10 Tips for Securing a WordPress Website

One thing you have to think about when you go self-hosted is security! Here are ten things you can do to help secure your WordPress site…

10 tips for securing your WordPress website or blog and preventing a hack

1. Update WordPress
One of the most common security issues for WordPress sites is running outdated versions of the WordPress core, themes and plugins.

Regularly updating your site will help prevent you from being hacked. Keeping WordPress itself, your plugins, themes and PHP version up-to-date will fix any existing bugs and security issues.

Related: How to easily update the PHP version of your WordPress site

2. Don’t install plugins or themes from untrusted sources
Only install plugins and themes from well-known repositories or reputable developers. Other forms of distribution may contain malicious code.

3. Uninstall and delete unused plugins and themes
It’s a good idea to uninstall and completely delete any unused plugins or themes, as they can be a security risk if known vulnerabilities exist within them.

4. Review your WordPress password and logins
Your WordPress login is the most commonly attacked area of your site, because it is the easiest route into your site’s admin dashboard. Brute force attacks (guessing usernames and passwords over and over until a successful login occurs) are the most common method of exploiting your WordPress login. Use a strong, unique and complex password.

Don’t use “admin”, “user”, “temp”, “test” or “user1” as your username, enforce strong password requirements and limit login attempts. You can also change the login page URL. It’s not foolproof, but it can make it harder to access your site.

Related: Essential Security Tips for WordPress Users to Avoid Being Hacked

5. Add two-factor authentication for your admin login account
Two-factor authentication is a system that requires two items to log in to your account. The first is your username and password; the second is a unique code that’s delivered via text, email, single-use codes or mobile app. Two-factor authentication adds an extra layer of security to protect your account.

6. Regularly back up your website
WordPress doesn’t include a built-in backup system, so you’ll need to implement a backup strategy on your own. Trust me, you’ll appreciate it! If your website is ever compromised, you’ll be able to get it back online pretty quickly and easily if you have backups. Back up your full site and database daily, weekly or monthly depending on your content frequency, so that if anything happens you can easily restore a previous version.

Related: How to backup your entire blog on WordPress or Blogger

7. Add an SSL Cert
When someone visits your WordPress site, a line of communication between their device and your server starts to pass information back and forth. An SSL Cert adds a layer of encryption that keeps that information private, which is really important if you’re collecting login credentials and credit card details.

Related: SSL Certs for SEO

8. Research your web host provider
Ask if the web host offers support, backups and advanced security configurations. Your host should be vigilant about applying the latest security updates and following important best practices related to server and file security. Choose a reputable host who has good reviews regarding security and updates.

Related: 8 factors to consider when choosing a web host provider for your blog

9. Install a WordPress security plugin to handle security tasks
Using a WordPress security plugin can help with several WordPress security tasks that would otherwise take a lot of time and technical knowledge. My favourite two plugins are iThemes [affiliate] and Wordfence.

You can also use Limit Login Attempts to stop a user from trying to log in after a certain number of attempts and Sucuri Security to monitor your site.

Related: 5 basic but must have wordpress plugins

10. Set up WordPress security logging
WordPress security logs are another way to keep tabs on activity on your website related to your security. A lot of WordPress security plugins can email you about certain suspicious activities like file changes, brute force attacks, lockouts, etc. 

WordPress itself is a secure platform, but it is your responsibility to keep your site safe and secure. These ten tips will get you started! 
