
How to Secure Your WordPress Blog


Background

“Cybersecurity is not a job; it is personal responsibility.” If you are looking to secure your WordPress blog, you are in the right place.

In this article, I will explain how to secure your WordPress blog. Since cybersecurity is not a one-size-fits-all solution, I first have to explain my situation, which shapes my countermeasures.

I access my blog solely from my trusted devices and I am the only user. My threat model is low-skilled attacks that rely on phishing, brute force and low-hanging vulnerabilities. I refrain from using pro solutions. Thus, my article will involve a little tinkering.

Countermeasures

Strong Password

This goes without saying. If your password is easy to guess, you will be easily breached.

There are a few formulas for generating a strong password. Personally, I use the diceware method. It creates a strong and memorable password.

Then head to the Users tab, find your username, and replace the password with the one you generated. Pay attention to the password strength indicator. Make sure it says “strong”.

Enable Multi Factor Authentication

As an additional layer, you can enable Multi Factor Authentication using plugins. Keep in mind that MFA won’t make you invincible, only harder to breach.

Using MFA also means you have to protect your phone. Additionally, if you set up security questions, use answers that are unique and confidential, just as your password is.

Limit Login Attempts

Brute force is an attack that tries to guess a password with thousands, if not millions, of attempts. The simplest way to stop it is to limit login attempts.

To limit login attempts, go to Plugins, search for “Limit Login”, and choose one that fits your needs. For me, WP Limit Login Attempt is enough.

This does not protect you from more sophisticated password guessing, however. Also, be careful when typing your password or you’ll lock yourself out.
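To make the limiter’s behaviour concrete, including the lock-yourself-out caveat, here is an added Python model of a per-source login limiter. It is a constructed example, not the WP Limit Login Attempt plugin’s code; the thresholds, timestamps and IP address are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import time


@dataclass
class AttemptState:
    failures: int = 0        # consecutive failed logins since last success/lockout
    locked_until: float = 0.0  # unix time until which this source is refused


class LoginAttemptLimiter:
    """Counts failed logins per source (IP or username) and locks that source
    out for lockout_seconds once max_attempts failures accumulate.
    Hypothetical helper; the plugin's own limits may differ."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._state: Dict[str, AttemptState] = {}

    def is_locked(self, source: str, now: float) -> bool:
        st = self._state.get(source)
        return st is not None and now < st.locked_until

    def record(self, source: str, password_ok: bool, now: Optional[float] = None) -> str:
        """Return 'locked', 'ok' or 'denied'. A locked source is refused even with
        the right password: that is how a careless owner locks themselves out."""
        now = time.time() if now is None else now
        st = self._state.setdefault(source, AttemptState())
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            return "locked"
        return "denied"


def simulate() -> List[str]:
    """Constructed sequence: five wrong guesses from one address (assumed IP),
    then the correct password before and after the lockout expires."""
    limiter = LoginAttemptLimiter(max_attempts=5, lockout_seconds=900)
    results = [limiter.record("203.0.113.7", False, now=100 + i) for i in range(5)]
    results.append(limiter.record("203.0.113.7", True, now=110))   # still locked
    results.append(limiter.record("203.0.113.7", True, now=1004))  # lock expired
    return results


if __name__ == "__main__":
    print(simulate())
```

The sixth call shows the caveat: the correct password is refused while the lockout is active.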

Auto Update WordPress

Keeping your system up to date is a simple way to keep yourself safe. An outdated system can be compromised through old, already-patched vulnerabilities that attackers still exploit.

To enable auto-updates, check Dashboard > Home > Update. Alternatively, ask your hosting provider whether they take care of it.

Anti Spam Countermeasure

Phishing is a simple yet effective attack vector. To reduce the opportunities for phishing attacks, I adjusted some settings in the comment section.

  • Users must fill in a username and email.
  • Comments are accepted only from registered and approved users.
  • Commenting is locked on posts older than two weeks, so spammers can’t keep spamming my site.
[Screenshot: Comment Settings]

Better yet, use an anti-spam plugin such as Akismet.

Conclusion

I have explained a few simple steps to secure your WordPress blog. The countermeasures I deployed are based on my plan, which changes over time.

After this, I will do an SEO audit for this blog. It will make my site even more popular, thus inviting more attackers and changing my plan.

So if you find my article relevant and would like to see how it changes, feel free to bookmark!


Published in Tutorial