WordPress is an incredible website platform — it’s what I use and what I often recommend for businesses with specific needs or big dreams. But it has its downsides… primarily that you’re pretty much on your own. With an all-in-one website platform like Squarespace or Shopify, security is mostly managed for you. You’ll have a few things to take care of, but with WordPress it’s all on you and the tools/plugins/contractors you bring in to help.
WordPress websites of all sizes and types can (and do) get hacked, but it’s a greater risk for sites that get frequent traffic and sites that take credit cards and personal information. Regardless, it’s well worth the time it takes to fortify your site with these basic website security tips.
Change your password often.
All the best practices about passwords apply to your WordPress login password — use a complex password (ideally from a password generator), don’t re-use a password you’ve used elsewhere, and change it periodically. I recommend changing your WordPress login password every 3-6 months. If your site gets compromised in any way, change your password immediately. You can also password protect your admin area.
Limit the number of admin users for your site.
If possible, don’t have more than three admin users on your site. Delete old admin user accounts as soon as they’re not in use anymore. You can add users at other levels as much as you need. Also, if you have a user with username “admin,” you should change that username to something more complex/unique.
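As an added example (not code from the original post), here is a small must-use plugin that enforces this rule in code rather than by habit. It assumes a cap of three administrators (the ADMIN_GUARD_MAX_ADMINS constant is mine) and that you can place a PHP file under wp-content/mu-plugins/ on your host.

```php
<?php
/**
 * Plugin Name: Admin Account Guardrails (added example, not part of the original post)
 * Description: Caps administrator accounts, refuses the username "admin",
 *              and emails the site owner whenever someone is made an admin.
 *
 * Drop this file into wp-content/mu-plugins/ (create the folder if needed);
 * must-use plugins load automatically and cannot be switched off from the dashboard.
 */

// Assumption: three admins is the limit the post recommends; adjust if needed.
const ADMIN_GUARD_MAX_ADMINS = 3;

// 1. Once the limit is reached, remove "Administrator" from the role
//    drop-down on the Add/Edit User screens. This only governs the
//    dashboard UI; a direct database edit or WP-CLI can still assign roles.
add_filter( 'editable_roles', function ( array $roles ) {
    $counts = count_users();
    $admins = $counts['avail_roles']['administrator'] ?? 0;
    if ( $admins >= ADMIN_GUARD_MAX_ADMINS ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );

// 2. Refuse to create a user whose login is "admin" (WordPress compares
//    this list case-insensitively in wp_insert_user()).
add_filter( 'illegal_user_logins', function ( array $logins ) {
    $logins[] = 'admin';
    return $logins;
} );

// 3. Detection: email the site owner every time an account is promoted to
//    administrator, so an unexpected promotion is noticed quickly.
add_action( 'set_user_role', function ( int $user_id, string $role, array $old_roles ) {
    if ( 'administrator' !== $role || in_array( 'administrator', $old_roles, true ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $site = wp_parse_url( home_url(), PHP_URL_HOST );
    wp_mail(
        get_option( 'admin_email' ),
        "[{$site}] New administrator account: {$user->user_login}",
        "User \"{$user->user_login}\" ({$user->user_email}) was given the administrator role.\n"
        . "If you did not make this change, review Users in the dashboard and change your passwords."
    );
}, 10, 3 );
```

The email check is the part worth keeping even if you relax the cap: an administrator account appearing that you did not create is one of the earliest visible signs of a compromised site.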
Keep your site updated with the latest versions of WordPress, plugins and themes.
WordPress releases minor and major updates periodically. While major updates should be carefully considered, minor updates typically won’t cause damage to your site. Keeping WordPress and all of your plugins (and your theme!) up to date is necessary for site security. Most theme developers will email you when a new theme version is available, but you might see it in your WordPress dashboard as well.
Before you install any updates, make sure you have good backups of your site. You never know when a platform or plugin update will cause a problem on your site or cause it to go down. Consider HackGuard or work with a website professional to keep your site up to date without crashing it.
Choose a reputable WordPress host or consider managed WordPress hosting.
While your hosting company isn’t fully responsible for security issues, choosing a reputable host can go a long way. You can choose an unmanaged (shared) host like Bluehost or Siteground (cheaper, with fewer services included) or a managed host like WP Engine (more expensive, with more services included) or Kinsta. Managed hosts often include things like security monitoring, a good backup system and/or cleanup of a hacked website.
Have a good and automated backup plan in place.
A good backup strategy is a must for a WordPress website. Luckily there are many plugins that can automatically pull backups for you. I like UpdraftPlus. Make sure you select a storage destination in the plugin’s settings so the backups are actually saved somewhere. If you’re not making a lot of site edits, you can do weekly backups. If you update your site frequently, consider daily backups. I prefer to store backups in the cloud rather than on my computer (pro-tip: killing your laptop by spilling tea on it is less traumatic when you store everything in the cloud!).
Install a security plugin.
To a certain extent, you get what you pay for when it comes to security management systems. There are many plugin options available, but two I recommend are Sucuri and Wordfence. Both of these have free versions as well as paid versions. If your site doesn’t get a ton of traffic and doesn’t take payments, I recommend just using a free version. Read the fine print of any security provider — some will provide site repairs at no charge, but others won’t.
Make sure you have an SSL certificate installed.
An SSL certificate is a must-have for all websites for many reasons, but it’s a good call for security too. Your website host can often install an SSL certificate for you (there may be a charge), but you can use a plugin if you prefer. I recommend Really Simple SSL.
Turn off commenting or install an anti-spam plugin.
If you don’t need comments activated or don’t plan to have a blog, I recommend turning off this feature. If comments from your website visitors are important to you, install an anti-spam plugin like Antispam Bee or Akismet.
If your website is built on WordPress and you rely on it for business/income, I highly recommend getting a good security system in place. Jim Walker’s HackGuard service is an affordable solution ($13/month), and while there’s no way to fully prevent website hacks, Jim’s service offers a lot of protection so you can be a bit more hands-off with your site.
There are dozens more website security best practices not included here, but many require more in-depth knowledge of the platform or coding skills. These tips will at least keep your site safer than before.