Why the topic of WordPress security tips? Because all sites are vulnerable.
No mater how much work you’ve put into launching your site, it can always find itself in harm’s way, even though you might have done nothing wrong. This is just how the internet works and how random attacks are carried out.
But most threats can be prevented if you just spend a short while implementing these 10 simple WordPress security tips:
10 WordPress security tips to keep your site secure
There are a few things you should put on the list when it comes to doing a routine check. Reviewing these steps once a month or so should be enough to keep you safe.
We’re going to be focusing on certain, key site areas. To some extent, a website is like the human body. If a certain part is damaged, it affects the whole system.
Here’s what to do:
1. Update WordPress regularly
With any new release, WordPress gets improved and its security is improved too. Lots of bugs and vulnerabilities are fixed every time a new version comes out. Also, if any particularly malicious bug gets discovered, the WordPress core guys will take care of it right away, and force a new safe version promptly. If you don’t update, you will be at risk.
To update WordPress, you first need to go to your dashboard. At the top of the page, you’ll see an announcement every time a new version is out. Click to update and then click on the blue “Update Now” button. It only takes a few seconds.
2. Update your themes and plugins
The same goes for plugins and themes. You should update your current theme and the plugins you have installed on your site. This helps you avoid vulnerabilities, bugs, and potential security breach points.
Just like it is with most software products, every once in a while certain plugins might get breached or security holes might be discovered in them. For example, in the past, plugins such as Ninja Forms and WooCommerce were hit with quite nasty problems.
So, how to update your themes and plugins?
Let’s start with the plugins. Go to Plugins / Installed Plugins; the list of all your plugins will appear. If a certain plugin is not on its latest version, WordPress will let you know:
For example, I have two old plugin versions, so all I need to do is click on “update now” under each one, and they will be ready in a few seconds.
To update your theme, go to Appearance / Themes, and you’ll see all your installed themes there. The outdated ones will be marked just like plugins were. Simply click on “Update now.”
Apart from updating every plugin and theme, keep in mind to also remove the plugins and themes that you don’t use at the moment. Those are just unneeded weight. Consider this a bonus one among these WordPress security tips.
3. Back up your site regularly
Backing up your site is about creating a copy of all the site’s data, and storing it somewhere safe. That way, you can restore the site from that backup copy in case anything bad happens.
To back up your site, you need a plugin. There are lots of good backup solutions out here. For example, Jetpack has some integrated backup features now, priced at an affordable $3.50 / month. For that, you get daily backups, one-click restores, spam filtering, and 30-day backup archive.
There’s also a free alternative, UpdraftPlus.
Here’s some more advice + how-to on backing up your WordPress site.
4. Limit login attempts and change your password often
Don’t let your login form allow unlimited username and password attempts because this is exactly what helps a hacker succeed. If you let them try an infinite number of times, they will eventually discover your login data. Limiting the available attempts is the first thing you should do to prevent that.
You can use certain specialized plugins to limit possible login attempts. There are two very popular solutions, for example, both free:
Also, by changing your passwords often, you further decrease any hacker’s chances of breaking into your site. Though, by “often” I don’t mean every day … once in 2-3 months would be enough. Diversity kills the fun for those who are trying to break in.
WordPress security tips note: LastPass is a nice tool that stores your password data safely and also generates strong passwords, so you won’t need to invent them yourself.
5. Install a firewall
Another one of our WordPress security tips deals with firewalls.
On your computer
Firewalls usually protect your computer from various online threats. This way, every strange thing that tries to connect with you will be questioned and kept away if it’s suspicious.
This has nothing to do with your WordPress site, per se, at least it has no direct connection, but installing a firewall on your computer is still worth the effort for one crucial reason:
- You use your computer to connect with the admin area of your website. Thus, if your own computer has been compromised, then your connection with the website can be at risk too.
On your WordPress website
Apart from installing a firewall on your computer, you can install security tools right on your WordPress website too. This type of firewall protects your site from viruses, malware, hacker attacks, etc.
Sucuri does a great job in this regard, and it’s one of the best security services for WordPress out here. It kind of does a bit of everything.
There are also free solutions for firewalls, such as:
6. Limit user access to your site
If you’re not the only user who has access to your site, be careful when setting up new user accounts too. You should keep everything under control, and try to limit the access of any type to users that don’t necessarily need it.
If you have many users, you could limit their functions and permissions. They should only have access to the functionalities that are essential for them to do their job.
Force Strong Passwords can help you with this issue too. By default, WordPress recommends a strong password, but it won’t force you to change it if you’re picking a weak one. This plugin won’t let you proceed unless your password is strong enough. This could be a good solution for all the people who enter your admin. Essentially, it’s your only way of making sure that they use strong passwords just like you do.
7. Rename your login URL
By default, the URL you use to log into your dashboard is either wp-login.php or wp-admin, added after your site’s main URL. For instance,
And guess what, those two are also the most accessed URLs by hackers who want to get into your database. If you change that URL, you reduce the chances of finding yourself in trouble. Guessing a custom login URL is way harder for hackers.
The iThemes Security plugin does this trick. For instance, your login URL can turn into something like
YOURSITE.com/I_love_my_site. This is one of those WordPress security tips that’s very simple to do.
8. Enable security scans
Security scans are something done by specialized software/plugins that go through your whole website in search of anything suspicious. If something is found, it’s removed immediately. Those scanners work just like anti-viruses.
For a simple and affordable solution, you can use the aforementioned Jetpack plugin. Apart from the backup features, it also has daily scans for malware and threats with manual resolution (this plan is $9 / month). Alternatively, you can also use CodeGuard, or Sucuri SiteCheck.
9. Use SSL
SSL (Secure Socket Layer) is a great strategy through which you can encrypt your admin data. SSL makes the data transfer between the user browser and the server secure. There are two ways to get an SSL certificate:
- a) Buy one from a third-party company like RapidSSL.
- b) Ask your hosting provider for one. Sometimes, this comes as a feature in some hosting plans. Depending on your host, it is possible that you can get one for no additional cost.
For instance, Pagely hosting comes with free SSL on all plans.
Bonus: If you’re using SSL encryption, you won’t just secure your website, but you’ll also rank higher in Google rankings. Google favors sites that use SSL. So you now have two reasons to apply this particular of our WordPress security tips.
10. Protect your wp-config.php
The wp-config.php file is one of the most important, hence vulnerable files on your site. It hosts crucial information and data about your whole WordPress installation. It’s technically the core of your WordPress site. If something bad happens to it, you won’t be able to use your blog normally.
One simple thing you can do is take that wp-config.php file, and simply move it one step above your WordPress root directory. Your WordPress site won’t be affected at all by this move, but hackers won’t be able to find it anymore.
Okay, that sums up the list! Is your site protected enough? Do you need any help in relation to these WordPress security tips?
If you want to learn more about WordPress security, this eBook provides an easy-to-follow checklist that will help you keep your site safe.