Authors: Take these Five Basic Steps to Secure Your WordPress Website Today!

Feb 13, 2017

by Nate Hoffelder

Monday is usually my spot in our publishing schedule, but I’m giving it up today for a good reason.

Last week Nate Hoffelder of The Digital Reader alerted me to a widespread attack on vulnerable WordPress sites. Since my site, and those of many other authors run on WordPress, this is a serious situation you should pay attention to.

The attacks, which have affected over 2,000,000 WordPress pages in the past few days, were reported by, among others, Ars Technica: “Virally growing attacks on unpatched WordPress sites affect ~2m pages.”

Here’s one thing they said:

“Attacks on websites running an outdated version of WordPress are increasing at a viral rate. Almost 2 million pages have been defaced since a serious vulnerability in the content management system came to light nine days ago. The figure represents a 26 percent spike in the past 24 hours.”

In this context, Nate suggested some immediate steps you can take that will help guard your site.

A Fact of Life Online

Listen, hacking and malicious attacks and bots that plant malware are simply a fact of life online. If you want to build a site that attracts readers, builds your mail list, performs as a media center or, like in my case, provides your income, you need to learn to address these issues.

Over the years I’ve spent time and money on making my sites more secure, hiring services that monitor sites, and moving my blog hosting to a fully managed environment.

On the day you wake up and discover your site is offline, or hacked until it’s unrecognizable, that’s the day you’re going to say to yourself, “Why didn’t I do those things when I could?”

Start today. Although some of these steps are simple, they will all help you stay online, in business, and productive. Here’s Nate’s article on the subject.


WordPress is the most widely used website platform, and it powers a quarter of all websites. That immense popularity means that developers are constantly adding new software options, but it also means that hackers are always looking for WP sites with lax security.

Here are 5 steps you can take to make your website more secure.

1. Don’t use “admin” as a username.

Did you know that the first account created when a new WP site is set up is usually named “admin”?

Hackers know that fact, and it is why they always try to hack that account on any WP site they attack. It doesn’t matter the age of the site or how active it is, hackers will always target the admin account first.

That is why you should never use that account.

  • Solution: Make a new account with administrator privileges, give it a unique name, and then change the permissions for the account named “admin” so that it is no longer an administrator. Change it to a “subscriber”.

2. Use a strong password.

Every year web security experts list the most common passwords, and every year hackers use that list to try to gain access to your website. So if you have an easily guessable password like “12345”, “qwerty”, “password”, or “12345678”, you should change it right away.

  • Solution: Luckily, WP will suggest a secure password for you, so all you need to do is visit your profile page on your site, scroll down to where it says “New Password”, and click the button to generate a new password.
  • Copy the suggested new password so you don’t lose it or forget it, and then scroll down to the bottom of the page and click the “Update Profile” button to finish the process.

3. Disable your web designer’s account on your site.

Did someone help you set up your site? Do they still have an account on the site?

If you answered yes to both questions then you should consider disabling that account right away.

This may come as a surprise, but even a pro will sometimes be careless and use an easily guessable password. In fact, I just helped a client clean up their site after it had been hacked through the old web designer’s account. A hacker had found that account, guessed the password, and gained complete access to the site.

  • Solution: Change the web designer’s account so that it is no longer an administrator for the site; instead, make it a subscriber. But you don’t have to delete the account, because if you work with the designer again you can always restore their privileges.

4. Keep WordPress updated.

Did you know researchers are finding new security holes in software all the time?

Developers are constantly patching their software to fix the issues, but hackers are also on the lookout for sites which are behind on updates. If hackers find you missed a critical security update, they will pounce without mercy.

  • Solution: Check your site every couple of weeks, and install any available updates.

5. Install a firewall plugin.

You wouldn’t dream of browsing the web without a firewall, anti-virus, and anti-malware software running, would you?

Of course not; that is just web safety 101, and the same is true for your website. A firewall plugin will alert you to someone trying to hack your site, and it can also tell you if a hacker has already gained access and is making changes.

  • Solution: Install either the Wordfence or the Sucuri plugin, and don’t forget to go through the full setup process.

    My recommendation is Wordfence; I like its email notifications. But Sucuri is also good in that it has the better malware scanner.
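The five steps above as one WP-CLI script, added here as an example; it is not part of Nate's post and not WP-CLI's own code. It assumes WP-CLI (`wp`) is installed and that you run the script from your WordPress root over SSH; the new administrator's login, e-mail address and the list of stale logins (for example the old designer's account) are placeholders you supply. The password check and the list of accounts to demote are plain shell and can be read without WP-CLI; the `wp` commands only run when you pass `--apply`.

```shell
#!/bin/sh
# Added example (not part of Nate Hoffelder's post): steps 1-5 above as a WP-CLI script.
# Assumptions: WP-CLI ("wp") is installed, the script runs from the WordPress root,
# and the new administrator's login, e-mail address and the stale logins are
# placeholders supplied on the command line.
set -eu

# Step 2: the guessable passwords quoted above, plus a minimum length.
WEAK_LIST="12345 qwerty password 12345678"
MIN_LEN=16

# is_weak_password PASSWORD -> true (exit 0) if the password must not be used:
# shorter than MIN_LEN, or containing one of the weak strings in any letter case.
is_weak_password() {
    candidate="$1"
    if [ "${#candidate}" -lt "$MIN_LEN" ]; then
        return 0
    fi
    lower=$(printf '%s' "$candidate" | tr 'A-Z' 'a-z')
    for bad in $WEAK_LIST; do
        case "$lower" in *"$bad"*) return 0 ;; esac
    done
    return 1
}

# new_password -> a 32-character random password (the job WordPress's own
# generator does in step 2), re-drawn if it ever trips is_weak_password.
new_password() {
    while :; do
        pw=$(openssl rand -base64 24)
        is_weak_password "$pw" || break
    done
    printf '%s\n' "$pw"
}

# plan_demotions STALE_LOGIN... < users.csv
# Reads the CSV that `wp user list --fields=user_login,roles --format=csv` prints
# and lists the accounts that steps 1 and 3 say must become subscribers:
# "admin" itself, and every stale login given as an argument.
plan_demotions() {
    while IFS=, read -r login roles; do
        if [ "$login" = "user_login" ] || [ "$roles" = "subscriber" ]; then
            continue          # header row, or nothing left to take away
        fi
        if [ "$login" = "admin" ]; then
            printf '%s\n' "$login"
            continue
        fi
        for stale in "$@"; do
            if [ "$login" = "$stale" ]; then
                printf '%s\n' "$login"
            fi
        done
    done
    return 0
}

# harden_site NEW_ADMIN_LOGIN NEW_ADMIN_EMAIL [STALE_LOGIN...]
harden_site() {
    new_login="$1"
    new_email="$2"
    shift 2

    # Steps 1 and 2: a uniquely named administrator with a generated password.
    # The password is printed once; copy it into your password manager.
    pw=$(new_password)
    wp user create "$new_login" "$new_email" --role=administrator --user_pass="$pw"
    echo "Created administrator '$new_login' with password: $pw"

    # Steps 1 and 3: "admin" and stale accounts keep existing but become subscribers.
    wp user list --fields=user_login,roles --format=csv \
        | plan_demotions "$@" \
        | while read -r login; do
              wp user set-role "$login" subscriber
          done

    # Step 4: bring core, plugins and themes up to date.
    wp core check-update
    wp core update
    wp plugin update --all
    wp theme update --all

    # Step 5: the firewall plugin, then a check that no core file has been altered.
    wp plugin is-installed wordfence || wp plugin install wordfence --activate
    wp core verify-checksums
}

# Nothing touches the site unless you ask for it explicitly, e.g.:
#   sh wp-harden.sh --apply new_owner owner@example.com old_designer
if [ "${1:-}" = "--apply" ]; then
    shift
    harden_site "$@"
fi
```

The new administrator is created before anything is demoted, so the site is never left without an administrator, and the demoted accounts are kept rather than deleted, exactly as step 3 advises. The final `wp core verify-checksums` compares every core file against the official release, which is a cheap way to spot the kind of tampering step 5 warns about.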

Start thinking about the security of your site today. And let me know in the comments:

Has your WordPress site been hacked? How did you solve your problem?

Nate Hoffelder has been building WordPress websites and blogging about digital publishing since 2010, and offers WordPress help for authors. You can find him over at The Digital Reader.

Photo: “Hacker stealing information” by cafecredit via photopin (license)


9 Comments

  1. Pamela

    Why didn’t the WordPress engineers notify us about this?

    Reply
    • Nate Hoffelder

      I see your site is on WordPress.com; you don’t have anything to worry about because Automattic took care of it for you.

      Reply
  2. J.L.Hunt

    Does it matter if you have a free WordPress acct? Or is this automatic?

    Reply
    • nate hoffelder

      If you’re at WordPress.com then most of this is taken care of for you.

      Just about all you have to worry about on WP.com is using a strong password.

      Reply
  3. David Todd

    Being a duffer on technology, I’ve wanted to upgrade my WordPress version. Alas, when I try to do so, I get a message something like “Best to back-up your site before proceeding”. But, since I don’t know how to back-up my site, I don’t proceed with the upgrade. How does one back-up a blog or website?

    Reply
    • nate hoffelder

      Most of the time you can ignore the warning, but you should set up a backup anyway.

      I like a plugin called BackupWordpress, but there are many plugins which fill this need. Also, depending on the hosting company, they may be doing it for the website owner.

      I see that you are with Hostgator. They charge for this service:
      https://support.hostgator.com/articles/what-is-codeguard

      Reply
  4. suz

    I was looking for advice on this since one of my sites was hacked last week. Luckily they didn’t do too much damage. Got a firewall on them now.
    Thanks for the great post.

    Reply
  5. Sahara Foley

    Thanks for the heads up. I just installed the firewall plugin. I never thought about it.

    Reply

