How do I secure a WordPress website?

Any website that has an online admin panel can be a target for hackers, and a well-known CMS like WordPress is especially exposed. So what can you do to keep the bad guys out and secure a WordPress website?

Secure your WordPress site with a firewall

One of the most important things you can do is to make sure you have a firewall installed as soon as you put the site live. Hackers run bots that constantly sweep the net looking for unsecured sites, and they will know about any weaknesses in the software that runs your website before you do. You will find a number of security plugins in the WordPress repository which make securing the site easy. Our favourite is Wordfence, with over 3 million active installations and 3,241 five-star ratings to date. The free version is suitable for most small sites; it is easy to configure and it blocks malicious attempts very effectively.

Always keep all your plugins up to date

This is the second most important action you can take to secure your website. Out-of-date plugins are a vulnerability, and ensuring you have the latest versions is a MUST. Many updates are released because a weakness has been found in a plugin and the plugin owner has created a patch to mend it. If you have a good firewall on the site it will flag up the need for plugin updates. Log in and complete the update as soon as this happens.

Only install plugins that are held in the WordPress Directory

All the plugins in the WordPress directory are monitored to ensure they are secure. If you find that a plugin has been removed from the repository, find a replacement immediately. Plugins are generally removed only when they have a vulnerability that has not been patched or when they are found to be behaving maliciously. Again, a good firewall will tell you which plugins have been removed.

Don’t continue to use a plugin that’s been abandoned

A plugin that has not been updated in over a year will be marked as abandoned. This means no one appears to be checking for vulnerabilities. Such plugins may be perfectly secure; perhaps it is simply the case that nothing needs to be modified in the plugin, but is it worth the risk? A good firewall will alert you to abandoned plugins.

Hide your version of WordPress

By default, all WordPress installations show their version number in the underlying page source code. Remove it: if you don't keep the WordPress core up to date at all times, the version number tells a hacker exactly which known vulnerabilities apply to your site.
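As an added example (not code from the article), the following must-use plugin strips the version number from the places WordPress normally prints it: the generator meta tag in the page head, the same string in RSS/Atom feeds, and the `?ver=` query string WordPress appends to core stylesheets and scripts. The file name and the `hypo_` function name are assumptions; the WordPress hooks and functions used are standard ones.

```php
<?php
// Added example, not from the article: hide the WordPress core version.
// Assumed location: wp-content/mu-plugins/hide-version.php (must-use
// plugins are always loaded and cannot be deactivated from the admin panel).

// 1. <meta name="generator" content="WordPress x.y"> in the <head>, and the
//    equivalent generator string in the site's feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. The ?ver=x.y suffix on core CSS/JS URLs, which reveals the same number.
//    Only the core version is stripped; plugin assets keep their own ?ver=
//    so browser caches still refresh when a plugin is updated.
function hypo_strip_core_version(string $src): string {
    if (strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'hypo_strip_core_version');
add_filter('script_loader_src', 'hypo_strip_core_version');
```

To check it worked, fetch the home page with `curl -s https://your-site.example/ | grep -i "generator\|ver="` and confirm no WordPress version appears. The `readme.html` file in the web root also states the installed version; delete it or deny access to it in the web server configuration, since no hook can hide a static file.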

You can set WordPress to update automatically. A word of caution, however: sometimes the plugins you are using do not keep pace with changes in WordPress, so if you set WP to update automatically you must keep a weather eye on the site to check that everything is working OK.
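The settings below, added here as an example and not taken from the article, show how to automate the core and plugin updates discussed in this section and the one on plugins while keeping the caution above in mind: minor (security and maintenance) core releases and plugin updates are applied automatically, one plugin known to lag behind core changes is excluded so it can be updated by hand after testing, and WordPress is told to email you about what it did. The plugin slug is a placeholder; the constant and filters are WordPress's own.

```php
<?php
// Added example, not from the article. The define() belongs in wp-config.php;
// the add_filter() calls belong in a must-use plugin (wp-content/mu-plugins/).

// Core: install minor releases automatically, leave major releases for a
// manual update that you can test first. 'true' would enable major ones too.
define('WP_AUTO_UPDATE_CORE', 'minor');

// Plugins and themes: update automatically by default ...
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// ... except a plugin that has not kept pace with WordPress changes, which
// is held back for a hand-checked update (slug is a placeholder).
add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->slug) && $item->slug === 'hypothetical-fragile-plugin') {
        return false;
    }
    return $update;
}, 20, 2);

// Make sure the result of each automatic core update is emailed to the site
// admin address, so a failed or surprising update is noticed promptly.
add_filter('auto_core_update_send_email', '__return_true');
```

After enabling this, open the site's front page and admin pages after each update notification rather than assuming everything still works; the email tells you when to look.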

Take regular back-ups of your site

Backups are simple to take using a plugin such as UpdraftPlus, and they are very important! Take backups of both the site files and the database. Don't simply leave the backups on the server: upload them to a secure location or download them to your computer. If anything should go wrong with your site, you'll have a fallback copy that your webmaster can restore onto your hosting package. It's too late to take a backup after you've been hacked, or after a problem on your server has corrupted your website files. Horses and stable doors come to mind!

Make sure all login passwords are secure

Everyone who has a login for your website must use a secure password. Secure passwords are at least 8 characters long.

They should include:

  • at least one lowercase letter [a-z]
  • at least one uppercase letter [A-Z]
  • at least one special character such as !"£$%^&*()@#
  • at least one numeral
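Rather than trusting every user to follow the rules above, the site can enforce them. The must-use plugin below is an added example, not the article's or any plugin's code; it rejects a new password that breaks any of the listed rules when a user edits their profile or completes a password reset. The `hypo_` names are assumptions; the two hooks and the `pass1` form field are WordPress's own.

```php
<?php
// Added example, not from the article: enforce the password rules listed
// above. Assumed location: wp-content/mu-plugins/password-policy.php.

// Returns a list of the rules the candidate password fails (empty if it passes).
function hypo_password_problems(string $password): array {
    $problems = [];
    if (strlen($password) < 8) {
        $problems[] = 'be at least 8 characters long';
    }
    if (!preg_match('/[a-z]/', $password)) {
        $problems[] = 'contain a lowercase letter';
    }
    if (!preg_match('/[A-Z]/', $password)) {
        $problems[] = 'contain an uppercase letter';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $problems[] = 'contain a numeral';
    }
    // Anything that is not a letter or digit counts as a special character,
    // so symbols such as £ are accepted as well as !$%^&*()@#.
    if (!preg_match('/[^A-Za-z0-9]/u', $password)) {
        $problems[] = 'contain a special character';
    }
    return $problems;
}

// Shared handler: add an error to the WP_Error object WordPress will show.
function hypo_enforce_password_policy(WP_Error $errors): void {
    if (empty($_POST['pass1'])) {
        return; // no password change was submitted with this form
    }
    $problems = hypo_password_problems((string) wp_unslash($_POST['pass1']));
    if ($problems !== []) {
        $errors->add(
            'hypo_weak_password',
            'Password must ' . implode(', ', $problems) . '.'
        );
    }
}

// Profile edits (admin creating or editing a user, user editing themselves).
add_action('user_profile_update_errors', function (WP_Error $errors, $update, $user) {
    hypo_enforce_password_policy($errors);
}, 10, 3);

// The "lost password" reset form.
add_action('validate_password_reset', function (WP_Error $errors, $user) {
    hypo_enforce_password_policy($errors);
}, 10, 2);
```

Existing accounts are not re-checked by this; users with weak passwords already set should be asked to change them, and the firewall's own password audit (Wordfence has one) can list which accounts those are.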

Never use the WordPress default “admin” as a username

To frustrate any brute-force logins, you must make it impossible to guess any part of your login details – hackers will try "admin" first as a username, so make their life more difficult! Choose usernames that are not simple to guess: they should not be your usual email address, the name that appears alongside any blog posts, or anything close to the company name. Configure your firewall plugin to set a limit on the number of login attempts permitted before a visitor is blocked. Ideally, you should also immediately block any login attempt that uses a non-existent username.
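The three measures in this section can be seen working together in the must-use plugin below, which is an added example and not the article's or Wordfence's code: the username "admin" can never be registered, a client is locked out for 15 minutes after 5 failed logins, and a login attempt with a username that does not exist on the site triggers the lockout straight away. The `hypo_` names and the limits are assumptions; the hooks, transients and lookup functions are WordPress's own. A firewall plugin does this more robustly (shared blocklists, reverse-proxy awareness), so treat this as an illustration of the mechanism.

```php
<?php
// Added example, not from the article: basic login hardening.
// Assumed location: wp-content/mu-plugins/login-hardening.php.

const HYPO_MAX_ATTEMPTS    = 5;
const HYPO_LOCKOUT_SECONDS = 900; // 15 minutes

// Transient key for this client. REMOTE_ADDR is the address the web server
// saw; behind a reverse proxy you would use the proxy's trusted header instead.
function hypo_lockout_key(): string {
    return 'hypo_lockout_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

// 1. "admin" is refused as a username at registration or user creation.
add_filter('illegal_user_logins', function (array $names): array {
    $names[] = 'admin';
    return $names;
});

// 2. Run after WordPress's own username/password check (priority 20), so a
//    locked-out client is refused even if it finally guessed the password.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' || $username === null) {
        return $user; // login form displayed, nothing submitted yet
    }
    $key      = hypo_lockout_key();
    $failures = (int) get_transient($key);

    if ($failures >= HYPO_MAX_ATTEMPTS) {
        return new WP_Error('hypo_locked_out', 'Too many failed logins. Try again later.');
    }

    // 3. A username that does not exist here is never a legitimate attempt,
    //    so jump straight to the lockout instead of counting up to the limit.
    if (!username_exists($username) && !email_exists($username)) {
        set_transient($key, HYPO_MAX_ATTEMPTS, HYPO_LOCKOUT_SECONDS);
        return new WP_Error('hypo_locked_out', 'Login blocked.');
    }
    return $user;
}, 100, 3);

// Count each failed login (wrong password for a real user) against the client.
add_action('wp_login_failed', function ($username) {
    $key = hypo_lockout_key();
    set_transient($key, (int) get_transient($key) + 1, HYPO_LOCKOUT_SECONDS);
});

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(hypo_lockout_key());
});
```

Note that the error messages are deliberately the same whether the username was wrong or the client was locked out, so the login form does not reveal which usernames exist. Failed attempts during a lockout also refresh its expiry, which extends the lockout for a persistent bot.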

Consider using two-factor authentication for your login

If you have a very popular website, consider using two-factor authentication for logins; this is how most banks now ask you to log in. Even if someone discovers your username and correct password and tries to log in, an authentication code (usually sent to your mobile) must also be entered before the login completes, which frustrates the hacker. We talk more about two-factor authentication here.
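To show what the "code from your mobile" check involves, here is an added example (not from the article or any plugin) of the server-side verification behind the time-based codes that authenticator apps generate (TOTP, RFC 6238): the server derives the code for the current 30-second step from a shared secret and compares it, in constant time, with what the user typed, accepting one step either side to allow for clock drift. A 2FA plugin does this for you in WordPress; the `hypo_` names are assumptions, and the secret used at the end is the published RFC 6238 test key, not a real one.

```php
<?php
// Added example, not from the article: TOTP (RFC 6238) code check.

// Authenticator apps share the secret in base32; decode it to raw bytes.
function hypo_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $val = strpos($alphabet, $c);
        if ($val === false) {
            throw new InvalidArgumentException('Not a base32 secret');
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// The code the app shows for the 30-second step containing $timestamp:
// HMAC-SHA1 over the step counter, dynamically truncated to 6 digits.
function hypo_totp_code(string $secretB32, int $timestamp, int $digits = 6): string {
    $counter = intdiv($timestamp, 30);
    $hmac = hash_hmac('sha1', pack('J', $counter), hypo_base32_decode($secretB32), true);
    $offset = ord($hmac[19]) & 0x0f;
    $truncated = ((ord($hmac[$offset]) & 0x7f) << 24)
               | (ord($hmac[$offset + 1]) << 16)
               | (ord($hmac[$offset + 2]) << 8)
               | ord($hmac[$offset + 3]);
    return str_pad((string) ($truncated % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current step and one either side; compare every candidate with
// hash_equals so the comparison time does not depend on how much matched.
function hypo_totp_verify(string $secretB32, string $submitted, int $now): bool {
    if (!preg_match('/^\d{6}$/', $submitted)) {
        return false;
    }
    $ok = false;
    foreach ([-30, 0, 30] as $skew) {
        if (hash_equals(hypo_totp_code($secretB32, $now + $skew), $submitted)) {
            $ok = true;
        }
    }
    return $ok;
}

// Self-check against RFC 6238 Appendix B: key "12345678901234567890" (base32
// below), time 59 seconds, SHA-1 gives 94287082, i.e. "287082" at 6 digits.
$rfcTestSecret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
assert(hypo_totp_code($rfcTestSecret, 59) === '287082');
assert(hypo_totp_verify($rfcTestSecret, '287082', 59 + 30) === true);  // one step late, still accepted
assert(hypo_totp_verify($rfcTestSecret, '287082', 59 + 90) === false); // three steps late, rejected
```

A real deployment also has to store each user's secret encrypted at rest, refuse to accept the same code twice within its window (replay), and offer recovery codes for a lost phone; those are the parts a maintained 2FA plugin handles and a hand-rolled check usually forgets.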

Use SSL to encrypt the data sent between visitor browsers and your server

All browsers now mark sites without an SSL certificate as "Not secure" to encourage everyone to secure their connection. Even if visitors are not buying online from you, they may well be put off by the "Not secure" message. Having an SSL certificate does not make the website itself intrinsically more secure (that's the job of the firewall), but it makes it difficult to eavesdrop on or tamper with the connection between visitor browsers and your server, or to spoof your information.
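Installing the certificate is only half the job; WordPress also has to insist on HTTPS rather than merely offer it. The settings below are an added example, not from the article: the admin area is restricted to HTTPS, plain-HTTP visitors to the public site are redirected, and an HSTS header tells returning browsers to start over HTTPS from the outset. The constant, functions and hooks are WordPress's (and PHP's) own; the file location is an assumption.

```php
<?php
// Added example, not from the article: make HTTPS mandatory.
// Prerequisite: set both WordPress Address and Site Address to https://
// in Settings > General first, otherwise the redirect below would loop.

// wp-config.php: login and admin pages are only ever served over HTTPS.
define('FORCE_SSL_ADMIN', true);

// If the site sits behind a reverse proxy or load balancer that terminates
// TLS, is_ssl() cannot see it; also add this to wp-config.php so WordPress
// trusts the proxy's forwarded protocol header:
//   if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
//       $_SERVER['HTTPS'] = 'on';
//   }

// Must-use plugin (wp-content/mu-plugins/force-https.php):
// send plain-HTTP visitors to the HTTPS copy of the same page. home_url()
// builds the target from the configured site address rather than from the
// Host header, so a forged Host header cannot steer the redirect elsewhere.
add_action('template_redirect', function () {
    if (!is_ssl()) {
        wp_safe_redirect(home_url($_SERVER['REQUEST_URI'] ?? '/'), 301);
        exit;
    }
});

// HSTS: once a browser has seen this over HTTPS it will not try plain HTTP
// for a year, closing the window in which the first request could be
// intercepted. Start with a short max-age while testing; it is hard to undo.
add_action('send_headers', function () {
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=31536000');
    }
});
```

To confirm the behaviour, request the site over plain HTTP with `curl -I http://your-site.example/` and check for a `301` to the `https://` address, then request the HTTPS address and check that the `Strict-Transport-Security` header is present.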


Written by Lisa Chadwick