The Ultimate Guide to Securing Your Small Business WordPress Website

“WordPress isn’t secure.”

If you talk to enough people, especially developers, you’re going to hear that phrase at least once. And if you’re not a web-savvy person, it might make you a little nervous about using WordPress for your website.

While there is some truth to it, the full picture is muddier. WordPress core itself is about as secure as any widely used software gets. Yes, there will be vulnerabilities and security patches, but that is true of all software.

Where WordPress really gets this reputation is plugins and themes. Install and activate plugins and themes that are badly written, and you open yourself up to real security risks.

Fortunately there are ways to lock down your website and make it as secure as possible. If you follow each of the next 16 steps, you’ll mitigate as much of the risk to your website as you realistically can.

So let’s start to make your WordPress website as secure as possible today!

Select a web host that takes WordPress security seriously

The first thing that you can do is select a web host that’s actually going to take web security seriously.

That means that you can’t just rely on that cheap, $5 a month hosting that you see when looking for a web host. While that price is certainly very intriguing, especially if this is your first website and you’re on a budget, it can become quite a headache very quickly.

Those hosts tend not to isolate customers from each other as well as the established hosting companies do. On a poorly configured shared server, a bad actor who compromises someone else’s website on the same machine can find their way into yours no matter how many of the other security steps you take.

So instead make sure you’re using a reputable hosting company. Look up what they do for security, and check whether they take automated daily backups and let you transfer files over SFTP rather than plain FTP (plain FTP sends your password and your files across the internet unencrypted).

You can use my Best WordPress Webhosts for 2021 post as a guide to figure out what web host to choose. And yes, it might be a little bit more expensive, but it will be worth it in the long run.

Use a WordPress security plugin

Next up, you really should consider installing and activating a security plugin for your website.

These plugins add an extra layer or two of protection: a web application firewall that sits in front of WordPress, plus file scanning that watches for changed core files and for malicious code added to them.

They might even allow you to block specific IP addresses and block visitors by country if you need to do that. And some of them might even be able to add in two-factor authentication to your website, though we’ll get to that later on.

I wrote a list about some of the best WordPress security plugins you can find a while back, but here’s the short version of that list.

I personally use the free version of Wordfence, and I have loved it. I’m probably going to upgrade to the premium version, which costs $99 a year. iThemes Security is another popular option. These plugins have premium versions as well as free versions in the WordPress plugin repository for you to try out.

Typically, they all do about the same thing, so as long as you pick one of those, you’ll be good to go. Just make sure you use one to protect your WordPress website even further.

Use only trusted plugins and themes

Another thing you really need to do is make sure that you’re only using trusted plugins and themes for your WordPress website.

This is where many, many of the security issues with WordPress really happen. You might pick that one plugin that you think is going to solve whatever you need to do with your website. And you might be very happy with it.

But if it’s not from a reputable plugin author, there’s a good chance that it has security issues. And that author may not be good about closing those holes, or may have abandoned the plugin altogether.

So when you’re looking for a plugin or theme, take a look at the author. Hopefully it’s someone or a company that’s reputable. Also, take a quick look at the reviews and support forum to see if anyone has reported errors, especially security issues. Finally, make sure that it has been updated recently and is tested with the current WordPress version. If it’s been over a year since the last update, avoid it.

I recently wrote about how you can find the perfect plugin or theme from their respective repositories if you want to take a deeper dive.

Keep your website updated

On that note, make sure you’re keeping your website updated as much as possible.

I know it isn’t much fun when it seems like there’s a new update for some plugin or theme or even WordPress core every single day (or multiple times a day). But keeping your website updated is one of the best ways to protect it from bad actors.

Every update might contain security fixes for holes that were found, and some releases are nothing but security patches. Once the fix is public, the changelog (or the patch itself) tells attackers exactly what was wrong, and they go looking for sites that haven’t updated yet. By leaving your website un-updated, you could be opening it up to bad actors to get in and ruin everything.

Ideally, you should be updating your website once a day. I know it might take some time, but it will be worth it in the end. And after a while, you’ll get really efficient at it. At this point, updating my website takes no more than 15 minutes.

You might also be tempted to turn on automatic updates for everything, now that WordPress can auto-update plugins, themes and major core releases as well as the minor core releases (which carry the security fixes) it has auto-applied since version 3.7. There are good reasons to be careful: an update can break the site while nobody is watching. At the very least, leave the default minor core auto-updates switched on, and if you do enable auto-updates for plugins, have a backup in place and check the site afterwards.

Use strong passwords for better WordPress security

Next up, make sure that you are using strong passwords for, well, everything. From your WordPress login to your web host login to your domain login to your SFTP login. The stronger your passwords, the harder it is for bad guys to get into the site.

Stronger passwords take far longer for a hacker to crack. So a strong password plus a plugin that limits the number of failed login attempts (more on that later) can really protect you from someone else getting into your website.

So how do you create a strong password? First, make sure that it’s long. Ideally it should be more than 15 characters long. Also, be sure to mix in upper and lowercase letters. And include numbers and symbols if you can. That adds to the degree of difficulty for cracking your password.

If you use “password” or “12345” as a password, you are asking to be hacked. Duh.

If you’re having a hard time coming up with a strong password, WordPress has a strong password generator built in or you could use the Avast Random Password Generator.

And if you’re worried about forgetting your strong passwords, you might want to try using a password manager. 1Password, LastPass and KeePass are great options that range from free to paid.

There’s no excuse for not using strong passwords.

Use two-factor authentication

Similarly, you might want to try out using two-factor authentication on your website.

What is two-factor authentication? Well, 2FA (as it’s commonly abbreviated) requires an extra step for you to log in to your account. After providing your username/email and password, you will then be asked for a one-time code from an authenticator app on your phone, or one sent to you by text message. App-generated codes are the better choice, since text messages can be intercepted or redirected by someone who takes over your phone number.

You’ve probably used this if you’ve tried to log into Facebook or some other website that already has 2FA running. It adds an extra layer of security since the bad actor would also need your phone or other device in order to complete the login, even if they already have your password.

And the good news is that setting up TFA for your website is super easy with WordPress. I currently use the Two Factor Authentication from Simba Hosting, which was super easy to set up. And now I have an extra layer of security and peace of mind knowing it’s that much harder for someone to get into my account.

Guard your FTP/SFTP passwords

Also, be sure to guard your FTP or SFTP passwords.

What are those? Well, FTP (File Transfer Protocol) and SFTP (SSH File Transfer Protocol) are the ways you can log into your web server and edit, add and delete files on your website outside of cPanel, usually with a client such as FileZilla. Prefer SFTP whenever your host offers it: plain FTP sends your password and files unencrypted, so anyone on the network between you and the server can read them.

And you need to guard those passwords, just like any other password you have.

This really comes into play when you’re hiring a web agency or developer to create or update your website. They probably are going to need your FTP/SFTP password in order to add and change the files on your website.

You need to make sure that when the new website is done, and you’re not keeping them on some sort of retainer plan, you change the password so that they can’t get back into your website (or worse, someone compromises them, obtains your password and then gets into your site). Better still, give a contractor their own SFTP or admin account and remove it when the work is finished, so you never have to share yours in the first place.

And as I mentioned before, make sure your password is a strong one.

Stay informed about internet, WordPress security

Next, you really need to make sure that you’re staying on top of the internet news, and more specifically internet security and WordPress security news.

You don’t need to be an absolute expert in internet security. I’m certainly not the expert on internet security. But you certainly need to be keeping up with the biggest news.

That way you can stay on top of what’s happening out there. You can see what the latest trends are and then take action based on what you’re reading in order to protect your website. Instead of being reactive you can be proactive. And that gives you the upper hand.

In terms of general internet security news, I would make sure to follow Ars Technica, The Hacker News and Naked Security.

As for WordPress-specific security blogs, I’m a huge fan of Wordfence’s blog. They do a good job of posting about security and WordPress security in general, and they are awesome about raising awareness of vulnerabilities in specific plugins and making sure you update them so that your website isn’t at risk.

Knowledge is power, and it can be a big help in keeping your website secure.

Get Web Hosting and Security Help in One Place!

Want to really make sure your WordPress website is as secure as possible? Then sign up for one of the WordPress Website Care plans today. You’ll get your website protected with Wordfence, as well as all of the steps here taken care of for you. Plus you’ll get top-quality website hosting, managed updates and so much more. It’s the perfect plan so you don’t have to worry about your site’s security.


Disable plugin and theme editing

Another thing you can do to is make sure you have plugin and theme editing inside the dashboard disabled.

By default, you can use the plugin editor or the theme editor from the admin. You don’t need to use FTP to make those changes.

But that comes with two pretty big risks. First, you can edit the PHP for a plugin or theme, introduce a fatal error, and bam, you can no longer access your website. That’s called “cowboy coding” in the business, and as you can tell it’s a pretty big danger.

The second risk is that someone else can find a way into your account or the account of another admin and add in malicious code through this editor. And that’s extremely bad, especially since you might not even know that it has happened.

So you really should disable that today. To do that, add the following line to your wp-config.php file, above the line that reads /* That's all, stop editing! Happy publishing. */ (anything below it is read too late to take effect). If you need help finding the file, it’s in the same directory as your wp-admin, wp-content and wp-includes directories.

define( 'DISALLOW_FILE_EDIT', true );

You don’t need to be editing your plugin and theme files from your website. So disable it right now.
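For context, here is what the relevant part of a wp-config.php looks like with the setting in place. This is an added example, not the file from the original post: the DISALLOW_FILE_MODS and FORCE_SSL_ADMIN lines are optional extras that WordPress also supports, and the placement relative to the "stop editing" line is the part people most often get wrong.

```php
<?php
// Added example: tail end of a wp-config.php. Database credentials, the
// salts and $table_prefix are all defined above this point in the real file.

// Removes Appearance > Theme Editor and Plugins > Plugin Editor from wp-admin.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter, optional: also blocks installing, updating and deleting plugins
// and themes from the dashboard. Only enable this if you apply updates over
// SFTP or with a deployment tool, because it disables them in wp-admin too.
// define( 'DISALLOW_FILE_MODS', true );

// Forces the login page and the whole admin area over HTTPS. Needs a working
// certificate first, or you will lock yourself out of wp-admin.
define( 'FORCE_SSL_ADMIN', true );

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

require_once ABSPATH . 'wp-settings.php';
```

To check it worked, log in and look under Appearance and Plugins: the editor menu items should be gone. If you have WP-CLI on the server, `wp config get DISALLOW_FILE_EDIT` confirms the constant is set without opening the file.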

Make sure you’re up-to-date with PHP

Also, you really need to make sure that you’re up-to-date with your PHP version.

Why does this matter for WordPress security? Well, WordPress runs on PHP. And just like your plugins, themes and WordPress core, PHP itself has security vulnerabilities from time to time, which get patched in later versions. Old PHP branches stop receiving those patches after a set date.

At the time of writing, the latest version of PHP is 8.0, although most WordPress websites should still be on 7.4, since 8.0 includes a number of breaking changes and there’s no guarantee that every plugin and theme you use works on 8.0 yet.

Either way, if you’re running 7.1, 7.0 or even 5.6, you are on a version of PHP that is no longer receiving security updates. And that leaves your website vulnerable to known exploits that will never be fixed on that branch. The supported-versions page on php.net lists exactly which branches still get security fixes.

And you would be surprised by the number of WordPress websites running on an unsupported version of PHP. At the time of writing, that number is around 25 percent. And before WordPress started nudging owners through the Site Health feature, it was near 50 percent.

Unfortunately, you will usually need to go through your web host to change your PHP version, either with a PHP version selector in cPanel or by asking support. I know WP Engine makes it super easy to upgrade. If you can, switch a staging copy of the site first and click around to check that nothing breaks. So reach out to your host today if you’re on an unsupported version of PHP.

Make sure you’re using HTTPS and SSL

Up next, check to make sure that you’ve got an SSL certificate for your website and that it’s running with HTTPS.

Using HTTPS is basically a requirement in today’s world. Google uses HTTPS as a factor in its ranking. And if you take credit card payments through your website, you have to be using HTTPS. Plus, it’s just a good thing to do for your users and visitors.

Why? Well, to make a long story short, HTTPS encrypts the connection between a visitor’s browser and your website. That means someone on the network in between can’t read the traffic or tamper with it, whether that’s a login password, a card number or the page itself. To serve HTTPS, your website needs a certificate (technically a TLS certificate, though everyone still calls it an SSL certificate).

And there’s no reason you shouldn’t be using HTTPS. You can get a free SSL certificate through Let’s Encrypt, and most reputable web hosts make it easy for you to get a Let’s Encrypt certificate set up on your website and switch to HTTPS.

So if you’re still using plain old HTTP, you need to get an SSL certificate and switch to HTTPS today.

Utilize logging out idle users

Another thing you can do is install a plugin that logs out idle users.

By default, WordPress keeps you logged in for two days, or two weeks if you tick “Remember Me”, no matter how active or inactive you are on that machine. And while that might be fine if you’re the only admin user on your website and you keep your laptop with you at all times, if that’s not you, it can be a problem. And it’s a bigger problem if you ever have to log in on a public computer and forget to log out.

But you can use the Inactive Logout plugin to change that behavior and log out people who aren’t active for a set period of time. It’s extremely easy to set up and it can be a big help in keeping your website secure. And let’s be honest, having to log in every day is a small price to pay for keeping your site protected.
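If you would rather not add another plugin, WordPress itself exposes the session length through its auth_cookie_expiration filter. The following must-use plugin is an added example, not code from the original post or from the Inactive Logout plugin; the numbers (four or eight hours, one or three days with “Remember Me”) are assumptions for the example. Note the difference from an idle-logout plugin: this is a hard expiry measured from the moment of login, not from the last click, because WordPress does not extend the login cookie on activity.

```php
<?php
/**
 * Plugin Name: Shorter Login Sessions (added example)
 *
 * Save as wp-content/mu-plugins/shorter-sessions.php. Files placed directly
 * in mu-plugins load on every request and cannot be switched off in wp-admin.
 */

/**
 * Session length in seconds. WordPress' own defaults are 2 days, or 14 days
 * with "Remember Me". The values here are assumptions for this example, and
 * administrators deliberately get the shortest sessions.
 */
function example_session_length( $user_id, $remember ) {
	if ( user_can( $user_id, 'manage_options' ) ) { // administrators
		return $remember ? DAY_IN_SECONDS : 4 * HOUR_IN_SECONDS;
	}
	return $remember ? 3 * DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
}

// WordPress applies this filter when it issues the login cookie and records
// the matching session token, so a copied cookie dies at the same moment.
// Arguments: default length in seconds, the user ID, and whether "Remember Me"
// was ticked on the login form.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
	return example_session_length( $user_id, $remember );
}, 10, 3 );
```

The filter only affects logins made after the file is in place. Sessions that already exist keep their original expiry, so after adding it, log every account out once (from Users, or with `wp user session destroy <user> --all` if you have WP-CLI) to get everyone onto the new limit.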


Change the admin username

Also, you really probably need to change your username if it currently is “admin”.

For years the WordPress installer named the first account “admin”, and plenty of sites (and some hosts’ one-click installers) still use it. Because of that, it’s easier for hackers to get into your account: they already know the username, so they are halfway there and only need to guess the password.

The good news is that you can change your username during the setup process. You can make it anything you want it to be. There aren’t any real set rules like there are for passwords.

But if you already have a WordPress website and your username is “admin”, there are a few more steps you need to take to change it. Unfortunately you can’t just change a username from the dashboard. Once a username is created, the profile screen won’t let you edit it.

Instead, create a new account with your preferred username and a different email address, set its role to Administrator, and untick the “Send User Notification” box so no confirmation email goes out. Then log into that new account and delete the old “admin” account. When WordPress asks what to do with the old account’s content, choose to attribute all of it to your new user rather than deleting it.

Now you are no longer giving hackers a head start to getting into your account.

Limit the number of login attempts

Next up, you should make sure that you’re limiting the number of failed login attempts someone can make before they are locked out for an extended period of time.

When bad actors are trying to get into your account, they are going to fire a ton of login attempts at your site to see if they can guess your password. With a genuinely strong password, online guessing won’t succeed in any realistic amount of time, but the flood of attempts still loads down your server, and it only takes one weak or reused password on any account to let them in.

So a good way to stop them is to simply limit the number of login attempts someone gets before they are locked out of the website for a set amount of time. That substantially slows down a bad actor’s ability to guess a password and enter your account.

Fortunately with WordPress, that’s pretty easy. Simply install and activate the Limit Login Attempts Reloaded plugin. You can set the number of attempts possible and how long someone is locked out if they hit that limit.

It’s another step towards making it that much harder for hackers to get into your website.
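To show what a plugin like that is doing under the hood, here is a minimal version of the same idea as a must-use plugin. It is an added example, not code from the original post or from Limit Login Attempts Reloaded, and the policy numbers (5 attempts, 15 minutes) and the decision to key the counter on IP address plus username are assumptions. The one caveat worth knowing before you copy it anywhere: if your site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy’s address, so every visitor would share one counter and an attacker could lock out everyone.

```php
<?php
/**
 * Plugin Name: Simple Login Lockout (added example)
 *
 * Save as wp-content/mu-plugins/login-lockout.php. Counters are stored in
 * transients, so no extra database tables are needed.
 */

// Assumed policy values for this example, not from the original post.
const EXAMPLE_MAX_ATTEMPTS    = 5;
const EXAMPLE_LOCKOUT_SECONDS = 15 * 60;

/**
 * Client address. Behind a CDN or reverse proxy this is the proxy, not the
 * visitor: configure the web server's real-IP handling there rather than
 * trusting X-Forwarded-For here, since an attacker can set that header.
 */
function example_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient key for an IP/username pair (hashed to keep it short and safe). */
function example_lockout_key( $username ) {
	return 'example_lockout_' . md5( example_client_ip() . '|' . strtolower( (string) $username ) );
}

/** True when this IP/username pair has hit the limit. */
function example_is_locked_out( $username ) {
	return (int) get_transient( example_lockout_key( $username ) ) >= EXAMPLE_MAX_ATTEMPTS;
}

// 1. Count failures. Fires for wrong passwords and unknown usernames alike.
//    Every failure restarts the window, so once the limit is reached the
//    transient's lifetime is the lockout, and further tries extend it.
add_action( 'wp_login_failed', function ( $username ) {
	$key   = example_lockout_key( $username );
	$count = (int) get_transient( $key ) + 1;
	set_transient( $key, $count, EXAMPLE_LOCKOUT_SECONDS );
} );

// 2. Refuse the login while locked out. Priority 30 runs after core's own
//    username/password handlers (priority 20), which would otherwise discard
//    an error raised earlier in the chain; this also covers XML-RPC and REST
//    application-password logins, which all pass through 'authenticate'.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( '' === $username ) {
		return $user; // nothing submitted yet; let core report the empty fields
	}
	if ( example_is_locked_out( $username ) ) {
		return new WP_Error(
			'example_locked_out',
			sprintf( 'Too many failed logins. Try again in %d minutes.', EXAMPLE_LOCKOUT_SECONDS / 60 )
		);
	}
	return $user;
}, 30, 3 );

// 3. A successful login clears the counter for both the login name and the
//    email address, since WordPress accepts either on the login form.
add_action( 'wp_login', function ( $user_login, $user ) {
	delete_transient( example_lockout_key( $user_login ) );
	delete_transient( example_lockout_key( $user->user_email ) );
}, 10, 2 );
```

To test it, enter a wrong password five times on wp-login.php and then the correct one: the sixth attempt should be refused with the lockout message even though the password is right. Because core’s handler at priority 20 still verifies the password before this check rejects the login, a patient attacker could in principle time responses; a full plugin like Limit Login Attempts Reloaded handles that and the proxy problem, which is why the post recommends it over rolling your own.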

Make sure you have a way to back up your website

Another thing you need to do is to make sure that you have a way to back up your website on a daily basis in case something goes wrong.

This isn’t exactly a preventative measure, but it can be super helpful if you do unfortunately get hacked (or if something just breaks on your website). You can go back to your most recent backup and restore that version of your website as if nothing happened.

There are a number of web hosts that can do this for you. I know WP Engine and Pressable for sure have automated daily backups. And if you’re looking for a web host, I would definitely make that one of the top things to look for when deciding.

But if you don’t have that option from your host, you can always use a plugin to help you out. I’ve found that BackupBuddy, UpdraftPlus, VaultPress (from Jetpack) and BoldGrid Backup are some of the best at doing this. Unfortunately, all of them will cost you around $60 to $90 a year, although UpdraftPlus has a limited free version for you to try. Whichever you pick, have it send the backup somewhere off the server (cloud storage, for example), because a backup sitting next to the hacked site can be wiped along with it.

But make sure that you are taking regular backups of your website. You never know when one might come in handy.

Create a New, Secure Website That Fits Your Budget

You might think that a new website is going to cost you a lot of money. But the good news is that it doesn’t have to. Let’s work together to build your business a great, professionally-built website that doesn’t wreck your budget. And the best part is that a lot of the security tasks and items talked about here will be built into it already. So let’s give you a great, secure website today!


Hide what theme you’re using

Finally, you might want to consider hiding what theme you’re using on your website to the outside world.

You see, anyone can find out what theme you’re using. They could use the browser’s inspector tools or view the page source to find the path to your theme’s style.css, which contains the theme’s folder name, or they could use a website like “What WordPress Theme Is That” to look it up.

Now most of the time, that’s not a big issue. After all, just seeing what theme you’re using doesn’t give them access to change any files.

But this could become an issue if the theme you’re using has a security issue that hasn’t been fixed. In that case, someone could scan for sites running that theme, see that yours is one of them, and set out to exploit the vulnerability.

So to close off that possibility, you might want to consider using WP Hide & Security Enhancer to hide your theme’s name from the outside world. Just remember that this only makes you harder to find; it doesn’t fix the vulnerability, so keeping the theme updated (or replacing an abandoned one) still comes first.

I do want to note that if you’re using a custom theme for your website, you won’t need to do this since, well, it’s a custom theme that only you or your developer know.

Otherwise, you might want to consider taking this one last step to make sure your WordPress website is as secure as possible.

What about the table prefix?

Now if you’ve done some research into WordPress security, you’ve probably seen some posts mention changing the table prefix as another preventative measure.

There is certainly some truth to doing that. Each of your WordPress-related tables in your database start with “wp_” by default. And there are ways to change that behavior.

However, doing it on an existing site means renaming every table in the database and updating a few option and user-meta keys that embed the prefix, which is pretty technical. You would definitely need prior database experience to know confidently what you’re doing, and it buys you less than it sounds: it only hides a default, and an attacker who finds a SQL injection flaw can read the real prefix out of the database anyway.

So for that reason, I don’t necessarily recommend doing it. The only exception would be if you know how to work with the WordPress database or you have a developer who does (or you pick a custom prefix when first installing WordPress, where it’s just one field in the installer).

Otherwise it’s just not worth the risk of accidentally taking down your own website and not being able to recover it because you messed up part of the process.

Don’t worry about your WordPress website’s security again

Does this list make you tired just looking at it with everything you need to do to secure your WordPress website? The good news is that you don’t have to if you don’t want to.

You can sign up for one of the WordPress Website Care plans and get this all taken care of for you. When you move onto one of the plans, I’ll install Wordfence on your website, make sure that you’re using HTTPS, add in other plugins to help further secure your website and review your website for any issues. Plus, you’ll get web hosting on WP Engine with daily backups so you can feel confident even if something goes wrong.

So sign up today and feel better knowing that your website is as secure as possible.