WordPress is an incredibly popular website management system. In fact, according to recent surveys, over 27% of all websites on the internet are powered by WordPress. And because WordPress is so popular, it is a regular target for hackers. But that doesn’t mean that it’s not secure. In fact, WordPress is just as secure as any other platform as long as you take the correct security measures. Get my SIMPLE GUIDE TO WORDPRESS SECURITY: https://emilyjourney.com/wordpress-se... Luckily, these measures aren’t complicated—they’re mostly housekeeping. But if you let these things slide, then yes, your WordPress website is easily hacked. In the end, your website security is about you.", "thumbnailUrl": "https://i.ytimg.com/vi/bpdPrV8IRcw/sddefault.jpg?sqp=-oaymwEmCIAFEOAD8quKqQMa8AEB-AHUBoAC4AOKAgwIABABGGUgVyhUMA8=&rs=AOn4CLDxUGFSnQgSEyt3Qn5ZeQkCfXpZbQ", "uploadDate": "2021-11-28", "duration": "PT0M45S", "contentUrl": "https://emilyjourney.com/wordpress-security/", "embedUrl": "https://www.youtube.com/embed/bpdPrV8IRcw?rel=0&controls=0" }

by Emily Journey on September 20, 2023

The Simple Guide to WordPress Security (2023)

WordPress security doesn’t need to be complicated. But, if you search the web for the best way to secure your WordPress website, then you will get complicated results. That’s why I’ve written this simple WordPress security guide. If you’re like me, then you want a step-by-step guide that is uncomplicated and effective.

As WordPress consultants, we work with a diverse group of business owners. Even though our clients vary in size and industry, their concerns about WordPress security settings are the same. In my own conversations with business owners and IT managers, I am frequently asked, “Is WordPress secure?”

The answer?

Yes . . . and no.

It’s About You Securing Your WordPress

WordPress is an incredibly popular website management system. In fact, according to recent surveys, over 27% of all websites on the internet are powered by WordPress. And because WordPress is so popular, it is a regular target for hackers.

But that doesn’t mean that it’s not secure. In fact, WordPress is just as secure as any other platform as long as you take the correct security measures.

Luckily, these measures aren’t complicated—they’re mostly housekeeping. But if you let these things slide, then yes, your WordPress website is easily hacked. In the end, your website security is about you.

WordPress Security Checklist

Below, you’ll find our WordPress Security checklist. Follow these industry best practices to craft a WordPress security plan that works for you. Think of it as a WordPress hardening guide to keep your site safe in the event of an issue.

1. Choose a well-known, reliable website hosting company

Website security starts not within WordPress itself, but with your hosting company. There’s a time and a place for local businesses. I love Small Business Saturday as much as anyone, but your website hosting is not where you want to support small businesses. Your choice of hosting company is one of the most important choices you’ll make for your website security.

Do not allow your website developer to host your website. A skilled website professional can support your website through the hosting company of your choice. Instead of trusting your website hosting to your developer’s server, go with known names in the website hosting industry.

I started my website agency in 2012 and I’ve worked with many different hosting platforms. A good indicator of quality is 24-hour telephone or chat customer service with a real human being. I personally use and recommend Siteground and WP Engine.

Read my article about WordPress hosting companies for detailed recommendations.

2. Click the update buttons for your theme, plugins, and WordPress software

This one is pretty easy. Whenever you see the little red-orange flag next to your plugins, click on it to execute the update. The same goes for a banner at the top announcing an update from WordPress.

Updates are not just about adding new features that you can do without. They contain essential security patches and fixes. In my experience, the majority of WordPress hacks originate from outdated WordPress installations, themes, or plugins. Staying up to date is the easiest, lowest-maintenance way to secure your WordPress site.

But, what if your website crashes whenever you process an update? I’m glad you asked!

3. Replace custom themes and plugins

Now is the perfect time for an important note. Customized themes and plugins make updating WordPress, plugins, and the theme itself risky. If you’ve heard the words, “Whatever you do, don’t update anything!” from your website developer, then you have a WordPress security problem.

Companies end up trapped. They must depend upon the original theme or plugin developer to make little tweaks to their own code. It’s the only way to stay compatible with WordPress and plugin updates.

And let’s be real. It’s only after a website problem comes up that these coding gaps are noticed and addressed.

This is a security nightmare.

haunted house — Boo!

Insist on only premium themes and plugins that don’t require hard coded customizations. A theme with good documentation and a wide user base provides the support you need. With an established theme provider, you get regular security updates. You won’t have to chase down a developer to keep your site secure.

Read my article about the top 2 WordPress themes for design flexibility and security. Or, contact my office to discuss our WordPress theme conversion services.

4. Have a WordPress security backup plan

A good WordPress backup contains everything on your site: your pages, blog posts, comments, images . . . everything. But, have you thought of the steps you would take if you ever actually needed to use that backup? You need a plan.

Make sure your website content stays secure by creating a daily backup of your database and files. This can be time-consuming! Pro tip: make sure these services–backup and restore–are included with your hosting plan. WP Engine and Siteground provide this daily full backup and restore service at no additional cost.

What if your hosting company doesn’t offer an easy backup and restore method?

It is possible to do manual backups of your WordPress website, but it’s not necessarily intuitive. We’ve found the steps to actually use that backup to restore your website are intimidating for the inexperienced. Many WordPress users install plugins to create backups manually. I personally use and recommend the plugin Duplicator Pro on websites lacking a modern hosting platform with backups.

5. Only download trustworthy plugins

This is the WordPress version of the classic Nigerian prince email. You wouldn’t wire transfer $10,000 to rescue far-off royalty. Why would you give an unknown plugin from an unknown developer access to your website?

It’s simple: check the trustworthiness of anything you install on your WordPress website.

Do this by looking for recent activity from the plugin’s developers: When was the plugin last updated? You should also thoroughly read the reviews and ratings: Have users had issues with bugs, crashes, or hacks? Look for these red flags:

The plugin version is 1.0 or 1.1.
The plugin was last updated more than a year ago.
The link to the plugin website is broken.
The plugin has only a handful of reviews
The plugin has been downloaded fewer than 10,000 times.

6. Deactivate and delete unneeded plugins

Apply the principles of spring cleaning to your website. If you don’t use a plugin, remove it. If you don’t remember why you have it, remove it. If you aren’t sure what it even does, remove it.

Outdated and custom-coded plugins are the most common source of malware insertions. Plugins get abandoned by their creators and it’s hard to predict when that will happen. Part of website maintenance requires checking in on your plugins. Are they still receiving security updates from their creator? Or, are they a little too quiet–never bothering you with an update request?

Like any room in your home, over time, we accumulate stuff we don’t need. We probably can’t remember why we ever got it in the first place. Deleting unnecessary plugins will increase your site speed. Plus, you won’t have to bother with a million updates to keep your site secure. Simpler is better.

7. Assign user permissions on an as-needed basis

Chances are, you aren’t the only person who writes articles and edits your WordPress website. You can reduce the chance of accidental or intentional damage. Only assign the permissions that are absolutely necessary to each user’s role. If someone is editing your already-published articles, that person can be assigned the editor or author role in WordPress. They won’t need administrator access to your plugins, themes, or site settings.

At my agency, we review with you the users with administrator level access to your website. More than 80% of the time, there are former employees or a developer who should be removed. Manage the WordPress roles on your website by removing users or downgrading their access to the website.

Read my article about WordPress levels of access to help you make informed decisions about granting access to your website.

8. Use strong passwords, and make sure your other users do, too

By now, you’ve heard this over and over. But it bears repeating.

The most common passwords in the last five years have been password, qwerty, and some sequential combination of 1234567. Not so secure.

The best passwords are a nonsensical combination of letters, numbers, and special characters. They shouldn’t use publicly available information (like your name, birthday, city of birth, or physical address).

Keep reading to learn how a plugin can help you force strong passwords for all of the users on your website.

9. Don’t keep your “admin” username

By default, WordPress gives website administrators the username of “admin,” something that many people never bother changing.

Don’t be one of those people.

If you don’t change the pre-set “admin,” someone trying to hack into your site already knows your username! All they have to do is run a script that can enter an infinite number of passwords over and over. Suddenly, your WordPress site is hacked.

Here’s what you do to fix this:

Add a new user with a new (and secure) username and password and give this new identity Administrative level access. (You’ll need to use a different email address.)
Logout of the account that uses “Admin” as the username
Login to the new user account and delete the account that uses “Admin” as the username
Going forward, use the new user account to login to your WordPress dashboard. (You can update your email address on this user account.)

10. Install a WordPress security plugin

If you take all of the measures I’ve described so far, then you’re 99% there. And, for many websites, that is all that is required for WordPress security. But some companies like to take things to the next level by adding a WordPress security plugin. If you go this route, then there are three things to keep in mind:

You will get a lot of alerts to non-existent problems. Your security plugin settings and notifications will need to be configured to prevent false positives. The default settings for WordPress security plugins are set to reinforce an illusion of delivering value. “See how many attacks we stopped in the past 30 minutes!?” Ugh. It’s a little over the top.
Security plugins can be oversensitive which makes the wrong people get locked out of your website. Be prepared to have an employee or even your website manager get locked out of your website. It might simply be because they logged into your website from a different location.
You don’t need the paid version of the plugin. The best security plugins provide excellent protection at the free level.

WordPress Security Plugins

WordFence is a popular security plugin that I see on a lot of websites. Alas, it comes with overly aggressive notifications, marketing, and bloat. I recommend the WP Cerber WordPress security plugin because it is simple and effective.

Still, even the best WordPress security plugin is not going to protect your website if you fail to follow the guidelines I’ve described above.

Watch this video tutorial by Ankit Sharma to install and configure the free WordPress security plugin: WP Cerber.

Your WordPress Website Security is About You

Because WordPress is an open-source platform, the responsibility of website security falls on the website owner—probably you.

Not paying attention to updates, usernames, passwords, and backups opens your WordPress website up to potential malware.

Even if you aren’t managing your website yourself, it’s important to keep these security measures in mind. Ask your website developer or agency what steps are being taken to keep your website secure.

Take Your Website Security into Your Own Hands

WordPress security can be complicated. If you’re lucky, a quality WordPress professional will work with you to ensure your site is secure. If they aren’t working with you, it may be time to find a better website support service.

That’s where the experienced team at Emily Journey & Associates comes in. Our team consists of WordPress experts. Our dedicated team knows all the ins and outs of this popular, but sometimes complex, content management system.

We believe that securing your WordPress site is all about having the right people in your corner. We offer a range of responsive website maintenance packages that make a difference for your company. Our passionate and experienced support staff will help you understand security measures, plugins, and more.

If you have questions, we have answers. Contact us to learn more about our maintenance plans, training courses, SEO services, and more.
Office: (844) 972-6224 Contact Us

Emily Journey
Author of Unlocking WordPress, a guide filled with practical tips for WordPress beginners. I travel around the United States delivering customized, on-site training to individuals and small groups. I love helping business owners leverage technology to increase sales and social impact.

Rachel Pfanz
Hi, I’m Rachel. I lead the team of WordPress experts at Emily Journey & Associates. As an instructor, I enjoy helping business owners and their staff gain confidence with WordPress. When I’m not training, I back up our website management team.

Reviews from Google, LinkedIn, and emails are used with permission:

“I’ve been working with Emily Journey & Associates for about six years now. I originally came across their services while looking for someone to train my staff and I to manage our website independently. Emily worked with us and was able to get us successfully trained – to the point that we were easily able to manage the website on our own (with the occasional question emailed to Emily or one of her friendly team members). As the business grew, the time we were able to personally dedicate to management of the website became limited. Emily and her team were there to take over and manage all aspects of the website at that point. They’ve done so ever since and we couldn’t be more satisfied with the results. I always trust that the website is in very good hands. The results have been consistent. Emily and her staff are accessible, knowledgeable, friendly and highly responsive. Year after year, they’ve continued to exceed our expectations. I highly recommend their services.”
–Brian Harmych, MD
Harmych Plastic Surgery

“I kept track of the conversions resulting from my 30 City SEO campaign and thought you would be interested in the results to date. In the past 10 weeks, there have been 48 orders from states and cities we have not served in the past. Orders have come from 14 of the 30 cities I targeted with SEO. That is a 450% return on our investment in your SEO Training. Fingers crossed for an even more successful Christmas!”
–Blanche Fraser
Gluteny Bakery

“You and your company are a godsend to people like me who are trying to manage a website for our little clubs. Money extremely well spent. It is very rewarding to learn how to manage these websites. And the board members have commented on how more professional it looks. I am very grateful to Mark. He’s excellent!”
–David Williams
Ikebana International Rochester Chapter 53

“After some research and reviewing references, we chose Emily Journey to provide WordPress training for our team. Emily was personable, effective and thorough in her approach to instruction. She was able to accommodate the diversity of skill levels and knowledge among our students and keep the classes moving. Since the class we have all been able to function successfully in the WordPress environment – and it’s great to know that follow up assistance was included in our instructional package. Emily will impress and then empower. She is a true professional and knows how to create a great learning moment.”
–Scott Forrest
Senior Vice President, Equity, Inc.

“Rachel was amazing! She has a deep level of knowledge about WordPress and her patience and skill made me far more confident in managing my own website. She was a pleasure to work with, and the remote sessions worked perfectly – it was as if she was sitting next to me throughout. Definitely worthwhile for beginning and intermediate users of WordPress!”
–Ed Budge
Budge & Heipt, PLLC

“I did the training virtually from Denver and had an extremely positive experience. I learned all the little details I was missing in order to connect the website development dots. The training was invaluable because it empowered me to rely on myself to achieve our organizational website goals as opposed to depending on our developer.”
–Rebecca Patterson
Website Development Consultant

Having someone like Rachel work with you when you need help is a great way to learn. So now, I can change the website myself, update at will, and insure the commerce side of my website is working properly. Since taking Rachel’s class, I have updated 4 sites, which allows me to pursue my businesses without any website delays.
–Fred Verd
Verd Guitars

“Thank you so much for helping set up my website and showing me how to use WordPress. Your training turned the intimidating task of website development into something that was well started by the end of the session. After the training, I was able to add content to the site without problems using the techniques you showed me.”
–Walt Neubauer
Sr. Oracle DBA

“Emily, I wanted to let you know that I just booked my first seminar using the SEO technique that you shared with me during our time together. Thank you so much for that wonderful tip”
–Michelle Joyce
Michelle Joyce Speakers

We connected and within a week we had a 2 hour virtual consultation scheduled. We implemented her training on our site and within 2 days of posting our SEO strategy pages, there we were, on page 1 of Google in #1 position. Thanks Emily!
–Jeremy Cyrier
Mansard Commercial Real Estate

“Rachel was able to take me from someone who knew very little about WordPress to someone who now is very confident in making changes to our company website. She even increased my knowledge on SEO and taught me ways to further benefit our company in the future.”
–Hannah Ballard
Cornett Roofing Systems