How To Keep WordPress Secure: Eight Things You MUST Do

If your WordPress website is on the internet, it needs to be kept secure. Every website needs some work to be made secure and to remain secure. Even the simplest installation of WordPress needs to be actively secured.

Our clients don’t have to worry for the most part because we work hard to keep all our clients’ websites secure. While we work hard to keep your website safe, that doesn’t mean you shouldn’t know what happens behind the scenes. Every one of our affordable website plans is updated regularly and secured with a high level of security monitoring.

Even with the best updates and monitoring, if you don’t do your due diligence for security then it could all fail.

Security is a chain, and if one link is weak then the whole chain is weak. These tips to keep WordPress secure will help you secure ALL the links in your WordPress website’s security.

Pay special attention to the password tips; those, along with updates, are the two biggest potential weak links in the security chain.

Ways To Keep A Secure WordPress

WordPress by itself is extremely secure. If you look at all the hacks and vulnerabilities out there in the wild, very few if any are taking advantage of vulnerabilities in WordPress itself.

It’s an unfortunate effect of being the most popular content management system on the internet that everyone blames the platform for the problems of third-party developments. Yes, the weak spot is usually poorly written or poorly maintained third-party plugins and themes.

In other words, you’ll see articles with a WordPress plugin with a major vulnerability being exploited in the wild. In the comments, you’ll notice person after person saying WordPress is insecure when the article clearly stated it was plugins that are vulnerable, not WordPress. Need an example? Check out this article on Ars Technica about the recent Easy WP SMTP and Social Warfare vulnerabilities.

You’ll see people spreading lies about the security of WordPress everywhere. That’s like blaming iOS for a vulnerability in an iPhone app. Of course, it needs to be taken care of (and often is, very quickly), but it’s still not the security of WordPress itself that’s the issue.

Enough sidetracking, though. The power to keep WordPress extremely secure is completely in your hands. We take care of most of these things for our clients but if you’re not a client then pay attention to each one.

1) Don’t Use Admin Username

Most installers for WordPress won’t set you up with the username admin so this shouldn’t be an issue anymore. If you do have that username now, change it immediately and don’t use it ever again.

The username admin is the one most commonly scanned for and targeted in break-in attempts. Don’t use it; use anything but admin.

2) Keep A Strong And Secure Password

Security always starts with you.

Keep a secure password for your WordPress installation AND for your server too. If either one is weak, that’s your weak link in the chain.

If you don’t keep an extremely secure password then you’re the weakest link. I recommend you use a password manager such as 1Password or the one built into iOS/Mac (I use it and love it).

If you want to venture out to create your own secure password, make sure it’s extremely secure. Google has a pretty simple guide to creating a secure password that you can remember too.

3) Update Your Secure Password Regularly

No matter how careful you are, there’s a chance your password could end up on a list somewhere that hackers try to use. Just to be sure you’re completely safe, it’s best to create a new unique password at least every 90 days.

I know, that sounds like a lot of work. It doesn’t have to be a lot of work though if you use a password manager. It’s as easy as going to the reset password screen and letting your password manager give you a new password.

Even creating a new password once every 6 months is better than never doing it. So, do what you can but know that the more often you set a new password, the better off you’ll be.

4) Use Two-Factor Authentication (2FA)

Two-factor authentication is an easy way to add further security to your WordPress admin dashboard. In addition to your password, you need a code from an authenticator app. We have enabled (and encourage) our clients to enable two-factor authentication on their accounts.

So essentially to gain access to your WordPress admin dashboard you must know something (your password) and have something (a device with a special code). That makes it significantly more difficult to break in using just the password alone.

There are many two-factor authentication plugins for WordPress. Two-factor authentication was recently added to Wordfence and they also released a stand-alone Wordfence two-factor authentication plugin.

If you don’t already have an authenticator app on your phone, you should get one. Google makes an authenticator app for Android and iOS, but my favorite is Authy, available for iOS and for Android.

5) Keep Everything Updated Regularly

I cannot emphasize the importance of this one enough. Aside from the password stuff, this is the most important step to keeping your WordPress installation secure.

You can find many of the most recent and common WordPress vulnerabilities in the WPScan Vulnerability Database, but you have to do more than that. As soon as a new update to core, a theme, or a plugin comes out, scan the changelog to see whether any of the changes are security fixes.

This is the order of importance for updates. I put plugins at the top because there are more plugin updates than anything else, and they’re often the weakest point of entry for vulnerabilities if there is one.

Update all of these religiously:

  • Plugins
  • Theme
  • WordPress Core

Every one of our affordable website plans is maintained daily and updated regularly. We test thoroughly and make sure all necessary updates are in place to keep our WordPress platform secure.

If you’re not on our platform, we recommend you use a third-party WordPress maintenance service to make sure your website is always taken care of properly, including offsite backups in case anything does go wrong.

6) Use High-Quality Plugins

Believe it or not, people do buy extra-cheap plugins from bargain websites and black markets. Why, I’m not sure. You’re just asking for problems by doing this, because you’re passing up the most important part of plugins and themes:

  1. Regular plugin updates.
  2. Plugin support, and the resources to keep them updated.

Plugins take work to keep updated and maintained with new code, new features, and regular improvements. Why would you intentionally rob plugin developers of what they deserve?

We’re not talking giant companies here, these are people who are trying to put food on the table for their kids, support that!

Don’t purchase a plugin based on price alone. Look at user reviews, price, update history, and reviews by professionals. That’s the only way to find good plugins that are updated regularly and are going to be less vulnerable.

Plugins from black markets and discount websites are not likely to get updates and they may have vulnerabilities baked right in. Don’t do it, it’s not even worth it.

7) Use A Security Plugin

This isn’t as foolproof a security solution as it seems, but it does help somewhat and is still essential. Don’t be lulled into a false sense of security, though. A security plugin is extremely helpful, but only after performing all the above tasks first and foremost.

Security plugins can slow down your server if it’s not equipped to handle the extra load it takes to scan traffic. Not all security scanners sit on the server, though, which can have its benefits but also its drawbacks.

That’s a whole other topic though!

Just be sure you have a security plugin with a good reputation and that is actively developed for new threats.

8) Use A Secure Host

Did you know your hosting account could be the weak link in your security chain? It sure can!

Hosts have been known to neglect their due diligence in updating their server software, which introduces vulnerabilities into the server. These, of course, have nothing to do with WordPress.

If you’re using a less than reputable hosting company (or one that’s extremely cheap) then they may not be putting the necessary resources into server maintenance. That’s not good for your website’s security.

This isn’t the most common way for hacks to happen, but it can be. I have seen it crop up on occasion, though rarely.

Alternatives To The Worry

There are alternatives to the worry you should rightfully have when dealing with WordPress (or any website for that matter).

Our favorite alternative?

Use an all-in-one service that manages your WordPress installation, provides secure hosting, and makes sure your website is all taken care of. That’s what our affordable web design service does for you.

The best part?

You don’t even have to build your website; we take care of that part for you. It’s also on the WordPress platform, so you get the robustness of WordPress, search engine optimization baked right in, and everything else you need for a powerful website.

The only thing we can’t take care of for you is a secure password but we do enforce that you maintain a secure one. It’s up to you to change it regularly though.
