Use These WordPress Security Plugins To Protect You From Hackers


If you haven’t installed WordPress security plugins on your blog, then you have never had to learn the hard way.

I learnt the hard way a couple of years ago when I woke up to find one of my authority sites had tanked out of the SERPS losing out on 10,000 visitors a day.

That equated to nearly a $12,000 / £8,000 loss in affiliate commission…

After a bit of investigation it turned out someone had hacked the blog and created thousands of spam pages hidden from normal view and turned it into a cloaked link network.

That was enough for Google to slam the site even though it looked perfectly fine to the naked eye, even when logged in as admin!

It took me a few days to undo the damage due to my lack of backups (they injected C99MadShell code into every file) and a further 3-4 weeks for the recovery in Google.

All of this could have been avoided if I had just spent 10 minutes integrating the WordPress security tips I am going to share with you in this tutorial.

The irony is I had read and ignored plenty of articles just like this one ^^

WordPress is a prime target for hackers no matter how big or small your site is. Check out the latest threats here and you’ll see what I mean.

What You Will Learn

  • How to improve WordPress security to protect against hackers
  • How to automate WordPress backups free of charge
  • How to scan your site for malware
  • How to do a complete WordPress security check
  • How to use free WordPress security plugins to protect your blog
  • All of my personal WordPress security tips


Automatically Backing Up Your Site

First things first – one of the best WordPress security tips I can give you is to make sure you have regular backups of your site.

Having regular backups makes it easy to recover from hacks – in fact you can restore your entire site in just 1 click.

It is also handy to make a backup before making any significant changes to your site such as installing a new plugin or upgrading WordPress.

My host does this automatically for me and provides a great control panel but if your host doesn’t then don’t worry.

There are many paid backup plugins available but all you need is the free BackWPup plugin.


This will back up your site, the database and all of the files including everything in WP-Content into a single zip file.

It will then automatically upload the file to an FTP server, Amazon S3, Dropbox, SugarSync or a bunch of other services.

You can even setup a dedicated free Gmail account and get the plugin to email the backups to you! Gmail is great for storing your site backups!

Install the plugin and ensure you are doing daily backups!

Remove WordPress Version

By default WordPress will tell you which version of the software it is running in the source code.

The problem is that once a vulnerability is found in a particular version, the advertised version number makes it very easy for hackers to run a WordPress vulnerability scanner and build a list of blogs running that version which they can attack easily.

To remove it, just log in as admin, go to Appearance > Editor > functions.php and add this line of code at the end, before the closing ?> tag (if your file has one):

remove_action('wp_head', 'wp_generator');
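The line above only removes the generator meta tag from the page head. WordPress also prints the version into your RSS/Atom feeds and appends it as ?ver= to every core script and stylesheet URL (and readme.html in the web root states it too, and comes back with every core update, so delete it after upgrading). As an added example that is not from the original post, here is a fuller functions.php snippet that closes all three; the myprefix_ function name is my own.

```php
<?php
// Added example: strip the WordPress version from the three places it is
// normally exposed. If you are pasting this into an existing functions.php,
// leave out the opening <?php tag above.

// 1. The <meta name="generator" ...> tag in the HTML head.
remove_action('wp_head', 'wp_generator');

// 2. The <generator> element in RSS/Atom feeds. Returning an empty string
//    from the 'the_generator' filter suppresses it for every feed type.
add_filter('the_generator', '__return_empty_string');

// 3. The ?ver=X.Y.Z query string WordPress appends to core scripts and
//    styles. Only strip it when it equals the core version, so plugin and
//    theme assets keep their own cache-busting parameter.
function myprefix_strip_core_version($src) {
    // Function name is my own; rename it to match your theme's prefix.
    if (strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'myprefix_strip_core_version', 9999);
add_filter('style_loader_src', 'myprefix_strip_core_version', 9999);
```

A child theme's functions.php is the safest place for this, since a parent theme update will overwrite the parent's file.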

Block Directory Browsing

Usually if you browse to a specific directory you can view all of the files in that folder, just like when you’re browsing through files and folders on your computer.

To stop the server from listing the files in a directory you need to add one line to .htaccess. (This applies to Apache hosts; nginx ignores .htaccess, but directory listing is off there unless autoindex has been switched on.)

Open up the .htaccess file in the root of your site (where the wp-config.php file is) and add this line:

Options -Indexes

Update WordPress & Plugins

New hacks and WordPress security vulnerabilities are discovered all the time which is why it is important to keep up to date with both WordPress and plugin updates.

Make sure you keep both updated regularly in order to secure your WordPress site!

It is also a good idea to make a backup of your files and database before updating anything just in case it breaks!

Delete Unused Themes / Plugins

While unused themes and plugins don’t interfere with your blog directly, their files still sit on the server, so if one of them has a vulnerability (and there are thousands of plugins and themes in the official directory) hackers can still exploit it even though it is never activated.

So if you have any unused plugins and themes, delete them!

This will not only improve WordPress security but help to speed up your website as well.

TimThumb Vulnerability Scanner

TimThumb is a popular script that is used by a lot of themes to resize images for thumbnails and so forth.

The only problem is this script had a huge bug which left the door wide open for any hacker.

The other problem is that it is bundled inside a lot of themes & plugins, so an old copy can sit on your site without you ever having installed it yourself, meaning they come with a built in hacker friendly back door.

This is the back door that was used to hack my authority site.

To check if your theme is at risk, install the TimThumb Vulnerability Scanner.

That will scan your blog for any old versions of TimThumb and allow you to update them in one click if you need to!

You can uninstall the plugin once you have done that.

CloudFlare

CloudFlare offers a free service that helps to protect and speed up any website.

This actually works at the DNS level: your traffic is routed through CloudFlare’s network first, which helps stop hackers in their tracks before they even reach or see your server.

Here is how it works:

[Figure: Improve WordPress security with CloudFlare]

It only takes a few minutes to setup and will offer decent protection. There are paid options available but you won’t need those for the most part.

Install One Of The WordPress Security Plugins

One of the quickest ways to identify WordPress security issues is to install one of the many free WordPress security plugins that are available.

There are lots to choose from but the two best WordPress security plugins are Wordfence & Better WP Security.


Personally I use Better WP Security which will help to protect your site in a number of ways-

  • Removes the WordPress version
  • Changes the URLs of the login and dashboard pages
  • Renames the default admin account
  • Changes the WordPress database table prefix
  • Removes login error messages
  • Protects your sites from hacks
  • Monitors WordPress security issues
  • Has a built in WordPress security scanner
  • Automatically bans bots and hackers
  • Improves server security

And a whole bunch of other stuff! It does also have an automatic backup option but this only backs up your database and not your files, so please see the separate backup section for that!

Install A Firewall

Alongside one of the WordPress security plugins you also want to install a WordPress firewall that will block attacks such as SQL injection and JavaScript (cross-site scripting) injection.

The OSE Firewall plugin has you covered!

The combination of the firewall and the Better WP security plugin is a great setup!

How To Monitor Your Sites Security

There are a number of free WordPress security checker services we can use to monitor our site for hacks and downtime.

Sucuri Sitecheck

The first one is the Sucuri Sitecheck scanner which will check lots of URLs across your site for a range of threats.


This covers everything from malware to checking if your site is blacklisted anywhere.

Pingdom

The free account at Pingdom will check your site every minute from a range of locations.

You can get notifications of downtime via email, sms, Twitter, iOS or Android which is very handy indeed!


In fact if you manage a bunch of sites the Pingdom mobile app is fantastic – I highly recommend it!

Change Detection

The Change Detection service is simple in function but amazingly handy!

All it does is monitor pages for changes and if a change is detected it sends you an email!


You can use it to make sure you’re alerted of any changes to your site. It’s also great for checking when popular items are back in stock on websites ^^


Have You Integrated My WordPress Security Tips Yet?

For your own sake please do not ignore the advice in this article.

You do not want to learn the hard way like I did – heck I didn’t have the basics of regular backups in place when I was hacked!

If you don’t take this issue seriously you will have problems in the future.

It doesn’t take long to seriously beef up the security of your site, so what are you waiting for?

Don’t regret ignoring articles like this like I did! Take action NOW & integrate all of the WordPress security tips I have shared with you today.

At the very least you must install one of the WordPress security plugins & start making regular backups of your site!

107 Responses

  1. nick

    Again great work Matt!!
    I was recently hacked with some code that was causing pop up ads to be served from a few of my sites, it got sorted in the end but it meant time spent on instant chat waiting for my web host to sort it out!
    I installed WPfence, I am not sure if this is any good but it’s a start, I will take on board your points.

    • March 18th, 2013 at 5:48 pm

      Hi Nick,

      Yes WPFence is a decent plugin as well, just personal preference really!

      You’re lucky your host offered to help out, not many offer that kind of support.

      • Jim
        September 5th, 2015 at 9:35 am

        Yeah, I’ve been in the same situation and my host helped me a lot. They installed WPFence once they cleaned my WP installation. I do not know why other hosts do not offer this feature, but with my host it is included by default. I think this is fully managed support. If you are interested, my host is Anyway, thanks for the tips, I find some of those really helpful.

    • Coran
      September 12th, 2015 at 11:12 pm

      For website backup and security, I have been using a WordPress plugin called “wordfence”.

      It sends an email alert whenever there is a problem.

  2. joe

    As info..I emailed you before about this topic and u quickly answer with this post..thanks a lot matt for ur kindness…

    Btw what benefit those hacker got after they hacked your site?i wonder why didn’t they just replace your affiliate links with theirs..that what i would do if i were them..hehe..

    Can u explain why people hack others?? I don’t really get it..thanks dude..

    • March 18th, 2013 at 5:49 pm

      Hi Joe,

      Well if it’s what my readers want, it’s what they get!

      The benefit for the hacker is they were using my site as part of a link network for their own sites. But they had thousands of sites at their control/command.

  3. codexaero

    I’m surprised you don’t use nginx instead of Apache…. being this concerned about profits. It’s way faster in terms of speed. (I’m assuming you use Apache since you referred to htaccess.)

  4. 3.18.2013

    Some great stuff here, from free to paid services. Nicely explained on what the different plug-ins/services will do for you and how to set them up.

    Even adding the free simple plugin is better than nothing.

    Loved the idea of using gmail or dropbox.

    Thanks Matthew!

    • March 18th, 2013 at 5:55 pm

      Hi Jerry,

      Actually they are all free services – no need for anything paid here!

  5. seekdefo

    Comprehensive post. You have said it all, only the things need be done now and I am off to it

  6. 3.18.2013

    This is one of the most important posts I’ve read in a very long time. I’m already on with uploading the backup plugin and will be implementing all of your recommendations. Many thanks for this Matthew, you might just have saved me money and time! I’ve re-tweeted by the way.

    • March 18th, 2013 at 5:56 pm

      Thanks Paul =D

      At least my hard lessons are helping others!

  7. 3.18.2013

    Thanks for the mention of Better WP Security and thanks for the writeup. It’s amazing how many folks sort of “fire and forget” WordPress when it doesn’t really take a whole lot of effort to protect it.

    • March 19th, 2013 at 9:12 am

      Hi Chris,

      No thank you for making such an awesome plugin that is free for us all to use!

  8. 3.18.2013

    Great post Matt.

    I installed the plugin ‘BulletProof Security’ on my blog. I see that you haven’t mentioned it on this post.

    Do you think that this plugin is unnecessary? If so, why?


    • March 19th, 2013 at 9:13 am


      There is no reason not to use it – not something I use personally but will check it out!

    • March 28th, 2013 at 10:34 am

      I’m a huge Bulletproof Security fan and have been using the PRO version on all of my personal and client sites for the last 18 months after numerous hours lost sorting out hacks.

      It’s a little tricky to set up in all honesty, but once it’s done you’re left with a rock solid WP install

      Anyway, thanks for your opinion here Matthew – I’m not really interested in the affiliate, linking, seo stuff but I found your site a few weeks ago and have found it compelling to read all the same :)

      • March 29th, 2013 at 10:08 am

        You can be sure the time spent setting it up is less than the time spent cleaning up messes though :P

        So if you aren’t interested in that – what can I tickle your fancy with?

        • March 30th, 2013 at 9:41 am

          Just keep doing what you’re doing buddy!

          It’s not a subject I can dedicate my time to right now, but I do enjoy your blog and it certainly gets me thinking of the possibilities :)

  9. 3.18.2013

    12k loss is harsh! I’ve got an automatic backup setup for one of my sites, and probably should for the other.

    Cloudflare is great also, I’ve been using it for a couple of months now. Thanks for the great post Matthew, I’ll be referencing this in the future when I need!

    • March 19th, 2013 at 9:15 am

      Well tbh the backups wouldn’t have saved me in that instance. The first I knew of it was the Google slap which is actually the last thing to happen in the process. The monitoring tools would have saved me though!

  10. 3.18.2013

    I am always surprised when people overlook security! Looking up various methods to secure my website as much as possible was one of the very first things I did the moment I had it running before I even had actual content! I did learn a few things from this article and will be looking into Pingdom’s downtime checker and the firewall plugin. I wonder if I have to exclude anything on Google Analytics so it doesn’t keep picking up Pingdom.

    • March 19th, 2013 at 9:17 am

      Hi Vincent,

      Analytics does a good job of filtering bots so I wouldn’t worry about that! Plus I don’t think pings execute Javascript anyway.

  11. Gregory

    Hey Matt, love this post. One of my concerns has always been the safety of my site(s). One plugin that’s free that I absolutely live by now is Better Wp Security. It highlights major issues that hackers could use to circumvent your site and helps you with even minor issues. Have you checked it out? Give it a look!

  12. 3.18.2013

    Thank you for the great article again. Finally rediscovered Dropbox and SugarSync. I’ve postponed for months trying these products and now was a g** occasion to do this.

    • March 19th, 2013 at 9:18 am

      Hi Paul – cheers, yeah they are life savers!

      The amount of free resources we have available to us is overwhelming!

  13. 3.19.2013

    Great Post Matt. I will be adding this to my official wordpress plugins installations.

    • March 19th, 2013 at 9:19 am

      Hi Mike,

      I’m not sure what you mean =\

      • March 19th, 2013 at 1:59 pm

        I meant whenever I make a new wordpress installation, I will be using your post as general guidelines for the security plugins that I will be installing in the future. Thanks Matt. :)

  14. 3.19.2013

    Hey Matt,

    Great advice but one question. Will better security stop the SE bots from crawling and indexing your pages? I use my authority site to post keyword reviews and it’s essential the bots can see/access it.



  15. Mary

    Hi Matthew
    This is a bit of a diversion from security but while we are on the topic of wordpress I just would like to ask you something please. I use the twenty ten theme but I have not been able to remove the dates from my posts. I contacted their customer support and they told me that their theme is not compatible with the date removal plugin. Please do you know any themes that I can change to that will allow me to remove the dates?

    • March 20th, 2013 at 9:03 am


      Please send me an email with single.php and page.php with a link to your site – I’ll send it back edited out for you.

      I deleted my local copies of the theme =\

  16. Ian

    I went to insert the snippet that you supplied to remove the version display but I’m using a child theme which has no functions.php file. I’m not eager to modify the parent theme.

    Some themes have no functions.php.

    If I were to write to the functions file, the parent one in my case, would it be exposed to removal when the theme upgrades?


    • March 27th, 2013 at 11:41 am


      Just create one :) I don’t see why a theme update would scan for things to remove/replace. Unless it introduced its own functions.php file in the future.

  17. 3.21.2013

    Awesome post! I recently wrote a similar post and you had a couple extremely easy tips that I had missed in my research. Thanks! Clever tip about emailing your backup file to gmail. I want to add some points about Sucuri. While they do have the free scanner, for a very reasonable fee of US$99/year, they scan your site many times per day and notify you via your choice of SMS, email, Tweet, etc. if you have a security breach. Then, within 4-8 hours they fix the malware problem for you for no additional cost. The really amazing part is that if your site is already infected, you can go sign up for the regular subscription price and then immediately request support to remove the malware. What’s almost as good as not getting hacked? Having people that clean up sites everyday for a living put your site back together, for a few dollars a month of coverage.

    • March 27th, 2013 at 11:33 am


      Whats the link to your post sir?

      Great additional advice about sucuri – do you have personal experience of them cleaning up an attack at all? Sounds like value for money if you ask me!

  18. Vishnudath

    and a simple thing ;) don’t forget to set a nickname in the user dashboard. If you leave it, then your username will not be masked. Then it will be linked as post written by “admin” :O

  19. 3.22.2013

    Thanks for introducing the BackupWP plugin.

    As for Cloudflare, the free version is a big NO No. I know a few bloggers who are using the free version, and they had a bad experience. Their websites were offline a few times. But I heard the paid version is pretty good, worth every penny.

    • March 27th, 2013 at 11:22 am

      Hi Rudd,

      Interesting feedback – would you mind pointing me in the direction of those bloggers? Sounds like we need a dedicated case study!

      • April 21st, 2013 at 11:20 am

        I also read that from multiple places. Cloudflare has caused a lot of downtime and in some instances prevented full crawling by Google.

        Mike Johnson (used to be in profit marketer) avoids it at all cost. He used to recommend it for speed, but had too much downtime.

        It might have improved now, but just have not gotten round to trying it.

  20. 3.22.2013

    Hey Matt,

    Further to this I was wondering how you go about managing comment spam and also if you believe it is a good idea to remove wordpress footprints.

    Do you think you could answer this in a blog post?


    • March 27th, 2013 at 11:22 am


      What problems are you facing that leads you to need answers to those questions?

      Can certainly do a post covering it!

      • March 27th, 2013 at 1:59 pm

        I have always had problems with comment spam on my WP sites that are indexed. I have just started a WP project and already am receiving comment spam. I know that Scrapebox finds WP sites with ease using the WP footprints so I guess I was wondering if my site can be protected by simply removing footprints or if I would need one of the many plugins that stop comment spam. I am currently comparing two plugins on two blogs to see what works best. So far I am testing Spam Free WordPress and CleanTalk Spam Protection and both so far (a few days in) have stopped spam.

        The reason I ask you is because you have a vast amount of comments and relatively high traffic figures so it would be interesting to know if you are inundated with spam and if you have any tips for handling it.

  21. ipjrobson

    Great post.

    Security is something that many people overlook for whatever reason.

    I think that is the case when your site isn’t very big so you wonder why anyone would want to target it at all.

    You’ve provided some amazing points here. I shall have to read through them again and implement them. I have to go to work otherwise I would do some of it now.


    • April 10th, 2013 at 3:11 pm


      Yup, which is silly because it only takes 10 minutes to set up ^^

      It doesn’t matter how big your site is, hackers scrape the entire web – if you’re indexed in Google you’re done and dusted in that respect!

      Best hope I don’t hack you when you’re working :P

      • Iain
        April 11th, 2013 at 10:24 am


        I got it done today. Never fear.

  22. Ed

    Thanks for the great information. I am already doing some of it and am using backup and security plugins. Yet the hackers still manage to get into my sites at the rate of one or two a month. It is a real pain cleaning up, even with backups.

    So I read everything I find on the subject. I signed up for your email list and am looking forward to receiving future posts.

    Thanks for providing a great free service.


    • April 13th, 2013 at 8:23 pm


      What problems are they causing?

      • April 14th, 2013 at 1:44 am

        It varies with the hacker. All of them cause headaches with the hosting company.

        Some of them deface the web site. Some of them lock me out of WordPress so nothing can be done with the site. Some of them serve hidden webpages on adult material. Some of them pass on malware to visitors.

        Once in a while I will spend the time to dig through all the files and remove everything they have buried in them just to see what they are doing.

        But when you do that you can not be 100% sure you caught everything.

        The only real solution is to delete everything and then use the back up to recreate the site. I generally move the site to a different server, then use the back up to bring it back online.

        This ensures there is nothing in my files and nothing on the server to cause me problems.


        • April 15th, 2013 at 7:31 am

          Hi Ed,

          Actually sounds like your hosting company sucks if they aren’t getting in at the application/wordpress level. Pick a host that has the technical ability to lock down the network properly.

          Every time you get hacked you lose money and time, time is money. Never mind the effect this will be having on rankings.

          I would move hosting if I were you. Put a clean install of wordpress in a folder and the hacked one in another then run a file compare utility to automatically highlight the differences.

          Most new files will be plugins/changes you’ve made – but any changes to existing files in the default install will be worth looking at closer.
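Matthew’s suggestion above, diffing a clean install against the hacked copy, can be scripted so nothing is missed. As an added example, not from the post or from any commenter, here is a small PHP command-line script that hashes every file in both trees and reports what was modified, what is missing and what was added, flagging additions a fresh core download could never contain. It assumes a Linux host, that both trees are the same WordPress version, and the file name wp_compare.php is my own.

```php
<?php
// Added example: compare a known-clean WordPress download against a suspect
// copy of the same version and report every file that differs.
// Usage (assumed):  php wp_compare.php /path/to/clean /path/to/suspect

function collect_hashes(string $root): array
{
    // Map "relative/path" => sha256 of contents for every regular file under
    // $root. Dotfiles such as .htaccess are included; only . and .. are skipped.
    $root   = rtrim($root, '/');
    $hashes = [];
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $relative = substr($file->getPathname(), strlen($root) + 1);
        $hashes[$relative] = hash_file('sha256', $file->getPathname());
    }
    return $hashes;
}

function compare_trees(array $clean, array $suspect): array
{
    // Three buckets: changed in place (injected code), present only in the
    // suspect copy (dropped shells, hidden spam pages) and missing from it.
    $report = ['modified' => [], 'added' => [], 'missing' => []];
    foreach ($suspect as $path => $hash) {
        if (!isset($clean[$path])) {
            $report['added'][] = $path;
        } elseif ($clean[$path] !== $hash) {
            $report['modified'][] = $path;
        }
    }
    foreach (array_keys($clean) as $path) {
        if (!isset($suspect[$path])) {
            $report['missing'][] = $path;
        }
    }
    foreach ($report as &$list) {
        sort($list);
    }
    unset($list);
    return $report;
}

function classify_addition(string $path): string
{
    // A fresh core download has no wp-config.php, no uploads and no third-party
    // plugins or themes, so those are expected additions. Anything else that is
    // new, and any .php file under uploads, is worth opening by hand.
    if (preg_match('#^wp-content/uploads/.*\.php$#i', $path)) {
        return 'SUSPECT';
    }
    if ($path === 'wp-config.php') {
        return 'added';
    }
    foreach (['wp-content/uploads/', 'wp-content/plugins/', 'wp-content/themes/'] as $prefix) {
        if (strpos($path, $prefix) === 0) {
            return 'added';
        }
    }
    return 'SUSPECT';
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $report = compare_trees(collect_hashes($argv[1]), collect_hashes($argv[2]));
    foreach ($report['modified'] as $path) {
        echo "MODIFIED\t$path\n";
    }
    foreach ($report['missing'] as $path) {
        echo "MISSING\t$path\n";
    }
    foreach ($report['added'] as $path) {
        echo classify_addition($path), "\t$path\n";
    }
}
```

Run it against a copy of the suspect site, not the live one, and treat every MODIFIED core file as evidence rather than something to patch in place: the clean restore Ed describes is still the right ending.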

  23. 4.15.2013

    Great post. You mentioned deleting unused plugins, I’d also recommend deleting all themes except the one you’re using. Many web hosts auto install a bunch of them for you to choose from, problem is, they can often have vulnerabilities that can be exploited.

    • April 15th, 2013 at 7:10 am


      That is true, active or not if any of those themes uses an older version of timthumb they are at risk!

  24. 6.12.2013


    Thanks for this great post. I have been looking for a guide like this to secure my WP blogs. I am new to building Niche sites and have learnt quite quickly that although WP is a fantastic tool for creating content, it does leave a lot of doors open to unsavoury characters if the correct security is not applied.

    I am currently working my way through all your posts, tutorials and guidance to help me improve. It’s great to see such recent and relevant information from a fellow Brit!

    Congratulations on your success so far!


  25. 6.12.2013

    when i am bored i randomly type in google searches and this time your site popped up. so yes your SEO skills are okay and you do take the effort on plugging this site.

    BUT please don’t talk about things you really don’t have any clue of. English isn’t my native language so i am sorry for any grammar mistakes.

    deleting the wp version doesn’t do jack s***. maybe a bot comes along and doesn’t see the wp version and thinks “nothing to do here”, it will try to probe plugins to see vulnerabilities and learns the version after all.

    if directory listing is allowed by a host. LEAVE IT! if you don’t know what you are doing and if it is a shared server you are done, hacked and defaced. That has nothing to do with WP.

    WP is actually safe. It is the plugins that make it vulnerable. And yet you “advise” to install more plugins. I really don’t know which audience you are trying to reach and frankly i don’t care. but stop misinforming your readers!

    backing up a site – actually a smart thing. Chances are your provider will mess up and delete your site. Ever tried putting a website back up, not even a WP site. it is h***!

    unused themes indeed need to be removed. Good point.

    Never used the plugin timthumb. But using plugins because you don’t have the skill or the energy to build your own ask yourself “am i capable enough to mess with this medium”

    if your hosting sucks don’t blame it on WP. you get what you pay for.

    Don’t add plugins because they will “secure” your wp installation. REMOVE WP files. no comments needed. get rid of the comments page.

    We/I use WP every day to build open source websites. Common sense and knowledge has led to no hacks whatsoever.

    This comment probably won’t see the daylight but take this as advice. you don’t take your car to a pet shop to get it tuned. want to be safe. TAKE IT TO A PROFESSIONAL!

    • June 13th, 2013 at 8:55 am


      Well no I am no security expert but perhaps with your experience you would be able to provide some additional actionable tips that are easy for the ‘average joe’ to implement.

      In terms of the security plugins – are you therefore saying WordPress is more secure without a security plugin?

      I understand that most vulnerabilities are not actually the fault of the WordPress core but the security plugins do make a number of changes that help.

      Why on earth would you get rid of the comments page? That’s sort of the point of a blog, so people can discuss & engage. I know it provides a potential vulnerability with XSS but I wouldn’t be willing to sacrifice the engagement with my readers – you wouldn’t have been able to share your views without it =D

      I do have a question you might be able to help with and your comment resonated with me on this. I wanted to do a follow up that actually put the different security plugins to the test and see what measurable impact they actually have. I was thinking about setting up a test blog with some commonly used plugins, then install a security plugin – penetration test it, measure the results, rinsing and repeating for a few different security plugins.

      What would be the best way to approach that in your opinion?


    • August 9th, 2013 at 9:11 pm

      Hi Matt –
      Good article. It provides an entry level look at security. I run a security company, and a lot of people ask similar questions. I would like to respond to Henk’s post. While I can understand his view point, as a professional penetration tester, a version number can make a world of difference in assessing a server. Yes, there are other ways to get the version number, but there are bots that scout the web for things like version numbers to check for public vulnerabilities. No, WordPress is not without vulnerabilities – nothing is ever 100% safe. It all comes down to putting safe guards in place to limit your risk.

      I’m happy to help you with your comparison article, just give me a shout. If anyone would like more info, or help securing your site, visit

      • August 13th, 2013 at 3:55 pm


        I am of the same thought that any change you make like that no matter how small can only help. I’ve used footprints like that before for SEO reasons so g** knows what the right person could do!

        Drop me an email if you want to explore the article potential further

  26. 11.11.2013

    All security plugins mentioned are good. Cloudflare works and does a lot of things. One more suggestion I have. Try to use a two factor auth plugin. And you will get a one time password before login, same as Gmail.

    That can be helpful as well.

  27. 11.19.2013

    Hey Matt! I just started reading your blog over the weekend and the tutorials are great! I followed your Scrapebox tutorial link to Jacob King’s site and read all 9,000 words. Pretty awesome. Your tutorials are amazing and super helpful. Keep em comin!

  28. 3.4.2014

    Really great post, just started following your blog/site. Glad I did

  29. Andy

    Great works and stuffs here, tks Matt :)

  30. 11.27.2014

    I, like you, learned the hard way. Many of the things you mention here I implemented already, and now consider them as ‘standard build’ for my clients. There are a couple of things you mention that I am not doing though, I will be looking at them. As always, fantastic post.

    In reality any security step, software, whatever, will always be behind the latest hacks. However, for those of you reading this who haven’t done it already, do it now. Don’t delay! The above measures will stop all but the most determined/latest techniques.

    One of my clients is trolled daily by bots looking for fckeditor, and tim thumb vulnerabilities. But because of the security measures that I learned the hard way I have them whooped. So far anyways!

    • November 29th, 2014 at 2:57 pm

      Is there anything you do that I didn’t mention?

  31. Darren Boland


    Thanks for letting me know about this tutorial. I will implement most of what you suggest. thanks mate. If I find the Nigerian Hackers that hacked me… I will hurt them….



  32. 1.28.2015

    Excellent article Matt! I always use BackWPUp and WordFence. Both have proved time and time again to be great plugins. Both free too!

    • January 30th, 2015 at 7:08 pm

      Another great one is WPClone

      • January 31st, 2015 at 1:50 am

        Thanks for the tip. I’ll check out WPClone, looks pretty sweet!

  33. 2.25.2015

    Fantastic article Matthew thank you.

    I already had Wordfence plugin for security and Updraft for backup (both of which are great), but I was HORRIFIED by the directory browsing vulnerability! Fixed this in 30 seconds with your tip, thank you. Also started using CloudFlare – it’s brilliant – took about 3 mins to setup, it’s free, and my site is about twice as fast!

    Many thanks.

  34. 3.9.2015

    Any chance of updating this?

    I’m always worried about adding all these security plugins in case they break the site or s**** something up that could lead to SERP drops.

    Plus I never know which ones conflict with each other etc. Searching for this brings back a lot of people who either don’t know what they’re talking about or come from a more programming angle.

    Would be cool if there was a 2015 article on “Securing Your Authority Site” or something like that (paid & free) on your site.

    Thanks Matt

  35. 6.17.2015

    Great article Matthew. I have been doing about 50% of what you recommend now so to get this good advice clearly laid out will put my mind at ease. Keep up the good work! Thanks.

  36. 9.14.2015

    Hello Matt,
    thanks for the useful tips. I have added a few of them to my site. I’ve backed it up, added security, deleted unused themes, installed a firewall and also checked my site’s security.

    Just for fun and reference, I thought I’d check your site too and Sucuri showed this:

    Website Firewall Not Found Medium Risk Patch and Protect With Sucuri Firewall

    Website Outdated Detected High Patch and Protect With Sucuri Firewall

    thanks and hope this info was useful to you.

    • September 14th, 2015 at 9:57 am

      I had to remove it because it conflicted with a plugin and trust me, once you have a blog with 40 plugins and a custom theme – updating wordpress core is a nightmare task with lots of risk so I do all upgrades every 6 weeks unless a critical vulnerability is found :)

  37. 9.15.2015

    MainWP will easily keep all site plugins up to date in one click.

    The cross site scripting is prevalent at present.

    The latest is DDoS on the wp-login.php. Changing the name of the page does not work. This one is very hard to avoid. Get a host with good DDoS protection (NOT Hostgator) AND limit your logins to ONLY your own IP address. The paid protection services cost a fortune – Cloudflare (free version) helps to a limited extent.

    Best option – Goodbye WordPress. Plugins and core code are full of vulnerabilities. Bolt CMS is almost the same and never been hacked in 11 years, unlike WordPress.

  38. Lockrite Security

    We use Lacey Tech Solutions to host our website and they are always on hand to help, secure and protect our website. Our site used to have a lot of downtime with other providers but since moving to Lacey Tech we’ve had no problems at all.

  39. 10.25.2015

    I recently went under an attack with no backup or firewall. No nothing. I lost everything.

    This has helped a lot mate. Cheers

  40. 10.28.2015

    Thank you so much for the write up however I noticed a problem, while reading it, that the pop up on your latest videos can’t be removed on my tablet; it blocks the whole screen and the section to close it doesn’t show. I think it is minor bugs you can fix, thanks again. I had to be refreshing the page continuously in order to completely read it.

  41. Andrei

    Hi Matthew! Great article! Many thanks!
    My question is though.. how many of the previously mentioned options would you use simultaneously? I guess it won’t be a problem if I go for a combination of Wordfence + Better WP (iThemes Security) + CloudFlare (along with the .htaccess and functions.php amendments)… but will the use of one make another one useless?

    • March 22nd, 2016 at 10:34 am

      Andrei the best thing you can do is try it, and if there is a conflict anywhere just disable that option!

  42. Sam

    Hi Matthew,
    I’ve just come across this very helpful blog!
    I am a complete amateur & in the process of slowly building my WP site, are all of the Plugins you mentioned still valid or would you now recommend alternatives?
    Many thanks,

    • September 9th, 2016 at 12:17 pm

      No they are all still great and obviously it depends on what you are trying to achieve as to what plugins you use

  43. 9.27.2016

    Good call Matthew, I personally think WordFence is brilliant, not only is the core security protection superb it has an additional caching module which craps all over ‘W3’, and a firewall service that really works.
    You have reminded me about backups – I need to implement those!
