WordPress Website Security Best Practices

When you put a website live online, you open it up to constant attack. From day one, attackers will be trying to gain access to your site. Most threats come from automated bots that crawl the internet, seeking known security vulnerabilities in software that hasn’t been updated. Other attacks are more sophisticated and might involve someone targeting you directly to gain access to information.

WordPress has a bad security reputation because many WordPress website owners fail to understand that security rests on their shoulders. If you don’t take WordPress security seriously you will likely have a hacked site eventually.

Here are some best practices to help you understand how to keep your WordPress site secure.

8 Password Best Practices

  • Use a password manager: this will make the rest of the recommendations much easier! We like Bitwarden.
  • Never give out your password, even to friends and coworkers.
  • If you do give out your password (most people do), ensure it is unique to that account only!
  • Use complicated passwords longer than 16 characters that mix symbols, numbers, and letters. This makes your password much harder for bots to crack.
  • Use two-factor authentication. Yes, it is annoying, but we recommend at least having some form of multi-factor authentication.
  • Do not reuse passwords: imagine your banking password is the same as one you use for a less secure application. If attackers get into the less secure application, they now have access to your bank!
  • Create a password story: if you’re going to use something like your pet’s name, get creative with it; make it a story about your pet that you would remember.
  • Don’t use common words.
  • Don’t use personal information.
  • Have a plan to recover passwords if needed.

Check out this great video if you’d like to see how hackers can use brute-force attacks against weak passwords.

WordPress Best Practices for Security:

  • Keep themes, plugins, and WordPress up to date: updating themes and plugins can cause problems on your site, but some updates provide essential security fixes. Updating plugins incrementally may cause minor problems, but you are far less likely to create significant breaking changes than when you are forced to update a long-neglected plugin for a security issue.
  • Use a security plugin: we like Malcare as it provides lots of extra security features out of the box, including a firewall and malware scanning. We recommend paying for a security plugin.
  • Use a reputable host: good hosts implement their own security measures. SiteGround protects its sites well, and we recommend its hosting service for most projects. It offers managed hosting, which includes keeping your PHP version on a maintained and secure release.
  • Set automated updates: enable automatic updates for plugins. These can break your site, so we only recommend doing this if you take daily backups and can deal with downtime.
  • Limit permissions: give employees and users the lowest level of permissions they need to do their job. Avoid making everyone an administrator.
  • Install reputable plugins: plugins obtained from other sources that offer you alternative payment terms should not be trusted.
  • Check the plugin or theme’s changelog: you should see a consistent history of recent and regular maintenance; this shows that the developer is active and will patch security vulnerabilities.
  • Subscribe to WordFence’s security emails: WordFence does a fantastic job of notifying you about vulnerabilities. We monitor their email reports daily. You can sign up here.
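As an added example (not code from the original post), the password rules above and the "set automated updates" item can both be enforced in WordPress itself with a small must-use plugin. It relies on the core `auto_update_plugin`, `auto_update_theme` and `user_profile_update_errors` hooks; the file name and function name are my own choices.

```php
<?php
/**
 * Plugin Name: Example hardening (added example, not from the original post)
 * Save as wp-content/mu-plugins/example-hardening.php so it loads on every request.
 * Assumes WordPress 5.5 or newer and the standard profile / add-user forms.
 */

// 1. Automatic updates for plugins and themes ("Set automated updates").
//    Only enable this when you take daily backups and can handle downtime.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// 2. Password policy from the post: longer than 16 characters with letters,
//    numbers and symbols, and no personal information from the account.
//    Runs whenever a password is set on the profile or new-user screen.
function example_validate_password( WP_Error $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change was submitted
    }
    $pass     = (string) wp_unslash( $_POST['pass1'] );
    $problems = array();

    if ( strlen( $pass ) <= 16 ) {
        $problems[] = 'be longer than 16 characters';
    }
    if ( ! preg_match( '/[A-Za-z]/', $pass ) ) {
        $problems[] = 'contain a letter';
    }
    if ( ! preg_match( '/[0-9]/', $pass ) ) {
        $problems[] = 'contain a number';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $pass ) ) {
        $problems[] = 'contain a symbol';
    }

    // "Don't use personal information": reject passwords that embed the
    // username, e-mail address or real name of the account being saved.
    foreach ( array( 'user_login', 'user_email', 'first_name', 'last_name' ) as $field ) {
        $value = isset( $user->$field ) ? (string) $user->$field : '';
        if ( strlen( $value ) >= 3 && stripos( $pass, $value ) !== false ) {
            $problems[] = 'not contain your ' . str_replace( '_', ' ', $field );
        }
    }

    if ( $problems ) {
        // Adding an error aborts the save and shows the message in the admin UI.
        $errors->add( 'weak_password', 'Password must ' . implode( ', ', $problems ) . '.' );
    }
}
add_action( 'user_profile_update_errors', 'example_validate_password', 10, 3 );
```

Two-factor authentication is not covered here; it still needs a dedicated plugin.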