10 tips for securing your WordPress website

One thing you have to think about when you go self-hosted is security! Here are ten things you can do to help secure your WordPress site…

1. Keep WordPress updated

One of the most common security issues for WordPress sites is running outdated versions of the WordPress core, themes and plugins.

Regularly updating your site will help prevent you from being hacked. Keeping WordPress itself, your plugins, themes and PHP version up to date means you get the fixes for known bugs and security issues.

Related: How to easily update the PHP version of your WordPress site

2. Don’t install plugins or themes from untrusted sources

Only install plugins and themes from well-known repositories or reputable developers. Other forms of distribution may contain malicious code.

3. Uninstall and delete unused plugins and themes

It’s a good idea to uninstall and completely delete any unused plugins or themes; they can be a security risk if known vulnerabilities exist within them.

4. Review your WordPress password and logins

Your WordPress login is the most commonly attacked area of your site. It is the easiest route to your site’s admin dashboard, and brute force attacks (guessing usernames and passwords over and over until a successful login occurs) are the most common method of exploiting your WordPress login. Use a strong, unique and complex password.

Don’t use “admin”, “user”, “temp”, “test” or “user1” as your username. Enforce strong password requirements and limit login attempts. You can also change the login page URL. It’s not foolproof, but it can make it harder to access your site.

Related: Essential Security Tips for WordPress Users to Avoid Being Hacked

5. Add two-factor authentication for your admin login account

Two-factor authentication is a system that requires two items to log in to your account. The first is your username and password; the second is a unique code that’s delivered via text, email, single-use codes or a mobile app. Two-factor authentication adds an extra layer of security to protect your account.

6. Regularly back up your website

WordPress doesn’t include a built-in backup system, so you’ll need to implement a backup strategy on your own. Trust me, you’ll appreciate it! If your website is ever compromised, you’ll be able to get it back online pretty quickly and easily if you have backups. Back up your full site and database daily, weekly or monthly depending on your content frequency, so that if anything happens you can easily restore a previous version.

Related: How to backup your entire blog on WordPress or Blogger

7. Add an SSL Cert

When someone visits your WordPress site, a line of communication between their device and your server starts to pass information back and forth. An SSL Cert adds a layer of encryption that keeps that information private, which is really important if you’re collecting login credentials and credit card details.

Related: SSL Certs for SEO

8. Research your web host provider

Ask if the web host offers support, backups and advanced security configurations. Your host should be vigilant about applying the latest security updates and following important best practices related to server and file security. Choose a reputable host who has good reviews regarding security and updates.

Related: 8 factors to consider when choosing a web host provider for your blog

9. Install a WordPress security plugin to handle security tasks

Using a WordPress security plugin can help with several WordPress security tasks that would otherwise take a lot of time and technical knowledge. My favourite two plugins are iThemes [affiliate] and Wordfence.

You can also use Limit Login Attempts to stop a user from trying to log in after a certain number of attempts and Sucuri Security to monitor your site.

Related: 5 basic but must have wordpress plugins

10. Set up WordPress security logging

WordPress security logs are another way to keep tabs on activity on your website related to your security. A lot of WordPress security plugins can email you about certain suspicious activities like file changes, brute force attacks, lockouts, etc. 

WordPress itself is a secure platform, but it is your responsibility to keep your site safe and secure. These ten tips will get you started! 
