WordPress Security: How to Lock Down Your WordPress Site

March 27, 2012 , 39 Comments

At the time of writing, the number one suggestion in the Votebox is about online security. How can you keep your site from getting hacked and taken down, or worse, being “injected” with malicious code that might even affect your visitors in a negative way?

If you own many websites, chances are that you’ve had one or several of them compromised at some point and that’s never a pleasant experience.

In this post, we’ll take a look at the exact steps you can take to secure your WordPress websites, as quickly and easily as possible.


If you’ve been lucky enough to never have had any security issues with your website, you might be wondering: “how likely is it that I’ll get hacked?”

Especially if you have smaller sites, it may seem like they wouldn’t make interesting enough targets for hackers, so you  don’t really have anything to worry about, right? Wrong, unfortunately. My first ever site that got hacked was on a simple little blog that hadn’t been around for more than a few months and that barely got 40 visitors a day. Not a prominent target by any means.

The first thing you need to understand is that there doesn’t have to be any reason for an attack. You don’t have to have made enemies in hacker-circles, you don’t have to have a big, popular or controversial website. An attack can happen out of the blue, for the simple reason that your site is easy to hack. And that’s the number one rule: the easier it is to hack your site, the more likely it is to happen.

In this post, we’ll look at the two most important factors for securing your WordPress site:

  1. Backing it up, so that it can easily be restored, in case it does compromised.
  2. Adding security measures to make it more difficult to hack and therefore less likely to be attacked.

WordPress Backup Solutions

A WordPress site consists of two main components: the database, which stores all your written content and settings and the files on your server, containing all of your images, plugins, themes etc.

Database Backup

Install the WP-DBmanager plugin, which you can set to automatically create backups of your database at specific intervals and email them to you or store them on your server. In addition, you can also use this plugin to restore your database from a backup file.

Here’s a video showing how to use the installation, setup and restoration features in WP-DBmanger:

Files Backup

The easiest backup solutions are those that come with your hosting provider, but depending on your provider they might not offer all the features you'd want. Our recommended hosting provider for getting started is Hostgator. Hostgator provide a weekly automatic backup on all their shared hosting accounts, as long as you have fewer than 100,000 files stored on the server and less than 20GB of space used. If you install multiple WordPress websites on one account, it's likely that you'll exceed the file limit at some point. You'll see something like the following in the sidebar of your cPanel dashboard, when this happens: Hostgator Failed Backup When you are below the thresholds for files and disk-usage, you'll always have a backup available, but it can be up to a week old and there's only ever one backup stored. It's a good solution, but it's not perfect. You can manually create backups by going to the backup wizard in your cPanel. This will create a file for you to download, in a few easy steps. You can also use this same wizard to restore your files from an existing backup file. Hostgator Backup Wizard Our recommended high-end hosting provider, StormOnDemand, comes with it's own, fully customizable backup solution. Here, you can have daily backups created and you can store them for up to 90 days. The service is pay-by-use and the rates are very low. If you are using a different service or you want to extend the limited backup functionality of a shared hosting account, the SiteAutoBackup service is worth taking a look at. For any cPanel hosting account, you can create automatic, daily backups very easily and you can store them for up to 31 days. The pricing starts at $2/month, so you don't have to break your bank for this added bit of security.   WordPress Security Measures With the above, we've made sure that even if you get a WordPress site compromised, you'll never be more than a few clicks away from restoring all your files and data. The next step is to do what we can to ensure that restoring a backup will never even be necessary.


Download UpdatesSince you're familiar with the Internet, I'm sure you are aware that there are sites and forums/communities on pretty much every topic imaginable. And so there are also sites and communities that are all about documenting and discussing online security flaws and how to exploit them. Someone might read up on such an exploit and then do a quick search to find a site to try it out on. If your site meets the criteria and happens to show up in the search results, that's all it takes for it to become a victim of a hacker attack. The most commonly exploitable issues with WordPress as well as WP plugins are usually addressed with updates and luckily, WordPress makes updating very easy, via dashboard notifications and one-click-updates. Always update to the latest WordPress version and always keep your plugins up to date. If you're running an older version, it will still contain all the bugs that have been fixed in the newer version and some of those bugs might be potential security loopholes. If you run many different WordPress websites, it can be difficult to manage, as you'd need to log in to each dashboard separately, to perform the updates. If you want to make this process easier, take a look at manageWP (hosted service) or WP Mass Updater (Windows desktop software). When installing new plugins for your site, check to see when they've last been updated and whether they've had multiple versions in the past. As a general rule, a plugin that is updated regularly is less likely to be a potential security risk than one that had only one release, years ago and was never updated since.


Secure PasswordsAny and all security measures are futile if someone can simply log in to your site as an administrator or log into your hosting account, with malicious intent. Because of this, it's very important to use real passwords for all of your accounts. If you use passwords like 123456, password, letmeinqwerty, your birth date or anything similar, you're simply asking for trouble. You might think that that goes without saying, but I know that some people are reading this and thinking "how did he know my password?" (here's how). I recommend using LastPass, a free and awesome password management app. Create one truly secure master password for your LastPass account and then have it auto-generate secure passwords for you, for every account you use. The downside to this is that with any password manager, you'll have a single point of failure: if someone gets access to your password manager, they have access to everything. This is still a far smaller risk than using non-secure passwords on your accounts or writing down your passwords to remember them, though. The only alternative I'd recommend would be to use memorizable, secure passwords by stringing together random words and remembering them as visual representations. You'll still need some discipline and a good memory to do this, if you're going to use different passwords for all your critical accounts (as you should). Bottom line: replace all your insecure passwords with secure ones, right now. In addition, also make sure that your admin username is neither "admin" nor the same as your display name. If your username is either of those, that's one less thing a hacker needs to figure out, in order to breach your website. In the WordPress admin menu, go to "Users" -> "Your Profile". Here, you can set a nickname to anything you want and you can set the display name on your site to be your nickname: public_name

Secure FTP

FileZilla LogoFTP clients are extremely useful for managing the files on your server, but on a standard FTP connection, all of the communication between your computer and your server is un-encrypted. This means that, among other things, your username and password is sent in plain text and could, theoretically, be intercepted. The solution is to use an SFTP (secured file transfer protocol) connection. The general procedure is very simple: make sure you have SSH (secure shell) access enabled on your hosting account, set your FTP client to use SFTP and use your main username and password to connect (i.e. the password you use to log in to your cPanel account - logins for individual FTP accounts don't work via SFTP). Here is the same in more detail:

SSH Access

If you are using Hostgator, log in to you client and billing dashboard and click on the "View Hosting Packages" link in the sidebar menu. Then, click on the "Enable Shell Access" link: Enable Hostgator SSH If you are using StormOnDemand, SSH is enabled by default. If you're using a different hosting provider and you don't know how to activate SSH access, a look at the knowledge-base or a quick support request should get you sorted.


Next, download and install the free FileZilla FTP client (available for Windows, Mac OS and Linux). Launch it and open the site manager (File -> Site Manager).

Filezilla SFTP SetupUse the following settings:

  1. Set the host to your registered domain for the hosting account, preceeded by "ftp." or enter your server's IP address.
  2. If you are using Hostgator, enter "2222" as the port. On StormOnDemand, leave this field blank.
  3. Select the SFTP option for the Protocol drop-down menu.
  4. Select the logon type "Normal".
  5. Enter your cPanel username and password.
  6. Click on connect.
That's it, you now have a secure FTP connection to your hosted files!

BulletProof Security Plugin

BulletProof Security is a comprehensive WordPress plugin that creates htaccess files to protect all of your critical files and folders. It protects from many types of code injection attacks, it hides your WordPress version number and it also makes recommendations for how to change folder permissions in your WordPress files. Here's a quick video, demonstrating how to use the plugin:


CloudFlareCloudFlare is a service that was already mentioned and recommended in the post about how to speed up WordPress based websites. It's primary purpose is to act as something like a content distribution network and caching tool and most of it's features are all about increasing your site's loading speeds. However, another feature of CloudFlare is that it automatically blocks requests from known malicious sources. It mostly blocks spam bots, harvesting bots and botnet zombies. Especially with the latter, CloudFlare adds a layer of security to your site. To take advantage of this, simply sign up for CloudFlare (it's free) and install the CloudFlare plugin (also free) on your WordPress site.


Follow the steps above and you'll be presenting any potential hacker with a tough nut to crack, making it likely that they'll go look elsewhere, for victims. However, also keep in mind that you can never make a website 100% secure. Making attacks impossible is, unfortunately, impossible. That's why above all else, good back-up practices as described in the first section of this article, are the backbone of a secure site. With regular backups, even if things do go wrong, you never risk losing all of your valuable content and the hard work it represents. Shane's Signature [note title="Credit"]This article was created with the help of Chris Coleman, a self-taught programmer and computer security expert. Many thanks to him, as I could not have put this together without his unrelenting support and excellent advice.[/note]

About ​Shane Melaugh

I'm the founder of ActiveGrowth and Thrive Themes and over the last years, I've created and marketed a dozen different software, information and SaaS products. Apart from running my business, I spend most of my time reading, learning, developing skills and helping other people develop theirs. On ActiveGrowth, I want to help you become a better entrepreneur and product creator. Read more about my story here.

​Related Articles

  • I had a bunch of sites hacked by some script that redirected the sites via the htaccess file. It was a lot of work to fix them.

    Now I use backupbuddy to automatically backup sites to dropbox just in case, plus much of the regular security measures.

    Just having a complete backup makes me less anxious since I can have a site back up in a few minutes on any server.

  • Thanks for this post Shane. Some of my dinky sites got hacked a few months ago, just because of an outdated plugin they had.

    Never use the default “admin” username when you’re installing WordPress- that’s how I got hacked each time.

    I finally found a service called “Locker” from CodeGarage, and for me it was totally worth paying professionals each month to do all the steps you’ve outlined and more so I can do the stuff I’m good at.

    • Very good point about the admin username. One of those things that should go without saying, but then, some WP installers suggest that as a standard option…

      I’ve added a note about this to the article.

      Thanks for your comment!

  • Shane, this is THE BEST guide to security and backups that I’ve read online.

    Thanks very much for this – just realised there is a lot of things I should be done that I’m not!



  • Hi Shane,
    Very helpful post. I will definitely look into the CloudFlare service. A while back, I also posted on easy backup plugins that backup both databases and files of WP sites, like myRepono, which can handle multiple sites from one platform. Check it out if you have time; titled “Site Backup”.


  • Fantastic content as always Shane!

    It’s funny. I have a backup plugin on my blogs, but I never got around to seeing how to go about restoring, if I ever needed to.

    I wonder how many other people are in that boat.

    I’ll be going through all of this step by step, for a bit more peace of mind.

  • Hi Shane,

    What do you think about this management tool: WP Internet Management Center



    P.S. I did post so many times with my name as an anchor text to my newspaper site so Google could “think” this is my personal blog. So today I changes it to meaningful and useful anchor text, if you do not mind… :)

  • Great post, out of interest Shane, do you use the free version of Cloudflare? If you use the paid version does it produce better results?

    • I currently use the free version. I don’t think there’s a performance difference between free and paid, but I don’t know for sure.

      • I used Cloudflare for quite a while. Have loved them.

        Recently I outgrew my VPS and upgraded to a server. Once I did that, I got many “bad gateway” errors. I kept hoping it would resolve but finally had to take all my sites out.

        I might delete my sites and set them backup again. One a time to see how it goes. I wish I could figure out what caused the problem.

        At first I thought it was just me and my lousy connection in the Philippines but then I noticed utilities like ManageWP that handles my backups to my S3 account getting the same error and Google was also getting them as noted in Webmaster Tools. (I hate have those spies in there but sometimes it is good too. haha)

  • I haven’t been hacked yet, but I’ve noticed many attempts. Here’s a basic hint: Either don’t have an account named ‘admin’, or create one that has no access to anything, and give it a super-strong password. That way, even if some script-kiddie manages by shear dumb luck to log in to the account, it’s not a problem.

    I’m thinking of doing a plugin that watches for attempts to log in as ‘admin’, and adds an IP block to .htaccess automatically for the source of the attempt. Maybe even build a publicly-accessible list of those blocks so users of the plugin could collaborate.

    • The only time I was hacked was when I didn’t update right away. In the old days, it was dangerous to apply an update as soon as they came out. Often they were broke and break whatever you updated. So I learned to wait a while.

      These days, usually these updates are to fix a security issue that has just become widely known or has because widely known because WP or whoever announced the update was to fix that exploit. So these days, you need to update immediately.

      I’ve been using Lastpass for a LONG time and my passwords are VERY long. :) Nobody is getting me that way.

      Installing Bulletproof now… Haven’t seen that one before, thanks Shane!

  • I also worgot to mention these free wp plugins I use now:
    WP Security Scan and Secure WordPress by WebsiteDefender
    WordPress Database Backup by Austin Matzko
    EZPZ One Click Backup by Joe ‘UncaJoe’ Cook

    Did you use them before and what is you opinion if you do?


  • Another nice post – thanks. Security and WordPress combine to make me lose sleep at night. I am due for a large Security overhaul for my sites.

    My question is on Cloud Flare. Have you used this service? I have made some change in hosting providers as shared hosting was not working when I have a number of visitors at the same time (go figure). But some of the reviews I have read on Cloud Flare have been pretty harsh…. the ones I recall were by users that swear Cloud Flare actually was to blame for poor site performance.

    What is your experience with Cloud Flare?

    • Hi Scott,

      I use CloudFlare on several sites. Whatever you do, always test before and after, when making changes like this. I’ve found that on a shared hosting account, CloudFlare will lead to significant improvements in performance.
      For sites I’ve hosted on StormOnDemand, which is already cloud distributed and very high performance, CloudFlare actually caused a minimal slow-down. I considered using it anyway, for it’s minification, caching and bandwidth saving features, but for the time being, I’ve deactivated it.

  • A very useful take on the whole security thing for wordpress sites. For backup I tend to use Online Backup for WordPress which works very well even in its free incarnation. See http://www.backup-technology.com (not an aff link)

    Additionally the comments about the need to remove the user “admin and change your default display names is very important reinforcement to back up all the other voices who have been giving this advice for the past several years.

    Another approach that I am testing at the moment is 2 factor logins where you need to use a second token to secure your normal UN/PW login so far it’s looking pretty effective. It’s called Duo Two-Factor Authentication. it works by generating a series of passcodes that are delivered to your phone or via an app that runs on your phone. It’s worth a look, especially if you are stashing personal / payment info on your site. http://www.duosecurity.com (non aff link)

  • Thanks a lot for this post. I have one of my website about “safe security” hacked recently. The attacked just kept coming every time I restore from my back up files. The attacks only stop after I installed bulletproof plug-in mentioned above. And I did not even get to see the above video and follow through on each and every steps outlined in the above video (just click, read and repeat). I also like your cloudfare stuff, I registered with them and cannot wait to see how it go.

  • I have used several plugins to protect wp logins. However, they usually kept me locked out! lol I now use roboform to fix my memory lapses.

    I have made several changes you revealed.

    One important directory most wp users do not backup is the wp-content/uploads folder. Not doing so will cause broken links frowned on by google and your images etc will not appear.

    Your tips are appreciated Shane.

  • Good post! This something we all should be aware of when connected to the internet. Make backups and have some security measures in place. I use Cloudfare which adds some website security.


  • Hi Shane:

    Now this post is an actionable, worthwhile>>>> a most useful post!

    It makes me want to pay more attention to your next product offering because you have already added value to my quest to make a success online.

    BTW, sorry to ask you this but I’m not sure how to get my pic displayed when on your Comments…I have a gravitar…..

    I’ve been able to implement most of your suggestions, however, I was somewhat non plussed when I first tried to activate bullet proof by clicking on the 4 Star offering available

    I ended up with “Usernoise” from the same guy, Krakov, wow was that a surprise!

    Anyway, I finally managed to get the bullet proof properly installed after
    downloading it from wp.org

    To tell you the truth, I was upset with you after your last post about WSOs but you have redeemed yourself + alpha!

  • Hi Shane,

    I think this post helped remind a lot of us that we have neglected an essential part of our business – protecting it. The point that sites, no matter what size, without proper security measures sort of invite the visit of hackers – though logical – did not occur to me until now. At least I back them up regularly, which is something that gets forgotten a lot too.

    All in all a great post and securing my ftp access will be on my to do list too.

    As far as the price of hosting goes, isn’t there something available between Hostgator and StormOnDemand that can handle a higher amount of activity without sloooowing down on delivery?


    • There isn’t much in between, in terms of hosting. And nothing I found, that I could recommend.
      The next step after a shared hosting account is a VPS and even a very small VPS package is going to cost about half of what StormOnDemand costs, but it will have a fraction of the performance.

      A shared hosting account will go a long way. Personally, I used shared hosting up to the point where my business was generating enough income for the hosting costs of StormOnDemand to be negligible.

      • Well, I had nothing but trouble with hosting.

        SiteCloud had some problems, shut down and transfered all customers over to GreenGeeks. Later sucks as far as I’m concerned. Too bad I paid ahead for 3 years. Bad mistake.

        Evanzo.de, I don’t like because you either buy your domains there or you MUST have them transfered to them. It’s better to have your domains registered with a separate registrar. They also make it difficult to close your account – you actually have to request this in handwritten form.

        Hostgator and Arvixe where in hindsight the better ones I had. Particularly Arvixe.

        The only one I’m pretty happy with is Weebly. I wanted to see how good they are with with their free account (free hosting for 2 domains). No problems whatsoever.
        A good solution to recommend to newbies (No ftp, no cpanel etcetera) and people who can not invest a lot of money and still want a quality service and performance. They only hassle with the free account might be the upload limitation of 5 MB or that you can’t create any sub domains.
        They do not have the greatest site templates though and after a while you miss all the nice toys (plugins) from WordPress too.

        I get your point about quality/performance has its price, but there are a few marketer who need multiple hosts too avoid footprints or spread the load. I still have to watch out how much I invest in hosting. If you host every domain separately to play it save, then this can ad up fast.

        BTW, I think your subscription message system is on strike – never got a notification that you answered.


  • The easier way and faster way to change permissions is just type the recommended permission number in the field, instead of messing around with checking/unchecking check boxes to get the recommended setting. :)

  • Hi Shane, I tried cloudflare like you suggested after reading this but my rankings tanked. I got 1600 visits a day before, today was less than 300. I don’t think google liked the DNS change, so I switched back.

    • Did your rankings return?
      I’d be surprised if Google reacted like that to a DNS change…

      • Only just done it yesterday and not yet. Strange that one or two ranks stayed, but the rest died completely. The site is mainly a static content one so it might take some time for Google to do another indexing of the site. Google has an incentive to react to badly as DNS changes due to people buying expiring sites on GoDaddy auctions/namejet/snapnames and putting up link-spam blogs on them. I really hope the rankings return, I’m down like $20 a day from this.

      • Man, I’m sorry to hear that.
        I’ll do some reading up on this possible connection of DNS change and ranking drops.

      • This might belong in a Google-Myth section, but I’ll mention it anyway. I don’t use and haven’t used cloudflare so I don’t have any reason pump them up or tear them down.

        On another forum I frequent here was some discussion about problems with cloudflare. I’m going from memory here so don’t take this as fact but rather as something to look into.

        One person reported that he lost a lot of ranking after switching to cloudflare. He did some checking and saw that there were adult sites on sharing the IP he was on. He turned off cloudflare and his rankings slowly returned. His guess was Google decided he was in a ‘bad neighborhood’ and lowered his rankings.

        Another person reported that cloudflare’s dns servers have gone down much too frequently. When they go down, your site is unreachable. One time he said he was down for the better part of a day (maybe longer but I don’t want to inflate what I can’t remember for sure). I have almost as much trust in the guy that reported this as I have in you, Shane.

        In addition to that, I subscribed to a fairly high dollar service for a while that used cloudflare during their launch. It didn’t take them long to drop it. I don’t know what happened, only that they said it was causing a number of problems.

        True or not? I don’t know. Worth checking out? If you want to use them, then yes. See if others have reported something similar.

  • Hi Shane,

    Thanks so much for the great information.

    For those who doubt the need for protection listen to this: last month I set up a new account on a new host with a new domain name. There was nothing in the site except the automatic .htaccess file and it contained only a few lines of code to try to activate mod-security — which created a 500 server error code.

    Cloudflare reported over a dozen attempted hacks every day from all over the world. On a new, inaccessible, nothing site!

    The internet is teeming with vermin who direct their autobots to attack anything, anywhere, any time.

    Your site WILL be attacked. It probably was today.

    Will regular back-up protect you? Only against an unsophisticated hacker. The competent ones leave your site and files LOOKING the same. You may not know you’ve been penetrated for months!

    Do you keep back-ups for months? I didn’t. My host didn’t.

    So… I lost 45 sites across 3 hosting platforms and 2 home computers. 7 years of my life … poof. And I would have sworn I was being careful.

    It’s a jungle out there. Be careful.

  • Shane,

    Great information as always.

    I can only say that I have been backing up like a Mad Man these days and taken extra precautions regarding security on all of my sites.

    Whenever I can i grab the IPs of these bad characters, search them down and block them in my cpanel and on my sites.

    I use Bad Behavior which has been pretty successful tamping down the spam bots.

    I also use Login Lockdown which I can set to one or two unsuccessful login attempts before it shuts access for an hour.

    Bullet proof looks good and I may take a look at that too.

    There’s also a free plugin called Firewall 2. Seems to protect against high level sql injection attacks.

    But after losing a few sites due to negligent backup habits I can only stress from my own experience; Backup, Backup, Backup!

  • Hi Shane,
    I read the post when you first sent it. Though, I did not have time at that time to implement anything. So, I am going through this today.

    I was in Cpanel- when I checked my awstats.. and the number one page that was visited today was my wp_login.php. ..huh? I have not even tried to login today..

    So, i got with hostgator to see how can I find out who was trying to do that.. they taught me how to get the raw data file and found out it was an IP from netherlands. It has been trying all morning to get in.. I blocked the IP.. I had already WPlockdown.. so that probably helped me!

    Since most of the attacks are coming from China, and most of my customers are from the USA, would it be wise to just block all traffic from China and other countries known by the attacks?

    Question: What does the SSH shell does?

  • Hi Shane, good article indeed but I want to add two important plugins:

    Firstly, use “Limit Login” plugin that will protect your site from brute force attack.

    Secondly, if you want to backup your blog data, I found “myEASYbackup” plugin worth using and the best thing its Free!

  • Thanks Shane! That’s a good read. I thought you should also include 2 factor authentication in this article.

    By the way, I noticed that the post excerpts in the footer area (not in homepage, but in inner pages) have a minor problem. All excerpt text starts with the word “Tweet”. I thought it is due to social buttons on individual posts. You can solve this by 1) turning on the custom excerpt box {you can do this in the wordpress add new post area} and 2) fill the custom excerpt box for each post. If you need screenshots about that, please let me know.


  • Hello Shane,
    What an excellent post.
    It is so refreshing to see someone take the time to put out a well researched actionable post that is of very real benefit.

    The usual trick you see everywhere is to send out scare emails and then try to sell you the fix.

    I applaud you for your integrity, there are not many IM marketers I could say that about.

    Many thanks,

  • Shane,

    I see the videos were done in 2012.
    Are there any updates or this info current?

    Backupbuddy: I hear a lot about this.
    Then for security also there are lot of plugins.


    • Hi Roger,

      I haven’t updated the post, but as far as I know, all the information here still applies. Especially all the information about the security that doesn’t have anything to do with plugins or stuff on your site. That’s as relevant and important as ever.

  • {"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

    ​Develop the Ultimate Entrepreneurial Superpower: Productivity!

    ​Countless "wantrepreneurs" fail to achieve their business goals - not because of a lack of knowledge, but because of a lack of productive, effective implementation. Don't be one of them.