10 Security Practices to Keep Your WordPress Site Safe

WordPress is an incredibly powerful and flexible system for creating and maintaining websites.  That could be why it powers about 35% of the internet, with almost 62% of the content management system market.  It also makes WordPress a top target for hackers.  Just this week, we have seen stories about 900,000 sites being targeted, a popular plug-in being targeted and an older, but still used, theme being targeted.  Unfortunately, as with so many things in IT, if you don't follow some simple rules, your site can become a target for attackers who can steal any customer or user information on your server, take control of your site or use your server for illicit activities such as sending spam or hosting phishing pages.  Don't let them.

Here are some simple things that you can do to protect your site:

Don’t Use Default or Common Emails or User Names

Once a hacker gets access to an administrator account, they can do almost anything on your site.  They can even lock you out of your own site.  Avoid usernames like "admin", "login", "administrator" or "webmaster".  These are the first names that attackers' scripts try, because so many sites use them; on sites we maintain, such usernames aren't even allowed to attempt a login.  Note that WordPress also accepts an account's email address in place of the username, so an address published on your site (info@, contact@ and the like) should not belong to an administrator account either.  If you already have an account named "admin", create a new administrator with a different name, log in as that user, and delete the old one, attributing its posts to the new account when WordPress asks.

Use a Strong Password

Common, simple, or easy-to-remember passwords are a big risk.  Hackers use programs that try passwords automatically, starting with lists of the most common and previously leaked passwords and then working through variations, until they get in.  Unfortunately, with so many passwords to remember, it feels like a simple password is our only option.  A long, random password is best, but keeping track of those is a nightmare.  I have found that a password keeper, like LastPass (affiliate link), is my best option.  It's very affordable and securely keeps track of all my passwords.  You can also share a password securely (including so that the recipient can't see it) with an assistant or family member.  It also allows you to share passwords in the event of your death.  Unique, random passwords are your best option, but you need a way to keep track of them.  The "Generate Password" button on the WordPress profile page produces a suitable random password for each account; paste it into your password keeper rather than shortening it.

Stay Up to Date

No matter how good the theme and plug-in developers are, attackers are constantly and creatively looking for ways to break their code, and they usually find some.  This means that the developers need to release fixes periodically to close security holes.  When those fixes come out, update your site (after backing it up).  Close those security loopholes promptly: once a vulnerability is disclosed, attackers scan for sites that still run the old version.  The same goes for WordPress itself, which routinely fixes security issues in updates.

The downside to updating your site, and a big reason for backing it up first, is that sometimes the changes will break things.  Sometimes, plug-ins or themes conflict with one another.  Make sure that you back up before you update your site and that you test your site after updates.



Use Current Themes and Plug-ins

Before you use a theme or plug-in, check out its site and make sure it's still being kept up to date.  Sometimes, plug-ins and themes are no longer maintained, and security issues in them will never be fixed.  Here are some techniques to see if one is being maintained:

  • Look for the last update.  Was it recent?  What did it fix?  An old date isn't necessarily a deal-killer, because a simple or very mature plug-in may just work well and not need changes.  Recent updates are a good sign, though, that the theme or plug-in is being kept up to date (on wordpress.org, the listing also shows which WordPress version it was last tested with).
  • Check the support boards – Usually, themes and plug-ins have support boards where users post questions.  Scan through these and the responses, especially recent ones.  You're ideally looking for recent responses from the developers (check their signature or user name).  This means that they are probably actively monitoring and still managing their product.
  • Use Google – Try Googling for "[plug-in or theme] WordPress security problems" and see what you get.  Having had security issues isn't necessarily a bad sign, but security issues that aren't fixed are a definite bad sign.  There should be an update right before or after any disclosed security issue.

Basically, you are looking for a sense of whether the theme or plug-in is still being managed.  You can even reach out to the developer through their web page and ask if they still actively manage the product and fix security issues.  See if they respond, the quality of the response, and how quickly they respond.  These are all signs of how active the developer is.
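One way to automate the "when was it last updated" check for everything already installed, as an added example that is not from the original post: the snippet below is a small must-use plug-in that asks the wordpress.org plugin API for each installed plug-in's last-update date and shows an admin notice for anything older than a year.  The spr_ prefix, the one-year cutoff and the twelve-hour cache are this example's own choices.  Plug-ins bought outside wordpress.org aren't in that API and are listed separately so you can check the vendor's site by hand.

```php
<?php
/**
 * Plugin Name: Stale Plugin Report (added example)
 * Description: Warns administrators about installed plug-ins whose wordpress.org
 *              listing has not been updated in over a year.
 *
 * Save as wp-content/mu-plugins/stale-plugin-report.php. The "last updated"
 * date comes from the wordpress.org plugin API, so the first admin page load
 * after the cache expires makes one HTTP request per installed plug-in.
 */

define('SPR_STALE_AFTER', '-1 year'); // assumption: a year without a release is "stale"
define('SPR_CACHE_SECONDS', 43200);   // assumption: ask wordpress.org at most twice a day

/**
 * Returns array('stale' => array(plugin name => days since update),
 *               'unknown' => array(plugin name, ...)).
 */
function spr_check_installed_plugins() {
    $report = get_transient('spr_report');
    if (is_array($report)) {
        return $report;
    }

    require_once ABSPATH . 'wp-admin/includes/plugin.php';         // get_plugins()
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // plugins_api()

    $report = array('stale' => array(), 'unknown' => array());
    $cutoff = strtotime(SPR_STALE_AFTER);

    foreach (get_plugins() as $plugin_file => $headers) {
        // "akismet/akismet.php" -> "akismet"; a single-file plug-in such as
        // "hello.php" -> "hello". Caveat: a premium plug-in whose directory name
        // happens to match an unrelated wordpress.org slug will be misreported.
        $slug = dirname($plugin_file);
        if ($slug === '.') {
            $slug = basename($plugin_file, '.php');
        }

        $info = plugins_api('plugin_information', array(
            'slug'   => $slug,
            'fields' => array('last_updated' => true, 'sections' => false),
        ));

        if (is_wp_error($info) || empty($info->last_updated)) {
            $report['unknown'][] = $headers['Name']; // not on wordpress.org (or API unreachable)
            continue;
        }

        // The API reports a string such as "2020-05-20 8:02pm GMT" (format assumed here).
        $updated = strtotime($info->last_updated);
        if ($updated !== false && $updated < $cutoff) {
            $report['stale'][$headers['Name']] = (int) floor((time() - $updated) / DAY_IN_SECONDS);
        }
    }

    set_transient('spr_report', $report, SPR_CACHE_SECONDS);
    return $report;
}

add_action('admin_notices', function () {
    if (!current_user_can('update_plugins')) {
        return;
    }
    $report = spr_check_installed_plugins();
    if (empty($report['stale']) && empty($report['unknown'])) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Plugin maintenance check</strong></p><ul>';
    foreach ($report['stale'] as $name => $days) {
        printf('<li>%s: last updated %d days ago</li>', esc_html($name), $days);
    }
    foreach ($report['unknown'] as $name) {
        printf('<li>%s: not on wordpress.org, check the vendor for recent releases</li>', esc_html($name));
    }
    echo '</ul></div>';
});
```

A stale entry is a prompt to do the manual checks listed above (support board, search for disclosed issues), not proof the plug-in is dangerous; a mature plug-in that genuinely needs no changes will show up here too.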

Don’t Use Nulled Themes

There are some great free themes and plug-ins out there, but many cost money (after all, developers need to eat too).  In many cases, you get what you pay for.  The problem, though, is that any time someone is making money, someone else is trying to find creative ways to get some of that money.  Sadly, there are questionable sites out there selling "nulled" or "cracked" themes: they have taken a paid theme, stripped out the licensing checks that ensure it has been paid for, and then resell it for less.  Yes, you'll save some money initially, but, even setting aside the ethical issues, you don't know what else they did to the theme.  You don't know if they left a back door in it so that they can hack you, or if they inadvertently created security issues, and they certainly aren't going to keep it up to date (you don't even know which version they started from).  Saving a few dollars now could cost you a fortune later when your site is hacked and you need to clean it up.

Backup Regularly

You should make regular, off-site backups of your site.  You need to back up all of your files and your database.  Keep a few generations of backups.  This does a few things for you.  In the event that you get hacked, you can restore a backup from before the hack and then close the security hole they used to get in.  Keeping the backups off-site (meaning on a computer other than the server that hosts your site) makes sure that if your host has a hardware or software failure, you can restore your site pretty quickly.  Test a restore occasionally, too: a backup you have never restored is only a hope.  I once had a host that had been very reliable until their server completely crashed one holiday weekend and the backups that they were supposedly making didn't exist.  I now keep my own backups.

Install A Security Plug-in

There are a number of security plug-ins out there.  Our favorite is Wordfence.  All of the sites that we manage have Wordfence installed.  It has both a paid and a free version.  For the most part, we have used the free version, as it has great functionality for securing WordPress websites.  It protects against brute force attacks and people trying common usernames (they won't even work on our sites), and it blocks repeated attempts to get into your site, among many other signs of hackers.  It regularly scans your site and sends you reports.  The paid version does even more.  Unless you have a lot of traffic and logins, you likely won't need the paid version.  It's a good system and works well.
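The two login protections described above (refusing common usernames outright, and locking out an address after repeated failures) are what a plug-in like Wordfence does for you.  As an added example that is not from the original post or from Wordfence, here is a minimal must-use plug-in that does both using only WordPress core hooks; the lh_ prefix, the blocked-name list, the five-attempt limit and the 15-minute window are this example's assumptions.

```php
<?php
/**
 * Plugin Name: Login Hardening (added example)
 * Description: Refuses commonly guessed usernames and locks out an IP address
 *              after repeated failed logins, using only WordPress core hooks.
 *
 * Save as wp-content/mu-plugins/login-hardening.php (create the directory if it
 * doesn't exist). Must-use plug-ins load automatically and can't be deactivated
 * from the dashboard, so a compromised administrator can't switch this off.
 */

// Usernames that automated attacks try first. Edit to suit your site.
const LH_BLOCKED_USERNAMES = array('admin', 'administrator', 'login', 'webmaster', 'root', 'test');

define('LH_MAX_FAILURES', 5);       // assumption: five failures...
define('LH_LOCKOUT_SECONDS', 900);  // ...lock the address out until 15 minutes after its last failure

function lh_client_ip() {
    // REMOTE_ADDR is the address the web server saw. Behind a CDN or reverse
    // proxy this is the proxy, not the visitor: only switch to a forwarded
    // header (X-Forwarded-For) if you control that proxy, because otherwise an
    // attacker can set the header to dodge the lockout or to lock others out.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lh_failure_key($ip) {
    // Transient names are limited to 172 characters; hashing keeps IPv6 safe.
    return 'lh_fail_' . md5($ip);
}

function lh_failure_count($ip) {
    return (int) get_transient(lh_failure_key($ip));
}

// 1. Count failures per address. Core fires wp_login_failed for every rejected
//    login (except a blank username or password), including the ones refused
//    below, so guessing blocked usernames also burns through the allowance.
add_action('wp_login_failed', function ($username) {
    $ip = lh_client_ip();
    set_transient(lh_failure_key($ip), lh_failure_count($ip) + 1, LH_LOCKOUT_SECONDS);
});

// 2. A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lh_failure_key(lh_client_ip()));
}, 10, 2);

// 3. Refuse locked-out addresses and blocked usernames. Priority 30 runs after
//    core's username/password and email/password checks (priority 20), so even
//    the correct password for an account named "admin" is refused.
add_filter('authenticate', function ($user, $username, $password) {
    if (lh_failure_count(lh_client_ip()) >= LH_MAX_FAILURES) {
        return new WP_Error('lh_locked_out',
            'Too many failed login attempts from your address. Please try again later.');
    }
    if (in_array(strtolower($username), LH_BLOCKED_USERNAMES, true)) {
        // Same wording as a wrong password, so an attacker learns nothing
        // about which usernames exist.
        return new WP_Error('lh_blocked_username',
            'The username or password you entered is incorrect.');
    }
    return $user;
}, 30, 3);
```

If you lock yourself out while testing, wait out the window or delete the transient from the wp_options table.  A full security plug-in adds what this deliberately leaves out: country and reputation blocking, CAPTCHAs, two-factor authentication, and protection for the xmlrpc.php endpoint, which also accepts username and password logins.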

Install an SSL Certificate

Normally, things sent between your server and a visitor's browser are sent as clear text, kind of like sending a letter without an envelope.  That doesn't just include the pages themselves: login names, passwords, and anything else visitors type in are sent that way too, and anyone on the network path can read or alter them.  To fix that, you should install something called an SSL certificate (the protocol is actually called TLS today, but everyone still says SSL).  It is sort of an encoder/decoder ring used to scramble and unscramble traffic sent to and from your site, and it also proves to the browser that it is really talking to your site and not an impostor.  So, now, the letter is in an envelope and written in code.  That way, bad guys can't intercept the information.  Installing an SSL certificate isn't hard, but it can be a little complicated.  You should check with your host on how to do it; many hosts now issue free Let's Encrypt certificates with a click.  (All of our sites have them.)  Certificates also expire and need to be renewed periodically, so make sure renewal is automated or on your calendar.  Once the certificate is in place, redirect all http:// traffic to https:// so that nothing is still sent in the clear.

To tell whether the site you're sending information to is protected, look for a padlock in the address bar of your browser.  All of the major browsers show a padlock symbol in the address bar to indicate that the connection is using the site's SSL certificate, and they will alert you to any irregularities in the certificate.  A URL that starts with https: also indicates a protected connection (if the page loads), but these days the browsers hide the http(s) portion, so, if you aren't the one typing it in, the padlock is the easier thing to check.

[Screenshots: the padlock symbol in the address bar of Microsoft Edge, Chrome and Firefox]

Not part of what we're talking about today, but Google now ranks sites without SSL lower and browsers label them "Not secure", so it's almost the price of entry to the web to set up an SSL certificate, and it's worth the extra security.
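Because certificates expire, a renewal check is worth having.  The following command-line script is an added example (not from the original post): it opens a TLS connection to a host using PHP's built-in OpenSSL support, verifies the certificate the same way a browser would, and reports how many days remain before it expires, so it can run from cron and alert you when the number gets low.  The hostname argument and the 14-day warning threshold are assumptions for the example.

```php
<?php
/**
 * check-cert.php: report how many days remain on a site's SSL/TLS certificate.
 * Added example. Usage: php check-cert.php www.mydomain.com
 * Exit status: 0 = fine, 1 = expiring within the warning window, 2 = connection
 * or verification failed (which is what an already expired certificate produces).
 */

/**
 * Connects to $host:$port with TLS, verifies the chain and hostname the way a
 * browser would, and returns the parsed certificate from openssl_x509_parse().
 * Throws if the connection or verification fails; expired or mismatched
 * certificates fail here too, because verify_peer is enabled.
 */
function fetch_certificate($host, $port = 443, $timeout = 10) {
    $context = stream_context_create(array(
        'ssl' => array(
            'capture_peer_cert' => true,  // keep the server's certificate for inspection
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'SNI_enabled'       => true,
            'peer_name'         => $host,
        ),
    ));

    $socket = @stream_socket_client(
        "ssl://{$host}:{$port}", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $context
    );
    if ($socket === false) {
        throw new RuntimeException("TLS connection to {$host} failed: {$errstr} ({$errno})");
    }

    $params = stream_context_get_params($socket);
    fclose($socket);

    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    if ($cert === false) {
        throw new RuntimeException("Could not parse the certificate from {$host}");
    }
    return $cert;
}

/** Whole days until the certificate's notAfter date (negative if already expired). */
function days_until_expiry(array $cert, $now = null) {
    $now = ($now === null) ? time() : $now;
    return (int) floor(($cert['validTo_time_t'] - $now) / 86400);
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $host      = $argv[1];
    $warn_days = 14; // assumption: warn when renewal is two weeks away
    try {
        $cert = fetch_certificate($host);
        $days = days_until_expiry($cert);
        printf("%s: issued by %s, expires %s (%d days)\n",
            $host,
            isset($cert['issuer']['O']) ? $cert['issuer']['O'] : 'unknown issuer',
            gmdate('Y-m-d', $cert['validTo_time_t']),
            $days);
        exit($days <= $warn_days ? 1 : 0); // non-zero exit so cron or monitoring can alert
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(2);
    }
}
```

Let's Encrypt certificates are valid for 90 days, so if your host automates renewal this script should never report fewer than about 30 days; if it does, the automation has broken and you have time to fix it before visitors see a browser warning.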

Change Your WordPress Login Page

By default, on any WordPress site, you log in at www.mydomain.com/wp-login.php (www.mydomain.com/wp-admin simply redirects you there).  You can bet that if we know that, so do the bad guys and the scripts they write to find hacking victims.  So, one step you can take is to change that login page to something else, perhaps www.mydomain.com/dontlookhere.  Changing this is a quick step that cuts down on automated brute force attempts, though it is only obscurity: it won't stop an attacker who learns the new address, so treat it as a supplement to strong passwords and login limits, not a replacement.  WordPress has no setting for this, so it is normally done with a plug-in.  Also note that xmlrpc.php accepts username and password logins as well, so disable it (most security plug-ins can) if nothing you use needs it.  You can find instructions here.

Don’t Allow File Editing

By default, any administrator can edit theme and plug-in files from the dashboard (the file editors under Appearance and Plugins).  This is done to let you customize how the site looks and feels more easily.  However, it's also a way that you can get hacked: anyone who gets into an administrator account can use that editor to write their own PHP code into a file such as the theme's functions.php, and that code then runs on every page load.  One way to help is to turn the editor off.  In your main WordPress directory (which you'll need to access through your host's file manager or using something called File Transfer Protocol (FTP), preferably its encrypted form, SFTP) is a file called wp-config.php.  Add the following line to that file, above the line that reads /* That's all, stop editing! Happy publishing. */:

```php
define( 'DISALLOW_FILE_EDIT', true );
```

Now users can't edit these files without access to the file system itself, which is a whole different way of hacking.  It can happen, but this helps.  (A stricter related constant, DISALLOW_FILE_MODS, also blocks installing and updating plug-ins and themes from the dashboard, so only set it if you do updates by other means.)

Of course, these aren't the only things that you can do, but they are some big steps toward protecting your site.  Many are pretty easy and non-technical.  Others require a bit more technical knowledge and you might want to ask a developer to do them for you.  At least this way you know what to ask for.  We recommend them all, but please, at least do the easy ones.  Anything helps protect your site.  Stay safe!



2 thoughts on “10 Security Practices to Keep Your WordPress Site Safe”

    1. I’ve worked in both. There are a lot more resources available for PHP systems (and cheaper.) Server space is cheaper, WordPress is easier to manage. Overall, PHP is simpler and cheaper.
