Jane Friedman

6 Common Sense Steps to Secure a WordPress Website

Today’s guest post is by Nate Hoffelder (@thDigitalReader) of The Digital Reader, who offers WordPress services for authors.


For a platform that powers a quarter of the websites in the world, WordPress is surprisingly insecure. The default settings leave a site open to being hacked a half-dozen different ways.

And hackers know that. They are always looking for WordPress sites with lax security that they can take over to expand their botnets, but you don’t have to be their next victim.

I almost was that next victim. In 2012 I was targeted by a botnet that attacked WordPress sites. I never lost control of my site, but I did spend quite a few hours fighting them off. I had to learn the hard way that securing a site before you encounter a problem can prevent a lot of panic, but you don’t have to make my mistake.

Here are 6 steps you can take to make your WordPress website more secure.

1. Install a firewall plugin

Most people wouldn’t dream of browsing the web without anti-virus and firewall protection, so don’t you think that your website needs the same protection?

There are over a dozen legitimate security plugins for WordPress, and I recommend All in One WP Security. I like this plugin because it covers more security options than can be listed in a single blog post, including everything from blocking spambots to protecting your database and file system.

If you look for advice on making a WordPress site more secure, you will find posts listing dozens and dozens of steps you should take. Most of those steps can be completed simply by setting up this one plugin.

2. Disable old user accounts

Did you set up another writer as an author, editor, or admin for your site years ago and then forget about it? Did a web designer help you set up your site with an account of their own?

If you answered yes to either of those questions, then you should immediately reassess and possibly disable those accounts.

Each account you set up on your site is another way for hackers to get in and cause mischief, which is why you should limit access to only those who truly need it.

A good rule of thumb is to only give users the bare minimum of permissions to complete their assigned tasks. If someone is just uploading an article, then they don’t need to be an editor or admin (they can be a “contributor”), and if a user no longer needs admin access to your site, then you should change their status to “subscriber.”

Note: If a person is a past or current contributor of content to your site, do not delete the account; this might delete their posts as well! Just adjust their permissions if needed.
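If you manage your site from the command line, the audit in step 2 can be scripted. This is an added example, not code from the original post: it uses WP-CLI’s real `wp user list`, `wp user update` and `wp user delete` commands, and runs stand-alone on a constructed sample of what `wp user list` prints.

```shell
#!/bin/sh
# Added example (not from the original post): audit which WordPress accounts hold
# elevated roles, using the output of WP-CLI's real `wp user list` command.
# The sample CSV below is constructed so the script also runs without a WordPress
# install; on a live site you would pipe the real command into list_privileged.

# Reads CSV rows "ID,user_login,roles" on stdin, as produced by
#   wp user list --fields=ID,user_login,roles --format=csv
# and prints the login of every account that is an administrator or editor.
# The roles column may hold several quoted, comma-separated roles, so the first
# two columns are stripped off and the remainder is matched as a whole.
list_privileged() {
  awk -F, 'NR > 1 {
    roles = $0
    sub(/^[^,]*,[^,]*,/, "", roles)
    if (roles ~ /administrator|editor/) print $2
  }'
}

# Constructed sample: a site with a forgotten designer account and a stale editor.
SAMPLE_USERS='ID,user_login,roles
1,jane,administrator
2,olddesigner,administrator
3,guestwriter,editor
4,reader,subscriber
5,helper,"contributor,subscriber"'

# Run the audit over the constructed sample; returns the logins to review.
audit_sample() {
  printf '%s\n' "$SAMPLE_USERS" | list_privileged
}

# On a real site, review the list and demote accounts that no longer need access
# (this keeps their posts, unlike deleting the account):
#   wp user update olddesigner --role=subscriber
# If an account really must go, reassign its posts to another user first:
#   wp user delete olddesigner --reassign=1

audit_sample
```

Running the script prints the three accounts worth a second look (jane, olddesigner, guestwriter); the subscriber and contributor accounts are left alone, matching the note above about not deleting contributors.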

3. Use a strong password

Everyone used to say that you should use a long and complex password consisting of letters, numbers, and symbols. The security expert who first proposed that rule no longer believes it is good advice, but you still need a strong password. The current rule of thumb is that passwords need to be long enough that they’re hard to guess but also simple enough that you can remember them.

You won’t be able to remember K5^KB@sUv0YasF9u, but you could easily memorize “Battery Horse Staple Correct”, a password that is actually harder for computers to figure out by guessing.

4. Delete any unused plugins

Plugins are a great way to add new features to your WordPress site, but they also add potential security problems. Over half of the WordPress security bugs listed in WPScan’s vulnerability database were found in plugins, and that’s why you should always take care to use only the plugins you absolutely have to have.

Disable and remove plugins once you no longer need them. This will not only make your site more secure, it will also help your site run faster.

5. Run regular security scans with Sucuri

Here’s a thought that will keep you up at night: it is entirely possible for your site to be hacked and for no one, not even the firewall plugin, to notice.

This is why I regularly have my site checked with at least two different security scanners. First I have my firewall plugin run a security scan, and after that’s done, I run Sucuri’s site scanner to double check that everything is okay.

6. Maintain regular backups

You need to do all you can to keep hackers out, but you also have to plan for the worst. Sites get hacked all the time, and it could happen to you. That’s why you need to make sure that your site is being backed up on a regular basis.

Many hosting companies automatically back up sites on a daily, weekly, or monthly basis. Check to see if yours offers this service. If the answer is no, then you should install a plugin like BackupWordpress and set it up to make weekly backups of your entire site (this includes both the files and the database).

Your turn: What steps have you taken to secure your WordPress site?