A Basic Checklist for WordPress Website Security

WordPress is an incredible website platform — it’s what I use and what I often recommend for businesses with specific needs or big dreams. But it has its downsides… primarily that you’re pretty much on your own. With an all-in-one website platform like Squarespace or Shopify, security is mostly managed for you. You’ll have a few things to take care of, but with WordPress it’s all on you and the tools/plugins/contractors you bring in to help.

WordPress websites of all sizes and types can (and do) get hacked, but it’s a greater risk for sites that get frequent traffic and sites that take credit cards and personal information. Regardless, it’s well worth the time it takes to fortify your site with these basic website security tips.

Change your password often.

All the best practices about passwords apply to your WordPress login password — use a complex password (ideally from a password generator), don’t re-use a password you’ve used elsewhere, and change it periodically. I recommend changing your WordPress login password every 3-6 months. If your site gets compromised in any way, change your password immediately.

Limit the number of Admin users for your site.

If possible, don’t have more than three Admin users on your site. Delete old Admin user accounts as soon as they’re not in use anymore. You can add users at other levels as much as you need.

Also, if you have a user with username “admin,” you should re-create a login for this person and use a more complex username. “admin” is the first username hackers or bots will use to try to get into your site since WordPress defaults to this username. You can’t change usernames within WordPress, so you’ll need to create a new Admin login with a unique username, make sure access to it works, then delete the other “admin” username account.
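An added example (not part of the original post): a small shell check for the two rules above, at most three Admin users and no account named "admin". It assumes WP-CLI is installed on the server for live use; the function name `audit_admins` and the sample accounts are constructed for illustration.

```bash
#!/usr/bin/env bash
# Audit WordPress administrator accounts against the checklist rules:
#   1. no more than three Admin users
#   2. no account with the username "admin"
# Input is the CSV printed by WP-CLI (assumed to be installed for live use):
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv

MAX_ADMINS=3   # limit taken from the checklist

# Reads the CSV on stdin, prints one line per finding, and returns
# the number of findings as its exit status (0 = clean).
audit_admins() {
  awk -F',' -v max="$MAX_ADMINS" '
    NR == 1 { next }                 # skip the CSV header row
    NF == 0 { next }                 # skip blank lines
    {
      login = $1
      gsub(/"/, "", login)           # drop CSV quoting if present
      count++
      if (tolower(login) == "admin") {
        print "FINDING: default username in use: " login
        findings++
      }
    }
    END {
      if (count > max) {
        print "FINDING: " count " Admin users (limit " max ")"
        findings++
      }
      exit findings + 0
    }'
}

# Constructed sample data, shaped like the WP-CLI output above.
sample_admins() {
  cat <<'EOF'
user_login,user_registered
admin,2019-03-02 10:15:00
jane.owner,2020-06-11 08:00:00
old-contractor,2021-01-20 14:30:00
dev-agency,2022-09-05 09:45:00
EOF
}

# Live run on a server with WP-CLI: ./audit-admins.sh --live
if [ "${1:-}" = "--live" ]; then
  wp user list --role=administrator --fields=user_login,user_registered --format=csv | audit_admins
fi
```

Run against the sample, it reports both the "admin" account and the four-Admin count; a non-zero exit status makes it easy to schedule alongside your backups and alert on.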

Keep your site updated with the latest versions of WordPress, plugins and themes.

WordPress releases minor and major updates periodically. While major updates should be applied carefully to avoid any site conflicts or breaks, minor updates like plugins typically won’t cause damage to your site. Keeping WordPress and all of your plugins and your theme up to date is critical for site security. Some theme developers or hosts will email you when a new theme version is available, but you’ll primarily see it in your WordPress dashboard.

Before you install any updates, make sure you have good backups of your site. You never know when a platform or plugin update will cause a problem on your site or cause it to go down. Consider HackGuard or work with a website professional to keep your site up to date without crashing it. I handle website updates through my WordPress Maintenance Plans.

Choose a reputable WordPress host or consider managed WordPress hosting.

While your hosting company isn’t fully responsible for security issues, choosing a reputable host can go a long way. You can choose an unmanaged (shared) host like Bluehost or Siteground (cheaper but less provided) or a managed host like WP Engine or Kinsta (more expensive but more provided). Managed hosts often include things like security monitoring, a good backup system and/or hacked website fixes.

Have a rock solid, automated backup system in place.

A good backup strategy is a MUST for a WordPress website. Luckily there are many plugins that can automatically pull backups for you. I like UpdraftPlus. Make sure you’re selecting a storage option so you can save backups somewhere secure. If you’re not making a lot of site edits, you can do weekly backups. If you update your site frequently, consider daily backups.

I prefer to store backups in the cloud rather than on my computer (pro-tip: killing your laptop by spilling tea on it is less traumatic when you store everything in the cloud!)

If you want someone else to manage backups for you, I handle that through my WordPress maintenance plans, or WP Umbrella offers a really affordable, fully automated system for $1.99/month.

Install a security plugin.

To a certain extent, you get what you pay for when it comes to security management systems. There are many plugin options available, but two I recommend are Sucuri and Wordfence. Both of these have free versions as well as paid versions. If your site doesn’t get a ton of traffic and doesn’t take payments, I recommend just using a free version. Read the fine print of any security provider: some will provide site repairs at no charge, but others won’t. That’s fine, just be prepared to spend a few hundred bucks getting a hacked site repaired by Jim Walker.

Make sure you have an SSL certificate installed.

An SSL certificate is a must-have for all websites for many reasons, but it’s a good call for security too. Your website host can usually install an SSL certificate for you (there may be a charge, but hopefully not if they’re a good company!), but you can use a plugin if you prefer. I recommend Really Simple SSL.

Turn off commenting or install an anti-spam plugin.

If you don’t need comments activated or don’t plan to have a blog, I recommend turning off this feature via WordPress. If comments from your website visitors are important to you, install an anti-spam plugin like Antispam Bee, Akismet, or Cloudflare Turnstile.

If your website is built on WordPress and you rely on it for income, I highly recommend getting a good security system in place.

Jim Walker’s HackGuard service is an affordable solution ($13/month), and while there’s no way to fully prevent website hacks, Jim’s service offers a lot of protection so you can be more hands-off with your site and have peace of mind that he’ll fix your site if anything slips through the cracks.

At a similar cost, I also recommend Blogvault’s Plus plan for $150/year. Per their website, they offer “bullet-proof security, daily malware scans, instant malware removal, real-time firewall, bot protection, vulnerability scans, and activity logs.”

There are dozens more website security best practices not included here, but many require more in-depth knowledge of the platform or coding skills. These tips will at least keep your site safer than before.
