WordPress Security For New Business Sites

OK, so you’ve followed my two previous articles that explain how to set up your first domain and how to install WordPress on it.

So now what?

Obviously, once you’ve completed the steps of registering a domain name and signing up for a hosting account, as outlined in that previous post, you are probably itching to get your site designed and set up for all to see. Don’t rush into it just yet. The next critical step is security, not site design.

If you don’t plug potential holes as soon as your site is set up, you run the risk of your new site being hacked without your knowledge, well before it is established.

How to Manage Security

  • Old-fashioned way: study a pile of internet security books and watch endless hours of repetitive videos. Not recommended for a new site owner.
  • Smart way: install WordPress security plugins that automate most of the work and run quietly in the background. Very little ongoing effort is required beyond keeping WordPress and the plugins themselves updated.

You should download each of these plugins:

  • stealth-login
  • limit-login-attempts
  • exploit-scanner
  • antivirus
  • WordPress-firewall
  • timthumb-vulnerability-scanner
  • impostercide
  • login-lockdown
  • secure-Wordpress
  • wp-security-scan

Here’s How To Get The Plugins

You should always FIRST search the official WordPress.org plugin directory for these plugins.

Plugins in the official directory are reviewed before they are listed, and security fixes for them reach you through the directory’s update mechanism. Always get the latest stable version that is marked compatible with your installation of WordPress.

Once you find the plugins, download them to a location on your computer that you will remember. I suggest creating a ‘WordPress Plugins’ folder inside your default Downloads folder so that all your plugins are together in one place, but choose whatever location works best for you.

If a plugin has vanished from the official directory, or you can’t find it by name, the next best option is to download it directly from the author’s site. This is NOT as safe as downloading from WordPress.org: you are trusting that the author’s site has not been quietly compromised and that the author is still honest. The risk is small, but it is real, and you should be aware of it. Bear in mind, too, that a plugin removed from the directory may have been removed for a reason, so check why before you install it. Anyhow, here are links to the various authors:

Here’s How To Install The Plugins

Once you’ve downloaded each of these plugins, the next thing to do is install them.

Installing is easy. Log in to your WordPress installation.

Once you are in the dashboard, look along the left-hand column for the ‘Plugins’ link and click it.

You should see the icon of an electrical plug. Next to it is the link ‘Add New’. Click that link.

Click the ‘Upload’ link below that and browse to the folder where you saved the downloaded plugins. Select a plugin and follow the prompts to install it. Repeat until all of the plugins have been installed, but do not activate them yet.

Here’s How To Activate The Plugins

From the Plugins page, open the bulk actions drop-down box and select ‘Activate’.

Click the empty checkbox above the list of plugin names to select all plugins.

Do NOT click ‘Apply’ yet.

A BIG Warning!!!

These security plugins should be activated individually and dead last, in case they lock you out of your own site or cause other obvious errors:

  • login-lockdown
  • secure-Wordpress
  • wp-security-scan
  • stealth-login
  • limit-login-attempts
  • WordPress-firewall (this one is most likely to be a problem, in my experience)

Uncheck the selection box in front of their names to deselect these six plugins. I’ll explain why in a moment.
Be sure not to bulk activate the six plugins I’ve just warned you NOT to activate yet.
If you do, you’ll be sorry!

After you’ve deselected the six above, click the ‘Apply’ button. It is next to the drop-down list where you selected the ‘Activate’ option.

All selected plugins should now be active.

Now for the possible ‘problem child’ plugins…

Two kinds of problem can occur with security plugins (in fact, with any new plugin): lockouts and database errors.

By activating each of the possible problem plugins one at a time, you can pinpoint exactly which plugin causes a problem, instead of deactivating all of them and hunting for the culprit. Otherwise it is a needle-in-a-haystack search.

If one of these plugins locks you out (most likely the firewall), log back in once the lockout clears and disable the plugin from the same Plugins screen. Then, right before logging out of WordPress, make that plugin the dead last one you activate. Then log out.

It is OK if a security plugin locks you out after activation. Keeping people out is roughly what it is supposed to do. That is why you activate it dead last, right before logging out. Otherwise you’ll get frustrated when the plugin does crazy things to keep you out of your own site.

If, however, the plugin causes database errors or anything else odd, you should not keep it activated or installed. Remove it altogether and find an alternative plugin that does the same or nearly the same job.

What To Do If A Plugin Crashes Or Locks You Out of Your WordPress Blog

What do you do if a plugin locks you out completely, not just out of a particular area of your blog?

Log in to your cPanel, FTP or WebDAV account and remove the uploaded plugin. You will usually find a plugin in a folder path such as:


That is assuming you installed to the root of your domain, as suggested.

Then delete the plugin’s folder (or rename it, which has the same effect and keeps the files for later inspection).

Log back into WordPress and make certain WordPress has now deactivated the plugin automatically. If not, select the listed plugin and deactivate it manually.
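If you have shell or SSH access to the host rather than just cPanel or FTP, the same recovery can be scripted. The script below is an added example, not code from the original post or from any of the plugins listed. It assumes the default WordPress layout, in which each plugin lives in its own sub-directory under wp-content/plugins (for example wp-content/plugins/wordpress-firewall), and it renames that directory out of the way instead of deleting it. WordPress cannot find the plugin’s main file on the next page load and deactivates it automatically, exactly as described above, while the files stay available for inspection or restoration. The slug check refuses values that could escape the plugins directory, so the script is safe to drive from a variable you did not type yourself.

```shell
#!/bin/sh
# Added example (not from the original post): disable a WordPress plugin
# from the shell when the dashboard is unreachable.
#
# Assumptions (not stated in the post): WordPress is installed at WPROOT
# and plugins live in the default wp-content/plugins directory, one
# sub-directory per plugin, e.g. wp-content/plugins/wordpress-firewall.
# Renaming that directory is enough: on the next page load WordPress can
# no longer find the plugin's main file and deactivates it automatically.
# Renaming (rather than deleting) keeps the files for later inspection.

# disable_plugin WPROOT SLUG
#   Moves wp-content/plugins/SLUG to wp-content/plugins/SLUG.disabled.
#   Returns 0 on success, 1 if the plugin is missing or a .disabled copy
#   already exists, 2 if the slug is unsafe.
disable_plugin() {
    wproot=$1
    slug=$2

    # Refuse slugs that could point outside the plugins directory.
    case $slug in
        ''|*/*|.|..) echo "invalid plugin slug: '$slug'" >&2; return 2 ;;
    esac

    plugins_dir="$wproot/wp-content/plugins"
    src="$plugins_dir/$slug"
    dst="$plugins_dir/$slug.disabled"

    if [ ! -d "$src" ]; then
        echo "no plugin directory at $src" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists; remove it first" >&2
        return 1
    fi

    mv "$src" "$dst" || return 1
    echo "disabled $slug (moved to $dst)"
}

# plugin_is_disabled WPROOT SLUG
#   Returns 0 when the plugin directory is out of the way and the
#   renamed copy is present, so you can confirm the move before logging
#   back into the dashboard.
plugin_is_disabled() {
    [ ! -d "$1/wp-content/plugins/$2" ] && [ -d "$1/wp-content/plugins/$2.disabled" ]
}

# Usage: sh disable-plugin.sh /path/to/wordpress wordpress-firewall
if [ "$#" -eq 2 ]; then
    disable_plugin "$1" "$2"
fi
```

Run it as `sh disable-plugin.sh /home/you/public_html wordpress-firewall` (the path is whatever your host uses for the site root), then log back into WordPress and confirm on the Plugins page that the plugin shows as inactive. Once you have decided what to do with it, either delete the `.disabled` directory or rename it back and activate the plugin as the very last step before logging out.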


Is that everything? Nope. Not yet.

After WordPress has been successfully installed and secured, there are four areas to continue with:

  1. Site design
  2. Site content
  3. Marketing your site
  4. Spam control and other important WordPress “tweaking” considerations

Marketing your site means getting people to visit it. After all, if a site exists but no one visits it, what was the point of all the effort? I’ll save the topic of marketing a site for an entirely different post. It is too early for that at the moment, since your site is not yet created, and it is a lot of information to cover.