WordPress security doesn’t need to be complicated. But, if you search the web for the best way to secure your WordPress website, then you will get complicated results. That’s why I’ve written this simple guide to WordPress security. If you’re like me, then you want a step-by-step guide that is uncomplicated and effective.
As the CEO of a WordPress consulting agency, I work with a diverse group of business owners. Even though my clients vary in size and industry, their concerns about WordPress security are the same. In my conversations with business owners and IT managers, I am frequently asked, “Is WordPress secure?”
Yes . . . and no.
It’s about you
WordPress is an incredibly popular website management system. In fact, according to recent surveys, over 27% of all websites on the internet are powered by WordPress. And because WordPress is so popular, it is a regular target for hackers.
But that doesn’t mean that it’s not secure. In fact, WordPress is just as secure as any other platform as long as you take the correct security measures.
Luckily, these measures aren’t complicated—they’re mostly housekeeping. But if you let these things slide, then yes, your WordPress website is easily hacked. In the end, your website security is about you.
WordPress Security Methods
Follow these industry best practices for WordPress security:
1. Choose a well-known, reliable website hosting company
Website security starts not within WordPress itself, but with your hosting company.
There’s a time and a place for local businesses (I love Small Business Saturday)—but your website hosting is not it. Your choice of hosting company is one of the most important choices you’ll make for your website security.
Do not allow your website developer to host your website. A skilled website professional can support your website through the hosting company of your choice. Instead of trusting your website hosting to your developer’s server, go with known names in the website hosting industry.
I started my website agency in 2012 and I’ve worked with many different hosting platforms. A good indicator of quality is 24-hour telephone or chat customer service with a real human being. I personally use and recommend Siteground and WP Engine.
Read my article about WordPress hosting companies for detailed recommendations.
2. Click the update buttons for your theme, plugins, and WordPress software
This one is pretty easy—whenever you see the little red-orange flag next to your plugins (or a banner at the top announcing an update from WordPress), click on it to execute the update.
Updates are not just about adding new features that you can do without. They contain essential security patches and fixes. In my experience, the majority of WordPress hacks originate from outdated WordPress installations, themes, or plugins.
But, what if your website crashes whenever you process an update? I’m glad you asked!
3. Replace custom themes and plugins
Now is the perfect time for an important note: Customized themes and plugins make updating WordPress, plugins, and the theme itself risky. If you’ve heard the words, “Whatever you do, don’t update anything!” from your website developer, then you have a WordPress security problem.
Companies end up trapped. They must depend upon the original theme or plugin developer to make little tweaks to their own code in order to stay compatible with WordPress and plugin updates. And let’s be real: it’s only after a website problem comes up that these coding gaps are noticed and addressed.
This is a security nightmare.
Insist on premium themes and plugins that don’t require hard-coded customizations. A theme with good documentation and a wide user base provides the support you need. With an established theme provider, you get regular security updates, and you won’t have to chase down a developer to keep your site secure.
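Sections 2 and 3 above describe the tension between applying every update and the one customized plugin or theme that breaks when updated. The following is an added example, not code from the original post: a hypothetical must-use plugin that turns on WordPress background updates for everything except an explicitly pinned list (the file name, the `BG_UPDATES_*` constants and the two pinned slugs are placeholders).

```php
<?php
/**
 * Plugin Name: Background security updates
 *
 * Added example (hypothetical mu-plugin, not the post's own code). Save it as
 * wp-content/mu-plugins/background-updates.php so it loads on every request.
 * It turns on automatic updates for core, plugins and themes, while letting you
 * pin the one customized plugin or theme that is known to break on update.
 */

// Items you have customized and must update by hand. Plugin entries use the
// "dir/file.php" basename, theme entries the theme directory. Both are placeholders.
const BG_UPDATES_PINNED_PLUGINS = array( 'custom-booking/custom-booking.php' );
const BG_UPDATES_PINNED_THEMES  = array( 'my-customized-theme' );

// Core: apply minor (security) and major releases in the background.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: update everything except the pinned entries. $item is the update
// record from the update_plugins transient; $item->plugin is the basename.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	if ( isset( $item->plugin ) && in_array( $item->plugin, BG_UPDATES_PINNED_PLUGINS, true ) ) {
		return false; // Leave the customized plugin for a manual, tested update.
	}
	return true;
}, 10, 2 );

// Themes: same rule, keyed on the theme directory name in $item->theme.
add_filter( 'auto_update_theme', function ( $update, $item ) {
	if ( isset( $item->theme ) && in_array( $item->theme, BG_UPDATES_PINNED_THEMES, true ) ) {
		return false;
	}
	return true;
}, 10, 2 );

// Keep the e-mail WordPress sends after background plugin/theme updates, so a
// failed update is noticed and the pinned items are not forgotten.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );
```

The pinned items still show the usual update flag in the dashboard, so they are updated deliberately after a test on a staging copy rather than silently skipped forever.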
4. Have a WordPress backup plan
A good WordPress backup contains everything on your site: your pages, blog posts, comments, images . . . everything. But, have you thought of the steps you would take if you ever actually needed to use that backup to restore your website? You need a plan.
To make sure your website content is secure (and never gets lost), ensure that you have a daily backup of your database and files. This can be time-consuming! Pro tip: make sure these services, backup and restore, are included with your hosting plan. WP Engine and Siteground provide this daily full backup and restore service at no additional cost.
What if your hosting company doesn’t offer an easy backup and restore method? Although it’s possible to do manual backups of your WordPress website, the steps to actually use that backup to restore your website are intimidating for the inexperienced. Many WordPress users install plugins to create backups manually. I personally use and recommend the plugin Duplicator Pro on websites lacking a modern hosting platform with backups.
5. Only download trustworthy plugins
This is the WordPress version of the classic Nigerian prince email: you wouldn’t wire $10,000 to rescue far-off royalty—so why would you give an unknown plugin from an unknown developer access to your website?
It’s simple: check the trustworthiness of anything you install on your WordPress website.
Do this by looking for recent activity from the plugin’s developers: When was the plugin last updated? You should also thoroughly read the reviews and ratings: Have users had issues with bugs, crashes, or hacks? Look for these red flags:
- The plugin version is 1.0 or 1.1.
- The plugin was last updated more than a year ago.
- The link to the plugin website is broken.
- The plugin has only a handful of reviews.
- The plugin has been downloaded fewer than 10,000 times.
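The red flags above can be checked against the public record every directory plugin has. The script below is an added example, not part of the original post: a standalone PHP command-line tool that queries the wordpress.org plugin information API for a slug and reports each red flag it finds (the file name is hypothetical, and the “handful of reviews” threshold is set to 10 here as an assumption, since the post gives no exact number).

```php
<?php
/**
 * plugin-red-flags.php: added example (not from the post). Run from a shell:
 *   php plugin-red-flags.php <plugin-slug>
 * Fetches the plugin's record from the wordpress.org plugin information API
 * and reports the red flags listed above. Review threshold of 10 is assumed.
 */

function fetch_plugin_info( string $slug ): array {
	$url  = 'https://api.wordpress.org/plugins/info/1.2/?action=plugin_information'
	      . '&request[slug]=' . rawurlencode( $slug );
	$json = @file_get_contents( $url );
	$info = $json === false ? null : json_decode( $json, true );
	if ( ! is_array( $info ) || isset( $info['error'] ) ) {
		throw new RuntimeException( "no directory record for plugin '$slug'" );
	}
	return $info;
}

function red_flags( array $info ): array {
	$flags   = array();
	$version = $info['version'] ?? '';
	if ( preg_match( '/^1\.[01]($|\.)/', $version ) ) {
		$flags[] = "version is only $version";
	}
	// last_updated looks like "2017-04-12 9:10pm GMT"; strtotime() parses it.
	$updated = strtotime( $info['last_updated'] ?? '' );
	if ( ! $updated || $updated < strtotime( '-1 year' ) ) {
		$flags[] = 'last updated more than a year ago (' . ( $info['last_updated'] ?? 'unknown' ) . ')';
	}
	// A missing homepage, or one that does not answer 2xx/3xx, counts as broken.
	$home    = $info['homepage'] ?? '';
	$headers = $home ? @get_headers( $home ) : false;
	if ( ! $headers || ! preg_match( '/ [23]\d\d /', $headers[0] ) ) {
		$flags[] = 'plugin website is missing or not responding';
	}
	$ratings   = (int) ( $info['num_ratings'] ?? 0 );
	$downloads = (int) ( $info['downloaded'] ?? 0 );
	if ( $ratings < 10 )      { $flags[] = "only $ratings reviews"; }
	if ( $downloads < 10000 ) { $flags[] = "downloaded only $downloads times"; }
	return $flags;
}

$slug  = $argv[1] ?? die( "usage: php plugin-red-flags.php <plugin-slug>\n" );
$flags = red_flags( fetch_plugin_info( $slug ) );
echo "$slug: " . ( $flags ? implode( '; ', $flags ) : 'no red flags found' ) . "\n";
```

A plugin with no flags still deserves a read through its reviews and support forum; the script only automates the numeric checks.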
6. Deactivate and delete unneeded plugins
Apply the principles of spring cleaning to your website. If you don’t use a plugin, don’t remember why you have it, or aren’t sure what it even does, remove it.
Outdated and custom-coded plugins are the most common source of malware insertions. Plugins get abandoned by their creators, and it’s hard to predict when that will happen. Part of website maintenance is checking in on your plugins. Are they still receiving security updates from their creator? Or are they a little too quiet, never bothering you with an update request?
Like any room in your home, your website accumulates stuff over time that you don’t need and probably can’t remember why you got in the first place. Deleting unnecessary plugins will increase your site speed, and you won’t have to bother with a million updates to keep your site secure. Simpler is better.
7. Assign user permissions on an as-needed basis
Chances are, you aren’t the only person who writes articles and edits your WordPress website. To reduce the chance of accidental or intentional damage, only assign the permissions that are absolutely necessary to each user’s role. If someone is editing your already-published articles, that person can be assigned the editor or author role in WordPress—she won’t need administrator access to your plugins, themes, or site settings.
At my agency, we review with you which users have administrator-level access to your website. More than 80% of the time, there is a former employee or a developer who should be removed. Manage the WordPress roles on your website by removing users or downgrading their access.
Read my article about WordPress levels of access to help you make informed decisions about granting access to your website.
8. Use strong passwords, and make sure your other users do, too
By now, you’ve heard this over and over. But it bears repeating, especially given that the most common passwords in the last five years have been password, qwerty, and some sequential combination of 1234567. Not so secure.
The best passwords are a nonsensical combination of letters, numbers, and special characters that use no publicly available information (like your name, birthday, city of birth, or physical address).
Keep reading to learn how a plugin can help you force strong passwords for all of the users on your website.
9. Don’t keep your “admin” username
By default, WordPress gives website administrators the username of “admin,” something that many people never bother changing.
Don’t be one of those people.
If you don’t change the pre-set “admin,” someone trying to hack into your site already knows your username! All they have to do is run a script that tries password after password, and voilà, your WordPress site is hacked. Here’s what you do to fix this:
- Add a new user with a new (and secure) username and password, and give this new identity administrator-level access. (You’ll need to use a different email address.)
- Log out of the account that uses “admin” as the username.
- Log in to the new user account and delete the account that uses “admin” as the username. (When WordPress asks what to do with that account’s content, attribute it to your new user so your posts aren’t deleted along with it.)
- Going forward, use the new user account to log in to your WordPress dashboard. (You can update your email address on this user account.)
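Sections 8 and 9 above can both be enforced from a small must-use plugin rather than left to habit. The following is an added example, not code from the original post: a hypothetical mu-plugin that refuses “admin” (and a few similar names) for any new account and rejects weak passwords on the profile, add-user and reset-password forms (the file name, the `login_hygiene_*` function names and the policy values, such as the 12-character minimum, are assumptions).

```php
<?php
/**
 * Plugin Name: Login hygiene
 *
 * Added example (hypothetical mu-plugin, not the post's own code). Save it as
 * wp-content/mu-plugins/login-hygiene.php. It (1) refuses "admin" and other
 * guessable usernames for new accounts and (2) enforces a password policy on
 * the profile, new-user and reset-password forms. Policy values are assumptions.
 */

// 1. Usernames that can no longer be registered or created from the dashboard.
// This does not rename an existing "admin" account; follow the steps above for that.
add_filter( 'illegal_user_logins', function ( array $names ) {
	return array_merge( $names, array( 'admin', 'administrator', 'root', 'test' ) );
} );

// 2. Return a problem description, or null when the password passes the policy:
// 12+ characters, mixed case, a digit, a symbol, and none of the user's own details.
function login_hygiene_password_problem( string $pass, array $personal ): ?string {
	if ( strlen( $pass ) < 12 ) {
		return 'Passwords must be at least 12 characters long.';
	}
	if ( ! preg_match( '/[a-z]/', $pass ) || ! preg_match( '/[A-Z]/', $pass )
	     || ! preg_match( '/\d/', $pass ) || ! preg_match( '/[^a-zA-Z0-9]/', $pass ) ) {
		return 'Passwords must mix upper and lower case letters, numbers and symbols.';
	}
	foreach ( $personal as $word ) {
		if ( strlen( $word ) >= 4 && stripos( $pass, $word ) !== false ) {
			return 'Passwords must not contain your username, name or e-mail address.';
		}
	}
	return null;
}

// Shared handler: $user is a stdClass (profile / add-user screen) or a WP_User
// (reset form); the submitted password is in $_POST['pass1'] in both cases.
function login_hygiene_check( WP_Error $errors, $user ) {
	if ( empty( $_POST['pass1'] ) ) {
		return; // No password change submitted.
	}
	$personal = array( $user->user_login ?? '', $user->display_name ?? '',
	                   strstr( $user->user_email ?? '', '@', true ) ?: '' );
	$problem  = login_hygiene_password_problem( wp_unslash( $_POST['pass1'] ), $personal );
	if ( $problem ) {
		$errors->add( 'weak_password', '<strong>Error:</strong> ' . $problem );
	}
}
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	login_hygiene_check( $errors, $user );
}, 10, 3 );
add_action( 'validate_password_reset', 'login_hygiene_check', 10, 2 );
```

Because it lives in mu-plugins, it cannot be deactivated from the dashboard, so an editor-level user cannot switch the policy off.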
10. Install a WordPress security plugin
If you take all of the measures I’ve described so far, then you’re 99% there. And, for many websites, that is all that is required for WordPress security. But some companies like to take things to the next level by adding a WordPress security plugin. If you go this route, then there are three things to keep in mind:
- You will get a lot of alerts to non-existent problems. Your security plugin settings and notifications will need to be configured to prevent false positives. The default settings for WordPress security plugins are set to reinforce an illusion of delivering value. “See how many attacks we stopped in the past 30 minutes!?” Ugh. It’s a little over the top.
- Security plugins can be oversensitive, locking the wrong people out of your website. Be prepared for an employee or even your website manager to get locked out simply because they logged in from a different location.
- You don’t need the paid version of the plugin. The best security plugins provide excellent protection at the free level.
WordPress security plugins
Wordfence is a popular security plugin that I see on a lot of websites, but it comes with overly aggressive notifications, marketing, and bloat. I recommend the WP Cerber WordPress security plugin because it is simple and effective. But keep in mind that even the best WordPress security plugin is not going to protect your website if you fail to follow the guidelines I’ve described above.
Watch this video tutorial by Ankit Sharma to install and configure the free WordPress security plugin: WP Cerber.
Your WordPress website security is about you
Because WordPress is an open-source platform, the responsibility of website security falls on the website owner—probably you.
Not paying attention to updates, usernames, passwords, and backups opens your WordPress website up to potential malware.
Even if you aren’t managing your website yourself, it’s important to keep these security measures in mind. Ask your website developer or agency what steps are being taken to keep your website secure. A quality WordPress professional will be open with this information and will work with you to make sure your site is as secure as possible. (And if they aren’t working with you, it may be time to find a better website support service.)