6 Common Sense Steps to Secure a WordPress Website


Today’s guest post is by Nate Hoffelder (@thDigitalReader) of The Digital Reader, who offers WordPress services for authors.

For a platform that powers a quarter of the websites in the world, WordPress is surprisingly insecure. The default settings leave a site open to being hacked a half-dozen different ways.

And hackers know that. They are always looking for WordPress sites with lax security that they can take over to expand their bot armies, but you don’t have to be their next victim.

I almost was that next victim. In 2012 I was targeted by a botnet that attacked WordPress sites. I never lost control of my site, but I did spend quite a few hours fighting them off. I had to learn the hard way that securing a site before you encounter a problem can prevent a lot of panic, but you don’t have to make my mistake.

Here are 6 steps you can take to make your WordPress website more secure.

1. Install a firewall plugin

Most people wouldn’t dream of browsing the web without anti-virus and firewall protection, so don’t you think that your website needs the same protection?

There are over a dozen legit security plugins for WordPress, and I recommend All in One WP Security. I like this plugin because it covers more security options than can be listed in a single blog post, including everything from blocking spambots to protecting your database and file system.

If you look for advice on making a WordPress site more secure, you will find posts listing dozens and dozens of steps you should take. Most of those steps can be completed simply by setting up this one plugin.

2. Disable old user accounts

Did you set up another writer as an author, editor, or admin for your site years ago, and then forget about it? Did a web designer help you set up your site with an account?

If you answered yes to either of those questions, then you should immediately reassess and possibly disable those accounts.

Each account you set up on your site is another way for hackers to get in and engage in mischief, and that is why you should limit access to only those who truly need to access the site.

A good rule of thumb is to only give users the bare minimum of permissions to complete their assigned tasks. If someone is just uploading an article, then they don’t need to be an editor or admin (they can be a “contributor”), and if a user no longer needs admin access to your site, then you should change their status to “subscriber.”

Note: If a person is a past or current contributor of content to your site, do not delete the account; this might delete their posts as well! Just adjust their permissions if needed.
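An added example of how to audit this at the command line (it is not part of Nate’s post). It assumes WP-CLI is installed on the host and run from the WordPress root; the list of administrators below is a constructed sample of WP-CLI’s CSV output, and the script follows the note above by demoting stale accounts to “subscriber” rather than deleting them.

```shell
#!/bin/sh
# Added example, not from the article: list every administrator account
# and plan demotions to "subscriber" for those no longer on the keep list.
# Assumes WP-CLI ("wp") is available; nothing is changed until the printed
# commands are actually run.

# Constructed sample of what this WP-CLI call returns on a real site:
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv
SAMPLE_ADMINS='user_login,user_registered
nate,2010-03-01 12:00:00
olddesigner,2011-06-15 09:30:00
guestwriter,2012-01-20 18:45:00'

# Space-separated logins that genuinely still need administrator access.
KEEP_ADMINS="nate"

# plan_demotions: read the CSV on stdin (header row skipped) and print one
# "wp user set-role <login> subscriber" line per administrator that is not
# on the keep list. Demoting, not deleting, keeps the account's posts.
plan_demotions() {
    tail -n +2 | while IFS=, read -r login registered; do
        case " $KEEP_ADMINS " in
            *" $login "*) ;;   # still needs admin, leave alone
            *) printf 'wp user set-role %s subscriber\n' "$login" ;;
        esac
    done
}

# Dry run against the constructed sample: review the output, then pipe it
# through `sh` to apply. Against a live site you would feed it the real
# WP-CLI listing shown in the comment above instead of $SAMPLE_ADMINS.
printf '%s\n' "$SAMPLE_ADMINS" | plan_demotions
```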

3. Use a strong password

Everyone used to say that you should use a long and complex password consisting of letters, numbers, and symbols. The security expert who first proposed that rule no longer believes it is a good idea, but you still need a strong password. The current rule of thumb is that passwords need to be long enough that they’re hard to guess but also simple enough that you can remember them.

You won’t be able to remember K5^KB@sUv0YasF9u, but you could easily memorize “Battery Horse Staple Correct”, a password that is actually harder for computers to figure out by guessing.

4. Delete any unused plugins

Plugins are a great way to add new features to your WordPress site, but they also add potential security problems. Over half of the WordPress security bugs listed in WPScan’s vulnerability database were found in plugins, and that’s why you should always take care to use only the plugins you absolutely have to have.

Disable and remove plugins once you no longer need them. This will not only make your site more secure, it will help your site run faster.

5. Run regular security scans with Sucuri

Here’s a thought that will keep you up at night: It is entirely possible for your site to be hacked and for no one—not even the firewall plugin—to notice.

This is why I regularly have my site checked with at least two different security scanners. First I have my firewall plugin run a security scan, and after that’s done, I run Sucuri’s site scanner to double check that everything is okay.

6. Maintain regular backups

You need to do all you can to keep hackers out, but you also have to plan for the worst. Sites get hacked all the time, and it could happen to you. That’s why you need to make sure that your site is being backed up on a regular basis.

Many hosting companies automatically back up sites on a daily, weekly, or monthly basis. Check to see if yours offers this service. If the answer is no, then you should install a plugin like BackupWordpress, and then set it up so that it makes weekly backups of your entire site (this includes both files and the database).
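An added example, not from Nate’s post, of checking that a backup archive actually holds both halves he calls for (the files and the database) before you rely on it. It assumes the backup is a .tar.gz such as a plugin or cron job would write; the two sample archives are constructed on the spot so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the article: verify a WordPress backup archive
# contains wp-config.php, a wp-content/ tree and a database dump.
# Assumes a .tar.gz backup; sample archives below are constructed.

# verify_backup <archive.tar.gz>
# Returns 0 when all three parts are present, otherwise prints what is
# missing and returns 1.
verify_backup() {
    archive=$1
    [ -s "$archive" ] || { echo "missing or empty: $archive"; return 1; }
    listing=$(tar -tzf "$archive" 2>/dev/null) \
        || { echo "not a readable tar.gz: $archive"; return 1; }
    status=0
    printf '%s\n' "$listing" | grep -q 'wp-config\.php$' \
        || { echo "no wp-config.php in $archive"; status=1; }
    printf '%s\n' "$listing" | grep -q 'wp-content/' \
        || { echo "no wp-content/ in $archive"; status=1; }
    printf '%s\n' "$listing" | grep -Eq '\.sql(\.gz)?$' \
        || { echo "no database dump (.sql) in $archive"; status=1; }
    return $status
}

# make_sample <archive> <yes|no>: build a constructed backup, with or
# without the database dump, to exercise the check.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/site/wp-content/uploads"
    echo "<?php // constructed sample config" > "$dir/site/wp-config.php"
    echo "constructed upload" > "$dir/site/wp-content/uploads/a.jpg"
    if [ "$2" = yes ]; then echo "-- constructed dump" > "$dir/site/db.sql"; fi
    tar -czf "$1" -C "$dir" site
    rm -rf "$dir"
}

WORK=$(mktemp -d)
GOOD="$WORK/full-backup.tar.gz"      # files + database
BAD="$WORK/files-only.tar.gz"        # forgot the database
make_sample "$GOOD" yes
make_sample "$BAD" no

verify_backup "$GOOD" && echo "$GOOD: complete"
verify_backup "$BAD" || echo "$BAD: incomplete, do not rely on it"
```

A backup that passes this check still needs the restore test too: restore it to a staging copy and confirm the site comes up.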

Your turn: What steps have you taken to secure your WordPress site?

Posted in Digital Media.

Nate Hoffelder has been building and running WordPress sites since 2010. He blogs about the book publishing industry, and helps authors connect with readers by customizing websites to suit each author’s tastes. In his spare time, he fosters dogs for A Forever Home, a local rescue group. You can find him over at The Digital Reader.

Will Bontrager

I’m adding to the concept at the “Maintain regular backups” section of the article: It is important to test the backup system. You test it by making a backup and then restoring it – to make sure it works. If it doesn’t work, it’s better to find out now than after you’ve lost your site’s content. But before the test, export your WordPress data. It’s a backup in case something goes wrong with the test. That “export first” hint may make you hesitate. But would you rather do the test now, while you have an export available if it’s needed,…

S. J. Pajonas

I’ll add to the username portion and say don’t use the standard “admin” username that comes with WP. Change it to something people won’t guess. Then as an extra step, change the nicename on the backend so no one can see your username in the code of your site. I followed instructions online of how to do this and it was pretty easy. Don’t know if your security plugin already does this since I use the free Wordfence plugin instead.


[…] Common Sense Steps to Secure a WordPress Website (Nate Hoffelder on JaneFriedman.com): Nate writes The Digital Reader, which is one of my daily morning reads, and here he shares easy […]

Lynne LeGrow

Can you install a firewall plugin to the FREE version of WordPress?

Jane Friedman

No, but by being on WordPress.com (the free version), you are very safe from attack as long as you have a decent password in place and aren’t granting user rights arbitrarily.

Thomas Edmund

Whoops – none of those things, better get onto it


[…] https://janefriedman.com/6-common-sense-steps-secure-wordpress-website/ Couldn’t get these to work without buying the business plan which I don’t want to do—yet. Maybe they’ll help someone else though. […]

Joy Dent

Is this info for both WordPress dot com and dot org?

Vicki Weisfeld

I came back to this post and reread after a grueling experience, about which, the less said the better. Thanks for the information!