How to Protect Your Blog from Hackers

Are you a new blogger and you’re not sure how to protect your blog from hackers?

Website security is very important and the chance of getting hacked is real. This is why you need to take some necessary steps to protect your blog.

Securing your site should be one of the first things you do when building a website so let’s have a look at a few simple things you can do to greatly reduce the risk of your blog getting hacked.


There are 7 ways to protect your blog from getting hacked. These are:

  • Setting up a strong username and password
  • Installing a security plugin
  • Block users who are trying to login with username “admin”
  • Enforce strong passwords for all users
  • Delete all un-used plugins
  • Make regular site updates
  • Always have a recent site backup

It’s not that hard to set this up in the WordPress Dashboard, I’ll walk you through all the steps below.

1. Set up a strong username and password

When you first login to WordPress it will be with the login credentials that your web host has provided you with. If the username is admin you’ll have to change this asap. Every hacker tries to login with the user name admin so get rid of it fast!

When you first login your username will be the only user in the database so you can’t delete it. You’ll have to create a new admin level user fist:

Go to Users > Add New > fill in your new username (not your name or blog name, make it hard to guess) and your email address. Then click on password and change it to a sentence that you can remember but is impossible to guess. Make sure it has a few $ymbo1s and use UPPER & lower case. Four or five words is good. (I like to be able to remember my password so I don’t have to look it up all the time, this is why a sentence works better than just random characters.) Write your login details down and keep them safe.

Next to Role you select Administrator from the drop-down.

Make sure to save your settings by clicking > Add new user.

Now log out of WordPress: Top right corner > Click on Howdy Admin > Log Out.

Now you can log back in with your new username and password.

Next you have to delete the old Admin username. Go to Users > All Users, hover over the old admin and click delete.

One more thing you should do: Go to Users > hover on your username > click edit.
Scroll down to Nickname and fill out your first name. Underneath Nickname it says: Display name publicly as > from the drop-down choose your first name. Scroll down > click on Update Profile to save your settings. This will be the name that is visible on your blog.

2. Install a security plugin

One of the first things you need to do when setting up your WordPress blog is install a security plugin. A great free plugin for this is iThemes Security, it has features like:

  • Security monitoring
  • File scanning
  • Malware scanning
  • Blacklist monitoring
  • Firewalls
  • Brute force attack protection
  • Notifications when a security threat is detected

To install iThemes Security, go to Plugins > Add New, and type the name of the plugin in the search bar. Once located, click > Install. When it’s finished installing click > Activate.

3. Block users who are trying to login with username “admin”

Remember how I said that every hacker will try to login with the username “admin”? Because we changed your username to anything but admin, we can now block anyone who tries to login with the username “admin”.

In the WordPress Dashboard, go to the menu on the left and scroll down to Security, and then click on > Settings.

Here you’ll see all the categories you can change the settings of. Go to the Local Brute Force Protection box and click on > Configure Settings.

Here you can select how many times someone can login to your website before they get locked out. I recommend setting the Max Login Attempts Per host to about 5 (just incase you stuff up your password a few times, you don’t want to lock yourself out too easily.) You can copy my settings.

The last setting lets you > Automatically ban “admin” user. Tick this box because you don’t have any users with the name “admin” and this will greatly reduce hacking attempts on your site.

4. Enforce strong passwords for all users

Using strong passwords is super important. In your iThemes settings you can make sure that anyone using your website is forced to used a strong password.

Go to Password Requirements > Configure Settings.

Tick the “enabled” box to force users to create strong passwords and select all user groups.

5. Delete un-used plugins

Plugins that aren’t updated regularly can leave your website vulnerable and can become an entry point for hackers. This is why it’s important to delete all plugins that you’re not using (Hello Dolly and Jetpack for example…)

Also avoid installing plugins that don’t come from a reliable source or don’t have a good rating or good reviews. Always look for the highest recommended plugins and avoid installing plugins that haven’t been updated recently or aren’t compatible with the latest version of WordPress.

Update all other plugins whenever they have a new version available.

To update your plugins go the menu on the left in the WordPress dashboard and click on > Plugins.

Here you’ll see a list of all your plugins. When a plugin has a new version available, it will show you like this:

Simply click on > update now and wait for the update to finish.

Always give your site a quick check after any updates in case it messed anything up. Because this can occasionally happen, it’s a good idea to make a backup (see point 7)  before making any updates.

6. Update your site regularly

Besides updating your plugins regularly, you also need to update WordPress and your theme whenever there’s a new update available.

In the left menu of the WordPress dashboard go to Appearance > Themes.

Here you be able to see which themes need an update, click > Update Now.

7. Always keep a recent backup

Even when you do everything in your power to protect your blog from hackers, there’s still always a small chance that your site gets hacked. This is why you need to save a complete backup of your site to your computer.

Backups are not just important in case you get hacked. Sometimes a plugin or theme update can mess up your site and it often would be easier to restore a clean backup than problem solve a broken site.

It’s important to  make regular backups so you don’t lose new blog post, edits or comments.

I use Updraft Backup Restore, a free plugin that makes it super easy to regularly backup your site.

To back up your site, go to > Plugins. Find the Updraft Backup Restore plugin and click on settings.

In the horizontal plugin menu click on > Settings. Here you need to select a remote storage, this is where your backed up files will be saved to.

I use Dropbox, you can use a free Dropbox account to store your files on. Select which storage you want to use and fill out your details.

Once you’ve got this set up, you go to Backup/Restore in the top menu.

To back up your site click on the blue Backup Now button and wait for the backup to finalise. This can take a while, just make sure to leave this window open until it’s finished.

Once the backup is done, you’ll see your backup appear on the same page under Existing Backups, like this:

If you want to save this backup to your computer, you have to click on each folder separately to download them.


I hope you’ve found this tutorial easy to follow and you now feel more confident in making your website more secure.

Rate this post