one out – And glad your theme is free of fluff.

      Thanks for your comment.

  2. June 7, 2013 at 10:47 am #

    Nice post ehsan
    I recently started a WordPress website and i didn’t know about the security WordPress plugin. Wow I’ve installed and using this plugin.
    Thank for sharing your post it will be very help full for me.

    • Ehsan Ullah
      June 7, 2013 at 5:42 pm #

      Thanks Hiren,
      That’s a great plugin. Keep using that, and let me know how it works for you.

  3. June 6, 2013 at 9:10 am #

    As I got my previous journal hacked by somebody. Then i made a decision to use it. afterward I haven’t long-faced such hacking issue.

    • Ehsan Ullah
      June 7, 2013 at 4:53 pm #

      Hey Lavindra? What did you use?

  4. May 13, 2013 at 11:37 am #

    HI Ehsan,
    Awesome tips on WordPress blog security.Most of the bloggers are using woedpress blogs so this post helps to all.This is shocking to me “Be careful of plugins you install”.I usually install wordpress plugins but now i am take care about if.

    • Ehsan Ullah
      May 13, 2013 at 6:16 pm #

      Hey Steav, welcome to blogging.

      Hope the article made sense to you, and nice to know you learned to secure your WP blog now :)

      Hope to see ya back!

  5. April 24, 2013 at 11:37 am #

    Awesome tips,

    We should consider wordpress security seriously as recently their was a huge brute force attack on wordpress blogs.

    So here we can say “prevention is better tan cure”..


    • Ehsan Ullah
      April 24, 2013 at 4:16 pm #

      Thanks for the nice comment Sarvesh.

      Out of those tips above, which do you think works better for recent brute force attacks on WP blogS?

  6. April 11, 2013 at 10:49 am #

    Very good points regarding security. Didnt realise there was plugins to help with security. Like everything we use today which requires passwords. You have to make the password as strong as possible and not store it anywhere on your computer

    • Ehsan Ullah
      April 11, 2013 at 4:19 pm #

      Good to see ya here Richard, and nice point about strong passwords.

  7. April 10, 2013 at 5:31 am #

    Great post, u have given an amazing post, it is helpful and it is very useful to beginners of blogging. Thanks for sharing a great post.

    • Ehsan Ullah
      April 11, 2013 at 4:40 pm #

      Glad I made a learning fun, Gajendran :)

  8. Sai Kalyan
    April 6, 2013 at 11:27 am #

    Remove the default admin account ::: I Think Its Not Good For Word Press Why Because If We Remove Default Admin Account THen We DOnt Know Who Are Posting THe posts !!!

    Any Ways Its Nice Article about wordpress security thanx for sharing it is very useful for my site

    • Ehsan Ullah
      April 6, 2013 at 3:57 pm #

      Create a new account with strong username and password after deleting the old one Sai.

      Also make sure you attribute all posts and pages to new one.

      Sai, why don’t you consider using a Gravatar in your comments?

  9. April 6, 2013 at 1:46 am #

    My first wp blog got hacked because I didnt applied any of security option.
    Now I dont want to repeat histroy, i will now take your words in making my blog secure.

    • Ehsan Ullah
      April 6, 2013 at 7:25 am #

      Hey sdhungel, glad it helped you.

      Keep on commenting.

  10. April 5, 2013 at 5:56 pm #

    HI Ehsan,
    Great post on WordPress blog security. The all point you have shared in the above post is really very helpful for not to get your WordPress Blog hacked.

    • Ehsan Ullah
      April 5, 2013 at 8:46 pm #

      Good to see ya here, Chranjeev.

      Glad it made sense to you.

      Keep on commenting, and stay around :)

  11. April 2, 2013 at 5:56 am #

    Hi Ehsan ,

    Thanks for this little guide to WordPress security . I’ve taken all of these measures and I hope to be safe from all kind of attacks on my blog .

    I recently realized that if we made a few tweaks in our blog , it would be safe from attacks . But one thing is sure that if you don’t have bullet proof security even a rookie can hack your blog . :)

    I recently realized that my blog was critical to any attack so I safeguarded it using your guide .


    • Ehsan Ullah
      April 2, 2013 at 6:18 am #

      Glad my guide helped you to safeguard your blog, Navneet. That is why all the effort in blogging is worth it :)

      Stay safe and secure,


  12. March 30, 2013 at 3:07 am #

    hi ehsan,
    i am going to hack your blog.. ! sorry, joking, i couldn’t help myself.. :) thanks for this amazing post man, hacking is surely a big problem nowadays, the long hours we spend on building a blog is lost in a few seconds if hacked. and nothing can be after then.. And when there are a lot of hackers in the globe our blog is not secure.. Nice tips you gave above that will help to secure our blog from being hacked.. will apply them immediately.
    keep up the good work.


    • Ehsan Ullah
      March 31, 2013 at 3:12 pm #

      Haha, do it Amit.


      Thanks for the nice comment and heads up.

      Glad you liked the tips.


  13. March 24, 2013 at 10:39 am #

    Hello eshaan,

    Well first of all thanks a lot for the awesome post which is very useful for all bloggers. Next, there was a time when my friend was suffering from the situation of hacking. i mean his blog was hacked as he was careless about the security,

    So its very important to follow the precautions before being hacked.

    • Ehsan Ullah
      March 24, 2013 at 3:43 pm #

      Nice to see ya here, Mark.

      Forward this post to your friend than :)

  14. March 19, 2013 at 5:28 am #

    I don’t think most of us ever think our sites could get hacked, Ehsan, until it actually happens and it’s too late…

    I am off to back up my blog!

    • Ehsan Ullah
      March 19, 2013 at 6:29 pm #

      That is the reason I wrote this post, Ana. I made the mistake and I don’t want my readers to think of the security issues after getting hacked.

      Glad to have ya here :) What’s new with TGC these days?

  15. March 16, 2013 at 7:45 am #

    The above tips are important but most importantly you need to shutdown your directory listing. With the help of directory listing anyone can enter into your cPanel.

    With all do respect – have a look at your website http://www .guideandnews .com/wp-content/uploads/

    • Ehsan Ullah
      March 16, 2013 at 6:30 pm #

      Great to see ya here, Abdullah.

      I didn’t know about the directory listings, thanks for letting me know.

      How to shut it down?

      • March 16, 2013 at 6:44 pm #


        All you need to do is add “Options -Indexes” (without quotes) in your .htaccess file at the end of the text.

        Good luck :)

        • Ehsan Ullah
          March 16, 2013 at 7:12 pm #

          Thanks Abdullah, It’s appreciated.

          What’s new with your writing?

          • March 19, 2013 at 8:47 am #

            I didn’t get you. What do you mean by that ?

          • Ehsan Ullah
            March 19, 2013 at 5:45 pm #

            Haha, I mean what’s new with your blog? Hows going your blog? And what happened with Spatme? I guess you started another one.

          • March 20, 2013 at 6:46 am #

            Not getting proper time to schedule the posts.. :(

          • Ehsan Ullah
            March 20, 2013 at 3:40 pm #

            That might be because you’re working on more than one blog at a time, you’re not getting time and you’re not feeling productive.

            Focus on one!

          • March 21, 2013 at 9:57 am #

            Thanks for your advice.

  16. March 15, 2013 at 9:27 am #

    Hi Ehsan,
    I sincerely do agree with you. Having a stronger password is one surest way of securing one’s site.

    • Ehsan Ullah
      March 15, 2013 at 3:31 pm #

      Nice to see ya here, Kabie.

      Your password?

      haha kidding.

  17. March 12, 2013 at 2:09 pm #

    This is an interesting issue. Every blogger or webmaster does not want his site to be hacked so often he must back up his site using data base backup plugin. There are many free data base back up plugins we can use for our WordPreass blog installations. I myself use wp-db-backup plugin and it is quite good and reliable.

    • Ehsan Ullah
      July 9, 2013 at 9:18 pm #

      You seem to be a good guy to have around, Heru.

  18. March 12, 2013 at 1:29 pm #

    Thanks a lot Ehsan. I do follow the points you said here except the antivirus. Will give a try though! Keep rocking!

    • Ehsan Ullah
      March 12, 2013 at 2:41 pm #

      Welcome Karthik, glad you liked it :)

  19. March 12, 2013 at 10:12 am #

    Thanks a lot for the advice. I’ve been hacked before and it’s not a nice experience so I will be following a few of these steps to ensure it doesn’t happen again.

    • Ehsan Ullah
      March 12, 2013 at 12:00 pm #

      Nice to see ya here, Chris.

      Glad it helped!

  20. March 12, 2013 at 8:12 am #

    Great advice..I can say it because i’ve faced the harsh effects of hacking…I got my personal blog hacked and i was not much aware of the security measures at the time..Now i’ve learned the lesson.I would recommend everyone to keep WordPress updated for the sake of security..

    • Ehsan Ullah
      March 12, 2013 at 1:06 pm #

      Glad you learned something new today, Joe.

      Hope you’ll keep your WordPress blog more secure now.

      What’s new with Dental Implants blog?

  21. March 12, 2013 at 6:10 am #

    WordPress is largest blogging platform and naturally a target of hackers. Thanks for the tips on securing WordPress. Also, one can secure admin panel by restricting access to it using htaccess. Simply add admin’s IP to htaccess and others won’t be getting access to admin panel.
    Thanks for the great post.

    • Ehsan Ullah
      March 15, 2013 at 5:14 pm #

      Thanks for the suggestion, Rajesh.

      Securing admin panel is also very useful to secure a blog from being hacked.

      Thanks for dropping in.


  22. March 10, 2013 at 7:47 pm #

    A total pack of primary security measures , which one must take for his blog if he loves it. I’ll also recommend Exploit Scanner for WordPress file scanning and VIP- Scanner for theme security review.

    • Ehsan Ullah
      March 11, 2013 at 2:39 pm #

      Thrilled Anup, Thanks for your comment man.

      Thanks for your recommendations.

  23. March 10, 2013 at 1:34 am #

    This is really good published article. I will apply it to my self to improve my blogging. Such a great yet interesting post. Thank you very much for sharing this useful stuff.

    • Ehsan Ullah
      March 10, 2013 at 3:45 pm #

      Thanks Jessica, must check my reply to your comment on the post “Why do you write”, I’ve suggested you something.

  24. March 9, 2013 at 11:25 pm #

    That is great post ever, Thanks for sharing . i am still reading to get plugins as you mentioned above. thank you again

    • Ehsan Ullah
      March 10, 2013 at 3:47 pm #

      Nice to see ya here Saheem :)

  25. March 9, 2013 at 8:02 pm #

    Thanks for the info. Had a guy take down a site belonging to one of my clients. Want to do everything I can to protect his new site.

    • Ehsan Ullah
      March 9, 2013 at 8:39 pm #

      Sorry for hear that, let me know If you need help ok?

  26. March 9, 2013 at 2:14 pm #

    Gorgeous post. It is amazing tips of wordpress security. I got a lot of information. Thanks for share.

  27. March 9, 2013 at 8:30 am #

    Getting hacked is one of the worst thing any site owner could experience. We should be attentive anyone once sign of hacking is noticed.

    • Ehsan Ullah
      March 9, 2013 at 3:35 pm #

      Nice see ya here Mike. Have you experienced suck issue?

  28. March 6, 2013 at 12:09 pm #

    Hey Ehsan!

    Very nice tips here.

    More than anything, having a good host is very important. Cheap hosts are like hacker’s bestfriends. They can easily hack into our site. Good hosts prevents such cases. And, keeping everything up-to-date is also keen. Else, the chances of getting hacked increases.

    Thanks for sharing the article.

    PS. I love the headline (How Not To….)


    • Ehsan Ullah
      March 6, 2013 at 3:45 pm #

      Hey Kaundeenya,

      Glad It helped. Yup, a good hosting plays a big role. Firstly If you use a good hosting, your blog will be more secure, secondly good hosts has some kind of security packages also where you can subscribe to make your blog more secure, and thirdly your WordPress blog will be recovered fast If you use a good hosting.

      Ohh, spent hours for crafting that headline ;)

  29. March 6, 2013 at 10:59 am #

    You forget to state that how to protect your htaccess file .Sometimes hacker plant a script in it and get the juicy information. :)

    • Ehsan Ullah
      March 6, 2013 at 3:39 pm #

      Thanks for the reminder, guess I forgot that. Might have to add that point too, you mind?

  30. Emilia
    March 6, 2013 at 10:20 am #

    Hackers are really a threat nowadays. Thanks for sharing this highly informative article. This will surely help us tighten security in our WordPress blogs.

    • Ehsan Ullah
      March 6, 2013 at 3:38 pm #

      Tighten your security today Amilia. :)

  31. March 6, 2013 at 6:51 am #

    Security for our blogs is something that we must take into account. So security is the first thing we must consider while we build our blogs. There are always people who want to hack our blogs. Please be careful.

    • Ehsan Ullah
      March 6, 2013 at 3:31 pm #

      Thanks for the heads up Heru.

  32. March 5, 2013 at 2:50 pm #

    Awesome post Ehsan,
    I have been neglecting this aspect from a very long time.
    I don’t even have installed any security plugins on my blog, except Limit Login Attempts.

    This is a great post that will help me get started. Also I never took any backup of my blog and only recently I understood what taking regular backups mean. That was one of the worst experience.

    But now I am back on track and I hope that now I take all the precautions.
    Thanks for the post mate :)

    • Ehsan Ullah
      March 5, 2013 at 3:21 pm #

      Nice to see ya back with Tiny Blogger, I was actually shocked when I visited it few days back and It was down.

      Glad to know the post means a lot to you and you learned something here today.

      Backing your blog up is most important for every blogger, there are many ways to backup. Read my reply to Rahul Kashyap’s or Amal Rafeeq’s comment above.

      Thanks for your comment Arbaz.

  33. March 5, 2013 at 7:36 am #

    Your thinking is appreciable. I think, you thought a better idea about blogging.Greetings

  34. Calra
    March 5, 2013 at 6:37 am #

    I don’t sually come across bloggers who would share cecrets oon how to avoid being hacked, so I appreciate what you wrote. Thank you very much. I’m working really hard to keep my WP site up to date but I never realized that there are so many safety measures that I still need to execute.

    • Ehsan Ullah
      March 5, 2013 at 3:14 pm #

      Thanks Calra, glad you enjoyed reading it.

      Hope you got to learn something new today.

  35. March 4, 2013 at 8:08 pm #

    If you can believe this Ehsan, I have absolutely nothing to add.

    I learned all of this that you shared here early last year and it’s been a lifesaver for me. I use the Limited Login Attempts plug-in but it sounds like it does the same thing as the Login Lockdown plug-in does. I take it a step further and actually go to my hosting service and ban then from my blog for good.

    All I know is that I’ve been saved many times so all these steps are necessary.

    Thank you for sharing these with us.


    • Ehsan Ullah
      March 5, 2013 at 3:10 pm #

      Always great to have you hear, Adrienne.

      Glad you liked all the tips, yup ya know it! ;) I actually rescheduled this post.

      What hosting are you with by the way?

      Thanks for dropping by.

      • March 5, 2013 at 4:12 pm #

        I’m with Bluehost!

        • Ehsan Ullah
          March 5, 2013 at 7:17 pm #

          Great to know that, I also love Bluehost hosting.

          Nice to see ReplyMe plugin brought you back here. :)

  36. March 4, 2013 at 4:11 pm #

    This is an awesome post pal.

    I have seen some blogs go down because of hackers and I wouldn’t like to see this happening to my blog, your blog, or any other blog out there.

    The security plugin that is use is Better WP Security and I love it like crazy!

    That plugin I used to change my default ‘admin’ login name and it adds tons of other security features to the WP blog.

    I also back up 2 times per day (every 12 hours) and also keep updated to everything.

    Thanks for the timely reminders, Ehsan.

    • Ehsan Ullah
      March 4, 2013 at 7:13 pm #

      Hey Kharim, thanks mate.

      Thanks for letting me know about the Better WP Security plugin, will check that out. Maybe I’ll remove some of my security plugins after using Better WP Security because I think It’s all in one, isn’t it?

      By the way Kharim, have you read the welcome post already?

  37. March 4, 2013 at 2:52 pm #

    Nice n needful post for the bloggers Ehsan!

    Am new to WordPress and I hope this post would help me to improve my blog.

    Thanks for sharing the security tips n plugins for WordPress, will check it out now.

    • Ehsan Ullah
      March 4, 2013 at 7:14 pm #

      Thanks for sharing on Google+ Nirmala, I appreciate it.

      Glad you found it to be a useful one that has give you some new ideas and tips to secure your blog.

  38. March 4, 2013 at 12:12 pm #

    Hi Ehsan,

    Great information shared!

    The points which you have mentioned are imperative for our blog to remain in blogosphere.As a programmer I believe that no matter how hard we try or use best of the best plugins the blog or the website will still remain open to hackers on many fronts, the reason being there are very less NATIVE wordpress plugins we are living with. But by using these plugins surely we will remain less sceptical to hacking. Hackers have to try hard to break the vault.

    For WordPress and other plugins updation, I wait for few days before updating the plugins as I had a bad experience once for one of the plugins which I immediately updated as and when there was a new release.My blog stopped working properly after updating.It took a while before I could restore my blog back to the normal state.

    I’m not using any plugin for backup but plan to use it now. I’m manually taking the backup on regular basis. Since the plugin you are referring here is also free, I will surely try this one for regular backup.

    Thanks once again for sharing this.


    • Ehsan Ullah
      March 4, 2013 at 7:33 pm #

      Hey Sapna, always great to have you here.

      I must thank you for sharing your experience and suggesting us to wait for few days before updating the plugins when It asks to. You’re right, there’s always an open door to your blog for hackers, so having your blog’s backup with yourself all the time is most important.

      The plugins I’m referring here is free, but only takes the database backups. For full backup, you need to buy a premium plugin called BackupBududy or subscribe a paid backup service.

      Which plugin were you using to backup your blog before reading this post?

      • March 5, 2013 at 1:01 am #

        Hi Ehsan,

        I’m not using any plugin for backup, it’s all manual.



        • Ehsan Ullah
          March 5, 2013 at 3:11 pm #

          Ohh, There are a lot of plugins that can help you make your WordPress blog 100 times more secure.

          Thanks for your comment by the way.

  39. Deepak Mehra
    March 4, 2013 at 10:31 am #

    Hi Ehsan,

    WordPress security is very essential for a blogger. I think it very important for me.
    Thanks for share with me. I like your post.

    • Ehsan Ullah
      March 4, 2013 at 7:50 pm #

      Welcome Deepak, hope you learned to secure your blog now.

  40. March 4, 2013 at 9:43 am #

    Awesome post Ehsan!

    I liked all the information you shared and this would surely help everyone make their blog secure – if they do it the right way. :)

    Luckily, nothing has really ‘happened’ to my blog, but one doesn’t have to wait for something to occur before you open your eyes and take precaution – prevention is always better than cure – isn’t it?

    I agree with all your security tips and follow all of them, though I do fear updating the wordpress and plugins immediately because sometimes they affect the previous setting or make things go a little haywire. People say that you should generally wait for sometime before you update them or wait for someone to write about it and then go ahead. But yes, you need to take your chances and see how things go. It’s happened to me once so I’m a little careful with this one. :)

    Yes indeed, one should always see the rating of the plugin before you install them, and read the reviews too – these do matter a great deal. More so, it makes sense to only install those plugins you really need and not everything or anything people say. While I do backup my blog, I’ve not heard of scanning the theme as yet, so would surely be checking that out as well.

    Regarding the security part, I honestly don’t have much idea, because my husband the main tech person and normally takes care of all these things. But I would be sure to forward him this email so that he can see what he is doing and what still needs to be done. I guess being a writer – I just write. :)

    Thanks so much for sharing all of this with us Ehsan :)

    • Ehsan Ullah
      July 9, 2013 at 9:21 pm #

      Ohh can’t forgive myself. How did I miss this comment of yours Harleena?

      A late reply, sorry!

      I’m sure Aha-Now is more secure than Guide and News.

  41. Veronica
    March 4, 2013 at 5:30 am #

    Thank you for this Ehsan. I think hackers don’t have the right to create even a little ruckus to one’s blog or website because of course, we worked hard for it. But since trolling hackers are unavoidable, we bloggers and webmasters simply have to take safety measures to keep them locked out. Your helpful post is bookmarked! This serves as an eye opener especially to novice bloggers.

    • Ehsan Ullah
      March 4, 2013 at 6:35 pm #

      Thanks for the heads up Veronica, thanks for bookmarking.

      I appreciate you forwarding it to your dear bloggers to help them secure their blog.

  42. March 4, 2013 at 4:45 am #

    Thanks Ehsan for sharing your thought and this informative post on guideandnews. but I want to ask about wordpress blog backup. could you say me “How to create a full backup (With Images, Posts, Database). I don’t know about it. can you say me.

    Note: i want to backup my blog without plugin. i don’t have to need any plugin. please say me. i will waiting your reply.

    Rahul Kashyap

    • Ehsan Ullah
      March 4, 2013 at 6:32 pm #

      The ways to get full backup of your blog without using plugins are:

      1. Cpanel: Use your Cpanel to backup your blog, be it a part of it or full.
      2. Paid backup service: Subscribe to a paid backup service that will automatically backup your blog on daily basis.
      3. Subscribe to your hosting’s security service: Most of the good hosting services like Bluehost offers security services, and helps you restore your blog when It’s hacked.

      Hope that helps.

      • March 5, 2013 at 3:09 am #

        thanks @Ehsan for reply. I will try :)

        • Ehsan Ullah
          March 5, 2013 at 3:11 pm #

          Welcome Rahul, good luck.

  43. March 4, 2013 at 2:13 am #

    Hey Bro, you know that I’m just a starter to WP. Thanks a lot for sharing them.
    And in here or on private chat. Can you help me with backing up please? Because I’m little confused about it.
    Thanks a lot in advance bro :)
    And look at all those comments you got all in a sudden :D ! Congrats!

    • Ehsan Ullah
      March 4, 2013 at 6:25 pm #

      There are a lot of ways to backup your blog, get a backup and restore when It’s hacked or something goes wrong.

      1. Use plugins to backup your blog
      2. Use your Cpanel to backup your blog
      3. Use online paid services that automatically takes full backup of your blog on monthly/weekly/daily basis (Read my conversation with Sue Neal in above comments where we talked about it)

      I’ve mentioned a WP DB Backup plugin in the post, read Vipin pandey’s reply to your comment above to know how the plugin works.

      Let me know If you still need help.

      Thanks :)

  44. Joy
    March 4, 2013 at 1:35 am #

    Thanks Ehsan for those very useful tips. I just started a blog in wordpress and I honestly, I haven’t begun in considering the threat of hackers. Thanks for pointing it out and I’ll be sure to use your tips once I fix up my blog.

    • Ehsan Ullah
      March 4, 2013 at 6:18 pm #

      Welcome joy, hope that made sense to you.

      Hope to see ya around.

  45. March 4, 2013 at 12:50 am #

    Has anyone tried the WordFence plugin? I’ve been playing around with that lately and have found it to be pretty powerful. It does a scan but also let’s you view and block bots in a live traffic viewer.

    • Ehsan Ullah
      March 4, 2013 at 6:15 pm #

      Welcome to the blog Emory, Never heard of Wordfense plugins.

      Seems you’ve a good experience with that plugin. What else you have to say regarding that plugin?

      • March 5, 2013 at 4:58 am #

        Thanks! Lotsa features. I am thinking of doing a review of WordFence. Stay tuned :)

        • Ehsan Ullah
          March 5, 2013 at 3:12 pm #

          Ohh looking forward to your review.

          Is it a premium plugin? Or a free one?

  46. Jonny Axner
    March 3, 2013 at 11:38 pm #

    The post is on a topic I believe will get more and more important. I run 2 websites and I been hacked several times. So I agree with the Back-up Back-up Back-up and also tighten your htacess file. I have better WP installed and it´s doing a pretty good job.

    Also buy your themes to avoid hidden code and similar. THX for a good post.

    • Ehsan Ullah
      March 4, 2013 at 6:13 pm #

      Welcome Jonny, I think It’s your first time here, isn’t it? Why not read the welcome message?

      Glad you enjoyed the post, and bud get a gravatar today! ;)

  47. March 3, 2013 at 10:14 pm #

    It is a very interesting issue. It is very important for me to read this article. I also use WordPress platform with my blog. Thank you very much for sharing. This is quite useful.

    • Ehsan Ullah
      March 4, 2013 at 5:57 pm #

      Glad you found it useful Heru, hope you learned something new today.

  48. Rehmat
    March 3, 2013 at 5:54 pm #

    Good one Ehsan, but I’d like to add a small information, evil code is added mostly to the premium themes and plugins by hackers and they put them on the web for free. When someone uses these themes, their blogs are exposed to the hacking risk. When you will analyze the searches regarding themes, above 70% searches are carried out as “download premium themes for free” :P

    • Ehsan Ullah
      March 3, 2013 at 6:59 pm #

      Thanks for sharing the information, Rehmat.

      Using a plugin that has some kind of strange code which you can’t remove is like opening the doors of your WordPress blog for hackers. Choosing a good theme is important step and most beginners make mistake by using free themes that has those codes in it.

      That is why getting a premium theme from a reputable provider is must, and that’s why I recommend Theme Junkie.

      I appreciate you sharing your views here, hope to see ya around.

  49. March 3, 2013 at 11:59 am #

    i read the above post very carefully each point mention above is very true and effective specially i like the point to delete the default admin account because its use username as admin and its common every one knows its very useful post for all the bloggers

    • Ehsan Ullah
      July 9, 2013 at 9:23 pm #

      It takes a minute to type your name, too hard.

      Thanks for your comment BTW.

  50. March 3, 2013 at 4:36 am #

    Hi Ehsan,

    Good Post as always. I use limit login attempts instead of login lockdown as both do the same thing.

    And I don’t use this WP Backup because The backup the i have made doesn’t restored my site when I accidentally deleted everything. Instead I use Cpanel to create back ups.

    Thanks for the post.

    • Ehsan Ullah
      March 3, 2013 at 3:01 pm #

      Thanks for droppin’ in, Anurag.

      I’ve been using Login Lockdown from long time on my blog, and have good experience regarding it.
      How long have you been using the Limit Login Attempts?

      The plugin automatically takes the database backups of your blog, while creating backups from Cpanel takes time.

  51. March 2, 2013 at 9:01 pm #

    Much useful and informative post! Well, indeed it’s essential to keep WordPress dashboard updated so as to keep our blog secure. And yes, one must change default admin account username, to be on the safe side and also a strong password is always better. Well, all the WP security plugins you listed are very useful and I’m already using some of them, but it’s good to know more of them. Thanks for sharing and tweeted :)

    • Ehsan Ullah
      March 3, 2013 at 3:13 pm #

      Thanks for the heads up Nizam, you always leave quality comments here.

      How strong your WP password is? (I’m not asking for your password tough :D) Just want to know that is it a strong password with combination of numbers and alphabets?

      • March 3, 2013 at 9:57 pm #

        Well Ehsan! I use combination of letters (uppercase & lowercase), numbers and symbols in passwords :)

        • Ehsan Ullah
          March 4, 2013 at 5:55 pm #

          Good for you. Seems a very strong password…

          … No problem, I’ll still find it out :D

  52. March 2, 2013 at 7:40 pm #

    I use Better WP Security. It has a lot of security options including database backup. That’s quite impressive.

    Security is a tough issue that should not be neglected

    • Ehsan Ullah
      March 2, 2013 at 7:56 pm #

      Better WP Security seems quite impressive, I’ll check that out – thanks for the reminder, Enstine.

      What else do you do to secure your WordPress blog?

  53. March 2, 2013 at 7:20 pm #

    Hi Ehsan,
    you have covered almost all fectors. but removing default admin account and backup day by day are i think most important of them.

    • Ehsan Ullah
      March 2, 2013 at 7:58 pm #

      Thanks for dropping in Devil Blogger! ;)

      • March 3, 2013 at 5:35 am #

        Thanks for replying to get reply back ;) That’s the reason your readers stick with you ;) :)

        • Ehsan Ullah
          March 3, 2013 at 3:18 pm #

          haha, It’s my strategy. Do you use a plugin to send reply notification to your commentators?

  54. March 2, 2013 at 6:46 pm #

    Hi Ehsan,

    I follow all your main security tips and back my site up to the hilt – with the free WPDB backup plugin, regular manual backups and I subscribe to a paid back-up service, blogvault. I also keep copies of all my posts on my hard drive, which is backed up with Carbonite.

    I’ve also just started subscribing to hostgator’s security service, Sitelock.

    I use the limit login attempts plugin, but haven’t tried the other security plugins you recommend. I’m concerned about having too many plugins on my site – I think I’ve got too many already! Do any of the ones you recommend slow your site down?


    • Ehsan Ullah
      March 2, 2013 at 8:02 pm #

      Hey Sue, thanks for sharing your views.

      Nice to know you take too much care of your blog and you take security of it very seriously. How much does the paid backup service Blogvault cast to you?

      All of the plugins in the list are light weight ones which won’t affect blog’s load speed or anything else.


      • March 3, 2013 at 6:25 pm #

        Hi Ehsan,

        It costs me $19 a month – that’s for up to 3 sites. It costs $9 a month for a single site,

        Thanks for answering my query about the plugins


        • Ehsan Ullah
          March 3, 2013 at 6:50 pm #

          Isn’t it too expensive?

          I’ll check that out.

          • March 3, 2013 at 6:57 pm #

            What price peace of mind?!


          • Ehsan Ullah
            March 3, 2013 at 7:03 pm #

            I mean giving $19 a month to a service just to get back-ups of your blog is expensive for some bloggers, while most hosting services automatically takes backups of your blog for free.

  55. March 2, 2013 at 1:15 pm #

    Hi Ehsan,
    When it comes to the security of a blog, I’m always very careful at that because I’ve been a victim of hacking. Top Blogging Coach is not my first domain name when i started, i registered my first domain about 2 years ago, but hackers won’t let me rest.

    They hacked that blog about 4 consecutive times which lead to my abandoning the domain because i didn’t know what else i should do, i think the issue came from my hosting provider then. I now have to switch to another web host and then register another domain.

    I’m doing and using most of the plugins you recommended here already.

    I’m sure this post will help lots of other bloggers.

    Thanks my man and happy new month.

    • Ehsan Ullah
      March 3, 2013 at 2:47 pm #

      Always great to have you here Theodore,

      Nice to know you already use most of the plugins from the list and follow the tips. Where the top blogging coach is hosted on at the moment?

      Thanks for your comment, may the March be yours?

      • March 3, 2013 at 4:29 pm #

        Hi Ehsan,
        TOP is currently hosted on cluewebhost.com


        • Ehsan Ullah
          March 3, 2013 at 4:36 pm #

          Never heard of Cluewebhost, why don’t you try a reputable one like Bluehost or HG?

  56. March 2, 2013 at 11:03 am #

    hey ehsaan
    these are some nice tips. every blogger should know the importance of securing your blog. there are many plugins which makes your work more easy. and about the third point, i would say that dont install the plugins from anywhere outside WordPress. they might contains harmful things

    • Ehsan Ullah
      March 2, 2013 at 9:09 pm #

      Where outside WordPress prabhat? Even in WordPress plugins directory only install plugins that has a lot of good ratings and supports.

      Glad you liked the post, thanks for your comment.

  57. March 2, 2013 at 10:55 am #

    Hey Ehsan, Thanks for sharing this useful information. I think these tips are very useful to me as well as also helps many others. After reading this post, I got some more tips to secure our wordpress blog from being hacked.

    • Ehsan Ullah
      March 2, 2013 at 5:25 pm #

      Thanks for the appreciation Sudipto.

  58. March 2, 2013 at 10:47 am #

    WordPress security is very essential for a blogger. As I have encountered with a hacking in my previous blog. There are few plugins for that purpose like bullet proof security.

    • Ehsan Ullah
      March 2, 2013 at 5:09 pm #

      Thanks for the heads up Prakash, It’s essential and above are some essential tips that everyone can follow to make their WordPress blog 100% secure.

      Bullet proof security? Never heard of it, what’s your experience regarding that plugin?

      • March 3, 2013 at 9:30 am #

        As I got my previous blog hacked by someone. Then I decided to use it. After that I haven’t faced such hacking issue.

        • March 4, 2013 at 3:52 pm #

          Will take a look on that plugin.


  59. March 2, 2013 at 5:33 am #

    Ehsan, Initially when i started blog ignored few of this and experienced problems, It was when i started to use some of this plugins, by the way what is your suggestion about Better WP Security Plugin?

    • Ehsan Ullah
      March 2, 2013 at 5:00 pm #

      Never heard of that plugin lokesh, where’s the source?

      Just use all of the plugins in my list and your blog will be 110% secure :)

      • March 2, 2013 at 5:35 pm #

        Ehsan, Will surely try out the listed plugins :) and you can find the plugin in the below link and 4.8 rating for this plugin seems to be good.


        • Ehsan Ullah
          March 2, 2013 at 6:18 pm #

          Thanks for dropping in back lokesh, will check that plugin out and If I find it useful, will add that in the list.

  60. March 2, 2013 at 4:35 am #

    Hi Ehsan, I never use wordpress because I only use blogspot.
    If I have been using wordpress, I would wear tips from you for my wordpress security.

    Thanks For Sharing Brother…

    • Ehsan Ullah
      March 2, 2013 at 4:57 pm #

      THREE suggestions to you Darmawan:

      1. Move to WordPress today
      2. Get a good hosting, I recommend Bluehost
      3. Kick ass blogging from scratch and do it with business idea in mind.

      • March 7, 2013 at 10:29 am #

        thanks Ehsan..

  61. March 2, 2013 at 4:31 am #

    Hey Ehsan,

    I’m glad you included backing up as one of the points. I can’t imagine how bad it’d be if someone’s blog went down and they didn’t have a back up.

    I didn’t know that certain themes have code that can hurt you. Which is scary to say the least.

    Awesome post as always :)

    – Mark T.

    • Ehsan Ullah
      March 2, 2013 at 4:47 pm #

      Nice to see ya here Mark,

      Back up the best line of defense, isn’t it? ;)

      Yes most of the free themes has some kind of evil themes in it, have you face a similar situation? What theme do you use?

      • March 2, 2013 at 5:48 pm #

        Hey Ehsan,

        Hahha agreed.

        Well, I took some random theme, used it as the backbone and messed with the CSS and HTML to build my theme, but now I’m going to have to go back and check everything and maybe even build it from scratch :(

        But thanks for pointing this out, better to be prepared than be sorry later.

        – Mark T.

        • Ehsan Ullah
          March 2, 2013 at 6:17 pm #

          Good to see ya back :)

          Get a premium theme from reputable providers If you’re serious with your blog. Having a professional and good looking theme is enough to send signals that you mean business.

          Thanks for dropping in Mark, you really have a nice blog – like what I see so far at Zenspill :)

    • March 9, 2013 at 10:03 am #

      I agree with Mark here. Really awesome post! However, I want to add that if one is to rename the admin account he/she could also rename the wp-admin folder to something else. Having a fixed and known login location also counts as a security vulnerability.

      • Ehsan Ullah
        March 9, 2013 at 3:37 pm #

        Thanks for dropping in Julius,

        I don’t think there’s a way to rename the wp admin folder, but one can password protect that folder.

  62. March 2, 2013 at 3:24 am #

    WP DB plugin is old. It was updated 2 years ago. But still I use it on my blogs like thousands of others.

    So now I know that what it means by saying OLD IS GOLD :D

    • Ehsan Ullah
      March 2, 2013 at 4:44 pm #

      WP DB is a good option for starters to get their hand on a backup of their blog, nice to know you still use it.

      What’s your experience so far regarding this plugin, Shahzad?

      And what hosting do you use? how is the security features of that hosting is, and will they recover your blog If It is hacked?

      • March 4, 2013 at 2:14 am #

        Can I easily Backup my blog with that plugin? I’m little confused!

        • March 4, 2013 at 3:44 am #

          Yes Amal, you can backup your database with WordPress Database plugin. You can schedule backup hourly, daily, weekly or monthly basis. This plugin will send your backup to your email id. I am using it, I have scheduled daily backup and it is working perfectly. Remember it will only backup mysql database.

          Hey Ehsan, nice share man. WordPress Security Scan is cool plugin. It scan all security breaches and notify you to fix them. I am glad to know that you have included most plugins which I am using in my blog.


          • Ehsan Ullah
            March 4, 2013 at 3:50 pm #

            Nice to see ya here Vipin,

            Thanks for that Vipin, hope it makes sense to Amal.

            Thanks for sharing your experience regarding WordPress Security Scan, have you heard of WordPress file monitor plus?

            Thanks for stopping by.

      • March 19, 2013 at 10:13 am #

        I also install WP DB in my blog. Once I back up mysql but I don’t know how to restore my backup if something wrong happens to my blog or someone hacks it.
        Please let me know..It is very important for me to know the steps of restore it back.
        Thank you for discussing this useful info.

        • Ehsan Ullah
          March 19, 2013 at 5:46 pm #

          If you got the Database backup of your blog from the plugin, than you can restore it using Filezilla software ones It’s hacked.

    • April 18, 2013 at 7:02 am #

      Hey ehsan
      Awesome post and i also install WP DB in my accnt.
      but i dnt know much about this.
      pls help me