How to secure your WordPress website

SecureCategory
5 min read
Tom Ewer

I can still remember the day.

I was sitting at my desk with tea in hand when I logged into my site to publish my daily post. But wait, what?! That's not my site...

Yes, I'd been hacked.

Every day, hackers (which are typically ‘bots’ rather than humans) are scanning the web looking for easy targets. When they find a WordPress site that has questionable hosting, a weak password, an outdated version of WordPress or is running a theme or plugin with security issues, they know they've found their next target.

Today we'll go over four simple ways you can beef up security on your WordPress site, so hopefully you’ll never have a morning (and afternoon, in fact) like I did.

1. Choose reputable hosting.

A secure website starts with a quality web host. We'll focus on two popular ways to host WordPress: shared hosting and Managed WordPress hosting.

If you’re the DIY type of person — or on a tight budget — you might opt for shared hosting.

Especially if you’re a fan of natty mustaches.
Especially if you’re a fan of natty mustaches.

You'll be in charge of site maintenance, and you'll be sharing your web host with other potentially less security-conscious users. While popular hosts (like GoDaddy, natch!) provide a reliable shared platform, you can't control any unexpected security issues on the host's end. Reputable hosts do, however, have the staff and expertise to get things resolved quickly — something that can't always be said about smaller, cheaper shared hosts.

Managed WordPress hosting, on the other hand, relieves you from much of the day-to-day site maintenance and upkeep.

Optimized especially for people with sound-proof earphones.
Optimized especially for people with sound-proof earphones.

Servers are protected, backups are scheduled, plugins are pre-screened and security updates are performed automatically. You can sleep well at night knowing your hosting is the hands of experienced WordPress technicians.

2. Use a strong password.

Older versions of WordPress create a login user named admin by default. People (to tar an entire race with one brush) are notorious for choosing weak passwords, such as their dog's name. Hackers know both of these facts, and they repeatedly try to log into your site (by means of a brute-force attack) by guessing your username and password.

With the above in mind, here's how to improve your login security:

1. Change your password and make it strong. Use a password manager like 1password or Lastpass so you don't have to remember long, complex passwords.

password

2. If your username is admin or administrator, it's time to switch to a new one. It can be practically anything: your name, nickname or just something unique. Make sure you set the Role to Administrator.

adduser
deleteusers

3. Log in as the new user, attribute your existing content to that user and finally, delete the admin user.

3. Block malicious login attempts.

jetpack

To secure your site from brute-force attacks, use a plugin that blocks malicious logins. Jetpack Protect, found in the latest Jetpack plugin, records the IP address of login attempts. It uses this data, combined with data gathered from other Jetpack Protect users, to potentially block the login.

If you're not interested in using Jetpack, the Limit Login Attempts plugin is another popular option. It hasn't been updated in years and, as a rule, it's always advisable from a security standpoint to use well-maintained plugins — so it shouldn't be your first choice. But, with more than one million active installs, it's still a widely used plugin to stop would-be attackers from launching a brute-force attack on your website.

4. Keep on top of updates and backups.

The latest versions of WordPress automatically perform small security updates on their own, but you still need to keep your themes and plugins up to date.

Remember when you were setting up your blog and you test-drove all those new themes and cool plugins? Just because you aren’t using a plugin or theme, if it shows up in the WordPress update screen it means hackers can still take advantage of any security exploits— so update everything.

updates

When it comes to security, you can do everything right and bad things can still happen.

That's why having a site backup is so important. The UpdraftPlus plugin makes taking backups simple and even enables you to schedule backups and store them with various cloud providers. To get started quickly you can perform a manual backup by clicking the Backup Now button.

updraft

5. Make smart theme and plugin choices.

Unless you're experienced, stick to downloading themes and plugins from the WordPress.org Theme and Plugin directories or from a reputable paid premium provider like Gravity Forms, MemberMouse or Elegant Themes.

Themes and plugins downloaded from unknown websites can be infected with dangerous code.

To double-check the safety of your currently installed themes, install and run the Theme Authenticity Checker plugin.

I know it can be tempting to add more and more plugins to your site, but try to restrain yourself. New security exploits are discovered every day and each additional plugin or theme you install increases your exposure to future potential security problems.

Bonus recommendation: Be proactive

Hackers are sneaky. You might not even know your website has been compromised. Companies like Sucuri and Wordfence offer continuous malware scanning services that can alert you to problems almost immediately.

This might not be necessary for your average run-of-the-mill blog, but for a valuable web property it's something to consider.

Wrapping up

With confidence in your hosting provider and having your logins secured, you're off to a good start. Be sure to keep WordPress, your themes and your plugins updated — and don't forget to take regular backups. Lastly, for future plugin and theme downloads, stick to WordPress.org, a reputable seller or a site you trust. For extra protection, look into a malware scanning service.

What are you doing to protect your site and make life difficult for hackers? Let us know in the comments!