Checklist - How to Secure your WordPress site
The first part of this list is things you really should do, and they're not very hard to do.
The second part is things that take more techie chops.
Do them if you know how (or find a friend),
and your WordPress will be very safe!
This is only a reminder list — for full how-tos, follow the links.
Don't worry about learning how to do all these things at once!
Start with the first 5 things. When you understand those (and do them),
try out the next steps.
The two most important things to do are:
Always update WordPress, and any plugins
Many updates exist only to fix security problems.
The bad guys are always finding new ways to attack,
so the programmers are always having to write new defenses against them.
Updating is very easy. WordPress will show you when anything needs updating,
and all you have to do is click to do the update.
Update WordPress right away whenever the dashboard shows you a notice of a new version.
Update any plugin right away whenever the dashboard shows you a notice of a new version.
(Since WordPress 3.7, minor security releases install themselves by default; major versions and plugins still wait for your click unless you turn on auto-updates for them.)
Back up your website. Often.
Back up your database often
How often? → How many of your posts will you lose before you start to cry?
Keep copies of your uploads and themes folders
Here's how ↓
Three other important things are:
Have good passwords, and keep them safe.
At least 10 characters; more is better!
Upper- and lower-case letters, numbers, and punctuation.
One quick way: float your hand over the keyboard, flop your fingers around on the keys,
change some of the letters to uppercase,
and replace some of the characters with punctuation.
Boom! a password! (But never reuse a password you have seen published as an example; the hackers have it too.)
Fingers tend to land on neighbouring keys, so a mashed password is less random than it looks. Better still, let a password manager generate a long random password and remember it for you, so you never have to type it from memory or write it down.
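An added example, not from the original page, that does the same job with a real random generator instead of keyboard-mashing: it builds a password from Python's `secrets` module (a CSPRNG), guarantees every character class the checklist asks for, and checks any password against those rules. The punctuation set and the 20-character default are my choices, not the page's.

```python
import secrets
import string

# Character classes the checklist asks for: upper- and lower-case letters,
# numbers, and punctuation. MIN_LENGTH follows the page (10); longer is better.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumed subset of punctuation that every login form accepts without trouble.
PUNCT = "!@#$%^&*()-_=+[]{};:,.?"
MIN_LENGTH = 10


def generate_password(length=20):
    """Return a random password containing at least one character of each class.

    Fingers on a keyboard land on predictable neighbouring keys and cracking
    wordlists already contain those patterns; `secrets` draws from the OS CSPRNG.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # Guarantee one of each class, then fill the rest from the whole alphabet.
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(PUNCT)]
    alphabet = UPPER + LOWER + DIGITS + PUNCT
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the guaranteed ones are not always first
    return "".join(chars)


def check_password(pw):
    """Return the checklist rules the password fails (an empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in UPPER for c in pw):
        problems.append("no upper-case letter")
    if not any(c in LOWER for c in pw):
        problems.append("no lower-case letter")
    if not any(c in DIGITS for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    return problems


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "->", check_password(pw) or "passes all checklist rules")
```

Run it once per account and paste the output straight into the password manager; the generator never writes the password anywhere itself.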
Use "secret keys" in your wp-config.php file.
You don't need to understand it. It's so easy, just do it!
Just open https://api.wordpress.org/secret-key/1.1/salt/ in your browser
and copy the results into the section of your wp-config.php file that looks like this:
/**
 * Authentication Unique Keys and Salts.
 * Change these to different unique phrases!
 * Generate these at https://api.wordpress.org/secret-key/1.1/salt/
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
(Just replace all eight define() lines with what you copied from that URL. Every existing login is invalidated when you do, so expect to log in again.)
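An added example, not from the page or from WordPress: a Python script that generates eight values of the same kind the api.wordpress.org service returns, but locally, and writes them into the define() lines shown above. It also reports which keys are still set to 'put your unique phrase here'. The character set and the regular expression that matches the define() lines are assumptions of mine; try it on a copy of wp-config.php first.

```python
import re
import secrets
import sys

KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
# Assumed alphabet, like the one the api.wordpress.org generator uses, minus the
# single quote and backslash so a value can never break out of PHP's '...' string.
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_ []{}<>~`+=,.;:/?|")


def generate_salt(length=64):
    """64 characters from the OS CSPRNG, like the values the WordPress API hands out."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _define_re(key):
    # Matches  define('KEY', '<anything without a quote>');  with optional spaces.
    return re.compile(rf"(define\(\s*'{key}'\s*,\s*')([^']*)('\s*\)\s*;)")


def salt_values(config):
    """Return {KEY: current value} for every key found in the config text."""
    found = {}
    for key in KEYS:
        m = _define_re(key).search(config)
        if m:
            found[key] = m.group(2)
    return found


def placeholder_keys(config):
    """Keys still set to the default phrase, i.e. the thing the checklist tells you to fix."""
    return [k for k, v in salt_values(config).items() if v == PLACEHOLDER]


def rotate_salts(config):
    """Return config with a fresh value in every define().

    Running it again later rotates the keys, which logs every user out
    (that is what the comment block in wp-config.php means by invalidating cookies).
    """
    for key in KEYS:
        new = generate_salt()
        config, n = _define_re(key).subn(
            lambda m, v=new: m.group(1) + v + m.group(3), config)
        if n != 1:
            raise ValueError(f"expected exactly one define() for {key}, found {n}")
    return config


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "wp-config.php"
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    print("keys still on the placeholder:", placeholder_keys(text) or "none")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rotate_salts(text))
    print("all eight keys replaced in", path)
```

Because the values are made on your own machine, nothing about your site is sent anywhere; the script refuses to write if any of the eight define() lines is missing or duplicated, so a half-edited file is not silently left with old keys.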
Always access your WordPress admin from a secure computer:
an up-to-date OS, scanned for malware, and an updated browser.
Otherwise hackers can take your passwords and other info from that computer and use them to hack your website.
(More about securing your computer is
If you don't do these things, you are opening the doors to your site.
Nothing on this page can protect you from yourself!
Don't just take my word for it :) See what the experts say
So you're doing the things above, and all is happiness.
But maybe you have to worry about the really bad guys!
Want to learn more and be a real professional?
OK, let's go!
Below are things to do:
when you install↓ ...
when you make user accounts↓ ...
in the code↓ ...
with plugins↓ ...
in the admin↓ ...
when you back up↓ ...
Making the database
Be sure that the database collation and the connection collation are Unicode.
The old advice was to select "utf8_general_ci" from the menu; on a current MySQL or MariaDB pick a utf8mb4 collation instead (utf8mb4_unicode_ci, for example). WordPress itself has used utf8mb4 since version 4.2, and MySQL's plain "utf8" is a 3-byte subset that cannot store emoji and many other characters.
When you install WordPress ...
These are a bit tricky to do, but they add to security.
After install ...
Take a backup of the entire WordPress folder (all the files) once the installation is stable. Use SFTP (or FTPS) for the transfer rather than plain FTP, which sends your login and every file in the clear.
Don't give anybody the main admin password!
Make separate user accounts for people working on the site,
as editor, author, etc.
If you are logging in to do non-admin things, use a non-admin account.
Use the admin account only to do admin things.
If you have more than one person who does admin things,
make a separate account for each of them.
Install WordPress security plugins:
Limit plugins to the really useful ones, and only from trusted sources.
Do your research; don't just download any plugin that you see.
Google is your friend!
Update your plugins as soon as updates come out.
It is very easy to do from the plugins admin.
Avoid plugins that allow PHP execution from posts/pages: every post editor then becomes a way to run arbitrary code on your server.
How to back up your WordPress site, at
Back up your database.
Back up your uploads and themes folders.
Manually: copy your uploads directory (images, videos, and other files), current theme directory, and plugins directory to your local machine over SFTP (plain FTP sends your login in the clear).
WordPress Backup plugin: it backs up your files.
How many of your file uploads and theme changes could you stand to lose?
I'm guessing none!
So you may want to back up as often as you upload files or change a stylesheet or other theme code.
Keep your backups safe.
Keep copies in two or three safe places.
And not on your server!
Hackers will love you if they find them there: a backup under the web root can be downloaded by anyone who guesses its file name, and it contains your whole database and your wp-config.php with the database password and secret keys.
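An added example (my code, not the page's or any plugin's) that does the file part of a backup and enforces the off-server rule above: it tars the uploads, themes and plugins folders, refuses to write the archive anywhere under the WordPress root, writes a SHA256SUMS file so the copies you keep elsewhere can be checked with `sha256sum -c`, and builds the mysqldump command for the database with the password passed in the MYSQL_PWD environment variable rather than on the command line. The directory layout, file names and the demo tree are constructed for this example.

```python
import hashlib
import os
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path

# Folders the checklist says to keep copies of (uploads and themes), plus plugins.
CONTENT_DIRS = ("wp-content/uploads", "wp-content/themes", "wp-content/plugins")


def backup_dir_is_outside(out_dir, wp_root):
    """True if out_dir is neither the WordPress root nor anything under it."""
    out_dir, wp_root = Path(out_dir).resolve(), Path(wp_root).resolve()
    return out_dir != wp_root and wp_root not in out_dir.parents


def archive_content(wp_root, out_dir, stamp):
    """Tar+gzip the content folders under wp_root into out_dir.

    Returns (archive_path, sorted member names). Refuses to write into the web
    root: a backup under public_html is downloadable by anyone who guesses its name.
    """
    wp_root, out_dir = Path(wp_root).resolve(), Path(out_dir).resolve()
    if not backup_dir_is_outside(out_dir, wp_root):
        raise ValueError("refusing to write backups under the WordPress root")
    out_dir.mkdir(parents=True, exist_ok=True)
    archive = out_dir / f"wp-content-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in CONTENT_DIRS:
            src = wp_root / rel
            if src.is_dir():
                tar.add(src, arcname=rel)  # keep wp-content/... paths inside the archive
    with tarfile.open(archive, "r:gz") as tar:  # re-open to prove the archive reads back
        members = sorted(tar.getnames())
    return archive, members


def mysqldump_command(db_name, db_user, db_host="localhost"):
    """argv for mysqldump. The password is deliberately NOT an argument: it goes in
    MYSQL_PWD, because anything on the command line shows up in `ps` for every user."""
    return ["mysqldump", "--single-transaction", f"--host={db_host}",
            f"--user={db_user}", db_name]


def dump_database(db_name, db_user, db_password, out_dir, stamp, db_host="localhost"):
    """Write <out_dir>/db-<stamp>.sql with mysqldump (needs a real database to run)."""
    dump = Path(out_dir) / f"db-{stamp}.sql"
    env = dict(os.environ, MYSQL_PWD=db_password)
    with open(dump, "wb") as fh:
        subprocess.run(mysqldump_command(db_name, db_user, db_host),
                       stdout=fh, env=env, check=True)
    return dump


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(out_dir, files):
    """Write SHA256SUMS so off-server copies can be verified with `sha256sum -c`."""
    manifest = Path(out_dir) / "SHA256SUMS"
    with open(manifest, "w") as fh:
        for f in files:
            fh.write(f"{sha256_file(f)}  {Path(f).name}\n")
    return manifest


def demo_backup():
    """Run the file part of the backup on a constructed mini WordPress tree.

    No database is involved here, so mysqldump is not called.
    """
    with tempfile.TemporaryDirectory() as tmp:
        wp_root = Path(tmp) / "public_html"
        for rel, name in (("wp-content/uploads/2024", "photo.jpg"),
                          ("wp-content/themes/mytheme", "style.css")):
            (wp_root / rel).mkdir(parents=True)
            (wp_root / rel / name).write_text("constructed sample content\n")
        out_dir = Path(tmp) / "backups"  # beside, not inside, public_html
        archive, members = archive_content(wp_root, out_dir, "20240101-000000")
        manifest = write_manifest(out_dir, [archive])
        return {
            "members": members,
            "manifest_ok": sha256_file(archive) in manifest.read_text(),
            "inside_refused": not backup_dir_is_outside(wp_root / "backups", wp_root),
        }


if __name__ == "__main__":
    print(demo_backup())
    stamp = time.strftime("%Y%m%d-%H%M%S")
    print("database dump would run:", " ".join(mysqldump_command("wp_db", "wp_user")), "for stamp", stamp)
```

For a real site, call archive_content and dump_database with the same stamp, write_manifest over both files, then copy the archive, the dump and SHA256SUMS to your two or three safe places; `--single-transaction` gives a consistent dump of InnoDB tables without locking the site while it runs.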
The best info about protecting your WordPress:
More about protecting your WordPress:
And more ...