5 Ways To Keep Your WordPress Site Secure

This is a guest post by Matt Hudson from La Lune Creative. He is a terrific graphic designer and has been building sites with ProPhoto and WordPress for many years. In fact, he designed https://pro.photo! He’s pretty passionate about simple site security measures so we asked him to write up a few tips for folks looking to improve their security without breaking the bank or adding heavy plugins.

5 ways to keep your WordPress site secure

Keeping your WordPress site secure doesn’t have to be a hassle or even cost you anything. There are lots of paid services and plugins that can be employed for security, but here are 5 ways to keep your WordPress site secure without spending any money.


1. Use strong user names and passwords

WordPress typically doesn’t allow you to pick “admin” as the default user name any longer; it depends on how it’s installed. The “admin” username is a weakness because it’s easy to guess. Once an attacker has guessed it, they only need to figure out your password to get into your website! The first step towards more security is to simply change out that username. ProPhoto has a tutorial on how to change your WordPress admin username.

Did you know that a more secure password can be simpler than a bunch of gibberish with numbers, symbols, and letters? If you do a Google search for “most secure password” you’ll find several articles advocating a 4 word combination with spaces, like icecream dog bullet volvo. This is a very secure password, and is far more memorable.


2. Keep your site updated & clean of old plugins, themes and WordPress installs

We’ve helped a lot of clients over the years, and 98% of the time when we log into a client’s website it hasn’t been updated in some time. Falling behind on updates is probably one of the easiest ways to get your site hacked. WordPress does a pretty good job of letting you know it needs an update with an orange icon with numbers in it, indicating how many things you need to update.

If you’re finding that you have a lot of updates, and you feel like you’re doing it too frequently, you’ll need to do some spring cleaning. Go into your WordPress install and delete all your unused plugins and themes. If you’re not using them, they’re not being updated, and if they’re not being updated then they are open to vulnerabilities. Did you know you can set up WordPress and plugins to automatically update?

Cleaning up your themes is a great idea. Realistically there is only a need for two in “Appearance > Themes” – the one you’re currently using, and one of the default WordPress themes (2018, or 2017, etc.). Obviously the active one should be there. The other one is there in case you need to manually update your other theme, which requires activating another theme.

Another huge hack risk is the presence of outdated, unused WordPress installs left on your host. Typically these are from old blogs no longer in use, WordPress installations accidentally loaded in the wrong folder, or the remnant of a site move that was never removed. When they languish in an un-updated state, they become invitations for hacks. Be sure to log in to your host’s control panel and make sure you don’t have any extra WordPress installs lying around.
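One way to run that check from a shell account on the host, as an added example that is not part of the original post: it looks for every copy of WordPress core under a folder by locating wp-includes/version.php, reads the `$wp_version` line, and flags installs that are behind the newest one found. The function names and the sample folder layout are constructed for illustration.

```python
import os
import re
import sys
import tempfile

VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

def version_key(version):
    """Turn '4.9.2' into (4, 9, 2) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def find_wp_installs(root):
    """Return {install_dir: version} for every WordPress core found under root."""
    installs = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            with open(os.path.join(dirpath, "version.php"), errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            if match:
                installs[os.path.dirname(dirpath)] = match.group(1)
            dirnames[:] = []  # no further installs live below wp-includes
    return installs

def stale_installs(installs):
    """Installs running an older core than the newest one found on the same host."""
    if not installs:
        return {}
    newest = max(version_key(v) for v in installs.values())
    return {path: v for path, v in installs.items() if version_key(v) < newest}

def build_demo_tree(root):
    """Constructed sample: a live site plus two forgotten installs."""
    sample = {"public_html": "4.9.2", "public_html/old-blog": "4.2.1", "public_html/test/wp": "3.8"}
    for rel, version in sample.items():
        inc = os.path.join(root, rel, "wp-includes")
        os.makedirs(inc, exist_ok=True)
        with open(os.path.join(inc, "version.php"), "w") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % version)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]          # scan a real folder, e.g. your home directory
    else:
        root = tempfile.mkdtemp()   # no argument: scan the constructed sample
        build_demo_tree(root)
    found = find_wp_installs(root)
    behind = stale_installs(found)
    for path, version in sorted(found.items()):
        print(("BEHIND  " if path in behind else "newest  ") + version.ljust(8) + path)
```

If every install is equally out of date, nothing is flagged, so also compare the newest version found against the current WordPress release.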


3. Backups of your backups

It’s important to keep your site backed up in case something happens to it. There are several thousand plugins out there to help with backing up, and ProPhoto actually recommends one every time you install ProPhoto for the first time. Your host will likely also have a backup option, but most people don’t know that it’s not done automatically. With most hosts you’ll need to go in and set up your backups or you can ask your host to do it for you. No matter which option you choose, whether you go with a plugin or you’re using your host to do it, be sure to always have your site backed up and on a schedule. We have ours emailed to us weekly and backed up through our host daily. If you are using a plugin or some automated procedure, ask yourself, “Do I really know this is working?” If you can’t answer that with a resounding yes, then it’s time to investigate.


4. Get rid of spam and limit login attempts

Use the Akismet plugin to its complete advantage. Akismet has been around for a long time (almost as long as WordPress) and it does its job extremely well without all the bloat from other plugins. It’s also usually pre-installed for you if you’re installing WordPress through your host. We only recommend that you turn on the “silently discard the worst and most pervasive spam so I never see it” option. Otherwise you’ll get a million notices that you have spam. False positives will always be flagged and shown to you if it thinks it picks up a real comment, so you’re totally safe to turn that option on.

You’ll also want to limit login attempts on your site. This prevents bots and malicious attackers from trying too many times to log in to your WordPress site by blocking the IP address trying to log in. A common plugin for this, and one of the most popular, is wp-login-lockdown. It’s not bloated, doesn’t have a ton of features, and it’s free. It only does what it’s supposed to and that’s all you need.



Google is now telling all websites that if you have any kind of form or areas where a user has to input information into your site, then you now MUST have your site on a secure connection. All hosts are now offering a free SSL certificate for your website. Google will also start favoring sites with the secure padlock in the browser bar over sites that do not have one as of October 2017. We offer services to set this up for you or you can contact your host and see if they can help you get this set up on your website. Or you can try setting it up yourself.


See? All it takes is five steps to keep your WordPress site secure.  It doesn’t have to be hard or complicated, and you don’t necessarily need plugins that have a ton of features or bloatware. These basic steps will help keep your site nice and clean and worry free!


Only you can save your site from disaster

It’s that time of year for photographers. It’s cold outside, and there are fewer shoots to schedule. For most that means it’s time to work on business procedures, get some new gear, learn some new software and… work on the website. At ProPhoto we love winter; it’s our busiest season! Our sales numbers increase as people purchase ProPhoto and designs from our store to craft beautiful websites. We take great joy in seeing all these beautiful sites come to life. However, it’s also a time of gut-wrenching heartache as we help people discover that their hosting has expired and their website along with it. Hosting plans often start in the winter; that’s also the time when they expire.

Friends, ProPhoto is not your host. Only you can save your site from disaster.

As you work on your sites this winter, please avoid this disaster with the following two-pronged attack.

1. Make sure your hosting account is set to auto-renew, your credit card is valid and your email address is current

In the last week, I’ve had to be the bearer of bad news to at least three people. Your hosting expired. You’ve lost everything. There’s nothing I can do. For some it’s expired credit cards. Others don’t see a renewal reminder because of an old email address. Still others wrongly assume that we are their host. It’s a good idea to mark your calendar by your renewal date and set yourself a yearly reminder to pop in to your hosting control panel and make sure all your information is current. This is also a good time to see if you are on the fastest plan. Often, there is an upgrade or a different hosting plan that will increase site speed with little to no extra fees.

2. Be 100% certain of your backup system.

It blows my mind how many of our customers do not keep good backups. I know. It seems tedious. Probably just as many of us don’t have life insurance or a will (gulp!). There are lots of ways to back up your site. But whatever way you do it, you need two things – your website files and your database. Here are your basic options.

  1. Use a respected backup plugin to schedule backups and have them stored in the location you desire. The two we like best are UpdraftPlus and Blog Vault. If it costs a little money to get the features you need, then spend it! Most people should be using a full featured plugin that backs up the database and site files to a 3rd party location and offers various restore options. Everyone should use a tool like this. Everyone.
  2. Depend on your host’s system. Some hosts actually keep a lot of backups and allow you to roll back to specific dates. This is especially common with managed WordPress hosting varieties. That’s cool and very handy but we recommend this be the backup to the backup. We still recommend using a plugin. Host systems fail. We see it all the time.
  3. Back up manually. This involves using FTP to download your site files onto your own hard drive. Then you use a plugin to create a database download. Or you might back up using your host’s control panel. Some hosts make it easy to download your site files and database with the click of a button. These are tedious but not a bad option if you know what you are doing and also have an automated system in place.

Don’t neglect either of these steps. Get them done and get peace of mind.
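To answer “Do I really know this is working?” with something firmer than a guess, the sketch below opens a backup archive and checks for the two things named above, the website files and the database, plus whether the backup is recent. It is an added example, not part of the original posts or of any backup plugin, and it assumes the backup is a single zip holding the site files and a .sql dump; real plugins often split these across several archives, and the function names and 8-day limit are illustrative.

```python
import io
import re
import time
import zipfile

MAX_AGE_DAYS = 8  # assumption: weekly backups plus a day of slack

def check_backup(zip_source, now=None):
    """Return a list of problems with a backup zip; an empty list means it passed."""
    now = time.time() if now is None else now
    problems = []
    with zipfile.ZipFile(zip_source) as zf:
        corrupt = zf.testzip()  # re-reads every member and checks its CRC
        if corrupt:
            problems.append("corrupt member: " + corrupt)
        infos = zf.infolist()
        # Part one: the website files.
        if not any(i.filename.endswith("wp-config.php") for i in infos):
            problems.append("wp-config.php missing")
        if not any("wp-content/uploads/" in i.filename for i in infos):
            problems.append("no wp-content/uploads files")
        # Part two: the database dump, which must actually define the posts table.
        dumps = [i for i in infos if i.filename.endswith(".sql")]
        if not dumps:
            problems.append("no .sql database dump")
        for info in dumps:
            sql = zf.read(info).decode("utf-8", errors="replace")
            if not re.search(r"CREATE TABLE\s+`?\w*posts`?", sql):
                problems.append(info.filename + " lacks a posts table")
        # Is the backup still being produced on schedule?
        newest = max((time.mktime(i.date_time + (0, 0, -1)) for i in infos), default=0)
        if now - newest > MAX_AGE_DAYS * 86400:
            problems.append("newest file is over %d days old" % MAX_AGE_DAYS)
    return problems

def make_sample_backup(when, with_database=True):
    """Constructed sample archive, built in memory, with every file dated `when`."""
    files = {"site/wp-config.php": "<?php // constructed\n",
             "site/wp-content/uploads/2018/01/shoot.jpg": "constructed image bytes"}
    if with_database:
        files["site/database.sql"] = "CREATE TABLE `wp_posts` (ID bigint);\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, time.localtime(when)[:6]), data)
    return buf

if __name__ == "__main__":
    print(check_backup(make_sample_backup(time.time() - 30 * 86400, with_database=False)))
```

Passing this check shows the archive is complete and current; only a test restore to a scratch site shows that it actually restores.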


Premium Design Release for 1/26/2018

Reinvent your ProPhoto site for 2018 with one of these great new designs by Northfolk & Co. released to the premium design store this week!


Sacramento design by Northfolk & Co. for ProPhoto 6

View the Sacramento design page or the Sacramento demo.


Basil design by Northfolk & Co. for ProPhoto 6

View the Basil design page or the Basil demo.

If you don’t already own a copy of the ProPhoto 6 software for WordPress, you can buy a copy or get a discount if you are an existing user of version 4 or 5.
