Checklist - How to Secure your WordPress site

  • This means, things you really should do, and they're not very hard to do.
  • This means, things that take more techie chops to do — do them if you know how (or find a friend), and your WordPress will be very safe!

  • This is only a reminder list — for full how-tos, follow the links.
  • Don't worry about learning how to do all these things at once! Start with first 5 things. When you understand those (and do them), try out the next steps.

The two most most most important things to do are:

  • Always update WordPress, and any plugins
    Most updates are made to fix security problems. The bad guys are always finding new ways to attack, so the programmers are always having to write new ways to protect.
    Updating is very easy. WordPress will show you when anything needs updating, and all you have to do is click to do the update. So ...
    • Update WordPress right away whenever the dashboard shows you a notice of a new version.
    • Update any plugin right away whenever the dashboard shows you a notice of a new version.
  • Back up your website. Often.
    • Back up your database often
      How often? → How many of your posts will you lose before you start to cry?
    • Keep copies of your uploads and themes folders
    • Here's how ↓

Three other important things are:

  • Have good passwords, and keep them safe.
    • at least 10 characters. more is better!
    • upper- and lower-case letters, numbers, and punctuation
    • It's easy!
      1. Just float your hand over the keyboard, and flop your fingers around on the keys:
      2. Change some of letters to uppercase:
      3. Replace some of the things with punctuation:
      4. Boom! a password! (DON'T use this one! The hackers have it now.)
    See more here.
  • Use "secret keys" in your wp.config.php file.
    You don't need to understand it — it's so easy, just do it!
    Just click on and copy the results into the section of your wp-config.php file that looks like this:
        * Authentication Unique Keys and Salts.
        * Change these to different unique phrases!
        * Generate these at
        * You can change these at any point in time to invalidate all existing cookies.
        * This will force all users to have to log in again.
        * @since 2.6.0
        define('AUTH_KEY',         'put your unique phrase here');
        define('SECURE_AUTH_KEY',  'put your unique phrase here');
        define('LOGGED_IN_KEY',    'put your unique phrase here');
        define('NONCE_KEY',        'put your unique phrase here');
        define('AUTH_SALT',        'put your unique phrase here');
        define('SECURE_AUTH_SALT', 'put your unique phrase here');
        define('LOGGED_IN_SALT',   'put your unique phrase here');
        define('NONCE_SALT',       'put your unique phrase here');
    (Just replace all the define(); code lines, with what you copied from that url.) See more here.
  • Always access your WordPress admin through a secure computer:
    Secure OS, scanned for viruses, updated browser. Hackers can get your passwords and other info to hack your website.
    (More about securing your computer is here.)

If you don't do these things, you are opening the doors to your site. Nothing on this page can protect you from yourself!

Don't just take my word for it :) See what the experts say here, here, and here!


So you're doing the things above, and all is happiness. :)

But maybe you have to worry about the really bad guys! :/

No problem! :) Want to learn more and be a real professional? :)

OK, let's go!

Below are things to do: when you install↓ ... when you make user accounts↓ ... in the code↓ ... with plugins↓ ... in the admin↓ ... when you back up


making the database

  • Be sure that the "xx collation" and "connection collation" are Unicode: Select "utf8_general_ci" from the menu.

When you install WordPress ...

Always do:

Also useful:

These are a bit tricky to do — but will add to security.

After install ...

  • Take an ftp backup of the entire Wordpress folder (all the files) once installation is stable.

User roles

  • Don't give anybody the main admin password!
  • Make separate user accounts for people working on the site, as editor, author, etc.
  • If you are logging in to do non-admin things, use a non-admin account. Use the admin account only to do admin things.
  • If you have more than one person who does admin things, make a separate account for each of them.

Code modifications

  • Remove the word "wordpress" & wordpress version from the source code (Meta tags)
    add to functions.php in your theme:
          function no_generator() { return ''; }
      add_filter( 'the_generator', 'no_generator' );
  • Removing the link to WP at the bottom will help too, as your site will not be easily known as one that runs WP




How to backup your WordPress site, at

  • Backup your database.
  • Backup your uploads and themes folders.
    • How?
      Manually: ftp your upload directory (images, videos, and other files), current theme directory, and plugins directory to your local machine.
      With plugin: WordPress Backup plugin - it backs up your files.
    • How often?
      How much of your file uploads and theme changes will you be not bothered to lose? I'm guessing - none! So you may want to backup as often as you upload files or make stylesheet or other theme code changes.
  • Keep your backups safe.
    • Keep copies in two or three safe places.
    • And not on your server! Hackers will love you if they find them there.

Know more

The best info about protecting your WordPress:
More about protecting your WordPress:
And more ...
General info:
[an error occurred while processing this directive] [an error occurred while processing this directive]