Next Availability: February 2025

A Basic Checklist for WordPress Website Security

Georg Bommeli Ybtuqjybcje Unsplash

WordPress is an incredible website platform — it’s what I use for my website and what I often recommend for businesses with specific needs or big dreams. But it has its downsides… primarily that you’re on your own in terms of security, software updates, troubleshooting issues, etc.

With an all-in-one website platform like Squarespace or Shopify, security is mostly managed for you. You’ll have a few things to take care of, but with WordPress it’s all on you and the tools, plugins, and contractors you bring in to help.

WordPress websites of all sizes and types can (and do) get hacked. The stakes are higher for websites that take credit cards and collect personal information, but for all website owners, it’s worth spending the time now to make your website more secure so you have a better chance avoiding hacks.

Change your password every 3-6 months.

All the best practices about passwords apply to your WordPress login password — use a complex password from a password generator, don’t re-use a password you’ve used elsewhere, and change it periodically. I recommend changing your WordPress login password every 3-6 months. If your site gets compromised in any way, change your password immediately.

Limit the number of Admin users for your site.

If possible, don’t have more than three Admin users on your site. Delete old Admin user accounts as soon as they’re not in use anymore. You can add users at other levels as much as you need.

Also, if you have a user with username “admin,” you should re-create the login for this person and use a more complex username. “admin” is the first username hackers or bots will use to try to get into your site since WordPress defaults to this username. You can’t change usernames within WordPress, so you’ll need to create a new Admin login with a unique username, make sure access to it works, then delete the other “admin” username account.

Sometimes plugin or theme developers will ask for Admin access to your website. If it’s a reputable developer, this is typically fine to do, but always delete the Admin user account you created as soon as they’re done with their work.

Keep your site updated with the latest versions of WordPress, plugins and themes.

WordPress releases minor and major updates periodically. While major updates should be carefully updated to avoid any site conflicts or breaks, minor updates like plugins typically won’t cause damage to your site, especially if you’re using a solid tech stack from a reputable developer/designer who built your site.

Keeping WordPress and all of your plugins and your theme(s) up to date is critical for site security. Some theme developers or hosts will email you when a new theme version is available, but you’ll primarily see those notices in your WordPress dashboard.

Before you make any updates, be sure you have good backups of your site (more on this below). You really never know when a platform or plugin update will cause a problem on your site or cause it to go down. Be ready to roll back to your latest backup if any issues are caused.

I handle all website updates for clients through my WordPress Maintenance Plans. HackGuard is another alternative I recommend for $15/month. A cheaper automated service is Blogvault’s* $89/year or $149/year plan.

Consider managed WordPress hosting.

While your hosting company isn’t fully responsible for security issues, choosing a reputable host can go a long way. You can choose an unmanaged (shared) host like Bluehost or Siteground* (cheaper… but you get what you pay for) or a managed host like WP Engine, Kinsta, or my favorite Rocket.net* (more expensive but a much better experience). Managed hosts often include things like security monitoring, a good backups system and/or hacked website fixes.

Rocket.net guarantees 99% uptime and offers free SSL, CDN, WAF, and malware protection, which is more than many budget hosts provide. For example, GoDaddy typically charges for your SSL certificate, backups, and security piece by piece so you end up paying much more than their hosting is advertised for.

Have a super solid & automated backup system in place.

What about host backups?

Your website host likely pulls backups from your site periodically, which is definitely better than nothing. But I always recommend clients set up a secondary backup system of their own — a backup backup.

If your host happens to have catastrophic server issues, they could lose your backups. And if you can’t reach your host for whatever reason, you don’t have any backup to restore your website from in the meantime; you’re at their mercy. Plus when you set up your own backup system you can choose the frequency and retention period that works best for you.

How often to back up your WordPress website

If you’re not making website edits frequently, you can probably get away with weekly backups. If you update your site often, daily backups are a better bet.

Occasionally websites get hacked and have malware added weeks before you realize your site has been compromised. I recommend keeping at least a month’s worth of backups, ideally 2-3 months’ worth just in case this happens. Typically a good website hack repair service can clean up malware/hacking issues on your site, but occasionally this isn’t possible and restoring a pre-hack backup is the best option.

My WordPress backup recommendations

A good backup strategy for WordPress websites is well worth paying for. I run and store daily backups through my WordPress maintenance plans. If that’s not in your budget, I recommend WP Umbrella for $2/month, a really affordable, fully automated system. Or if you’re somewhere in between, Blogvault does daily backups as part of their $89/year plan.

If you’re handling backups on your own, the easiest free way is to use a plugin like UpdraftPlus. Make sure you select a storage option so you can save backups on your Google Drive or Dropbox accounts. Storing backups in the cloud rather than on your computer is best. When I spilled tea on my laptop and killed it a few years ago, my backups were still safe in the cloud!

Note that some website hosts don’t allow you to use UpdraftPlus. This is typically due to the resource usage from UpdraftPlus and/or backup plugin conflicts with your host’s backup system. If that’s the case, using a tool like WP Umbrella or Blogvault*, or a WordPress maintenance plan, is a better bet.

Install a security plugin.

To a certain extent, you get what you pay for when it comes to security management systems. There are many plugin options available, but the two I recommend are Sucuri and Wordfence. Both of these have free versions as well as paid versions.

If your site doesn’t get a ton of traffic and doesn’t take payments, I recommend just using a free version. Read the fine print of any security provider — some will provide site repairs at no charge, but others won’t, which is fine, just be prepared to spend a few hundred bucks getting a hacked site repaired by Jim Walker if you’re in need.

Some website developers choose to use tools like Cloudflare for security instead or additionally This is a great option, but more techy and I don’t recommend it if you’re DIYing your website. If you want help setting up Cloudflare, Troy Glancy is my recommendation.

Make sure you have an SSL certificate installed.

An SSL certificate is a must-have for all websites these days for many reasons, but it’s a good call for security too. This is one thing that makes your browser say a site is insecure vs. having the nice little padlock next to your URL once properly installed.

Your website host can usually install an SSL certificate for you. There may be a charge, but hopefully not if they’re a good company! You can use a plugin if you prefer. I recommend Really Simple SSL.

Turn off commenting or install an anti-spam plugin.

If you don’t need comments activated or don’t plan to have a blog, I recommend turning off this feature in WordPress. If comments from your website visitors are important to you, install an anti-spam plugin like Antispam Bee, Akismet, or Cloudflare Turnstile.

If you rely on your WordPress website for income, I highly recommend getting a good security system dialed in.

Jim Walker’s HackGuard service is an affordable solution ($15/month), and while there’s no way to fully prevent website hacks, Jim’s service offers a lot of protection so you can be more hands-off with your site and have peace of mind that he’ll fix your site if anything slips through the cracks.

At a similar cost, I also recommend Blogvault’s Plus plan for $149/year. Per their website, they offer “bullet-proof security, daily malware scans, instant malware removal, real-time firewall, bot protection, vulnerability scans, and activity logs.” Blogvault’s support has always been great for me.

There are dozens more ways to fortify your WordPress website, but many require more in-depth knowledge of the platform or coding skills. These tips will at least keep your site safer than it would otherwise be!


*I have an affiliate relationship with this company, meaning I get a few bucks when someone I refer signs up using my link. I’m equally happy for you to sign up without using my link, or to choose another product/tool. If you have questions, check out my affiliate philosophy blog post or email me!

Jess-20

About the author

Jessica Kennedy

Jessica builds websites and optimizes sites for SEO for small business owners who'd rather be outside. Learn more about Jessica.

Leave a Comment