How to Keep Your WordPress Website Secure

In view of recent high-profile hacks and data thefts, I have updated this article with some new tools and information.

Thanks to WordPress’ popularity it is a common target for hackers. So how do you minimise the chances of your website being hacked? Follow these tips to keep your website secure.


Usernames & passwords

When setting up users, make each username unique and choose complex passwords. WordPress gives pretty good feedback on whether a password is weak or strong, and it can also generate secure passwords for you. I have seen some websites where the username was “admin” and the password also “admin”. This is an open invitation to hackers, who use automated brute force attacks to guess username and password combinations. Avoid the default username “admin” in favour of a longer, more unique username, and choose a secure password.

If you have trouble keeping track of your passwords, use a password manager such as LastPass to store them securely. Also avoid sharing logins; it is better to set up a unique login for each user.

You will also want to limit the number of administrators on your website. Log in and go to Users, then click on Administrators to see a list of users with full website access. Any old or inactive users should be deleted (make sure you don’t delete their content though; follow the prompts to reassign their content to another user). Anyone who doesn’t need full access can be downgraded to a different WordPress user role, e.g. “Editor”. If I built your website you will see my details as an administrator, and I will need that to be able to maintain your website for you so please don’t delete me 😉

Consider 2 Factor Authentication

If your website has the Wordfence plugin installed (see below), you can easily set up 2 Factor Authentication for your admin users. This is more important for websites that hold customer data, such as eCommerce and membership websites. With 2 Factor Authentication enabled, a password alone is not enough: you also need a code from an authenticator app to log in to your website.

To enable it, log in to WordPress, go to Users, hover over your username, click “2FA” and follow the prompts.

Update WordPress and plugins regularly

While it is easy to build a WordPress website and put it on the internet, the reality is that a WordPress website requires regular maintenance. WordPress is a great content management system, but to build a functional website it requires at least a handful of plugins (e.g. to build contact forms, set up backups, add SEO functionality, or run eCommerce). Both WordPress itself and its plugins receive regular updates. These updates can include feature improvements, bug fixes and security patches.

Updates need to be applied regularly, at least once or twice a month. If a vulnerability is discovered in a certain version of WordPress or a plugin, this information quickly spreads amongst hackers, so it is important to apply updates promptly, in particular when they include security patches.

Your server’s PHP version also needs to be kept up to date; however, older websites can sometimes break because their theme or plugins are not compatible with the latest PHP version.

Ondetto offers website maintenance plans so if you don’t remember to login and update your website regularly, you may wish to consider this option.

Be picky with your plugins

Plugins are great as they can extend your WordPress website and add functionality ranging from simple contact forms to full blown eCommerce or membership websites. However, not all plugins are coded by reputable developers, or they may not be maintained by the developer any more.

It is best to go with the most popular plugins that have many installs and positive reviews. That way you can be pretty sure the plugin is reputable and well maintained.

Any disabled plugins on your website that you don’t actually need are best uninstalled: a deactivated plugin’s code still sits on your server, it just isn’t running.
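The two plugin checks above (apply available updates, uninstall inactive plugins you don’t need) can be turned into a quick audit of a site’s plugin inventory. This is an added example, not code from the article or from WordPress: it parses the JSON that the WP-CLI command `wp plugin list --format=json` prints on the server, and the sample inventory and plugin names below are constructed for illustration.

```python
"""Audit a WordPress plugin inventory against the two hygiene rules in the
article: plugins with an update available, and inactive plugins that should be
uninstalled. Input is the JSON from `wp plugin list --format=json` (WP-CLI)."""
import json

# Constructed sample in the shape WP-CLI emits; these plugin names are invented.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "wordfence", "status": "active", "update": "none", "version": "7.11.0"},
    {"name": "contact-form", "status": "active", "update": "available", "version": "5.7"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "1.2"},
    {"name": "unused-slider", "status": "inactive", "update": "none", "version": "3.0"},
])


def audit_plugins(plugin_list_json: str) -> dict:
    """Return the plugins that need attention, grouped by the action to take."""
    plugins = json.loads(plugin_list_json)
    needs_update = sorted(p["name"] for p in plugins if p.get("update") == "available")
    # Deactivated plugins still ship code on the server, so the article's advice
    # is to uninstall any that are not actually needed.
    inactive = sorted(p["name"] for p in plugins if p.get("status") == "inactive")
    # Worst case: installed, switched off, and already behind on patches.
    inactive_and_outdated = sorted(set(needs_update) & set(inactive))
    return {
        "needs_update": needs_update,
        "inactive": inactive,
        "inactive_and_outdated": inactive_and_outdated,
    }


def format_report(audit: dict) -> str:
    """Render the audit as one line per action, for a maintenance checklist."""
    lines = []
    for action, names in audit.items():
        lines.append(f"{action}: {', '.join(names) if names else 'nothing to do'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_plugins(SAMPLE_PLUGIN_LIST)))
```

On a real site, pipe the live inventory in instead of the sample: `wp plugin list --format=json` run in the WordPress root gives the same structure.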

Install a Security & Firewall plugin

There are a number of good security plugins available, both free and commercial. We use Wordfence, which includes manual and automated malware scans, monitoring of other plugins, a firewall, blocking of brute force attacks, and email alerts if anything suspicious is going on.

If we built your WordPress website we will probably have already set this up for you. You can check whether it is installed by logging in to your website and going to Plugins to see if Wordfence is listed and active.

Set up regular backups

This won’t prevent you from getting hacked, but it will greatly reduce the impact if it does happen, as you can restore your website from a (hopefully) clean backup. There are some great backup plugins such as BackUpWordPress, UpDraft, and Akeeba Backup.

If your website is hosted with us, we have daily backups set up which are kept for 30 days.

Some older websites use Akeeba Backup plugin for weekly backups instead but I am in the process of moving all websites to a new server with daily backups.

Without backups, the website will sometimes need to be rebuilt from scratch as it is very difficult to clean up a hacked website. This can obviously be costly and time consuming.

Submit your website to Google Search Console

For Search Engine Optimisation purposes, every website should be submitted to Google’s Search Console anyway, as this helps with indexing the website in search results. The Search Console also offers malware scanning tools and will often automatically pick up any malware on your website and email the website owner an alert with further details. When we build a website we always submit it to the Search Console, so if you have had your website built by us, we would be notified of any malware that Google detects.

Choose a good web host & install SSL

Saving a few bucks on a cheap web host may come at a cost as some providers are less reputable and secure than others. A good web host that keeps its systems clean and up to date, and an SSL certificate to encrypt your website traffic, will go a long way to keeping your website secure.

Keep your computer secure

Make sure your computer has antivirus software and a firewall installed.

Don’t save passwords to your browser if you are on a shared computer, and be careful about logging in to your website from a public or unsecured Wi-Fi network.

For eCommerce and Membership websites

If you are storing customer data in your website, the risks of getting hacked are higher because they could result in data theft, which would be awkward to say the least. Consider deleting inactive customers / users to remove their data from your website.

WooCommerce is often used for eCommerce websites, and it has some data security settings. In WordPress go to WooCommerce > Settings > Accounts & Privacy. This section has some handy options for how to handle Account Erasure Requests and how long the website should retain personal data for.

In WordPress you can also access some useful tools for the removal of personal data under Tools > Export Personal Data and Tools > Erase Personal Data.

Following the above tips can reduce the risk of your website getting hacked, and also prevent many issues if it does happen.