How to secure your WordPress website

Web and internet security is all the rage these days it seems. And it’s not without reason either.

How many times this year did we here about data breaches? It’s certainly a legitimate concern if you’re a website owner.

And the risks only grow if you run a WordPress website. They are some of the top targets for bad actors out there. And trust me, I’ve heard the horror stories about people’s websites getting hacked and trying to fix them.

So if you’re worried about your WordPress website’s security, here are some steps you can take to secure it the best you can.

Update your plugins, themes and WordPress core

The easiest thing you can do to make sure your plugins and themes and WordPress core itself are up-to-date.

Because it’s the biggest content management system on the web, WordPress core as well as plugins and themes are top targets for bad actors. As such, developers are coming up with fixes and reacting to different vulnerabilities. And they release those patches as updates that you need to run as soon as you can.

If someone updates their plugin that fixes a security issue and you don’t update that plugin, your website is extremely vulnerable, especially since that update’s release note will disclose that issue. The only way to keep someone from exploiting that vulnerability is to update the plugin (or theme or WordPress core).

Also, you should remove any plugins and themes that you are not using. Besides taking up space on your website, it’s not totally unheard of someone getting into a website through an inactive plugin. It’s just good housekeeping (or website-keeping, I guess).

This won’t stop everything, obviously. There are more steps to take to secure your website. But it is something you can do right this section with no cost to you. So do it now!

Use two-factor authentication

Another really good idea is to use two-factor authentication with your login to your website.

Essentially what this does is when you log in, you will receive a code through email, text or some other system before you get to the dashboard. You will then have to enter that code before you are logged in. This means that even if someone guesses your password, they need that code to log in. And as long as you keep that second “key” hidden, they can’t get in.

There are many plugins out there that can do this for you. I currently use Two Factor Authentication which works in conjunction with Google Authenticator to power my TFA. I’ve found that it works extremely well and it’s free, which is great.

This won’t prevent all attacks. But it will protect the potential that someone gets your username and password for the dashboard. And it definitely doesn’t hurt to have that added layer of security on your website.

Use a security plugin

Finally, one of the best things you can do for your website’s security is to use a security plugin. There are a lot of them out there, but the best I’ve found are Wordfence, iThemes Security and Securi. I went over those plugins in an earlier blog post.

While the specifics on what they do vary from plugin to plugin, on the whole they do a few things. First, they can stop bad actors from logging in. Then they can put up a firewall around your WordPress website. And third, they can scan your files to see if someone managed to add malicious code into them.

Plus, at least some of the plugins (including Wordfence), have free versions available so you can give them a test spin. That’s actually what I’m doing with Wordfence currently. Personally, I’ve found it to be a great help (especially with keep plugins updated) and I might go for the premium version sometime soon.

But no matter what, make sure you get a security plugin on your website to cover as many vulnerabilities as you can.

So even if you’re not currently concerned about your website’s security (which might be problem number one), you should be taking these steps to make sure it’s secured. Because securing the website now will save you so much time and headaches down the road.