Everything You Need to Know About WordPress Security

When building a new website, security should be one of your top priorities. There are plenty of options for WordPress security, and many of them require very little technical knowledge. With that said, you do need to develop a plan and work through some steps to establish solid security for your new site. Our guide will provide you with a great starting point for this project.


Steps to Keep Your WordPress Website Secure

In this large section, we are going to present steps you can take to secure your WordPress site. As you will see, WordPress security can take many different forms, so it’s worthwhile to keep an open mind as you approach this topic. While you might not be able to apply every single tip listed below to your site, most of these steps should apply to the vast majority of WordPress sites on the web. Let’s get started.

Step 1: Change Your Username

For years, WordPress installations defaulted to the username admin, and countless sites still use it. It is easy to remember, which is exactly why every automated login scanner tries it first.

Switch that account to a different name. Note that WordPress does not let you rename a user from the dashboard: create a new administrator account with the new name, log in as it, then delete the old admin user and attribute its posts to the new account when prompted. Don't expect the new name to stay secret, though. WordPress exposes usernames through author archive URLs (a request for ?author=1 redirects to /author/username/) and through the REST API users endpoint for anyone who has published a post, so treat the username as low-value hardening that removes you from the default wordlists, not as a second password. The strong password in Step 10 and the second factor in Step 5 are what actually stop a guessing attack.

Step 2: Enable SSL

This is one of the most important steps you can take. A site whose address starts with https:// rather than http:// is serving pages over TLS (the protocol that replaced SSL, though the old name has stuck). The connection between the visitor's browser and your server is encrypted and authenticated, so nobody on the network path, from a coffee-shop Wi-Fi to an ISP, can read or alter the traffic. For WordPress specifically, it means your administrator password and login cookie are not sent in the clear every time you sign in.

Traditionally, getting a certificate was a hurdle for a new site: it cost money, and the installation confused many site owners. Times have changed. Certificates from Let's Encrypt are free and most hosts issue and renew them automatically, so there is a good chance your hosting plan already includes one. Activate it, set the WordPress Address and Site Address settings to the https:// form, and redirect plain-HTTP requests to HTTPS so visitors and search engines never land on the unencrypted version.

Beyond the practical benefits of making your site more secure, SSL can also be a benefit from a user-trust perspective. When a website user sees that you have this security measure in place, they may see you as more trustworthy, especially if they are considering making a purchase. Without a doubt, put SSL near the top of your list for WordPress security measures to enact.

Step 3: Make Regular Backups

Instead of defending against attacks, this step is about recovering quickly after an attack or any other event that damages your site. A backup periodically saves everything needed to rebuild the site, which for WordPress means two things: the files (core, themes, plugins and the uploads folder) and the database, where posts, users and settings live. A copy of one without the other cannot be restored. Store backups somewhere other than the web server itself, since an attacker who deletes the site can delete backups sitting next to it, and test a restore at least once so you know the procedure works before you need it. Regular backups belong right up there with HTTPS as a leading priority.

An example helps. Imagine you take a backup at 10 p.m. on Tuesday night. On Wednesday morning an attacker compromises the site and deletes some or all of the files. Thanks to the backup, you are looking at a minor annoyance rather than a major headache: depending on how backups are taken and stored, restoring Tuesday's copy may take just a click or two. One caveat: a restore brings back whatever was in the backup, so if the attacker had planted a backdoor before Tuesday night, you have just restored the backdoor as well. Keep several generations of backups rather than only the latest, and after a restore, fix the entry point (an unpatched plugin, a weak password) before the site goes live again, or the same thing will happen on Thursday.

Step 4: Place a Limit on Logins

You have probably been locked out of a personal account after mistyping a password too many times. That limit is not there to annoy you; it stops attackers from running through huge lists of passwords until one happens to work. Out of the box, WordPress has no such limit. The login page and the XML-RPC interface will both accept an unlimited number of attempts, so even without your password an attacker can try thousands of common ones in search of a match. The odds are even better for them if the username is still admin, as discussed in Step 1.

Limiting attempts requires nothing more than a plugin that counts failures and temporarily blocks the source once a threshold is reached, with three or five tries being common. Check that the plugin you pick also covers XML-RPC, which attackers use to bypass protections that only watch the login form, and if your site sits behind a CDN or proxy, make sure the plugin sees the real visitor address rather than the proxy's, or it will lock out everybody at once. The limits apply to you as much as to anyone else, so enter your credentials carefully.

Step 5: Enable Two-Factor Authentication

While we are on the topic of login protections, enabling two-factor authentication, known as 2FA, is another big step. You are probably familiar with it already from online banking.

With 2FA, entering the correct password is not enough: the user must also present a second proof that they are who they claim to be. The strongest common options are a time-based code from an authenticator app or a hardware security key; a code sent by SMS or email also works but is easier to intercept or to reach through a compromised phone number or mailbox. Either way, a second factor stops an attacker who has only your username and password, which is exactly the situation after a password leak or a successful guess. As with almost everything in WordPress, a plugin provides this. When you enable it, save the recovery codes somewhere safe so that losing your phone does not lock you out of your own site.

Step 6: Don’t Keep Idle Users Active

This matters if many different people use your site, whether as employees or as members of your online community. A WordPress login cookie lasts two days by default, or two weeks with Remember Me, and stays valid whether or not the person is still at the keyboard. A session left idle on a shared or unlocked machine is an open door for whoever sits down next, and a cookie stolen from that machine remains useful for as long as it is valid.

A plugin can log out any user who has been inactive for a set period and, if you like, shorten how long login cookies last in the first place. It is quick to set up and goes a long way toward preventing takeovers of legitimate accounts.
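The two login controls from Step 4 and Step 6 fit in one small must-use plugin. The code below is an added example written for this guide, not code from the article or from any plugin it mentions; the thresholds, the file name and the assumption that REMOTE_ADDR is the real visitor address are all illustrative.

```php
<?php
/**
 * Plugin Name: Login hardening (added example, not code from the article)
 *
 * Save as wp-content/mu-plugins/login-hardening.php. Must-use plugins load on
 * every request and cannot be switched off from the dashboard.
 *
 * Assumptions: the thresholds are illustrative, and $_SERVER['REMOTE_ADDR'] is
 * the real visitor address. Behind a CDN or reverse proxy, derive the address
 * from the proxy's trusted header first, or every visitor shares one counter.
 */

define( 'LH_MAX_ATTEMPTS', 5 );                    // failures allowed per window
define( 'LH_WINDOW', 15 * MINUTE_IN_SECONDS );     // counting window and lockout length
define( 'LH_IDLE_LIMIT', 30 * MINUTE_IN_SECONDS ); // Step 6: idle time before forced logout

/** Transient key for the current client; names are length-limited, so hash the address. */
function lh_client_key() {
    return 'lh_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// Step 4: once a client is locked out, reject the login regardless of whether
// the password was right. Priority 50 runs after WordPress's own checks
// (priorities 20 and 30), so this result overrides theirs.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( lh_client_key() ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error(
            'lh_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LH_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 50 );

// Count failures. WordPress fires wp_login_failed from wp_authenticate(), so
// attempts made through XML-RPC are counted as well as those from the login form.
add_action( 'wp_login_failed', function () {
    $key = lh_client_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LH_WINDOW );
} );

// A successful login clears the counter so a user who mistyped once is not
// locked out by leftover failures later.
add_action( 'wp_login', function () {
    delete_transient( lh_client_key() );
} );

// XML-RPC's system.multicall packs hundreds of login attempts into a single
// HTTP request, which defeats per-request limits at the web server. This turns
// off the XML-RPC methods that require authentication; leave it out only if
// something (Jetpack, the mobile app) genuinely needs them.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Step 6: force a logout after LH_IDLE_LIMIT seconds without a request.
// Last-activity time is stored in user meta, so it works across several servers.
add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, 'lh_last_seen', true );
    if ( $last && ( time() - $last ) > LH_IDLE_LIMIT ) {
        wp_logout();
        wp_safe_redirect( wp_login_url() );
        exit;
    }
    update_user_meta( $user_id, 'lh_last_seen', time() );
} );
```

Two design notes. The lockout is keyed on the client address, so a distributed attack from many addresses is only slowed, not stopped; that is what the second factor in Step 5 is for. And the editor's heartbeat requests count as activity, so someone sitting in the post editor is not logged out mid-draft, while a tab left open on the dashboard is.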

Step 7: Find a Trustworthy Host

When you are first setting up your site, be sure to work with a quality web host that can be trusted. Not only do you need to make sure that the host is legitimate — there are a lot of questionable ones out there — but you should also see what kind of security features they offer. Many hosting companies, in an effort to earn new customers, provide plenty of security bonuses as part of their hosting packages. 

The best way to track down a quality web host is to read plenty of reviews and carefully compare features from one company to the next. It’s worth noting that you might not want to go with the cheapest hosting company you can find, as you often get what you pay for. Sure, you might be able to find hosting for less than $5 per month, but what kind of service and security are you going to get for that price? It may be a better bet to opt for a costlier service that is going to actively help keep your site safe. 

Although a higher price does not guarantee better service, compare the packages to see whether the costlier ones add features that matter for security: automatic updates, malware scanning, daily off-site backups, a web application firewall. If the basic package doesn't include an HTTPS certificate, it may be worth paying more, though since certificates have been free for years, a host that charges for one is also a reason to look at competitors.

Step 8: Turn Off File Editing

You can take steps to keep unauthorized people out, but there is no guarantee you will keep everyone out. If someone does obtain an administrator session, the damage they can do is bounded by what the dashboard lets them do. By default it lets them edit the PHP source of any theme or plugin in the browser, which is the fastest way to turn a stolen login into a backdoor that survives a password change. Turning file editing off removes that editor. It is not a complete fix, since an administrator can still upload a plugin or theme containing PHP, but it closes the most convenient route and makes an intruder's activity more visible.

If you are comfortable editing wp-config.php, disabling the editor is a single line: setting the DISALLOW_FILE_EDIT constant to true. A related constant, DISALLOW_FILE_MODS, goes further and also blocks installing and updating plugins and themes from the dashboard. Plenty of security plugins will flip the same switch for you without your touching the file, so look into that option if it is a better fit for you.
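The wp-config.php lines that implement Step 2 (forcing HTTPS for logins and the dashboard) and Step 8 (disabling the file editor) look like this. This is an added example for this guide, not text from the article; the constants are WordPress's own, but the reverse-proxy block is only appropriate if a TLS-terminating proxy is the only way to reach the server, and that setup is an assumption.

```php
<?php
// Added example: hardening constants for wp-config.php (not from the article).
// Put these above the line that reads "/* That's all, stop editing! ... */".

// Step 2: require HTTPS for wp-login.php and everything under /wp-admin/.
// Plain-HTTP requests to those URLs are redirected to HTTPS, so the password
// and login cookie never cross the network unencrypted. Assumes a working
// certificate and https:// site URLs in Settings > General.
define( 'FORCE_SSL_ADMIN', true );

// If a CDN or reverse proxy terminates TLS, WordPress sees plain HTTP from the
// proxy and would redirect forever. Trust the proxy's forwarded header.
// ASSUMPTION: the origin is reachable only through the proxy; otherwise this
// header is attacker-controlled and the check is meaningless.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Step 8: remove the theme and plugin code editors from the dashboard. A
// hijacked administrator session can no longer turn a PHP file into a
// backdoor from Appearance > Theme File Editor or Plugins > Plugin File Editor.
define( 'DISALLOW_FILE_EDIT', true );

// Stronger variant: also block installing, updating and deleting plugins and
// themes from the dashboard, and the automatic updater with them. Only
// sensible when updates are deployed by script or WP-CLI, because it also
// stops the routine updates recommended in Step 11.
// define( 'DISALLOW_FILE_MODS', true );
```

FORCE_SSL_ADMIN only covers the login and admin pages; redirect the rest of the site to HTTPS at the web server as well, so the public pages and the cookies set on them are protected too.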

Step 9: Be Careful Where You Work

This step has nothing to do with your WordPress installation specifically, but it matters for overall security. On public Wi-Fi, other people on the network can see which sites you connect to, and a rogue access point can try to steer you through a fake login page. HTTPS (Step 2) protects the contents of your session, which is one more reason to enforce it, but it does not protect your laptop from whatever else is on that network. Where possible, work on the site only from a private, password-protected network, or through a VPN when you must use a public one.

Also, with regard to your computer itself, be sure to run all updates promptly to close up any security holes that have been discovered by the developer. The longer you leave those holes open by ignoring updates, the more likely it is that someone will be able to access your system. With so much effort going into protecting your site while it is out on the web, it would be a shame to have the site compromised by someone who found their way in through your computer. Good security habits with all the equipment you use can go a long way toward avoiding that outcome.

Step 10: Remember All of Your Passwords

At this step, we don’t mean you need to remember your passwords, as in you need to recall what they are so you can enter them. Rather, we mean to remember them in terms of thinking about just how many passwords it takes to set up a WordPress site from start to finish. If you use weak or common passwords anywhere along the line, the security of your whole system could be compromised. 

Get into the habit of creating long, unique passwords for every account that touches your website: the WordPress admin login, the hosting control panel, SFTP or SSH, the database password in wp-config.php, the domain registrar, and the email account that receives password resets for all of them. That last one deserves extra care, since whoever controls it can reset everything else. A password manager makes this painless, generates the passwords for you, and removes the temptation to reuse one across accounts, which is how a breach somewhere else becomes a breach of your site.

Step 11: Run All Updates

This is good practice for any technology, and certainly for WordPress. Apply WordPress updates as soon as they are available. Not every release is about security, but many are, and once a fix is public the vulnerability it closes is public too, so scanners start looking for unpatched sites within days. WordPress installs minor and security releases automatically by default; leave that on. If you are worried about an update breaking something, test it on a staging copy first or at least check the site right after updating, and keep a fresh backup (Step 3) so you can roll back.

Along with WordPress itself, keep every plugin and theme updated. They are code running with the same privileges as WordPress, and the large majority of published WordPress vulnerabilities are in plugins and themes rather than in core. Remove plugins you no longer use instead of leaving them deactivated, since their files stay on disk and may still be reachable directly. Plugins that have not been updated in a long time, or that have been removed from the WordPress.org directory, should be replaced. Checking for updates and confirming the site still works afterward is a regular part of site maintenance.

Step 12: Add a Firewall

In a WordPress context, a firewall usually means a web application firewall (WAF): it inspects each HTTP request for your site and blocks those that look like an attack, such as SQL injection or a known exploit payload aimed at a plugin, before WordPress acts on them. This is different from the network firewall on the server, which only decides which ports are open. A WAF can be a core component of a WordPress security strategy, with one caveat: it blocks known patterns, so it buys time while you patch (Step 11) rather than replacing patching.

As you might have guessed, plenty of WordPress plugins provide a WAF. Bear in mind that a plugin-based firewall runs in PHP on your own server, so every request still consumes server resources before it is judged, whereas a firewall at the web server or at a CDN in front of the site drops bad traffic earlier and shields the server itself. Take time to compare the types available and their costs. Some plugins and CDN tiers are free, and the paid versions are generally affordable given the protection they offer.

Step 13: Limit Who Has Site Access

It might be tempting to give site access to many different people in various roles, but each new user represents a potential security risk. If you are trying to figure out how to make a WordPress website secure, sometimes the answer is as simple as using common sense and keeping people out of your site that don’t need to be in there.

For example, if your site is starting to get some traffic and you hire a writer to add content, you could give them a user account and have them post directly. But why take that risk? You would be handing backend access to a person you don't even know. Instead, ask the writer to deliver the content as a Word file or Google Doc and post it yourself; pasting it into a page or post takes moments, so the trade-off is worth it. If the writer genuinely needs an account, give them the Contributor role, which can write and submit drafts but cannot publish, upload files or change anything else, and remove the account when the work ends.

Step 14: Don’t Give Away Information

A small piece of information that WordPress displays by default can give an attacker a head start: the version you are running. WordPress prints it in a generator meta tag in the head of every page, so anyone who views the page source can see it with no technical knowledge at all.

Knowing the exact version lets an attacker skip straight to the vulnerabilities published for it. A plugin can remove the tag so you are not advertising it. Be clear about how small this step is, though: the version also appears in the ?ver= query string on core scripts and stylesheets and in the readme.html file in the web root, and a determined scanner can fingerprint the version from the contents of known files regardless. Hiding the tag removes you from the laziest scans; keeping up to date (Step 11) is what actually removes the vulnerabilities. Still, anything that takes opportunities away from the attacker is worthwhile.
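The following must-use plugin removes both the generator tag and the version query string described above. It is an added example for this guide, not code from the article or from any particular plugin; the file name and the function name are illustrative.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example, not code from the article)
 *
 * Save as wp-content/mu-plugins/hide-version.php.
 */

// Remove <meta name="generator" content="WordPress x.y.z"> from page heads,
// and the matching generator element from RSS and Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Core scripts and styles are emitted as /wp-includes/js/...?ver=x.y.z, which
 * gives the version away just as clearly as the meta tag. Strip the query
 * string only when it carries the core version, so plugins and themes that
 * use their own version numbers for cache busting keep working.
 */
function hv_strip_core_version( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hv_strip_core_version', 15 );
add_filter( 'style_loader_src', 'hv_strip_core_version', 15 );
```

This does nothing about readme.html, which is a plain file in the web root; delete it after each update or deny access to it at the web server. Verify the result by viewing the source of the home page and a feed URL and searching for the version number.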

Why is WordPress Security Important?

The unfortunate reality of the internet is that there are people out there with bad intentions. It would be great if everyone respected your site and left it alone, but that’s not always the case. Sometimes chaos ensues, and you want to make sure your site is prepared. 

WordPress security is important for a healthy website. Rather than just trusting that people will treat your site properly, you can take matters into your own hands by adding some of the various security measures we discussed above. Many of these measures are affordable (or even free) and typically don’t take long to put into place. The more security you can have in place on your site, the better your chances will be of avoiding a major issue with hacking or digital vandalism. 

Estimates put the number of websites hacked each day in the tens of thousands. Against the millions of sites on the web that may sound small, but it shows that hacking is routine, and most of it is not targeted at all: automated scanners crawl the internet looking for any site with a known vulnerable plugin or a guessable password, and they do not care how big yours is. Assuming you are too small to be attacked is a mistake; it is more likely than not that your site will be probed at some point. Make the attacker's job as hard as possible and the automation will move on to an easier victim.

Final Thoughts

It is easy to ignore WordPress security and focus on creating rather than fortifying your site’s defense. After all, this isn’t the fun part of building a site — you’d much rather be creating great content, growing your audience, and developing your business. However, WordPress security is vital, and ignoring website security now may result in many worse headaches in the future. 

You may not be able to implement all of these steps into your site for one reason or another, so do the best you can to tighten up any security holes that currently exist in your system, and be prepared for any major problems that may come your way. Of course, if you take the advice to heart and perform regular backups, you’ll be in a good position even if something catastrophic does take place along the way.

Frequently Asked Questions

How do I make my site completely safe?

Unfortunately, there is simply no way to guarantee that your site will never be successfully attacked. Even if you properly implement all of the steps we outlined in this article and take even more measures beyond that, it's still possible that a hacker will get in. After all, huge companies with budgets in the billions are successfully hacked, so it truly can happen to anyone. The best you can do is keep up with your WordPress security, make sure all plugins are up to date, keep tested backups, and monitor the health of your site regularly.

Do hackers only target large sites?

If you are just getting started, it might not seem like your site would have anything worthwhile for hackers to target. That’s not the case. Sometimes, hackers are trying to get into sites just for the challenge or to destroy files as an act of vandalism. It’s not always about stealing something of value. Sites of any size can be targeted, so you need to take WordPress security seriously as a site owner.

How do I protect against damage by authorized users?

As your site grows, you may find yourself granting backend permission to more and more people who are helping you with the site. That’s a great way to take on new projects and bring in people who have skills different from your own. However, it also opens up the potential for a security hole. 

For starters, give new users only the permissions their work requires. WordPress has built-in roles for exactly this: Contributor can draft but not publish, Author can publish their own posts, Editor can manage all content, and only Administrator can install plugins, change settings or create users. Don't grant Administrator to anyone who doesn't need that reach. Even if you trust the person, a stolen Administrator login does as much damage as a malicious one, so play it safe and give them access only to what they absolutely need.

Also, when a person is done working with you on the project, remove their credentials entirely so they can’t log back in later. Again, this is just a precaution, and you should take it even with people you trust. WordPress security is all about plugging as many potential sources of trouble as possible, even if they don’t seem like a major threat.

How do I know if my site has been hacked?

It's important to catch a successful hack as early as possible so you can close the hole and lock the attacker out again. It is not always obvious, so keep an eye out for common warning signs. Pages that no longer load, load slowly, or redirect visitors to unrelated sites are one sign; search results that show your site with spam titles or pages you never wrote are another. Google Search Console (formerly Google Webmaster Tools) will notify you if Google detects malware or hacked content on the site. Inside WordPress, an Administrator account that you or another authorized person did not create is a sure sign of foul play, as are PHP files in the uploads folder or core files that differ from the official release; security plugins and WP-CLI can compare your core files against the official checksums. Check file modification dates on the server too, since many backdoors arrive as new or recently changed PHP files.

Do I need to know how to code to make my site secure?

Most people who create WordPress sites do not know how to write code, or only know a limited amount of coding. You don’t need to learn how to write your own code in order to improve WordPress security for your site, but you do need to educate yourself on how hackers might attack your site and what you can do to fend them off. The many steps we have listed in this article are a great way to beef up your WordPress security and make it harder for any unauthorized persons to do harm to your site.

What web hosts can I trust?

Web hosting has something of a shady reputation in certain corners, so it's important to go with a name you are familiar with and that has a big footprint in the market. You don't necessarily have to go with an industry leader, but be sure your chosen host didn't just open up shop in the last month or two. Find an option that is proven, not only so you can trust them to value the security of your site, but also so you can feel good about their ability to deliver quality hosting for a fair price.

What kinds of sites need to worry about security?

Every site on the web should be concerned about security. It would be tempting to think that only sites dealing with financial transactions, like ecommerce sites, need to pay attention to this point, but that is shortsighted. Once a hacker gets into your site, there is no telling what information they can gather or what damage they can do. The best bet is to invest some time and money into securing your site as thoroughly as possible, no matter what kind of site it happens to be.

Can I wait on WordPress security until my site grows?

It’s best to start dealing with this matter right away, as part of the development of your site. Fortunately, many of the steps we highlighted in this article are free or only cost a modest amount of money. In fact, as you plan out your site project and set a budget for the job, it would be wise to simply build space for security measures into the budget.
