According to W3Techs, WordPress now powers a full third of all websites. That’s a pretty insane level of market penetration, but if you look at the platform’s past growth it’s not terribly surprising.
While WordPress’ popularity speaks highly of its ease of use and reliability, there are a few downsides to being so widely used. One of the main issues is that it’s a common target for hackers because there are literally millions of sites on which to run automated attacks.
WordPress is inherently very secure, and when security holes do come up the core team is very prompt about patching them. The vast majority of hacked WordPress sites come from outdated versions of the core software or one of the many plugins available, which leads us to our first tip.
Keep everything updated!
This is probably both the easiest and most important step to keeping your site secure. If your site gets hacked and you discover it was because you never applied that security patch from six months ago, or you installed a bunch of plugins but never bothered to update them, you really have nobody to blame but yourself.
Granted, updates can be a bit of a pain. They should be done on a regular basis, at least every week or two, and much sooner if an important security update comes out. And if you have a highly-trafficked site, you should ideally test your updates on a staging site first before updating everything on your live site.
But in the interest of simplicity, let’s assume you’re going to do this yourself and don’t want to complicate things. I would recommend setting up a calendar reminder for a certain time every week to log into your WordPress admin and check the Dashboard >> Updates page in the upper left of the menu.
Once you have that complete, just do the core, plugin and theme updates as needed and you’ll be all set.
Change the default admin username to something other than ‘admin’
Here’s an easy one, and something that really shouldn’t be the common problem it usually is. Typically, when you first set up WordPress the main admin user is called “admin”. This seems obvious, but it also means millions of sites out there are using the same default username.
This makes it quite easy for all those nefarious hackers to run brute force attacks using “admin” combined with a bunch of passwords. Of course, you want to use a strong password too, but it’s best to avoid the use of “admin” in the first place, thus thwarting said annoying hackers.
Fortunately, there are a few fixes for this problem. The easiest method, and one that doesn’t require a plugin or manually editing the database, is to create a brand new admin user (with a strong password of course).
Then, log out of your original admin account, log back in with the account you just created and delete the old account. Warning: when WordPress asks what to do with the old account’s content, be sure to choose the option that attributes all of your existing content to the new user, otherwise it is deleted along with the account.
Use a security plugin to limit login attempts
Like I said earlier, there are a lot of hackers out there trying to log into your website using the default admin username combined with various passwords. Changing the default admin username is a good start, but how about blocking those nerds so they can’t hammer your site in the first place?
Excellent idea. A good security plugin will accomplish this for you, and I highly recommend using Wordfence. This plugin will track failed login attempts and block the IP address of the offending user after the number of failures you specify.
Wordfence also runs a web application firewall that tracks and identifies malicious traffic, does security scans of files, maintains an IP blacklist, enforces strong passwords and a bunch of other stuff that helps keep your site safe and secure. I install Wordfence on all the WordPress sites I set up. It’s a no brainer.
Use strong passwords
This one might seem obvious, but it’s really amazing how many people still use ridiculously insecure passwords for a variety of things. You’d think the barrage of news about hacks and surveillance would change their views, but such is not the case.
If your username is “bob” and your password is “bob123” this is bad. So is “passw0rd” and “123456” and “qwerty”. It sounds silly, but the reality is these are not uncommon.
WordPress will create a strong password by default when you add a new user. That’s an easy solution. Another is to use a password generator and stick to it. Like many things, the key is consistency. Just one admin user with a lame password can ruin your whole day.
A good overall security technique is to use different passwords for all of your accounts and then store them with a tool like 1Password or LastPass. Check out this excellent post for a good rundown of the dangers of re-using passwords, password managers, how to tell if your password has been compromised and more.
I know it’s convenient to use the same password for multiple sites. I used to do it. But all it takes is for one of those websites to get hacked and your email/password combination stolen. Next thing you know it’s published on a hacker board and all kinds of sensitive information is potentially exposed.
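As an added example (not from the original post), here is a small checker that rejects the kinds of passwords called out above, including the “passw0rd” letter-for-digit trick and a password built from the username, alongside a generator using the OS random source in the spirit of the one WordPress offers on the new-user form. The deny list, the 12-character minimum and the leet substitutions are assumptions; a real check would consult a much larger breached-password list.

```python
import secrets
import string

# Assumed deny list: the examples from the post plus a few obvious ones.
COMMON = {"password", "passw0rd", "123456", "qwerty", "letmein", "admin"}
# Undo simple substitutions so "passw0rd" and "p@ssword" compare as "password".
LEET = str.maketrans("0134@$", "oleaas")

def password_problems(password, username=""):
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    low = password.lower()
    deleet = low.translate(LEET)
    base = low.rstrip(string.digits + string.punctuation)  # "qwerty2024!!" -> "qwerty"
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if low in COMMON or deleet in COMMON or base in COMMON:
        problems.append("on the common-password list")
    if username and username.lower() in low:
        problems.append("contains the username")
    if len(set(password)) < 6:
        problems.append("too few distinct characters")
    return problems

def generate_password(length=24):
    """Random password from the OS CSPRNG (secrets), not random.random()."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))
```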
Use quality web hosting
I’m always amazed when, after spending lots of time and money creating a website and content, people will then look for the absolute cheapest hosting available. Makes no sense, but it’s surprisingly common.
Good managed hosting for a WordPress site can be had for $25 – $30 per month, which is next to nothing in the grand scheme of things, especially when it’s representing your organization.
I love WPX Hosting and have been using them for several years. In addition to the best tech support I’ve ever experienced, free SSL and their own CDN, they also provide enterprise-level DDoS protection, daily malware scans, firewalls, and spam protection.
So, using WPX offers another level of security on top of what you provide yourself, hopefully by using a plugin like Wordfence.
On top of that – and this is pretty remarkable – WPX will do free malware removal if your site is hacked. I don’t know of another hosting company that offers this service, and it’s a testament to WPX and their commitment to going above and beyond for their customers.
WPX also does 28-day automatic backups, just in case you’re not on top of that yourself or your own backup gets corrupted for some reason.
I’ve lost track of the number of hosting companies I’ve used over the past 20 years or so, but none of them compare to WPX. They’ll even move your site for free.
I hope this has helped give you an idea of how to keep your WordPress website safe and secure. There’s a lot more to it, of course, but these tips are a great place to start. They’re also all within the realm of the average user without having to get into code or config files.