Secure Your WordPress Website

Why You Need To Secure Your Website

It is a sad fact of life today that if you have a well-designed website that the search engines have indexed, the spammers will find it. They will be looking for websites that they can log into, infiltrate with ads and maybe even harvest customer information from. The worst that can happen is that your website will be hacked.

I know, because the worst has happened to me. A very popular website that I designed for a community group in my home town was infiltrated and hacked by pornographers. One of the users I had set up on the website had the same text for her username and her password. This made it very easy for the hackers to log in, access the posts and pages on the site and insert obscene ads and links.

When I discovered this, I deleted all the ads, changed her username and password and did everything I could to tidy up the site. But my efforts were in vain because the garbage all quickly reappeared. It turned out that the hackers had installed an automatic driver somewhere on the web server and this was continuously generating spam all over my site.

The web hosting company that I was using advertised themselves as clean, secure and robust, but when I consulted their technical support they were of little help.

In the meantime, the search engines had picked all this up and were listing pages that linked to the junk. I had no option but to abandon the domain, move to a different hosting service and rebuild the site from scratch.

I’m not telling you this to panic you. In the early days of your website any of this is unlikely to happen, because it will take the spammers some time to discover your site. And if you do get any spam it will likely be more of a nuisance than anything worse. But the WordPress platform is now so popular that hackers know exactly what to do to penetrate unprotected sites. It is in your interests to be prepared for this from the start.

How To Secure Your Website

Here is a checklist of the things you need to do to secure your website from spam and attack:

  1. Create a username other than ‘admin’ (the username that some of the one-click WordPress installers assign by default). Ideally it should be eight characters or greater and be a mix of letters, numbers and symbols. WordPress usernames are not case-sensitive.
  2. Create a password that the strength indicator designates as ‘strong’ when you enter it under ‘Users’ > ‘Password’. Ideally it should be eight characters or greater and be a mix of upper- and lower-case letters, numbers and symbols. WordPress passwords are case-sensitive. Make sure that you store your password in a safe place so that you can retrieve it if you have to.
  3. Use a plugin that will limit the number of unsuccessful login attempts on your website. (See Lesson 12).
  4. Only use WordPress themes from reputable sources and that ideally have a good number of four- and five-star ratings from current users.
  5. Only use WordPress plugins from reputable sources and that ideally have a good number of four- and five-star ratings from current users.
  6. When your dashboard tells you that the WordPress software, themes or plugins have updates then update them immediately.
  7. Use a plugin to insert a CAPTCHA (see Lesson 12) on logins, change passwords, contact forms, and comment forms.
  8. Back up your website regularly. Your web host company may offer this service, but it is a good idea to have this under your own control by using a plugin (see Lesson 12) and downloading the backup onto your own computer.
  9. If you have other users registered to access your website then make sure that you do not allocate them more capabilities than they really need to perform their designated role. And make sure that they are well-trained enough to fulfil that role!
  10. Do not put your email address in clear text on your website, as it will soon be harvested by spammers and phishers. Use a contact form (see Lesson 12) to enable visitors to email you. If you must spell out your email address, make sure that it is obfuscated (encoded so that harvesting bots cannot read it) by using a plugin such as WebEmailProtector.
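The first three items above (a username other than ‘admin’, a strong password, and a cap on failed logins) can be written down as checks. The following Python example is added here and is not code from the lesson or from any WordPress plugin; it shows the logic a login-limiting plugin applies. The threshold of five failures, the fifteen-minute lockout, the in-memory store, the PBKDF2 work factor and the sample account are all assumptions made for the demonstration.

```python
"""Added example (not from the lesson or any plugin): credential checks and a
failed-login limiter matching checklist items 1-3. The thresholds, the
in-memory store and the PBKDF2 parameters are assumptions for the demo."""
import hashlib
import hmac
import os
import re
import time

MIN_LENGTH = 8             # the lesson's "eight characters or greater"
MAX_FAILURES = 5           # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window
PBKDF2_ROUNDS = 200_000    # assumed work factor for stored password hashes


def username_is_acceptable(username):
    """Item 1: not 'admin' in any letter case (WordPress usernames are not
    case-sensitive), at least 8 characters, with letters, digits and symbols."""
    u = username.strip()
    if u.lower() == "admin" or len(u) < MIN_LENGTH:
        return False
    return all(re.search(p, u) for p in (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]"))


def password_is_strong(password):
    """Item 2: at least 8 characters mixing upper- and lower-case letters,
    digits and symbols (passwords, unlike usernames, are case-sensitive)."""
    if len(password) < MIN_LENGTH:
        return False
    return all(re.search(p, password)
               for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))


def make_credential(password, salt=None):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_credential(credential, password):
    salt, digest = credential
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class LoginLimiter:
    """Item 3: count failed logins per username (case-folded, as WordPress treats
    usernames) and refuse all attempts for LOCKOUT_SECONDS after MAX_FAILURES."""

    def __init__(self):
        self.failures = {}      # username -> consecutive failure count
        self.locked_until = {}  # username -> unix time when the lockout ends

    def is_locked(self, username, now=None):
        now = time.time() if now is None else now
        key = username.lower()
        if self.locked_until.get(key, 0.0) > now:
            return True
        if key in self.locked_until:  # lockout has expired: reset the counters
            del self.locked_until[key]
            self.failures.pop(key, None)
        return False

    def record_failure(self, username, now=None):
        """Returns the new failure count; starts a lockout at the threshold."""
        now = time.time() if now is None else now
        key = username.lower()
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
        return self.failures[key]

    def record_success(self, username):
        key = username.lower()
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def attempt_login(limiter, users, username, password, now=None):
    """Returns 'locked', 'ok' or 'failed'. Unknown usernames are counted like
    wrong passwords, so the returned status does not reveal which accounts exist."""
    now = time.time() if now is None else now
    if limiter.is_locked(username, now):
        return "locked"
    credential = users.get(username.lower())
    if credential is not None and verify_credential(credential, password):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username, now)
    return "failed"


if __name__ == "__main__":
    users = {"site_owner42": make_credential("Tr0ub4dor&3")}  # constructed account
    limiter = LoginLimiter()
    for _ in range(MAX_FAILURES):
        print(attempt_login(limiter, users, "Site_Owner42", "guess", now=0.0))
    print(attempt_login(limiter, users, "site_owner42", "Tr0ub4dor&3", now=1.0))
    print(attempt_login(limiter, users, "site_owner42", "Tr0ub4dor&3",
                        now=LOCKOUT_SECONDS + 1.0))
```

The limiter keys on the lower-cased username because WordPress treats ‘Site_Owner42’ and ‘site_owner42’ as the same account; a plugin that counted them separately would give an attacker five free guesses per spelling. A real plugin also records the source address and persists the counters in the database so they survive a restart.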

Website Security Routine

All this talk of abuse and attacks may sound rather intimidating, but the way to deal with the problem is to gradually put in place the protection you need. Think of it in the same way as securing your home.

Do this step-by-step in the first few weeks as you build your website and then it will become a matter of routine. When your website is safe and secure there should be nothing to stop you sleeping at night…

Start out by assigning usernames and passwords as above and install the plugin that will limit the number of login attempts.

Choose your WordPress theme with care. If you have tried and installed several themes that you know you will never use again then deactivate and delete them.

Install all the essential plugins as mentioned in Lesson 12 and update them as and when notified by the dashboard. Deactivate and delete unused or out-of-date plugins.

If (when!) you receive emails via your contact form that are sent by humans but are clearly spam, mark them as such in your email system. These typically come from people who offer to review your website or improve your SEO, or who tell you how wonderful your website is. They often want to sell you services, sunglasses or sex-aids. DO NOT click on links in these emails, and delete them from your system after marking them as spam. You can minimize all this by placing a CAPTCHA on your contact form.

After setting up regular backups of your website, look out for the emails telling you this has been done. Follow the links to download the backup files onto your own computer. The frequency of the backups you need will depend on how often you update your website, but weekly should usually be sufficient.

Once you have done all this setting up there is little else you need to do. Just keep an eye out, be conscientious and don’t panic. Your website will be safe.

Action Steps

Check out the list of steps 1-10 above and decide which one(s) you should do now and which later.


How do I restore my website from a backup?

It depends how the backup was created.

If your hosting company has generated a recent backup, contact their technical support and ask them if they could restore the site for you.

If you use the VaultPress plugin then restoring your website is simply a matter of a few clicks. Their documentation provides all the information you need to know.

If you used the Backup WordPress plugin (or indeed any other backup plugin) you will first need to unzip the backup files into a series of folders on your computer and then upload these to overwrite the equivalent files on your website. You would do this either through the File Manager on your host’s cPanel or via FTP (File Transfer Protocol) software. If this is unfamiliar to you then visit my website where I provide more information on this subject.
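Item 8 of the checklist and the restore answer above leave two details implicit: how you know the backup you downloaded is the one that was made, and that overwriting your site’s files from an archive is only safe when the archive really contains what it claims. The following Python example is added here and is not code from the lesson, from Backup WordPress or from VaultPress. It packages a constructed stand-in for a site directory, records a SHA-256 checksum beside the archive, verifies that checksum before restoring, and skips any archive member that would write outside the restore directory. All paths, file names and file contents are constructed for the demonstration.

```python
"""Added example (not from the lesson or any backup plugin): back up a
WordPress-style directory with a checksum manifest, verify it, and restore it
without letting a tampered archive write outside the restore directory.
Every path and file below is constructed for the demo."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(site_dir, out_dir, name):
    """Archive site_dir as out_dir/<name>.tar.gz and write <name>.tar.gz.sha256
    next to it; download both files together, as the lesson advises."""
    archive = Path(out_dir) / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=name)  # every member lives under <name>/
    Path(str(archive) + ".sha256").write_text(sha256_of(archive) + "\n")
    return archive


def backup_is_intact(archive):
    """True only if the archive still matches the checksum recorded at backup time."""
    manifest = Path(str(archive) + ".sha256")
    if not manifest.exists():
        return False
    return manifest.read_text().strip() == sha256_of(archive)


def restore_backup(archive, restore_root):
    """Extract only members that stay inside restore_root; returns their paths.
    A member with an absolute path or a '..' component, or a link, is skipped,
    because a tampered archive could otherwise overwrite files elsewhere."""
    if not backup_is_intact(archive):
        raise ValueError("backup does not match its checksum; refusing to restore")
    root = Path(restore_root).resolve()
    extracted = []
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (root / member.name).resolve()
            if target != root and root not in target.parents:
                continue  # would escape the restore directory
            if member.issym() or member.islnk():
                continue  # links can also point outside; skip them
            tar.extract(member, str(root))
            extracted.append(target.relative_to(root).as_posix())
    return extracted


def build_demo_site(site_dir):
    """Constructed stand-in for a WordPress install: config file, an upload and
    the database dump a backup plugin would include."""
    site_dir = Path(site_dir)
    (site_dir / "wp-content" / "uploads").mkdir(parents=True)
    (site_dir / "wp-config.php").write_text("<?php // constructed sample config\n")
    (site_dir / "wp-content" / "uploads" / "logo.txt").write_text("sample upload\n")
    (site_dir / "database.sql").write_text("-- constructed dump\nCREATE TABLE wp_posts (id INT);\n")


def demo():
    """Back up, restore, then corrupt one byte and confirm the check rejects it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site, backups, restore_to = tmp / "site", tmp / "backups", tmp / "restore"
        for d in (site, backups, restore_to):
            d.mkdir()
        build_demo_site(site)
        archive = create_backup(site, backups, "site-backup")
        intact_before = backup_is_intact(archive)
        restored = restore_backup(archive, restore_to)
        config_matches = ((restore_to / "site-backup" / "wp-config.php").read_text()
                          == (site / "wp-config.php").read_text())
        # Simulate corruption or tampering in transit: flip the last byte.
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(bytes(data))
        return {"intact_before": intact_before, "restored": sorted(restored),
                "config_matches": config_matches,
                "intact_after": backup_is_intact(archive)}


if __name__ == "__main__":
    print(demo())
```

Keeping the checksum file with the downloaded backup means you can tell a complete archive from a truncated or altered one before you upload anything through cPanel or FTP. The path check in `restore_backup` matters because a restore runs with your own privileges on the server: an archive member named with `..` or an absolute path would otherwise be written wherever it points.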
