How to build a secure blog

Generally, all it takes is a single hack to put security on the forefront of their minds, and it’s a lesson learned the hard way.

But, if you’re just about to start a blog, one of the best things you can do is consider security along the way to avoid potential disaster. And if you’re blogging for your business, these steps are essential to protect your data security.

Choose Your Web Host Carefully

Not all web hosts are created equally in terms of security. If you opt for a shared hosting environment, your website could be compromised just because another site on the server was compromised. If you can afford it, select a host that specializes in WordPress.

Managed WordPress solutions like WPEngine will not only perform daily backups in case something happens to your site, they will monitor for malware, too. And, in the event that malware makes it through to your site, they will work to repair it for you, for free.

Hosts that don’t focus on WordPress will also be able to provide services to clean your site, but will charge an additional fee to do so.

Check your Database and File Permissions

One of the easiest backdoors hackers can use to make your website their new playground is with database privileges and file permissions that give them access on the backend.

After the WordPress installation is complete, make sure to edit the database user permissions so that only these are allowed: SELECT, INSERT, UPDATE and DELETE.

The following privileges are not required for WordPress to function correctly, DROP, ALTER and GRANT and can be revoked. It may cause issues when schema changes are made, so it’s important to make sure you always have a solid database backup on hand.

Wp-admin, wp-includes, and wp-content need to have all files writable only by your user account. Wp-content should also be writable by the web server processes – including the wp-content/themes folder. The plugins folder should only be writable by you, with other folders adjusted accordingly to what the plugins require.

Change your Username

The default WordPress username is “admin” and that’s what hackers will try to use to login. When you install WordPress, you’re given the option to change it to something different.

This safeguards against automated brute force attacks that attempt to login with the default username.

Change your Password Frequently

This should go without saying – but just like with email, social media, and other accounts, change your password on a regular basis, and keep the password for your blog different than what you use for your email accounts.

Tips to create a secure password include:

  • Use a random password generator.
  • Spell a word with letters and numbers like S3rv1c3 (service) so you can remember it, but still keep it hard to guess.
  • The longer, the better.
  • Include symbols.
  • Use a password manager to make it easier to remember all your passwords for everything.

Limit Your Use of Plugins

Plugins represent a security risk if they’re not downloaded from the WordPress repository where they’ve been vetted. Choose plugins only from reputable vendors, and delete any that aren’t in use.

Having too many plugins on your site also slow it down dramatically, which can negatively effect user experience. The fewer plugins you have, the faster your site will load, and the fewer ways hackers will have to make their way in.

Remove the Plugin and Theme Editor

If you’re a developer and plan on making tweaks to the plugins and themes, then you can skip this security step. But, if you’re not, leaving these things open gives hackers room to play and make a bigger mess.

In your wp-config.php file, add the following:

define( ‘DISALLOW_FILE_EDIT’, true );

Protect Files with .htaccess

Add code outside the #BEGIN WordPress and #END WordPress tags to adjust which files can be seen on the server. You can get the codes you need directly from the WordPress Codex. These are some you may want to consider:

  • Hide wp-config:

<files wp-config.php>

order allow,deny deny from all

deny from all


  • Restrict admin access to your IP only:

order deny,allow

allow from (This is where your IP should go)

deny from all

  • Hide website directories:

Options All -Indexes

Keep Everything Up to Date

Updates are often released to fix security flaws, and patches need to be added to the code to close the holes.

You can set WordPress, plugins, and themes to automatically update, and you should. But, beyond that, you also want to keep everything on your own computer up to date because if there’s an issue with its security, you could be unknowingly placing your website at risk.

No WordPress installation will ever be 100% impervious to hackers, but simply running with a cheap web host and automatic installation is not the best way to handle it.

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics