
Are You Making One Of These 3 WordPress Security Mistakes?


In the process of redesigning this site, a thought struck me. WordPress is quite easy to start with – load up a theme, install some plugins, write some posts – but what about WordPress security basics? Is there a set of rules for WordPress security?

Well, there are a number of things I do to ensure my blog is secure, and you can do them too.

If you don’t have these three bases covered with the following plugins, then you’re probably committing a WordPress security cardinal sin:

Lock out unwanted attackers with Login LockDown

The Login LockDown plugin protects your blog from brute-force attacks on the login page. It can also lock out login attempts for usernames that don’t exist, which is handy if you follow the tip near the bottom of this post.

Backup regularly and automatically with WordPress Database Backup

The last thing you want to find, when you’ve been attacked and need to reinstall your blog, is that you don’t have a current database backup. The WP-DB-Backup plugin lets you schedule backups and email them to an address of your choice.

You should also back up your site’s files at least monthly.

Protect your site from spammers with Akismet, WP-SpamFree & Invisible Captcha

This trio will protect you from pretty much any spam. Akismet and WP-SpamFree don’t need to be installed together; one of them will do.

I consider Invisible Captcha one of the hidden essentials: a little-known plugin that deserves a much bigger audience. I find it invaluable. Don’t worry, your users won’t even know it’s there; it works by stopping the bots rather than challenging your readers.

Speaking Of Spam, They Can’t Spam What They Can’t See

Use the Bad Behavior plugin and the WP-Ban plugin to lock out intruders for good. These bad boys can be dangerous if you’re a bit of an amateur, because you can do silly things like banning yourself from your own blog.

Among a host of other uses, they let you ban individual IP addresses and whole ranges of IP addresses. People can’t spam you if they can’t access your website.

A Sneaky Fourth Security Tip

Pick a name for your administrator account other than “admin”. The default WordPress installation creates “admin” as the default user, but you can add another administrator account, log in with it and use it to delete the original. This tip, combined with Login LockDown’s lockout feature for non-registered users, will thwart the script kiddies.
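To show what the lockout behaviour described under Login LockDown and in this fourth tip amounts to, here is an added illustrative must-use plugin, not the Login LockDown plugin’s code or any code from this post. It assumes the standard WordPress hooks and functions (`wp_login_failed`, `authenticate`, `wp_login`, transients, `username_exists`) and assumed thresholds of five failures in fifteen minutes; attempts for a username that does not exist (such as “admin” once you have removed it) lock the address out immediately.

```php
<?php
/*
Plugin Name: Example Login Lockout
Description: Illustrative lockout logic (not the Login LockDown plugin). Drop into wp-content/mu-plugins/.
*/

// Assumed tunables; pick values that suit your site.
const EXAMPLE_LOCKOUT_MAX_FAILURES = 5;
const EXAMPLE_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS; // WordPress time constant

// Transient key per client address. Behind a reverse proxy REMOTE_ADDR is the
// proxy, so have the proxy set the real client address before relying on this.
function example_lockout_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_lockout_' . md5( $ip );
}

function example_lockout_failures() {
    return (int) get_transient( example_lockout_key() );
}

// WordPress fires wp_login_failed with the username that was tried. Unknown
// usernames (including "admin" once you have removed that account) lock the
// address out at once; real usernames count toward the threshold. Every further
// failure, including attempts made while locked out, renews the window.
add_action( 'wp_login_failed', function ( $username ) {
    $failures = example_lockout_failures() + 1;
    if ( $username !== '' && ! username_exists( $username ) ) {
        $failures = EXAMPLE_LOCKOUT_MAX_FAILURES;
    }
    set_transient( example_lockout_key(), $failures, EXAMPLE_LOCKOUT_WINDOW );
    error_log( sprintf( 'login failure %d for user "%s"', $failures, $username ) );
} );

// Refuse attempts from a locked-out address. Priority 30 runs after WordPress's
// own username/password check (priority 20), so even a correct password is rejected.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( example_lockout_failures() >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
        return new WP_Error( 'locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_lockout_key() );
} );
```

Test it from a second browser or address before relying on it, since keying on the client address means a mistake here locks you out of your own dashboard, exactly as the post warns for the banning plugins.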

Some Friendly Advice On Server Choice

Finally, choose an appropriate host and upgrade yourself from standard hosting. Get your own IP address and virtual machine if possible. Bluehost offers a premium account for only $14.95 a month: sign up for the standard account, then sign up for the premium upgrade via the console. You get SSL for conducting proper eCommerce, plus your own IP address and your own virtual machine.

Do you have any security tips to add? Have you written a handy plugin that you think should be on this list? Leave a comment below.

3 thoughts on “Are You Making One Of These 3 WordPress Security Mistakes?”

  1. Even though I do have quite a bit of internet marketing experience, Josh, I quickly found that blogging about what I’m passionate about actually presented quite a few hurdles and challenges. Rather new to blogging, I was surprised to find that WordPress is GREAT, but it has quite a few considerations to take to use it to its greatest capacity and capability.

    I know, I’ve been bombarded by so much spam lately. Every day, it seems like I receive at least 20 new spam comments… do you know what exactly causes this? Are these people that just run some kind of automated software? And… what really is the purpose of it? They are absolutely horrible attempts at internet marketing of a product/service, if that’s the goal. Or, are they attempting to make backlinks or something like that? (Not sure how effective that is when their comment ends up being deleted anyway… just seems like it wastes EVERYONE’s time all around…)

    1. Hey Howie,

      There’s one reason why people keep spamming. It works.

      These people pay hundreds in getting people to post comments, illegally harass people on email and other shady tactics, but the reason they do it is because out of those millions of links and email that get farmed out they actually do get a small return and that small return counters the cost of the activity. They wouldn’t do it if they weren’t making something from it.

      Personally I think it’s a pain in the ass having to clean up, like you said 20 new spam comments a day isn’t uncommon. I’ve written a detailed article on fighting spam here if you want to take a look.
