Over the years, I have built, advised and worked on so many WordPress websites, I’ve lost count. Whether they’re my own, a client’s or a friend’s, there’s always one thing I do when I log in…


In fact, it’s become somewhat of an obsession, with very good reason. When I first started using WordPress, my blog was just a baby. It was hacked and infected so badly, I pretty much had to start again. How did they get in? Through out-of-date Plugins and an old, unpatched version of WordPress. BOO.

It may seem like only a week or two since you last updated WordPress to the latest version. Sometimes updates are released even quicker, even daily, and it can seem like a chore to keep checking and waiting for new versions to install. But that’s a GREAT thing. It means that the development team behind this amazing, free CMS are constantly working to fix bugs, patch security holes and keep your website secure against hackers (pesky blighters, who are also constantly working on ways to get in). And the teams behind our lovely (again, usually free) Plugins and Themes are doing the same, to keep your site safe. And it works. The system is fantastic and keeps you protected – but only if you actually remember to update 😉

The latest update (4.7.2 as I type) fixed security vulnerabilities which, on sites that hadn’t updated, resulted in “hacked by” posts cropping up. WP actually do all the hard work before the issues are announced, meaning that IF YOU UPDATE you’ll be fine. But thousands of Admins who didn’t hit that little button could have been affected, through no fault of WP’s. And believe me, sorting out a hacking issue is a lot more painful than taking 2 minutes out of your day, I promise.
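If you look after more than a handful of sites, logging in to each one to see whether the update nag has appeared gets old fast. The script below is an added example (my code, not something from the original post) that checks from the outside: WordPress advertises its version in the RSS feed’s generator tag (https://wordpress.org/?v=4.7.2) and in the HTML meta generator tag, and the real wordpress.org version-check API (https://api.wordpress.org/core/version-check/1.7/) reports the current release in offers[0].current. The sample feed/HTML snippets and the sample API response are constructed here so the check runs offline; only fetch_live() at the bottom goes to the network, and the site URLs you pass to it are your own.

```python
"""
Outside-in check: which of my WordPress sites are behind the current release?

Added example, not code from the original post. It relies on two things
WordPress really does publish: the RSS feed <generator> tag and the HTML
<meta name="generator"> tag that carry the running version, and the
version-check API at https://api.wordpress.org/core/version-check/1.7/
whose offers[0]["current"] field is the latest release. Everything below runs
offline on constructed sample data; fetch_live() is the only part that
touches the network.
"""
import json
import re
from typing import Optional, Tuple

# Version strings as WordPress emits them, e.g. "4.7.2" or "4.7".
_FEED_GENERATOR = re.compile(
    r"<generator>\s*https?://wordpress\.org/\?v=([0-9.]+)\s*</generator>", re.I)
_META_GENERATOR = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([0-9.]+)"', re.I)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.7.2' into (4, 7, 2) so that 4.7.10 sorts after 4.7.9."""
    return tuple(int(p) for p in text.strip().split(".") if p != "")


def site_version(body: str) -> Optional[str]:
    """Extract the WordPress version a site advertises in its feed or HTML.

    Returns None when neither tag is present (hardening plugins often strip
    them); in that case the dashboard is the only reliable source.
    """
    for pattern in (_FEED_GENERATOR, _META_GENERATOR):
        m = pattern.search(body)
        if m:
            return m.group(1)
    return None


def latest_version(version_check_json: str) -> str:
    """Read the current release out of a version-check/1.7 response."""
    data = json.loads(version_check_json)
    offers = data.get("offers") or []
    if not offers or "current" not in offers[0]:
        raise ValueError("unexpected version-check response: no offers[0].current")
    return offers[0]["current"]


def status(site_ver: Optional[str], latest: str) -> str:
    """One-line verdict for a site, treating a missing version as a warning."""
    if site_ver is None:
        return "unknown (generator tag stripped; check the dashboard)"
    a, b = parse_version(site_ver), parse_version(latest)
    n = max(len(a), len(b))            # pad so "4.7" compares as "4.7.0"
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    if a < b:
        return f"OUT OF DATE: {site_ver} < {latest}"
    return f"up to date: {site_ver}"


def report(pages: dict, version_check_json: str) -> dict:
    """Map site name -> status line for a dict of {name: fetched body}."""
    latest = latest_version(version_check_json)
    return {name: status(site_version(body), latest) for name, body in pages.items()}


# --- Constructed sample data (not real sites, not a real API capture) ---
SAMPLE_VERSION_CHECK = json.dumps({
    "offers": [{"response": "upgrade", "locale": "en_US",
                "current": "4.7.2", "version": "4.7.2",
                "php_version": "5.2.4", "mysql_version": "5.0"}],
    "translations": [],
})

SAMPLE_PAGES = {
    "my-blog":  '<rss><channel><generator>https://wordpress.org/?v=4.7.2</generator></channel></rss>',
    "client-a": '<html><head><meta name="generator" content="WordPress 4.6.1" /></head></html>',
    "client-b": '<rss><channel><generator>https://wordpress.org/?v=4.7</generator></channel></rss>',
    "friend":   '<html><head><title>no generator tag here</title></head></html>',
}


def fetch_live(site_urls):
    """Optional live run: fetch each site's feed and the real version-check API."""
    from urllib.request import urlopen
    pages = {u: urlopen(u.rstrip("/") + "/feed/", timeout=10).read().decode("utf-8", "replace")
             for u in site_urls}
    vc = urlopen("https://api.wordpress.org/core/version-check/1.7/", timeout=10).read().decode()
    return report(pages, vc)


if __name__ == "__main__":
    for name, line in report(SAMPLE_PAGES, SAMPLE_VERSION_CHECK).items():
        print(f"{name:9} {line}")
```

Run it as-is and the sample set shows one site current, two behind (including one that only reports “4.7”, which the padding treats as older than 4.7.2), and one whose version can’t be read because the generator tag has been removed. That last case is deliberate: a stripped tag doesn’t mean the site is safe, it just means you have to log in to find out, so the script flags it rather than staying quiet.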

So. What easy steps can you take to help secure your WordPress site?

  • Install a security Plugin. The best ones in my opinion are Sucuri and Wordfence, both of which have free versions and are incredibly easy to install. They’ll notify you when there are any problems on your site (changed files, malware, suspicious logins) and tell you when you need to update. Don’t ignore those emails: get straight in and update ASAP! A security plugin can warn you, but it can’t press the update button for you.
  • Make your passwords long and hard to guess. Either use WP’s crazy, randomly generated password (and let a password manager remember it for you), or choose something long with a mixture of upper and lower case letters, numbers and symbols. Never reuse a password from another site, and change it straight away if you think it has been exposed.
  • Add yourself as a new user (with your own name, or business name), with a new password, log in as that user, and then delete the “admin” User completely. Remember to select “Administrator” rather than “Subscriber” in the role drop down when adding the new user, so you can access all of WP’s dashboard functions. When WP asks what to do with the old user’s content, choose “Attribute all content to” your new user rather than “Delete all content”, or your posts disappear along with the account. Automatic password-guessing programmes try the default “admin” name first, so dropping it takes you off the easy list. It isn’t a silver bullet, though: WordPress usernames can often be discovered (author archive pages are one route), so the strong password above is still what really keeps them out.
  • Back up regularly – both your files (themes, plugins, uploads) and your database – and keep a copy somewhere other than your hosting account, so that a hacked or broken server doesn’t take the backups with it. There are some free plugins for this which are fine, but if you have valuable info on your site, this is an area where paying for a plugin is a good investment. Test a restore once, too: a backup you’ve never restored is a hope, not a plan.
  • Make sure you’re with a good host, who is set up for WordPress and in a position to help you if you need them. I have been with TSO Host for years and their customer service is fantastic (plus they know not everyone speaks “tech” and keep things nice and simple when you need them to.) Siteground is another good option. Have a chat to your current host and make sure that they are optimised for WordPress and are doing everything they can to protect you, too.


So that’s it! There are many other, more technical ways to really protect your WordPress site (this is a great recent article from CodeinWP on that), but if you’re not confident with getting a little bit deeper into WordPress, the 5 simple security steps above really are a great place to start and will protect you from the most common attacks.

If you have any questions about any of the above, please do feel free to email me.

But for now? Go. UPDATE! 


PSST: If you ever want to know if you need to update, just log in and WP will tell you: an update notice appears at the top of the dashboard, and a number shows up next to “Updates” in the left-hand menu counting how many core, plugin and theme updates are waiting.